[redhat-lspp] Re: [RFC] [MLSXFRM 02/04] Add enforcement to SE Linux LSM

Venkat Yekkirala vyekkirala at TrustedCS.com
Tue Jun 20 22:50:20 UTC 2006


> I have a question: if the sock type does not match the policy type  
> (xfrm_lookup hook on output step (2)), can we send the packet?

Only if the packet can send to SECINITSID_UNLABELED as checked in
selinux_xfrm_postroute_last() which would be the 5th step below.

> 
> It seems on output the socket and policy types must match,

More accurately, the flow (which derives from the socket in the locally
generated case) and the policy types must "polmatch", yes.

> but this  
> is not the case on input (input step (3) checks socket access and  
> flow type is from sa).

Again the flow has to polmatch a policy; the flow derives the Type from the
SA used or unlabeled if no SA was used.

In either direction, it's the "flow" that selects a policy (or not).

The "input step (3)" you refer to above is really a socket vs. state
(recvfrom) check; the equivalent on the output being the generic
flow_state_match (sendto) check. And the latter has to be a generic "flow"
based check since in the forward case we wouldn't have a source socket.

>  Nor was it the case in the original patch.

Are you referring to my original patch or the current upstreamed
implementation?

> 
> Output step (4) checks that the socket can send to the specific sa  
> type which is right.
> 
> The extra level of indirection provided by the flow makes things a  
> bit harder to follow, so I think that this should be made clear in  
> documentation somehow.  I am not sure if people will be able to  
> maintain this notion easily later.  My understanding is below.

It would be a lot easier if people looked at this in terms of "flow".

> 
> On input:
> (1) get flow label from sa via packet
> (2) authorize flow label matches policy (xfrm_lookup hook)
> (3) authorize socket access to sa label (rcv_skb)
> 
> On output:
> (1) get flow label from socket (xfrm_lookup)
> (2) authorize flow label matches policy (xfrm_lookup hook)
> (3) authorize sa matches policy (state_pol_flow)
> (4) authorize flow label can send to state (flow_state_match)

(5) If not using a xfrm, authorize flow label can send to the unlabeled
"association".

> 
> Regards,
> Trent.
> ----------------------------------------------
> Trent Jaeger, Associate Professor
> Pennsylvania State University, CSE Dept
> 346A IST Bldg, University Park, PA 16802
> Email: tjaeger at cse.psu.edu
> Ph: (814) 865-1042, Fax: (814) 865-3176
> 
> 
> 
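
The output-side sequence discussed in this thread, steps (1) to (5), as a simplified user-space model. This is an added example, not part of the original message and not kernel code. The type names, the rule table, and the reduction of step (3) to a pointer comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow rules standing in for loaded policy: src may <perm> tgt. */
struct rule { const char *src, *tgt, *perm; };
static const struct rule rules[] = {
    { "web_t",   "web_spd_t",   "polmatch" },
    { "web_t",   "web_sa_t",    "sendto"   },
    { "batch_t", "web_spd_t",   "polmatch" },   /* polmatch, but no sendto */
    { "admin_t", "unlabeled_t", "sendto"   },   /* may send without an SA */
};

static int allowed(const char *src, const char *tgt, const char *perm)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (!strcmp(rules[i].src, src) && !strcmp(rules[i].tgt, tgt) &&
            !strcmp(rules[i].perm, perm))
            return 1;
    return 0;
}

struct policy { const char *label; };                           /* SPD entry */
struct state  { const char *label; const struct policy *pol; }; /* SA */
enum verdict { SENT_XFRM, SENT_UNLABELED, DENIED };

/* Constructed sample data: one labeled policy and one SA created under it. */
static const struct policy spd[] = { { "web_spd_t" } };
static const struct state web_sa = { "web_sa_t", &spd[0] };

/* Step 1 is the caller's: flow_label comes from the sending socket. */
enum verdict output_check(const char *flow_label, const struct state *sa)
{
    const struct policy *pol = NULL;
    for (size_t i = 0; i < sizeof(spd) / sizeof(spd[0]) && !pol; i++)
        if (allowed(flow_label, spd[i].label, "polmatch"))      /* step 2 */
            pol = &spd[i];
    if (!pol)   /* step 5: no xfrm; "unlabeled_t" models SECINITSID_UNLABELED */
        return allowed(flow_label, "unlabeled_t", "sendto") ? SENT_UNLABELED : DENIED;
    if (!sa || sa->pol != pol)          /* step 3, reduced to identity (assumed) */
        return DENIED;
    return allowed(flow_label, sa->label, "sendto") ? SENT_XFRM : DENIED; /* step 4 */
}

int main(void)
{
    const char *flows[] = { "web_t", "batch_t", "admin_t", "guest_t" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s -> %d\n", flows[i], output_check(flows[i], &web_sa));
    return 0;
}
```

In this model a flow that polmatches no policy goes out only through the unlabeled sendto check, and a flow that does polmatch is never allowed to fall back to it.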



