* VPN module
@ 2006-04-05 11:59 Erich Schubert
  2006-04-05 14:49 ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Erich Schubert @ 2006-04-05 11:59 UTC (permalink / raw)
  To: SE Linux

Hi,
I'll probably write an OpenVPN module sometime soon.
We already have a "vpn" module, but that is only for the vpnc client so
far.
Should I
- try to make a single module for both (I consider that a bad idea,
since vpnc is a client only for cisco VPNs, whereas OpenVPN can be used
as a full-blown VPN server and is much more flexible)
- rename the vpn policy to vpnc and make a new "openvpn" module?

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C   (o_
     Go away or i'll replace you with a very small shell script.    //\
   It is more shameful to distrust one's friends than to be deceived   V_/_
        by them. --- François de la Rochefoucauld



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: VPN module
  2006-04-05 11:59 VPN module Erich Schubert
@ 2006-04-05 14:49 ` Christopher J. PeBenito
  2006-04-05 15:04   ` Joshua Brindle
  2006-04-14 18:51   ` Petre Rodan
  0 siblings, 2 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2006-04-05 14:49 UTC (permalink / raw)
  To: Erich Schubert; +Cc: SE Linux

On Wed, 2006-04-05 at 13:59 +0200, Erich Schubert wrote:
> Hi,
> I'll probably write an OpenVPN module sometime soon.
> We already have a "vpn" module, but that is only for the vpnc client so
> far.
> Should I
> - try to make a single module for both (I consider that a bad idea,
> since vpnc is a client only for cisco VPNs, whereas OpenVPN can be used
> as a full-blown VPN server and is much more flexible)
> - rename the vpn policy to vpnc and make a new "openvpn" module?

Creating openvpn will be fine, but the vpn module has to stay as is,
because we can't rename modules, because it causes upgrade issues.  For
example, if you have a vpn module inserted, and you try to insert vpnc
module, it fails because of duplicate symbols.  Perhaps we need support
in modules for one module to deprecate another, so if you insert the
vpnc module, libsemanage automatically removes vpn as part of the
transaction.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: VPN module
  2006-04-05 14:49 ` Christopher J. PeBenito
@ 2006-04-05 15:04   ` Joshua Brindle
  2006-04-05 16:09     ` Erich Schubert
  2006-04-14 18:51   ` Petre Rodan
  1 sibling, 1 reply; 10+ messages in thread
From: Joshua Brindle @ 2006-04-05 15:04 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Erich Schubert, SE Linux

Christopher J. PeBenito wrote:
> On Wed, 2006-04-05 at 13:59 +0200, Erich Schubert wrote:
>> Hi,
>> I'll probably write an OpenVPN module sometime soon.
>> We already have a "vpn" module, but that is only for the vpnc client so
>> far.
>> Should I
>> - try to make a single module for both (I consider that a bad idea,
>> since vpnc is a client only for cisco VPNs, whereas OpenVPN can be used
>> as a full-blown VPN server and is much more flexible)
>> - rename the vpn policy to vpnc and make a new "openvpn" module?
> 
> Creating openvpn will be fine, but the vpn module has to stay as is,
> because we can't rename modules, because it causes upgrade issues.  For
> example, if you have a vpn module inserted, and you try to insert vpnc
> module, it fails because of duplicate symbols.  Perhaps we need support
> in modules for one module to deprecate another, so if you insert the
> vpnc module, libsemanage automatically removes vpn as part of the
> transaction.
> 

I think this is a package manager issue, not a module issue. Package 
managers already know how to handle complex relationships and I don't 
know why we would reproduce that in libsemanage.


* Re: VPN module
  2006-04-05 15:04   ` Joshua Brindle
@ 2006-04-05 16:09     ` Erich Schubert
  0 siblings, 0 replies; 10+ messages in thread
From: Erich Schubert @ 2006-04-05 16:09 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Christopher J. PeBenito, SE Linux

Hi,
> > Creating openvpn will be fine, but the vpn module has to stay as is,
> > because we can't rename modules, because it causes upgrade issues.  For

I think we'll hit that problem sooner or later, and in order to do some
automatic module loading we'll need much more magic anyway. Apart from
that I don't think we need to be very careful with upgrading policy
anyway, because the admin might have customized it.
So on the one hand, I'd try to change such obvious things like this as
early as possible (the module is badly named, it should be called vpnc!)
so it will affect as few people as possible, on the other hand we'll
probably need all this sooner or later anyway. So we should start
planning tools for that.
(e.g. how to extract dependency / conflict information from modules, how
to map packages to modules that should be loaded)

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
   To understand recursion you first need to understand recursion.   //\
    Really good friends only make themselves scarce when you need    V_/_
            them. --- Charles Maurice de Talleyrand



* Re: VPN module
  2006-04-05 14:49 ` Christopher J. PeBenito
  2006-04-05 15:04   ` Joshua Brindle
@ 2006-04-14 18:51   ` Petre Rodan
  2006-04-14 20:07     ` Christopher J. PeBenito
  1 sibling, 1 reply; 10+ messages in thread
From: Petre Rodan @ 2006-04-14 18:51 UTC (permalink / raw)
  To: SE Linux; +Cc: Chris PeBenito, Erich Schubert


Hi,

We had to come up with an openvpn module asap and, due to the fact that Erich did not have it on his high priority todo list, I went ahead and wrote it.

cheers,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux 

[-- Attachment #1.2: openvpn.fc --]
[-- Type: text/plain, Size: 346 bytes --]


#
# /etc
#
/etc/openvpn(/.*)?         gen_context(system_u:object_r:openvpn_etc_t,s0)

#
# /usr
#
/usr/sbin/openvpn       -- gen_context(system_u:object_r:openvpn_exec_t,s0)

#
# /var
#
/var/log/openvpn.*      -- gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn.*      -- gen_context(system_u:object_r:openvpn_var_run_t,s0)


[-- Attachment #1.3: openvpn.if --]
[-- Type: text/plain, Size: 53 bytes --]

## <summary>full-featured SSL VPN solution</summary>

[-- Attachment #1.4: openvpn.te --]
[-- Type: text/plain, Size: 2466 bytes --]


policy_module(openvpn,1.0.0)


########################################
#
# Declarations
#

# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
init_daemon_domain(openvpn_t, openvpn_exec_t)

# configuration files
type openvpn_etc_t;
files_type(openvpn_etc_t)

# log files
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)

# pid files
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)

########################################
#
# openvpn local policy
#

allow openvpn_t self:capability { net_admin setgid setuid };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;

kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)

allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
allow openvpn_t openvpn_var_log_t:file create_file_perms;
allow openvpn_t openvpn_var_run_t:file create_file_perms;

allow initrc_t openvpn_etc_t:dir r_dir_perms;
allow initrc_t openvpn_etc_t:file r_file_perms;
allow initrc_t openvpn_etc_t:lnk_file { getattr read };

corecmd_exec_bin(openvpn_t)
corecmd_exec_sbin(openvpn_t)
corecmd_exec_shell(openvpn_t)

corenet_non_ipsec_sendrecv(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_tcp_bind_all_nodes(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_all_ports(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_all_nodes(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_ports(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_node(openvpn_t)

dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)

files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)

libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)

sysnet_exec_ifconfig(openvpn_t)

optional_policy(`
	daemontools_service_domain(openvpn_t,openvpn_exec_t)
')



* Re: VPN module
  2006-04-14 18:51   ` Petre Rodan
@ 2006-04-14 20:07     ` Christopher J. PeBenito
  2006-04-17 22:18       ` Erich Schubert
  2006-04-17 22:23       ` Erich Schubert
  0 siblings, 2 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2006-04-14 20:07 UTC (permalink / raw)
  To: Petre Rodan; +Cc: SE Linux, Erich Schubert

On Fri, 2006-04-14 at 21:51 +0300, Petre Rodan wrote:
> We had to come up with an openvpn module asap and due to the fact that
> Erich did not have it on his high priority todo list, I went ahead and
> wrote it.

Merged.  One fix, I moved the initrc_t reading openvpn_etc_t to the init
module.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: VPN module
  2006-04-14 20:07     ` Christopher J. PeBenito
@ 2006-04-17 22:18       ` Erich Schubert
  2006-04-18 15:34         ` Christopher J. PeBenito
  2006-04-17 22:23       ` Erich Schubert
  1 sibling, 1 reply; 10+ messages in thread
From: Erich Schubert @ 2006-04-17 22:18 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Petre Rodan, SE Linux

Hello Christopher,
> Merged.  One fix, I moved the initrc_t reading openvpn_etc_t to the init
> module.

policy/modules/kernel/corenetwork.te.in currently has port 5000 for
OpenVPN.

Port 1194 is the official IANA port for OpenVPN and should be added, too
(or maybe even instead of port 5000, which is more likely to conflict
with custom applications IMHO)

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 Why waste time learning, when ignorance is instantaneous? --- Calvin //\
   When two are good friends who know one another, sun and moon will  V_/_
     meet before they part. --- Clemens von Brentano



* Re: VPN module
  2006-04-14 20:07     ` Christopher J. PeBenito
  2006-04-17 22:18       ` Erich Schubert
@ 2006-04-17 22:23       ` Erich Schubert
  2006-04-18 15:36         ` Christopher J. PeBenito
  1 sibling, 1 reply; 10+ messages in thread
From: Erich Schubert @ 2006-04-17 22:23 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Petre Rodan, SE Linux

Hi Christopher,
Two more issues with openvpn:
avc:  denied  { sys_tty_config } for  pid=2716 comm="sh" capability=26
scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
avc:  denied  { search } for  pid=2717 comm="openvpn" name="tun0"
dev=sysfs ino=8054 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

The first looks pretty straightforward, I don't know about sysfs handling
in SELinux...

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     This one's tricky. You have to use imaginary numbers, like     //\
                      eleventeen... --- Hobbes                      V_/_
           A beautiful moment shines through a whole lifetime.




* Re: VPN module
  2006-04-17 22:18       ` Erich Schubert
@ 2006-04-18 15:34         ` Christopher J. PeBenito
  0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2006-04-18 15:34 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Petre Rodan, SE Linux

On Tue, 2006-04-18 at 00:18 +0200, Erich Schubert wrote:
> Hello Christopher,
> > Merged.  One fix, I moved the initrc_t reading openvpn_etc_t to the init
> > module.
> 
> policy/modules/kernel/corenetwork.te.in currently has port 5000 for
> OpenVPN.
> 
> Port 1194 is the official IANA port for OpenVPN and should be added, too
> (or maybe even instead of port 5000, which is more likely to conflict
> with custom applications IMHO)

I've removed 5000 and added 1194.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: VPN module
  2006-04-17 22:23       ` Erich Schubert
@ 2006-04-18 15:36         ` Christopher J. PeBenito
  0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2006-04-18 15:36 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Petre Rodan, SE Linux

On Tue, 2006-04-18 at 00:23 +0200, Erich Schubert wrote:
> Hi Christopher,
> Two more issues with openvpn:
> avc:  denied  { sys_tty_config } for  pid=2716 comm="sh" capability=26
> scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
> avc:  denied  { search } for  pid=2717 comm="openvpn" name="tun0"
> dev=sysfs ino=8054 scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
> 
> The first looks pretty straightforward, I don't know about sysfs handling
> in SELinux...

sys_tty_config can probably be dontaudited, as it is in almost all other
daemons.  Is the search on sysfs the only access needed, or is it
reading entries in sysfs?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


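The two denials quoted in this exchange, run through an added example (my code, not the thread's or refpolicy's): a small audit2allow-style translator that re-joins the mail-wrapped AVC records, groups permissions per (source type, target type, class), and emits raw rules, silencing sys_tty_config with dontaudit as Chris suggests. It assumes nothing beyond the Python standard library; DONTAUDIT_PERMS and the sample text are constructed here.

```python
# Added example, not code from the thread: an audit2allow-style translator for
# the two AVC denials Erich quoted, grouping permissions per (source, target, class).
import re
from collections import defaultdict

# 'fields' runs up to the next 'avc:' so records wrapped across lines still parse once joined
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)(?=\bavc:|$)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# (class, permission) pairs to silence rather than grant; sys_tty_config is the
# one Chris says is dontaudited in almost all other daemons.
DONTAUDIT_PERMS = {("capability", "sys_tty_config")}

def parse_avc(text):
    """Yield (perms, source_type, target_type, tclass) per denial; mail-wrapped lines are re-joined."""
    flat = " ".join(line.strip() for line in text.splitlines())
    for m in AVC_RE.finditer(flat):
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if {"scontext", "tcontext", "tclass"}.issubset(f):
            # contexts are user:role:type[:level]; only the type matters for a rule
            yield (frozenset(m.group("perms").split()),
                   f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])

def avc_to_rules(text):
    """One allow/dontaudit rule per (source, target, class); 'self' when source == target."""
    grouped = defaultdict(set)
    for perms, stype, ttype, tclass in parse_avc(text):
        grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        for kind in ("dontaudit", "allow"):
            chosen = sorted(p for p in perms
                            if ((tclass, p) in DONTAUDIT_PERMS) == (kind == "dontaudit"))
            if chosen:
                body = chosen[0] if len(chosen) == 1 else "{ " + " ".join(chosen) + " }"
                rules.append(f"{kind} {stype} {target}:{tclass} {body};")
    return rules

# Constructed sample: the two denials from the mail, wrapped exactly as quoted there.
SAMPLE = """\
avc:  denied  { sys_tty_config } for  pid=2716 comm="sh" capability=26
scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
avc:  denied  { search } for  pid=2717 comm="openvpn" name="tun0"
dev=sysfs ino=8054 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""
```

In a reference policy module the sysfs rule would be expressed through the devices interface (dev_search_sysfs(openvpn_t)) rather than a raw allow, and rules generated this way are a starting point for the review Chris asks for (search only, or reading entries too?), not something to load unread.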
