Re: Possible fix
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: 2014-03-07 11:23:34
On Thu, Mar 06, 2014 at 10:04:54PM -0500, Paul Moore wrote:
> On Wednesday, March 05, 2014 01:20:09 PM Steffen Klassert wrote:
> > Right, that's not really surprising. But it is a bit surprising that we care for the security context only if we add a socket policy via the pfkey key manager. The security context is not handled if we do that with the netlink key manager, see xfrm_compile_policy(). I'm not that familiar with selinux and labeled IPsec, but maybe this needs to be implemented in xfrm_compile_policy() too.
>
> Okay, I see your point. We probably should add support for per-socket policy labels just to keep parity with the pfkey code (and this is far removed from any critical path), but to be honest it isn't something that I think would get much use in practice. Labeled networking users tend to fall under the very strict, one-system-wide-security-policy and per-socket policies tend to go against that logic.

If you think socket policy labels are not a use case for labeled IPsec, we could fix this bug simply by removing the code from pfkey ;) Otherwise I think we should implement it for xfrm_compile_policy() too.
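The per-socket policy path the thread is about, as an added example that is not part of this thread or of the kernel sources: a userspace program that builds the IP_XFRM_POLICY setsockopt payload that xfrm_compile_policy() parses. That payload is a struct xfrm_userpolicy_info followed directly by an array of struct xfrm_user_tmpl; the kernel derives the template count from the remaining length and reads no attributes, which is why there is nowhere in this path for a security context to travel. It assumes a Linux host with the uapi <linux/xfrm.h> header; the addresses, the reqid, the EX_ prefixed names and the helper function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>   /* must precede linux/xfrm.h (in6 compat shims) */
#include <arpa/inet.h>
#include <linux/xfrm.h>

/* Constructed example addresses from the RFC 5737 documentation ranges. */
#define EX_SRC "192.0.2.10"
#define EX_DST "198.51.100.20"
/* Assumed to match the template limit xfrm_compile_policy() enforces
 * (XFRM_MAX_DEPTH in net/xfrm.h, which is not a uapi header). */
#define EX_MAX_TMPL 6

/* One template: ESP in transport mode, any algorithm, bound to reqid. */
static struct xfrm_user_tmpl esp_transport_tmpl(uint32_t reqid)
{
    struct xfrm_user_tmpl t;
    memset(&t, 0, sizeof(t));
    t.id.proto = IPPROTO_ESP;
    t.family   = AF_INET;
    t.reqid    = reqid;
    t.mode     = XFRM_MODE_TRANSPORT;
    t.aalgos = t.ealgos = t.calgos = ~0u;   /* accept any algorithm */
    return t;
}

/* Build the IP_XFRM_POLICY payload: xfrm_userpolicy_info followed directly by
 * the template array. That is all xfrm_compile_policy() reads; there is no
 * attribute area, so no XFRMA_SEC_CTX can be attached on this path.
 * Returns the payload length, or -1 on bad arguments. */
static int build_socket_policy(unsigned char *buf, size_t cap,
                               const char *src, const char *dst, uint8_t dir,
                               const struct xfrm_user_tmpl *tmpls, int ntmpl)
{
    struct xfrm_userpolicy_info p;
    size_t need;

    if (ntmpl < 1 || ntmpl > EX_MAX_TMPL || dir > XFRM_POLICY_OUT)
        return -1;
    need = sizeof(p) + (size_t)ntmpl * sizeof(*tmpls);
    if (need > cap)
        return -1;

    memset(&p, 0, sizeof(p));
    p.sel.family = AF_INET;   /* must match the socket family or the kernel rejects it */
    if (inet_pton(AF_INET, src, &p.sel.saddr.a4) != 1 ||
        inet_pton(AF_INET, dst, &p.sel.daddr.a4) != 1)
        return -1;
    p.sel.prefixlen_s = 32;
    p.sel.prefixlen_d = 32;
    p.lft.soft_byte_limit = p.lft.hard_byte_limit = XFRM_INF;
    p.lft.soft_packet_limit = p.lft.hard_packet_limit = XFRM_INF;
    p.dir    = dir;                 /* XFRM_POLICY_IN or XFRM_POLICY_OUT only */
    p.action = XFRM_POLICY_ALLOW;
    p.share  = XFRM_SHARE_ANY;

    memcpy(buf, &p, sizeof(p));
    memcpy(buf + sizeof(p), tmpls, (size_t)ntmpl * sizeof(*tmpls));
    return (int)need;
}

/* Mirror of how the kernel counts templates: nr = (len - sizeof(info)) / sizeof(tmpl).
 * Any trailing bytes that are not a whole template are simply ignored. */
static int kernel_template_count(int len)
{
    if (len < (int)sizeof(struct xfrm_userpolicy_info))
        return -1;
    return (len - (int)sizeof(struct xfrm_userpolicy_info)) /
           (int)sizeof(struct xfrm_user_tmpl);
}

/* Install the policy on one socket. Needs CAP_NET_ADMIN; returns 0 or -errno. */
static int apply_socket_policy(int fd, const unsigned char *buf, int len)
{
    if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, buf, (socklen_t)len) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    unsigned char buf[512];
    struct xfrm_user_tmpl t = esp_transport_tmpl(1);
    int len = build_socket_policy(buf, sizeof buf, EX_SRC, EX_DST,
                                  XFRM_POLICY_OUT, &t, 1);
    int fd, rc;

    if (len < 0)
        return 1;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 1;
    rc = apply_socket_policy(fd, buf, len);
    printf("payload %d bytes, %d template(s), setsockopt: %s\n",
           len, kernel_template_count(len), rc ? strerror(-rc) : "ok");
    close(fd);
    return 0;
}
```

Run as an unprivileged user the setsockopt fails with EPERM (the kernel's xfrm_user_policy() requires CAP_NET_ADMIN), and on a kernel without CONFIG_XFRM it fails with ENOPROTOOPT; the payload construction itself is what the example is about. Compare this with the pfkey socket-policy path, where the label arrives in its own SADB_X_EXT_SEC_CTX extension: that separate extension is what pfkey_compile_policy() reads, and the flat info-plus-templates layout above has no equivalent slot, which is the asymmetry Steffen points at.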