Open jdesaigtri opened 10 years ago
Is there really a valid policy label that you need that is bigger than that? I've heard that 256 is really long and very reasonable. If you really need it please email me at pwouters@redhat.com and I can see about changing it for libreswan upstream/RHEL (and possibly openswan-RHEL)
Thank you. Email sent to pwouters@redhat.com
Hi Paul,
I left work early on Friday. I just responded to your pwouters@redhat.com address.
Thanks.
-Janak
On Fri, Oct 17, 2014 at 3:56 PM, Paul Wouters (libreswan) < notifications@github.com> wrote:
Is there really a valid policy label that you need that is bigger than that? I've heard that 256 is really long and very reasonable. If you really need it please email me at pwouters@redhat.com and I can see about changing it for libreswan upstream/RHEL (and possibly openswan-RHEL)
In the latest (2.6.41) version of openswan, file programs/pluto/state.h enforces a maximum SELinux context size MAX_SECCTX_LEN of 257. File programs/pluto/kernel_netlink.c limits that size to a hardcoded 1024. Both the SELinux library and the kernel use a higher limit, the page size, which is 4096 on x86_64, for the SELinux context size. This openswan restriction of 257 and 1024 limits the size of the context that can be exchanged by pluto when using labeled ipsec (ifdef HAVE_LABELED_IPSEC) running with the mls SELinux policy.
To reproduce, set up two SELinux systems to run with the mls policy in permissive mode. Use the client/server pair of test programs from http://securityblog.org/2007/05/28/secure-networking-with-selinux/
Set up labeled ipsec using a configuration file such as the attached ipsectnl.conf
Start ./server program on the server system.
On the system with the client program, change the current level using the attached con2 file:
newrole -l `cat con2`
and then start the client. It should display the full context and not hang.
./client
---- ipsectnl.conf---
conn peertnl
    type=transport
    left=192.168.100.10
    leftrsasigkey=%cert
    leftcert=usercert-rhel6left
    right=192.168.100.11
    rightrsasigkey=%cert
    rightcert=usercert-rhel6right
    esp=aes128-sha1;modp2048
    ike=aes128-sha1;modp2048
    auto=start
    labeled_ipsec=yes
    policy_label=system_u:system_r:sysadm_t:s0-s15:c0.c1023
----con2------------
s0:c1,c2,c4,c5,c7,c8,c10,c11,c13,c14,c16,c17,c19,c20,c22,c23,c25,c26,c28,c29,c31,c32,c34,c35,c37,c38,c40,c41,c43,c44,c46,c47,c49,c50,c52,c53,c55,c56,c58,c59,c61,c62,c64,c65,c67,c68,c70,c71,c73,c74,c76,c77,c79,c80,c82,c83,c85,c86,c88,c89,c91,c92,c94,c95,c97,c98,c100,c101,c103,c104,c106,c107,c109,c110,c112,c113,c115,c116,c118,c119,c121,c122,c124,c125,c127,c128,c130,c131,c133,c134,c136,c137,c139,c140,c142,c143,c145,c146,c148,c149,c151,c152,c154,c155,c157,c158,c160,c161,c163,c164,c166,c167,c169,c170,c172,c173,c175,c176,c178,c179,c181,c182,c184,c185,c187,c188,c190,c191,c193,c194,c196,c197,c199,c200,c202,c203,c205,c206,c208,c209,c211,c212,c214,c215,c217,c218,c220,c221,c223,c224,c226,c227,c229,c230,c232,c233,c235,c236,c238,c239,c241,c242,c244,c245,c247,c248,c250,c251,c253,c254,c256,c257,c259,c260,c262,c263,c265,c266,c268,c269,c271,c272,c274,c275,c277,c278,c280,c281,c283,c284,c286,c287,c289,c290,c292,c293,c295,c296,c298,c299,c301,c302,c304,c305,c307,c308,c310,c311,c313,c314,c316,c317,c319,c320,c322,c323,c325,c326,c328,c329,c331,c332,c334,c335,c337,c338,c340,c341,c343,c344,c346,c347,c349,c350,c352,c353,c355,c356,c358,c359,c361,c362,c364,c365,c367,c368,c370,c371,c373,c374,c376,c377,c379,c380,c382,c383,c385,c386,c388,c389,c391,c392,c394,c395,c397,c398,c400,c401,c403,c404,c406,c407,c409,c410,c412,c413,c415,c416,c418,c419,c421,c422,c424,c425,c427,c428,c430,c431,c433,c434,c436,c437,c439,c440,c442,c443,c445,c446,c448,c449,c451,c452,c454,c455,c457,c458,c460,c461,c463,c464,c466,c467,c469,c470,c472,c473,c475,c476,c478,c479,c481,c482,c484,c485,c487,c488,c490,c491,c493,c494,c496,c497,c499,c500,c502,c503,c505,c506,c508,c509,c511,c512,c514,c515,c517,c518,c520,c521,c523,c524,c526,c527,c529,c530,c532,c533,c535,c536,c538,c539,c541,c542,c544,c545,c547,c548,c550,c551,c553,c554,c556,c557,c559,c560,c562,c563,c565,c566,c568,c569,c571,c572,c574,c575,c577,c578,c580,c581,c583,c584,c586,c587,c589,c590,c592,c593,c595,c596,c598,c599,c601,c602,c604,c605,c607,c608,c610,c611,c613,c614,c616,c617,c619,c620,c622,c623,c625,c626,c628,c629,c631,c632,c634,c635,c637,c638,c640,c641,c643,c644,c646,c647,c649,c650,c652,c653,c655,c656,c658,c659,c661,c662,c664,c665,c667,c668,c670,c671,c673,c674,c676,c677,c679,c680,c682,c683,c685,c686,c688,c689,c691,c692,c694,c695,c697,c698,c700,c701,c703,c704,c706,c707,c709,c710,c712,c713,c715,c716,c718,c719,c721,c722,c724,c725,c727,c728,c730,c731,c733,c734,c736,c737,c739,c740,c742,c743,c745,c746,c748,c749,c751,c752,c754,c755,c757,c758,c760,c761,c763,c764,c766,c767,c769,c770,c772,c773,c775,c776,c778,c779,c781,c782,c784,c785,c787,c788,c790,c791,c793,c794,c796,c797,c799,c800,c802,c803,c805,c806,c808,c809,c811,c812,c814,c815,c817,c818,c820,c821,c823,c824,c826,c827,c829,c830,c832,c833,c835,c836,c838,c839,c841,c842,c844,c845,c847,c848,c850,c851,c853,c854,c856,c857,c859,c860,c862,c863,c865,c866,c868,c869,c871,c872,c874,c875,c877,c878,c880,c881,c883,c884,c886,c887,c889,c890,c892,c893,c895,c896,c898,c899,c901,c902,c904,c905,c907,c908,c910,c911,c913,c914,c916,c917,c919,c920,c922,c923,c925,c926,c928,c929,c931,c932,c934,c935,c937,c938,c940,c941,c943,c944,c946,c947,c949,c950,c952,c953,c955,c956,c958,c959,c961,c962,c964,c965,c967,c968,c970,c971,c973,c974,c976,c977,c979,c980,c982,c983,c985,c986,c988,c989,c991,c992,c994,c995,c997,c998,c1000,c1001,c1003,c1004,c1006,c1007,c1009,c1010,c1012,c1013,c1015,c1016,c1018,c1019,c1021,c1022-s15:c0.c1023
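As an added illustration (not code from the issue or from openswan), the C program below rebuilds an MLS level in the shape of the attached con2 file (every category c1..c1022 whose number is not a multiple of 3, then the -s15:c0.c1023 clearance) and measures it against the three limits named above: openswan's 257, the hardcoded 1024 in kernel_netlink.c, and the 4096-byte page size that libselinux and the kernel accept on x86_64. The three limit macros and the fits_limit() helper are this example's own; whether MAX_SECCTX_LEN counts the terminating NUL is assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits as described in the report (names are this example's own). */
#define OPENSWAN_MAX_SECCTX_LEN 257   /* programs/pluto/state.h */
#define OPENSWAN_NETLINK_LIMIT  1024  /* programs/pluto/kernel_netlink.c */
#define X86_64_PAGE_SIZE        4096  /* libselinux and kernel ceiling */

/* Build a level in the con2 shape: "s0:" + every category c1..c<hi> whose
 * number is not a multiple of 3, then "-s15:c0.c1023".  Returns a malloc'd
 * string that the caller frees, or NULL on allocation failure. */
char *build_con2_level(int hi)
{
    /* Upper bound: "s0:" + hi * strlen("c1023,") + suffix + NUL. */
    size_t cap = 3 + (size_t)hi * 6 + strlen("-s15:c0.c1023") + 1;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    size_t n = (size_t)snprintf(buf, cap, "s0:");
    int first = 1;
    for (int c = 1; c <= hi; c++) {
        if (c % 3 == 0) continue;              /* con2 skips c3, c6, c9, ... */
        n += (size_t)snprintf(buf + n, cap - n, "%sc%d", first ? "" : ",", c);
        first = 0;
    }
    snprintf(buf + n, cap - n, "-s15:c0.c1023");
    return buf;
}

/* Length of the con2-shaped level for categories up to <hi>. */
size_t con2_level_len(int hi)
{
    char *lvl = build_con2_level(hi);
    size_t len = lvl ? strlen(lvl) : 0;
    free(lvl);
    return len;
}

/* Assumption: 'limit' is the buffer size, so the NUL needs one of its bytes. */
int fits_limit(size_t ctx_len, size_t limit)
{
    return ctx_len + 1 <= limit;
}

int main(void)
{
    size_t len = con2_level_len(1022);   /* the level attached as con2 */
    printf("con2 level is %zu bytes\n", len);
    printf("fits MAX_SECCTX_LEN %d: %s\n", OPENSWAN_MAX_SECCTX_LEN,
           fits_limit(len, OPENSWAN_MAX_SECCTX_LEN) ? "yes" : "no");
    printf("fits netlink limit %d: %s\n", OPENSWAN_NETLINK_LIMIT,
           fits_limit(len, OPENSWAN_NETLINK_LIMIT) ? "yes" : "no");
    printf("fits page size %d: %s\n", X86_64_PAGE_SIZE,
           fits_limit(len, X86_64_PAGE_SIZE) ? "yes" : "no");
    return 0;
}
```

The level alone is 3369 bytes before any user:role:type prefix, so it overflows both openswan limits while still fitting within the page-size ceiling, which is why the full context cannot be carried as-is.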