From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: ipsec tools domtrans patch
Date: Mon, 26 Mar 2007 19:44:09 +0000 [thread overview]
Message-ID: <1174938249.28830.74.camel@sgc> (raw)
In-Reply-To: <45F02D32.2040508@redhat.com>
On Thu, 2007-03-08 at 10:35 -0500, Daniel J Walsh wrote:
> --- nsaserefpolicy/policy/modules/system/ipsec.if 2007-01-02 12:57:49.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/ipsec.if 2007-03-08 10:31:24.000000000 -0500
> @@ -111,3 +111,103 @@
> files_search_pids($1)
> manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Allow an IPsec SA to be used by an IPsec Policy.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_labeled',`
> + gen_require(`
> + type ipsec_spd_t;
> + ')
> +
> + allow $1 ipsec_spd_t:association polmatch;
> + domain_ipsec_labels($1)
> +')
Not so sure about this one. I don't think we want to allow sending and
receiving to all domains.
> +########################################
> +## <summary>
> +## Execute racoon in the racoon domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_domtrans_racoon',`
> + gen_require(`
> + type racoon_t, racoon_exec_t;
> + ')
> +
> + domain_auto_trans($1,racoon_exec_t,racoon_t)
> +
> + allow $1 racoon_t:fd use;
> + allow racoon_t $1:fd use;
> + allow racoon_t $1:fifo_file rw_file_perms;
> + allow racoon_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +## Execute setkey in the setkey domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_domtrans_setkey',`
> + gen_require(`
> + type setkey_t, setkey_exec_t;
> + ')
> + domain_auto_trans($1,setkey_exec_t,setkey_t)
> +
> + allow $1 setkey_t:fd use;
> + allow setkey_t $1:fd use;
> + allow setkey_t $1:fifo_file rw_file_perms;
> + allow setkey_t $1:process sigchld;
> +')
Merged these
> +########################################
> +## <summary>
> +## Execute ipsec-tools in the setkey and racoon domains
> +## and allow the specified role the domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed the racoon and setkey domains.
> +## </summary>
> +## </param>
> +## <param name="terminal">
> +## <summary>
> +## The type of the terminal allow the racoon and setkey domains to use.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`ipsec_run_tools',`
> + gen_require(`
> + type racoon_t, setkey_t;
> + ')
> + ipsec_domtrans_racoon($1)
> + role $2 types racoon_t;
> + allow racoon_t $3:chr_file rw_term_perms;
> +
> + ipsec_domtrans_setkey($1)
> + role $2 types setkey_t;
> + allow setkey_t $3:chr_file rw_term_perms;
> +')
Turned this into ipsec run setkey. Racoon is a daemon so it doesn't
make sense to be here.
> --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-02-19 11:32:51.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/kernel/domain.if 2007-03-08 08:42:36.000000000 -0500
> @@ -1254,3 +1254,21 @@
> typeattribute $1 can_change_object_identity;
> typeattribute $1 set_curr_context;
> ')
> +
> +########################################
> +## <summary>
> +## Allow specified type to associate ipsec packets from any domain
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type of subject to be allowed this.
> +## </summary>
> +## </param>
> +#
> +interface(`domain_ipsec_labels',`
> + gen_require(`
> + attribute domain;
> + ')
> +
> + allow $1 domain:association { sendto recvfrom };
> +')
> --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.if 2007-03-08 10:30:10.000000000 -0500
> @@ -1313,6 +1318,8 @@
>
> init_exec($1)
>
> + ipsec_run_tools($1,$2,$3)
> +
> logging_send_syslog_msg($1)
> logging_read_audit_log($1)
> logging_read_generic_logs($1)
changed this do ipsec_run_setkey and made it optional.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2007-03-26 19:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-08 15:35 ipsec tools domtrans patch Daniel J Walsh
2007-03-26 19:44 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1174938249.28830.74.camel@sgc \
--to=cpebenito@tresys.com \
--cc=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.