[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Mon Mar 22 04:26:38 UTC 2021
New commits:
commit 8d1f8aec2ca811954811337008b4aee1a8900286
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date: Mon Mar 22 00:24:59 2021 -0400
pluto: use `policy-label` value for initial child/IPsec SA pair's label
* A previous commit made the initial child/IPsec SA pair _not_ use a
label.
* Not using a label, however, caused traffic to bypass the IPsec tunnel
when using labeled IPsec at just one endpoint, i.e. `policy-label` was
only specified at one endpoint.
* In order to prevent this "leakage", the initial child/IPsec SA pair
uses the `policy-label` value for the label, which is usually
`ipsec_spd_t`.
** The behavior implemented by this commit was, in fact, the original
behavior of the IKEv2 labeled IPsec implementation in Libreswan.
** Previously, we had to add the following SELinux rule to the
`targeted` policy when `ipsec_spd_t` was specified for the initial
child/IPsec pair:
`allow ipsec_spd_t self:association { polmatch };`
** The rule is no longer needed because:
*** `pluto`'s code-path no longer invokes a `polmatch` check for the
initial child/IPsec SA pair via `se_label_match()`.
*** The kernel creates a child/IPsec SA pair with `ipsec_spd_t`
without complaint - I am not sure why this is though.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
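As an added verification check, not code from this commit or from libreswan, the script below parses `ip xfrm state` output and flags any SA that lacks the expected SELinux label (here the usual `policy-label` type `ipsec_spd_t`), which is the condition the commit describes as letting traffic bypass the tunnel. It assumes iproute2 prints labeled SAs with a `security context <ctx>` line; the sample output is constructed.

```python
"""Flag IPsec SAs that lack the expected SELinux label in `ip xfrm state` output.
Added example, not part of the commit or of libreswan.  Assumes iproute2 prints
labeled SAs with a `security context <ctx>` line; sample output is constructed."""
import re

# Constructed sample: two SAs, only the first labeled with ipsec_spd_t
# (the usual `policy-label` value).  The second would carry traffic unlabeled.
SAMPLE = """\
src 192.0.2.1 dst 192.0.2.2
\tproto esp spi 0x0000a001 reqid 16389 mode tunnel
\tenc cbc(aes) 0x00
\tsecurity context system_u:object_r:ipsec_spd_t:s0
src 192.0.2.2 dst 192.0.2.1
\tproto esp spi 0x0000a002 reqid 16389 mode tunnel
\tenc cbc(aes) 0x00
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
SPI_FIELD = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
LABEL_LINE = re.compile(r"^\s*security context (\S+)")

def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi, label (None when unlabeled)."""
    sas = []
    for line in text.splitlines():
        head = SA_HEADER.match(line)
        if head:  # a new SA block starts at an unindented `src ... dst ...` line
            sas.append({"src": head.group(1), "dst": head.group(2),
                        "spi": None, "label": None})
            continue
        if not sas:  # ignore anything before the first SA header
            continue
        spi = SPI_FIELD.search(line)
        if spi:
            sas[-1]["spi"] = spi.group(1)
        label = LABEL_LINE.match(line)
        if label:
            sas[-1]["label"] = label.group(1)
    return sas

def unlabeled_sas(text, expected_type="ipsec_spd_t"):
    """SAs whose label is missing or whose SELinux type is not expected_type."""
    bad = []
    for sa in parse_xfrm_state(text):
        parts = (sa["label"] or "").split(":")  # user:role:type:range
        if len(parts) < 3 or parts[2] != expected_type:
            bad.append(sa)
    return bad
```

Run it against live output with `unlabeled_sas(subprocess.check_output(["ip", "xfrm", "state"], text=True))`; an empty list means every installed SA carries the expected label.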