[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Thu Mar 4 14:42:04 UTC 2021
New commits:
commit ddbdbcfb38f13550cfe83dda5531dc729389858d
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date: Thu Mar 4 09:40:32 2021 -0500
IKEv2: fix bug where the wrong label was used for SELinux policy checko
* The bug was that `policy-label` (e.g. `ipsec_spd_t`) was used in place
of the SELinux domain in the `TS_SECLABEL` payload in `TSr`.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 51d2c76f5f9755bf1c1f1f5fc443d68ba31282da
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date: Thu Mar 4 09:31:50 2021 -0500
IKEv2: fix bug where Initiator only sent a security label in TSi
* Per IKEv2 labeled IPsec proposal (https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-04),
both `TSi` and `TSr` contain a `TS_SECLABEL` payload when security
labels are in use.
** For SELinux, the security label payloads in `TSi` and `TSr` should be
identical.
* Prior to this change, the Initiator did _not_ send a `TS_SECLABEL`
payload as part of the `TSr` payload.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit f558273b73f1c40c779010cd75f1e9ac37acc8e8
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date: Thu Mar 4 09:31:18 2021 -0500
IKEv2: don't use `policy-label` for a child SA
* `policy-label` in a connection configuration, which is usually
`ipsec_spd_t`, is only meant for Security Policy Database (SPD)
entries.
* Therefore, the `policy-label` should _not_ be used for the pair of
child/IPsec SAs created as part of IKE_AUTH.
** We want security labels in child/IPsec SAs to be driven by
Netlink ACQUIREs.
** If a connection with `policy-label` specified has `auto=start`,
then there is no ACQUIRE with a label driving the creation of the
child/IPsec SA pair.
*** In this scenario, the child/IPsec SA pair that is created as
part of IKE_AUTH should have _no_ security label.
**** This behavior is what existed in the original IKEv1
labeled IPsec implementation.
**** The child/IPsec SA pair without a security label won't be
used in a SELinux labeled IPsec environment. This is
because every IP datagram will have a SELinux domain
associated with it meaning that none of the datagrams will
match the child/IPsec SA pair without a security label.
**** Therefore, having the child/IPsec SA pair without a
security label is harmless.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 30f6c5a01e630f6073f91693810acc7a2546491b
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 4 09:30:00 2021 -0500
testing: rename ikev2-labeled-ipsec-03-mismatch -> ikev2-labeled-ipsec-04-no-label
More information about the Swan-commit
mailing list