[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Mon Mar 22 04:26:38 UTC 2021

New commits:
commit 8d1f8aec2ca811954811337008b4aee1a8900286
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date:   Mon Mar 22 00:24:59 2021 -0400

    pluto: use `policy-label` value for initial child/IPsec SA pair's label
    * A previous commit made the initial child/IPsec SA pair _not_ use a
    * Not using a label, however, caused traffic to bypass the IPsec tunnel
      when using labeled IPsec at just one endpoint, i.e. `policy-label` was
      only specified at one endpoint.
    * In order to prevent this "leakage", the initial child/IPsec SA pair
      uses the `policy-label` value for the label, which is usually
      ** The behavior implemented by this commit was, in fact, the original
         behavior of the IKEv2 labeled IPsec implementation in Libreswan.
      ** Previously, we had to add the following SELinux rule to the
         `targeted` policy when `ipsec_spd_t` was specified for the initial
         child/IPsec pair:
         `allow ipsec_spd_t self:association { polmatch };`
      ** The rule is no longer needed because:
         *** `pluto`'s code-path no longer invokes a `polmatch` check for the
             initial child/IPsec SA pair via `se_label_match()`.
         *** The kernel creates a child/IPsec SA pair with `ipsec_spd_t`
             without complaint - I am not sure why this is though.
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

More information about the Swan-commit mailing list