* [PATCH 7/7] labeled ipsec policy changes
From: Joy Latten @ 2006-12-15 1:42 UTC (permalink / raw)
To: selinux; +Cc: cpebenito
This patch defines domains for racoon and setkey
as well as the raw rules they require.
It also includes an interface in system/ipsec.if
to execute racoon and setkey in their own domains.
I call this interface in userdomain.te, so that
sysadm_t runs setkey and racoon in their own domains.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
ipsec.fc | 5 +-
ipsec.if | 30 ++++++++++++++++
ipsec.te | 107 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
userdomain.te | 1
4 files changed, 140 insertions(+), 3 deletions(-)
----------------------------------------------------------
diff -urpN serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.fc serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.fc
--- serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.fc 2006-12-14 11:40:21.000000000 -0600
+++ serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.fc 2006-12-14 15:04:48.000000000 -0600
@@ -7,7 +7,7 @@
/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
-/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -26,8 +26,7 @@
/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
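Review bot: the /usr/sbin/setkey entry is deleted instead of relabeled, so on an install that ships setkey under /usr/sbin the binary gets no setkey_exec_t label and no transition into setkey_t ever happens, while /sbin/setkey in the first hunk was converted. The same conversion is expected here: `/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)`.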
diff -urpN serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.if serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.if
--- serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.if 2006-12-14 12:04:40.000000000 -0600
+++ serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.if 2006-12-14 13:32:11.000000000 -0600
@@ -137,3 +137,33 @@ interface(`ipsec_label_sa_pol',`
allow $1 ipsec_spd_t:association polmatch;
')
+
+########################################
+## <summary>
+## Execute ipsec-tools in the appropriate ipsec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_tools_domtrans',`
+ gen_require(`
+ type racoon_t, racoon_exec_t, setkey_t, setkey_exec_t;
+ ')
+
+ domain_auto_trans($1,racoon_exec_t,racoon_t)
+
+ allow $1 racoon_t:fd use;
+ allow racoon_t $1:fd use;
+ allow racoon_t $1:fifo_file rw_file_perms;
+ allow racoon_t $1:process sigchld;
+
+ domain_auto_trans($1,setkey_exec_t,setkey_t)
+
+ allow $1 setkey_t:fd use;
+ allow setkey_t $1:fd use;
+ allow setkey_t $1:fifo_file rw_file_perms;
+ allow setkey_t $1:process sigchld;
+')
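Review bot: ipsec_tools_domtrans bundles two unrelated transitions and gives the caller no way to supply a role, so a caller running as sysadm_r still needs `role sysadm_r types racoon_t;` and `role sysadm_r types setkey_t;` declared somewhere for the transition to yield a valid context. The refpolicy convention is one domtrans interface per domain (e.g. ipsec_domtrans_racoon, ipsec_domtrans_setkey) plus run-style interfaces taking `(domain, role, terminal)` that add `role $2 types racoon_t;` and the terminal access; that would also replace the hard-coded userdom_use_sysadm_ttys() calls in ipsec.te. The summary should say that both racoon and setkey are covered.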
diff -urpN serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.te serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.te
--- serefpolicy-2.4.6.patchbox2/policy/modules/system/ipsec.te 2006-12-14 11:40:21.000000000 -0600
+++ serefpolicy-2.4.6.patchbox3/policy/modules/system/ipsec.te 2006-12-14 16:08:23.000000000 -0600
@@ -35,9 +35,20 @@ files_lock_file(ipsec_mgmt_lock_t)
type ipsec_mgmt_var_run_t;
files_pid_file(ipsec_mgmt_var_run_t)
+#### types for ipsec-tools utilities #####
# default type for ipsec-tools ipsec policy
type ipsec_spd_t;
+type racoon_t;
+type racoon_exec_t;
+init_daemon_domain(racoon_t,racoon_exec_t)
+role system_r types racoon_t;
+
+type setkey_t;
+type setkey_exec_t;
+init_system_domain(setkey_t,setkey_exec_t)
+role system_r types setkey_t;
+
########################################
#
# ipsec Local policy
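Review bot: setkey is an administrative command rather than something init starts, so init_system_domain(setkey_t,setkey_exec_t) grants init-related access it does not need; `domain_type(setkey_t)` with `domain_entry_file(setkey_t,setkey_exec_t)` is the usual minimum for a transient utility domain, and `role system_r types setkey_t;` is then only needed if init scripts actually run it. The `#### types for ipsec-tools utilities #####` banner also does not follow the `########` / `#` comment-block style used elsewhere in this file.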
@@ -275,3 +286,99 @@ file_type_auto_trans(ipsec_mgmt_t, sysad
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
') dnl end TODO
+
+
+########################################
+#
+# ipsec-tools utilities <setkey>
+#
+
+# allow setkey to set the context for ipsec SAs and policy.
+allow setkey_t ipsec_spd_t:association setcontext;
+
+allow setkey_t self:capability net_admin;
+allow setkey_t self:key_socket { create read setopt write };
+allow setkey_t self:netlink_route_socket { create_netlink_socket_perms };
+
+# need to be able to read selinux config files within setkey domain.
+allow setkey_t security_t:dir search;
+allow setkey_t security_t:file read;
+seutil_read_config(setkey_t)
+
+# allow setkey utility to set contexts on SA's and policy
+domain_setcontext(setkey_t)
+
+# allow setkey to read a config files in any directory.
+userdom_read_sysadm_home_content_files(setkey_t)
+userdom_read_all_users_home_content_files(setkey_t)
+
+# setkey will be run by sysadm, thus setkey needs access to sysadm ttys.
+userdom_use_sysadm_ttys(setkey_t)
+locallogin_use_fds(setkey_t)
+files_read_etc_files(setkey_t)
+libs_use_ld_so(setkey_t)
+libs_use_shared_libs(setkey_t)
+miscfiles_read_localization(setkey_t)
+
+########################################
+#
+# ipsec-tools utilities <racoon>
+#
+
+allow racoon_t self:udp_socket { create_socket_perms };
+allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+allow racoon_t self:capability { net_admin net_bind_service };
+
+# allow racoon to use avc_has_perm to check context on proposed SA
+allow racoon_t self:netlink_selinux_socket { bind create read };
+selinux_compute_access_vector(racoon_t)
+
+allow racoon_t self:key_socket { create read setopt write };
+allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
+
+allow racoon_t node_t:udp_socket node_bind;
+
+# so racoon can listen on admin port.
+allow racoon_t inaddr_any_node_t:tcp_socket node_bind;
+
+# allow racoon to use ISAKMP port
+allow racoon_t isakmp_port_t:udp_socket name_bind;
+
+corenet_non_ipsec_sendrecv(racoon_t)
+corenet_udp_bind_link_local_node(racoon_t)
+corenet_udp_bind_compat_ipv4_node(racoon_t)
+corenet_udp_bind_lo_node(racoon_t)
+kernel_read_network_state(racoon_t)
+corenet_udp_bind_site_local_node(racoon_t)
+seutil_read_config(setkey_t)
+
+# manage pid file
+allow racoon_t ipsec_var_run_t:file manage_file_perms;
+allow racoon_t ipsec_var_run_t:dir rw_dir_perms;
+allow racoon_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
+files_rw_generic_pids(racoon_t)
+allow racoon_t var_run_t:file setattr;
+
+allow racoon_t ipsec_conf_file_t:dir r_dir_perms;
+allow racoon_t ipsec_conf_file_t:file r_file_perms;
+allow racoon_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow racoon_t ipsec_key_file_t:dir r_dir_perms;
+allow racoon_t ipsec_key_file_t:file r_file_perms;
+allow racoon_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow racoon_t ipsec_spd_t:association setcontext;
+
+userdom_use_sysadm_ttys(racoon_t)
+locallogin_use_fds(racoon_t)
+
+# allow racoon to set contexts on ipsec policy and SAs
+domain_setcontext(racoon_t)
+
+logging_send_syslog_msg(racoon_t)
+files_read_etc_files(racoon_t)
+libs_use_ld_so(racoon_t)
+libs_use_shared_libs(racoon_t)
+miscfiles_read_localization(racoon_t)
+dev_read_urand(racoon_t)
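Review bot: `seutil_read_config(setkey_t)` in the racoon block duplicates the call already made in the setkey block and is almost certainly meant to be `seutil_read_config(racoon_t)`; without it racoon cannot read /etc/selinux while validating the contexts it checks via selinux_compute_access_vector. Several rules also reference other modules' types directly (`security_t`, `node_t`, `inaddr_any_node_t`, `isakmp_port_t`, `var_run_t`), which refpolicy layering does not allow; they should go through the kernel/corenet/files interfaces (for example `corenet_udp_bind_isakmp_port(racoon_t)` for the ISAKMP rule and the `selinux_*` interfaces for selinuxfs). Note that `security_t` is selinuxfs, not the config files the comment describes, so that pair of rules is either mislabeled or redundant with seutil_read_config. The "listen on admin port" rule grants tcp node_bind without any tcp port name_bind or corenet_tcp_bind_* call, so it is either incomplete or unnecessary, and `userdom_read_all_users_home_content_files(setkey_t)` lets setkey read every user's home directory; if the intent is only config files passed by sysadm, the sysadm-home call alone or a dedicated config type would be tighter.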
diff -urpN serefpolicy-2.4.6.patchbox2/policy/modules/system/userdomain.te serefpolicy-2.4.6.patchbox3/policy/modules/system/userdomain.te
--- serefpolicy-2.4.6.patchbox2/policy/modules/system/userdomain.te 2006-12-14 12:06:33.000000000 -0600
+++ serefpolicy-2.4.6.patchbox3/policy/modules/system/userdomain.te 2006-12-14 11:39:34.000000000 -0600
@@ -292,6 +292,7 @@ ifdef(`strict_policy',`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_tools_domtrans(sysadm_t)
')
optional_policy(`
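Review bot: `ipsec_tools_domtrans(sysadm_t)` on its own does not give a working transition: ipsec.te in this series only declares `role system_r types racoon_t;` and `role system_r types setkey_t;`, so when sysadm_t (running as sysadm_r) execs racoon or setkey the computed context sysadm_r:racoon_t is invalid and the exec is denied. Either add `role sysadm_r types racoon_t;` and `role sysadm_r types setkey_t;` next to this call, or replace it with run-style interfaces that take sysadm_r and admin_terminal as the other sysadm entries in this block do for their domains.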
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
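As an added check (this is not part of the patch or of refpolicy), a small Python resolver for the file_contexts syntax used in the ipsec.fc hunks: it parses each line's path regex, optional file-type flag and context, and applies the last-match-wins rule libselinux uses, so you can see which label each ipsec-tools binary gets after the patch. The spec list is a constructed fragment mirroring the post-patch hunks with gen_context() already expanded.

```python
import re

# Constructed sample in file_contexts (.fc) syntax, mirroring the post-patch
# state of the ipsec.fc hunks above with gen_context() already expanded the
# way the policy build does. It is a fragment, not the full refpolicy file.
IPSEC_FC = r"""
/etc/ipsec\.d(/.*)?                 system_u:object_r:ipsec_key_file_t:s0
/sbin/setkey                    --  system_u:object_r:setkey_exec_t:s0
/usr/lib(64)?/ipsec/_plutoload  --  system_u:object_r:ipsec_mgmt_exec_t:s0
/usr/local/lib(64)?/ipsec/pluto --  system_u:object_r:ipsec_exec_t:s0
/usr/sbin/racoon                --  system_u:object_r:racoon_exec_t:s0
/var/racoon(/.*)?                   system_u:object_r:ipsec_var_run_t:s0
"""

# path regex, optional file-type flag, context (see file_contexts(5))
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")
FTYPE = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
         "-b": "blk_file", "-c": "chr_file", "-p": "fifo_file"}

def parse_fc(text):
    """Parse .fc lines into (compiled path regex, required file type, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, flag, ctx = m.groups()
        # the regex must match the whole path, as libselinux anchors it
        specs.append((re.compile("^" + regex + "$"), FTYPE.get(flag), ctx))
    return specs

def match_context(specs, path, ftype="file"):
    """Return the context a path of the given file type would get, or None.
    As in libselinux, the last matching specification wins, and a spec with a
    file-type flag only matches objects of that type."""
    for regex, want_type, ctx in reversed(specs):
        if want_type is not None and want_type != ftype:
            continue
        if regex.match(path):
            return ctx
    return None

if __name__ == "__main__":
    specs = parse_fc(IPSEC_FC)
    for p in ("/sbin/setkey", "/usr/sbin/setkey", "/usr/sbin/racoon"):
        print(p, "->", match_context(specs, p))
```

Run against the fragment, /usr/sbin/setkey resolves to None, which is the effect of the second ipsec.fc hunk dropping that entry rather than relabeling it.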
* please guide me a way to study selinux in Kernel
From: Nerazzurri.YANG @ 2006-12-20 7:00 UTC (permalink / raw)
To: selinux
Hi all,
I am studying SELinux, mainly the kernel part,
but I cannot find more information about that, except
the docs on the NSA website.
Most docs and websites are about user space and policy,
which is not what I want now.
Please guide me to a way to find more information about SELinux
in the Linux kernel, especially its implementation.
By the way, where can I get the book
<<SELinux by Example: Using Security Enhanced Linux>>
written by Tresys? I am in China.
Thanks very much
* Re: please guide me a way to study selinux in Kernel
From: James Morris @ 2006-12-20 14:51 UTC (permalink / raw)
To: Nerazzurri.YANG; +Cc: selinux
On Wed, 20 Dec 2006, Nerazzurri.YANG wrote:
> but I cannot find more information about that, except
> the docs on the NSA website.
Here are some slides I made for a talk last year at Foss.in:
http://people.redhat.com/jmorris/slides/fossin2005_selinux_kernel.pdf
SELinux uses LSM, so also see:
http://www.usenix.org/event/sec02/wright.html
--
James Morris
<jmorris@namei.org>
* Re: please guide me a way to study selinux in Kernel
From: Stephen Smalley @ 2006-12-20 15:02 UTC (permalink / raw)
To: Nerazzurri.YANG; +Cc: selinux
On Wed, 2006-12-20 at 15:00 +0800, Nerazzurri.YANG wrote:
> hi all,
>
>
> I am studying SELinux, mainly the kernel part,
>
> but I cannot find more information about that, except
> the docs on the NSA website.
>
> Most docs and websites are about user space and policy,
> which is not what I want now.
>
> Please guide me to a way to find more information about SELinux
> in the Linux kernel, especially its implementation.
Have you looked at the
"Implementing SELinux as a Linux Security Module" technical report?
Available from
http://www.nsa.gov/selinux/papers/module-abs.cfm
Not entirely up to date, but still a good resource on the implementation.
--
Stephen Smalley
National Security Agency
* Re: please guide me a way to study selinux in Kernel
From: Nerazzurri.YANG @ 2006-12-21 2:51 UTC (permalink / raw)
To: selinux
>Here are some slides I made for a talk last year at Foss.in:
>http://people.redhat.com/jmorris/slides/fossin2005_selinux_kernel.pdf
>SELinux uses LSM, so also see:
>http://www.usenix.org/event/sec02/wright.html
>Have you looked at the
>"Implementing SELinux as a Linux Security Module" technical report?
>Available from
>http://www.nsa.gov/selinux/papers/module-abs.cfm
>Not entirely up to date, but still a good resource on the implementation.
Morris, Smalley, thanks very much.
I have read all these papers, but I still have not understood them well,
and furthermore, the information on LSM is not necessary either.
It seems that I have to study from the kernel source code;
the source code is the best study material :-)
By the way, why have I not received the mail I sent to the
list (selinux@tycho.nsa.gov), while others can see my mail sent to the
list? Is there something I misunderstand?
* Re: please guide me a way to study selinux in Kernel
From: Nerazzurri.YANG @ 2006-12-25 1:35 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> On Fri, 2006-12-22 at 10:08 +0800, Nerazzurri.YANG wrote:
>> I have not received any mails I have sent to the list since I subscribed to
>> the list :-))
>
> Strange. But are you seeing other people's emails posted to the list
> (not just ones sent directly to you, like the replies to your message,
> but other messages posted to the list by other people, like the recent
> ones from Karl MacMillan)?
I think I have received the mail; do you mean this mail:
[PATCH] correct return value handling in libsemanage
The function semanage_direct_commit in libsemanage:direct_api.c does not
correctly propagate error codes. This patch fixes that.
Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
diff -r 1ecfd5befe3f src/direct_api.c
--- a/src/direct_api.c Thu Dec 21 17:09:45 2006 -0500
+++ b/src/direct_api.c Thu Dec 21 17:47:06 2006 -0500
@@ -603,7 +603,8 @@ static int semanage_direct_commit(semana
.............
from Karl MacMillan.
Can you reply to this message directly to the list, not to me?
If I can receive the reply, that may mean the mailing list
works well.
Furthermore, I will reply to your mail to the list (in CC); if
you receive two of the same mails, it seems that my
mail client has something wrong.
>
>> I have checked; there are not any mails in junk or spam.
>>
>> Is it possible that my setting in Thunderbird is wrong?
>>
>> Everything is right when I subscribe to other mailing lists
>> such as rpm, anaconda.....
>
> I don't see anything on our end that would explain it (no bounces to
> owner-selinux for your address, and your address is listed in the list
> members). And if you can receive mail directly from me like this, then
> there shouldn't be any real difference - they are both going through the
> same mail servers.
>