From: petre rodan <kaiowas@gentoo.org>
To: Park Lee <parklee_sel@yahoo.com>
Cc: sds@epoch.ncsc.mil, SELinux@tycho.nsa.gov, rusinskystanislas@yahoo.fr
Subject: Re: SELinux with IPSec - something going on ?
Date: Mon, 25 Oct 2004 18:51:18 +0300	[thread overview]
Message-ID: <417D20F6.1080607@gentoo.org> (raw)
In-Reply-To: <20041024093014.14853.qmail@web51506.mail.yahoo.com>

Hi,

here is a fresh ipsec-tools [1] policy made for gentoo.
It works flawlessly with my setup [2] (the doc is work in progress).

[1] http://ipsec-tools.sourceforge.net/
[2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-howto.html

is this usable for any of you?

bye,
peter

Park Lee wrote:
> On 2003-11-17 at 14:37 Stephen Smalley wrote:
>  
>  >We have not done any work on integrating SELinux with IPSEC yet;
>  >at this point, such work would presumably be done based on the new
>  >Linux 2.6 IPSEC implementation.
>  
> Now that 11 months have passed, has any work been done to integrate IPSec
> with SELinux?
> I also want to see if there is something I can do with it.
>  
> Thanks.
> 

--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: racoon.fc --]
[-- Type: text/plain, Size: 458 bytes --]


/etc/ipsec\.conf	--	system_u:object_r:setkey_conf_file_t
/etc/racoon(/.*)?		system_u:object_r:racoon_conf_file_t
/etc/racoon/certs(/.*)?		system_u:object_r:racoon_key_file_t
/etc/racoon/psk\.txt	--	system_u:object_r:racoon_key_file_t

/usr/sbin/racoon	--	system_u:object_r:racoon_exec_t
/usr/sbin/setkey	--	system_u:object_r:setkey_exec_t

/var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
/var/run/racoon\.pid	--	system_u:object_r:racoon_var_run_t

[-- Attachment #1.3: racoon.te --]
[-- Type: text/plain, Size: 1168 bytes --]

#DESC ipsec-tools
#
# Author: petre rodan <kaiowas@gentoo.org>


daemon_base_domain(racoon, `, privlog')

type racoon_conf_file_t, file_type, sysadmfile;
type racoon_key_file_t, file_type, sysadmfile;

var_run_domain(racoon)
read_locale(racoon_t)
can_network(racoon_t)

allow racoon_t self:capability { net_admin net_bind_service };

r_dir_file(racoon_t, racoon_conf_file_t)
r_dir_file(racoon_t, racoon_key_file_t)


daemon_domain(setkey)

type setkey_conf_file_t, file_type, sysadmfile;


define(`setkey_domain', `

uses_shlib($1_t)
read_locale($1_t)

allow $1_t self:capability { net_admin };
allow $1_t setkey_conf_file_t:file r_file_perms;

') dnl end setkey_domain


define(`setkey_userdomain', `

# derived domain based on the calling user domain
type $1_setkey_t, domain;

domain_auto_trans($1_t, setkey_exec_t, $1_setkey_t)
role $1_r types $1_setkey_t;

setkey_domain($1_setkey)

# this is why there is a setkey_userdomain :)
allow $1_setkey_t { $1_tty_device_t $1_devpts_t }:chr_file { getattr read write };
allow $1_setkey_t privfd:fd use;
') dnl end setkey_userdomain


# one for initrc
setkey_domain(setkey)

# and one for sysadm
setkey_userdomain(sysadm)
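A check worth running against the racoon.fc above (example code added here, not part of petre's mail or of ipsec-tools): it parses file_contexts lines and resolves a path the way libselinux's file backend does (the regex must match the whole path, the optional type flag must agree, and the last matching line wins), so you can confirm that the more specific entries such as psk\.txt and certs(/.*)? override the broad /etc/racoon(/.*)? line rather than being shadowed by it. The entries are a constructed inline copy of the attachment, so nothing here touches the running system's policy.

```python
import re

# Constructed copy of the racoon.fc entries from the mail, embedded so the
# example runs offline (fields are: regex, optional type flag, context).
RACOON_FC = r"""
/etc/ipsec\.conf        --  system_u:object_r:setkey_conf_file_t
/etc/racoon(/.*)?           system_u:object_r:racoon_conf_file_t
/etc/racoon/certs(/.*)?     system_u:object_r:racoon_key_file_t
/etc/racoon/psk\.txt    --  system_u:object_r:racoon_key_file_t
/usr/sbin/racoon        --  system_u:object_r:racoon_exec_t
/usr/sbin/setkey        --  system_u:object_r:setkey_exec_t
/var/run/pluto\.ctl     -s  system_u:object_r:racoon_var_run_t
/var/run/racoon\.pid    --  system_u:object_r:racoon_var_run_t
"""

# file_contexts type flags and the object class each one restricts a line to
FLAGS = {"--": "file", "-d": "dir", "-s": "sock", "-l": "link",
         "-c": "chr", "-b": "blk", "-p": "pipe"}


def parse_fc(text):
    """Return a list of (compiled_regex, type_or_None, context) in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:            # no flag: matches any object class
            regex, flag, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FLAGS:
            regex, flag, ctx = fields[0], FLAGS[fields[1]], fields[2]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile(regex), flag, ctx))
    return specs


def lookup_context(path, ftype="file", specs=None):
    """Resolve path like libselinux's file backend: the regex must match the
    whole path, the type flag (if any) must agree with ftype, and of all
    matching lines the last one in the file wins."""
    if specs is None:
        specs = parse_fc(RACOON_FC)
    for regex, flag, ctx in reversed(specs):
        if flag is not None and flag != ftype:
            continue
        if regex.fullmatch(path):
            return ctx
    return None
```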
