gentoo diff for ipsec

gentoo diff for ipsec

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 703 bytes --]


Hi!

This policy was generated using the ipsec-tools that comes with gentoo [1]
setkey was used to set-up the Security Policy Database and Security Association Database and racoon to do the x509 certificate exchange.

the diff is needed because:

ipsec_conf_file_t is a directory structure, not a single file

ipsec_key_file_t is a directory structure that also contains symlinks (one of the ipsec_key_file_t directories must contain openssl hash-links to each certificate)

racoon is the IKE daemon that is started by initrc_t. so this is why the daemon_base_domain is used.


[1]. http://ipsec-tools.sourceforge.net/

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: selinux-ipsec-tools.diff --]
[-- Type: text/plain, Size: 1618 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/ipsec.fc	2004-09-09 18:27:39.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ipsec-tools/ipsec.fc	2004-10-06 04:59:57.000000000 +0300
@@ -25,3 +25,6 @@
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
 /usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
+/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t
+/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t
+/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t
--- /root/public_html/policy/nsa/domains/program/unused/ipsec.te	2004-09-23 05:08:20.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ipsec-tools/ipsec.te	2004-10-06 06:12:51.000000000 +0300
@@ -10,10 +10,7 @@
 # Rules for the ipsec_t domain.
 #
 # a domain for things that need access to the PF_KEY socket
-type ipsec_t, domain, privlog;
-
-# type for executables that will run in the ipsec_t domain
-type ipsec_exec_t, file_type, sysadmfile, exec_type;
+daemon_base_domain(ipsec, `, privlog')
 
 # type for ipsec configuration file(s) - not for keys
 type ipsec_conf_file_t, file_type, sysadmfile;
@@ -48,9 +45,8 @@
 # I do not know where this pesky pipe is...
 allow ipsec_t initrc_t:fifo_file { write };
 
-allow ipsec_t ipsec_conf_file_t:file { getattr read ioctl };
-allow ipsec_t ipsec_key_file_t:file { getattr read ioctl };
-allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+r_dir_file(ipsec_t, ipsec_conf_file_t)
+r_dir_file(ipsec_t, ipsec_key_file_t)
 allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
 rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
 

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for ipsec

[James Carter]

[-- Attachment #1: Type: text/plain, Size: 1233 bytes --]

Merged.
The ipsec stuff definitely needs some more work.

I have attached is an ipsec.te file that uses daemon_domain for both the
ipsec and ipsec_mgmt stuff, removes the rules covered by daemon_domain,
removes all the comments so all of the allow rules can easily be seen,
and groups the allow rules.

Now, what can be eliminated?

Petre posted on Oct 25th racoon te and fc files.  Maybe we should split
out the key management stuff.

Any thoughts?

On Thu, 2004-10-07 at 04:42, petre rodan wrote:
> Hi!
> 
> This policy was generated using the ipsec-tools that comes with gentoo [1]
> setkey was used to set-up the Security Policy Database and Security Association Database and racoon to do the x509 certificate exchange.
> 
> the diff is needed because:
> 
> ipsec_conf_file_t is a directory structure, not a single file
> 
> ipsec_key_file_t is a directory structure that also contains symlinks (one of the ipsec_key_file_t directories must contain openssl hash-links to each certificate)
> 
> racoon is the IKE daemon that is started by initrc_t. so this is why the daemon_base_domain is used.
> 
> 
> [1]. http://ipsec-tools.sourceforge.net/
> 
> bye,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: ipsec_new.te --]
[-- Type: text/plain, Size: 5642 bytes --]

#DESC ipsec - TCP/IP encryption
#
# Authors: Mark Westerman mark.westerman@westcam.com
# massively butchered by paul krumviede <pwk@acm.org>
# further massaged by Chris Vance <cvance@tislabs.com>
# X-Debian-Packages: freeswan
#
########################################
#
# Both ipsec_t and ipsec_mgmt_t 
#
type ipsec_conf_file_t, file_type, sysadmfile;
type ipsec_key_file_t, file_type, sysadmfile;

#
# ipsec_t
#
daemon_domain(ipsec)

domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)

can_exec(ipsec_t, bin_t)
can_exec(ipsec_t, shell_exec_t)
can_exec(ipsec_t, ipsec_mgmt_exec_t)
can_network(ipsec_t)
can_ypbind(ipsec_t)
general_proc_read_access(ipsec_t)

allow ipsec_t self:capability { net_admin net_bind_service };
allow ipsec_t self:capability { dac_override dac_read_search };
allow ipsec_t self:fifo_file { read getattr };
allow ipsec_t self:key_socket { create write read };
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
allow ipsec_t self:unix_dgram_socket { create connect write };
allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };

allow ipsec_t bin_t:lnk_file read;
allow ipsec_t bin_t:dir { search };
allow ipsec_t etc_t:lnk_file read;
allow ipsec_t etc_t:file { read getattr };
allow ipsec_t console_device_t:chr_file rw_file_perms;
allow ipsec_t { initrc_t privfd }:fd use;
allow ipsec_t initrc_t:fifo_file { write };
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
allow ipsec_t reserved_port_t:udp_socket { name_bind };
allow ipsec_t { urandom_device_t random_device_t }:chr_file r_file_perms;

allow ipsec_t ipsec_conf_file_t:file { getattr read ioctl };
r_dir_file(ipsec_t, ipsec_key_file_t)

dontaudit ipsec_t ttyfile:chr_file { read write };

allow sysadm_t ipsec_t:key_socket getattr;
allow sysadm_t ipsec_t:unix_stream_socket connectto;



#
# ipsec_mgmt_t
#
daemon_domain(ipsec_mgmt,`,admin, privmodule')

domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)

can_exec(ipsec_mgmt_t, bin_t)
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
can_exec(ipsec_mgmt_t, shell_exec_t)
can_exec(ipsec_mgmt_t, sbin_t)
can_exec(ipsec_mgmt_t, etc_t)
can_exec(ipsec_mgmt_t, initrc_exec_t)
ifdef(`consoletype.te', `
can_exec(ipsec_mgmt_t, consoletype_exec_t )
')

general_proc_read_access(ipsec_mgmt_t)
rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)

allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t self:capability { net_admin dac_override };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
allow ipsec_mgmt_t self:udp_socket { create ioctl };
allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
allow ipsec_mgmt_t self:key_socket { create setopt };
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;

allow ipsec_mgmt_t bin_t:dir { search };
allow ipsec_mgmt_t bin_t:lnk_file read;
allow ipsec_mgmt_t boot_t:dir search;
allow ipsec_mgmt_t console_device_t:chr_file rw_file_perms;
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
allow ipsec_mgmt_t device_t:dir read;
allow ipsec_mgmt_t etc_t:lnk_file read;
allow ipsec_mgmt_t etc_t:file { read getattr };
allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
allow ipsec_mgmt_t fs_t:filesystem getattr;
allow ipsec_mgmt_t { initrc_t privfd }:fd use;
allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
allow ipsec_mgmt_t modules_object_t:dir search;
allow ipsec_mgmt_t modules_object_t:file getattr;
allow ipsec_mgmt_t sbin_t:lnk_file read;
allow ipsec_mgmt_t sbin_t:dir { search };
allow ipsec_mgmt_t sysctl_t:file write;
allow ipsec_mgmt_t sysctl_net_t:dir { search };
allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
allow ipsec_mgmt_t system_map_t:file { read getattr };
allow ipsec_mgmt_t { urandom_device_t random_device_t }:chr_file r_file_perms;
allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
allow ipsec_mgmt_t var_lock_t:file create_file_perms;

allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };

dontaudit ipsec_mgmt_t default_t:dir { getattr };
dontaudit ipsec_mgmt_t default_t:file { getattr };
dontaudit ipsec_mgmt_t device_t:lnk_file read;
dontaudit ipsec_mgmt_t devpts_t:dir getattr;
dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
dontaudit ipsec_mgmt_t domain:key_socket { read write };
dontaudit ipsec_mgmt_t domain:udp_socket { read write };
dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
dontaudit ipsec_mgmt_t selinux_config_t:dir { search };

can_exec(sysadm_t, ipsec_mgmt_exec_t)