[redhat-lspp] [PATCH 3/3]: labeled ipsec policy

Joy Latten latten at austin.ibm.com
Tue Jan 9 00:23:35 UTC 2007


diff -urpN serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.fc serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.fc
--- serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.fc	2007-01-05 10:47:48.000000000 -0600
+++ serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.fc	2007-01-08 14:48:59.000000000 -0600
@@ -7,7 +7,7 @@
 
 /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
-/sbin/setkey			--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib(64)?/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/lib(64)?/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -26,8 +26,7 @@
 /usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
-/usr/sbin/racoon		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/setkey		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
diff -urpN serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.if serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.if
--- serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.if	2007-01-05 10:47:48.000000000 -0600
+++ serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.if	2007-01-08 14:48:59.000000000 -0600
@@ -138,3 +138,83 @@ interface(`ipsec_labeled',`
 	allow $1 ipsec_spd_t:association polmatch;
 	allow $1 self:association { sendto recvfrom };
 ')
+
+########################################
+## <summary>
+##	Execute racoon in the racoon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_racoon_domtrans',`
+	gen_require(`
+		type racoon_t, racoon_exec_t;
+	')
+
+	domain_auto_trans($1,racoon_exec_t,racoon_t)
+
+	allow $1 racoon_t:fd use;
+	allow racoon_t $1:fd use;
+	allow racoon_t $1:fifo_file rw_file_perms;
+	allow racoon_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute setkey in the setkey domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_setkey_domtrans',`
+	gen_require(`
+		type setkey_t, setkey_exec_t;
+	')
+	domain_auto_trans($1,setkey_exec_t,setkey_t)
+
+	allow $1 setkey_t:fd use;
+	allow setkey_t $1:fd use;
+	allow setkey_t $1:fifo_file rw_file_perms;
+	allow setkey_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute ipsec-tools in the setkey and racoon domains
+##	and allow the specified role the domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the racoon and setkey domains.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the racoon and setkey domains to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_tools_run',`
+	gen_require(`
+		type racoon_t, setkey_t;
+	')
+	ipsec_racoon_domtrans($1)
+	role $2 types racoon_t;
+	allow racoon_t $3:chr_file rw_term_perms;
+	
+	ipsec_setkey_domtrans($1)
+	role $2 types setkey_t;
+	allow setkey_t $3:chr_file rw_term_perms;
+')
diff -urpN serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.te serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.te
--- serefpolicy-2.4.6.patch2/policy/modules/system/ipsec.te	2007-01-05 10:47:48.000000000 -0600
+++ serefpolicy-2.4.6.patch3/policy/modules/system/ipsec.te	2007-01-08 14:48:58.000000000 -0600
@@ -35,9 +35,19 @@ files_lock_file(ipsec_mgmt_lock_t)
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
+#### types for ipsec-tools utilities  #####
 # default type for ipsec-tools ipsec policy
 type ipsec_spd_t;
 
+type racoon_t;
+type racoon_exec_t;
+init_daemon_domain(racoon_t,racoon_exec_t)
+role system_r types racoon_t;
+
+type setkey_t;
+type setkey_exec_t;
+init_system_domain(setkey_t,setkey_exec_t)
+role system_r types setkey_t;
 
 ########################################
 #
@@ -276,3 +286,99 @@ file_type_auto_trans(ipsec_mgmt_t, sysad
 
 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
 ') dnl end TODO
+
+
+########################################
+#
+# ipsec-tools utilities <setkey>
+#
+
+# allow setkey to set the context for ipsec SAs and policy.
+allow setkey_t ipsec_spd_t:association setcontext;
+
+allow setkey_t self:capability net_admin;
+allow setkey_t self:key_socket { create read setopt write };
+allow setkey_t self:netlink_route_socket { create_netlink_socket_perms };
+
+# need to be able to read selinux config files within setkey domain.
+allow setkey_t security_t:dir search;
+allow setkey_t security_t:file read;
+seutil_read_config(setkey_t)
+
+# allow setkey utility to set contexts on SA's and policy
+domain_setcontext(setkey_t)
+
+# allow setkey to read a config files in any directory.
+userdom_read_sysadm_home_content_files(setkey_t)
+userdom_read_all_users_home_content_files(setkey_t)
+
+# setkey will be run by sysadm, thus setkey needs access to sysadm ttys.
+userdom_use_sysadm_ttys(setkey_t)
+locallogin_use_fds(setkey_t)
+files_read_etc_files(setkey_t)
+libs_use_ld_so(setkey_t)
+libs_use_shared_libs(setkey_t)
+miscfiles_read_localization(setkey_t)
+
+########################################
+#
+# ipsec-tools utilities <racoon>
+#
+
+allow racoon_t self:udp_socket { create_socket_perms };
+allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+allow racoon_t self:capability { net_admin net_bind_service };
+
+# allow racoon to use avc_has_perm to check context on proposed SA
+allow racoon_t self:netlink_selinux_socket { bind create read };
+selinux_compute_access_vector(racoon_t)
+
+allow racoon_t self:key_socket { create read setopt write };
+allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
+
+allow racoon_t node_t:udp_socket node_bind;
+
+# so racoon can listen on admin port.
+allow racoon_t inaddr_any_node_t:tcp_socket node_bind;
+
+# allow racoon to use ISAKMP port
+allow racoon_t isakmp_port_t:udp_socket name_bind;
+
+corenet_non_ipsec_sendrecv(racoon_t)
+corenet_udp_bind_link_local_node(racoon_t)
+corenet_udp_bind_compat_ipv4_node(racoon_t)
+corenet_udp_bind_lo_node(racoon_t)
+kernel_read_network_state(racoon_t)
+corenet_udp_bind_site_local_node(racoon_t)
+seutil_read_config(setkey_t)
+
+# manage pid file
+allow racoon_t ipsec_var_run_t:file manage_file_perms;
+allow racoon_t ipsec_var_run_t:dir rw_dir_perms;
+allow racoon_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
+files_rw_generic_pids(racoon_t)
+allow racoon_t var_run_t:file setattr;
+
+allow racoon_t ipsec_conf_file_t:dir r_dir_perms;
+allow racoon_t ipsec_conf_file_t:file r_file_perms;
+allow racoon_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow racoon_t ipsec_key_file_t:dir r_dir_perms;
+allow racoon_t ipsec_key_file_t:file r_file_perms;
+allow racoon_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow racoon_t ipsec_spd_t:association setcontext;
+
+userdom_use_sysadm_ttys(racoon_t)
+locallogin_use_fds(racoon_t)
+
+# allow racoon to set contexts on ipsec policy and SAs
+domain_setcontext(racoon_t)
+
+logging_send_syslog_msg(racoon_t)
+files_read_etc_files(racoon_t)
+libs_use_ld_so(racoon_t)
+libs_use_shared_libs(racoon_t)
+miscfiles_read_localization(racoon_t)
+dev_read_urand(racoon_t)
diff -urpN serefpolicy-2.4.6.patch2/policy/modules/system/userdomain.te serefpolicy-2.4.6.patch3/policy/modules/system/userdomain.te
--- serefpolicy-2.4.6.patch2/policy/modules/system/userdomain.te	2007-01-05 10:47:48.000000000 -0600
+++ serefpolicy-2.4.6.patch3/policy/modules/system/userdomain.te	2007-01-08 17:21:59.000000000 -0600
@@ -275,6 +275,8 @@ ifdef(`strict_policy',`
 		ipsec_stream_connect(sysadm_t)
 		# for lsof
 		ipsec_getattr_key_sockets(sysadm_t)
+		ipsec_tools_run(sysadm_t,sysadm_r,admin_terminal)
+		ipsec_labeled(sysadm_t)
 	')
 
 	optional_policy(`




More information about the redhat-lspp mailing list