Re: [RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support

On Mon, Jan 23, 2017 at 01:19:02PM +0000, Richard Haines wrote:
> On Wed, 2016-12-14 at 13:34 -0500, Stephen Smalley wrote:
> > On Wed, 2016-12-14 at 13:39 +0000, Richard Haines wrote:
<snip>
> > > +   3) SCTP sockets inherit their labels from the creating process
> > > (unless
> > > +      there are policy rules to change this). They do NOT follow
> > > the
> > > TCP
> > > +      labeling method even for TCP-style sockets. For reference:
> > > TCP
> > > child
> > > +      sockets take the TE information from the parent server
> > > socket,
> > > but the
> > > +      MLS/MCS information from the connection when CIPSO is
> > > enabled.
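Review bot: the paragraph says what SCTP sockets do not do (follow the TCP child-socket labeling, even for TCP-style sockets) but not what MLS/MCS information an accepted TCP-style SCTP socket actually carries when CIPSO is enabled; since the TCP behaviour described in the same lines exists precisely so that the MLS/MCS part comes from the connection, state explicitly which MLS/MCS label the SCTP socket gets in that case, or document the reason for diverging.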
> > 
> > This seems problematic, given that the TCP child socket behavior was
> > specifically introduced to allow MLS connections to operate
> > correctly.
> > Why diverge?  At some point, it would be useful to rework that to use
> > security_transition_sid() or similar to derive the child socket label
> > and let policy dictate h
> > that's a separate change.
> I'll attempt to fix this, currently I've tested against equivalent in
> the SELinux test suite:
> CIPSO loopback full-labeling - ok
> CIPSO - fails some tests
> CALIPSO - fails some tests
> NetLabel Fallback labeling - ok
> iptables - ok
> IPSEC - fails probably because rfc3554 (sctp/ipsec support) has
> not been implemented yet.

FWIW, the kernel side for SCTP/IPSEC is there, but the userspace bits
aren't. There is an initiative to do it in libreswan but it's just on
paper yet. And sure, bugs might be uncovered during so..

  Marcelo
