From: petre rodan <kaiowas@gentoo.org>
To: selinux@tycho.nsa.gov
Subject: gentoo diff for ipsec
Date: Thu, 07 Oct 2004 11:42:28 +0300	[thread overview]
Message-ID: <41650174.4090103@gentoo.org> (raw)




Hi!

This policy was generated using the ipsec-tools that come with gentoo [1].
setkey was used to set up the Security Policy Database and Security Association Database, and racoon to do the x509 certificate exchange.

the diff is needed because:

ipsec_conf_file_t is a directory structure, not a single file

ipsec_key_file_t is a directory structure that also contains symlinks (one of the ipsec_key_file_t directories must contain openssl hash-links to each certificate)

racoon is the IKE daemon that is started by initrc_t. So this is why the daemon_base_domain is used.


[1]. http://ipsec-tools.sourceforge.net/

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: selinux-ipsec-tools.diff --]
[-- Type: text/plain, Size: 1618 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/ipsec.fc	2004-09-09 18:27:39.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ipsec-tools/ipsec.fc	2004-10-06 04:59:57.000000000 +0300
@@ -25,3 +25,6 @@
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
 /usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
+/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t
+/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t
+/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t
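Review bot: the three new file_contexts entries overlap, since `/etc/racoon(/.*)?` also matches `/etc/racoon/certs` and `/etc/racoon/psk.txt`; this works only because setfiles applies the most specific matching regex, so the two more specific ipsec_key_file_t entries win. A short comment above the block saying the certs and psk.txt lines deliberately override the general conf entry would save the next reader from assuming the whole tree is ipsec_conf_file_t, and the result should be confirmed with `matchpathcon /etc/racoon/certs` after relabeling. Note also that the `certs(/.*)?` line correctly has no `--` file-type column, so the OpenSSL hash symlinks mentioned in the message get labeled too, whereas `psk\.txt` is restricted to regular files.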
--- /root/public_html/policy/nsa/domains/program/unused/ipsec.te	2004-09-23 05:08:20.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ipsec-tools/ipsec.te	2004-10-06 06:12:51.000000000 +0300
@@ -10,10 +10,7 @@
 # Rules for the ipsec_t domain.
 #
 # a domain for things that need access to the PF_KEY socket
-type ipsec_t, domain, privlog;
-
-# type for executables that will run in the ipsec_t domain
-type ipsec_exec_t, file_type, sysadmfile, exec_type;
+daemon_base_domain(ipsec, `, privlog')
 
 # type for ipsec configuration file(s) - not for keys
 type ipsec_conf_file_t, file_type, sysadmfile;
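Review bot: replacing the two explicit `type` declarations with `daemon_base_domain(ipsec, `, privlog')` does more than declare ipsec_t and ipsec_exec_t; the macro also adds the initrc_t domain transition and related daemon rules, so the remaining comment `# a domain for things that need access to the PF_KEY socket` should be extended to say that both types and the initrc_t transition now come from the macro (the removed `# type for executables ...` comment was the only place ipsec_exec_t was documented). Since the macro version of ipsec_exec_t may not carry the `sysadmfile` attribute the old declaration had, please confirm that sysadm_t can still relabel and manage the binaries, and check whether daemon_base_domain already grants the initrc_t fd use and fifo access, in which case the explicit `allow ipsec_t initrc_t:fifo_file { write };` kept below becomes redundant.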
@@ -48,9 +45,8 @@
 # I do not know where this pesky pipe is...
 allow ipsec_t initrc_t:fifo_file { write };
 
-allow ipsec_t ipsec_conf_file_t:file { getattr read ioctl };
-allow ipsec_t ipsec_key_file_t:file { getattr read ioctl };
-allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+r_dir_file(ipsec_t, ipsec_conf_file_t)
+r_dir_file(ipsec_t, ipsec_key_file_t)
 allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
 rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
 
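Review bot: `r_dir_file(ipsec_t, ipsec_key_file_t)` needs to cover lnk_file as well as dir and file, because the message says one ipsec_key_file_t directory holds OpenSSL hash symlinks to the certificates; if the macro in this policy tree only grants dir and file permissions, an explicit `allow ipsec_t ipsec_key_file_t:lnk_file { getattr read };` is needed or racoon will fail to follow the hash links when verifying peers. The same asymmetry now affects ipsec_mgmt_t: the unchanged `allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };` grants no dir search, yet the ipsec.fc hunk labels the `/etc/racoon` directory itself ipsec_conf_file_t, so ipsec_mgmt_t should probably get `r_dir_file(ipsec_mgmt_t, ipsec_conf_file_t)` for consistency with the ipsec_t change.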

