In selinux_xfrm_state_pol_flow_match we have cases where we drop packets without asking the avc. No audit message is generated in this case. Let's at least print out a message to the logs, so the users don't need to dig in the code to find out why these packets are dropped. Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> --- security/selinux/xfrm.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 728c57e..b0dd401 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -118,25 +118,33 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy * int rc; if (!xp->security) - if (x->security) - /* unlabeled policy and labeled SA can't match */ + if (x->security) { + if (net_ratelimit()) + printk("selinux: unlabeled policy and labeled SA can't match\n"); return 0; - else + } else /* unlabeled policy and unlabeled SA match all flows */ return 1; else - if (!x->security) - /* unlabeled SA and labeled policy can't match */ + if (!x->security) { + if (net_ratelimit()) + printk("selinux: unlabeled SA and labeled policy can't match\n"); return 0; - else - if (!selinux_authorizable_xfrm(x)) - /* Not a SELinux-labeled SA */ + } else { + if (!selinux_authorizable_xfrm(x)) { + if (net_ratelimit()) + printk("selinux: Not a SELinux-labeled SA\n"); return 0; + } + } state_sid = x->security->ctx_sid; - if (fl->secid != state_sid) + if (fl->secid != state_sid) { + if (net_ratelimit()) + printk("selinux: Flow label does not match SA label\n"); return 0; + } rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, -- 1.7.0.4
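Review bot: all four new printk() calls in this hunk have no log level, so they land at the default level rather than a deliberate one; please give them an explicit KERN_WARNING/KERN_INFO prefix (or the pr_warn()/pr_info() helpers) since these lines describe a dropped packet that an administrator will be grepping for. The same four-line pattern `if (net_ratelimit()) printk("selinux: ...\n");` is repeated verbatim; a small static helper taking the reason string, or the kernel's rate-limited printk variant if this tree has it, would keep the match function readable. Bracing is also inconsistent: the `if (x->security) {` branch is now braced while its `} else` arm (`return 1;`) is not, and the outer `if (!xp->security)` ... `else` still relies on dangling-else binding around an unbraced nested if/else; kernel style asks for braces on both arms once one needs them, and bracing the outer if would make the control flow obvious. Finally, since the motivation is that no audit record is produced for these drops, consider whether this belongs in the audit log instead of (or in addition to) dmesg; the current messages name the reason but not which SA or policy was involved, so a user still has to correlate them by hand.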