* ipsec tools domtrans patch
@ 2007-03-08 15:35 Daniel J Walsh
From: Daniel J Walsh @ 2007-03-08 15:35 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
--- nsaserefpolicy/policy/modules/system/ipsec.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/ipsec.if 2007-03-08 10:31:24.000000000 -0500
@@ -111,3 +111,103 @@
files_search_pids($1)
manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
')
+
+########################################
+## <summary>
+## Allow an IPsec SA to be used by an IPsec Policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_labeled',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association polmatch;
+ domain_ipsec_labels($1)
+')
+
+
+########################################
+## <summary>
+## Execute racoon in the racoon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_racoon',`
+ gen_require(`
+ type racoon_t, racoon_exec_t;
+ ')
+
+ domain_auto_trans($1,racoon_exec_t,racoon_t)
+
+ allow $1 racoon_t:fd use;
+ allow racoon_t $1:fd use;
+ allow racoon_t $1:fifo_file rw_file_perms;
+ allow racoon_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute setkey in the setkey domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+ type setkey_t, setkey_exec_t;
+ ')
+ domain_auto_trans($1,setkey_exec_t,setkey_t)
+
+ allow $1 setkey_t:fd use;
+ allow setkey_t $1:fd use;
+ allow setkey_t $1:fifo_file rw_file_perms;
+ allow setkey_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute ipsec-tools in the setkey and racoon domains
+## and allow the specified role the domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the racoon and setkey domains.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the racoon and setkey domains to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_tools',`
+ gen_require(`
+ type racoon_t, setkey_t;
+ ')
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+ allow racoon_t $3:chr_file rw_term_perms;
+
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ allow setkey_t $3:chr_file rw_term_perms;
+')
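Review bot: `ipsec_domtrans_racoon` and `ipsec_domtrans_setkey` hand-roll the transition boilerplate (`domain_auto_trans` plus the four fd/fifo_file/sigchld allow rules); the context line at the top of this hunk already uses the `manage_files_pattern` support macro, so if this refpolicy revision also provides `domtrans_pattern`, each body collapses to `domtrans_pattern($1, racoon_exec_t, racoon_t)` and `domtrans_pattern($1, setkey_exec_t, setkey_t)`, which also keeps the two interfaces identical in shape (the setkey variant currently drops the blank line after `gen_require`). The `<param name="terminal">` summary in `ipsec_run_tools` reads `The type of the terminal allow the racoon and setkey domains to use.`; suggest `The type of the terminal the racoon and setkey domains are allowed to use.`. The `ipsec_labeled` summary only describes the `polmatch` rule, but the body also calls `domain_ipsec_labels($1)`, so the summary should state that the caller additionally receives whatever association permissions that interface grants, letting a reader see the full effect from the header alone.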
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/kernel/domain.if 2007-03-08 08:42:36.000000000 -0500
@@ -1254,3 +1254,21 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
+
+########################################
+## <summary>
+## Allow specified type to associate ipsec packets from any domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type of subject to be allowed this.
+## </summary>
+## </param>
+#
+interface(`domain_ipsec_labels',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association { sendto recvfrom };
+')
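Review bot: The summary of `domain_ipsec_labels` (`Allow specified type to associate ipsec packets from any domain`) does not name the permissions the single rule grants or make clear that the target is the `domain` attribute rather than one SA type; suggest `Allow the specified type to send and receive labeled IPsec traffic (association sendto recvfrom) over SAs labeled with any domain type.` so the breadth of the rule is visible from the header. The `<param name="type">` summary `Type of subject to be allowed this.` could likewise read `Domain allowed the association permissions.`, matching the parameter wording used by the other interfaces in this patch.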
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/userdomain.if 2007-03-08 10:30:10.000000000 -0500
@@ -1313,6 +1318,8 @@
init_exec($1)
+ ipsec_run_tools($1,$2,$3)
+
logging_send_syslog_msg($1)
logging_read_audit_log($1)
logging_read_generic_logs($1)
* Re: ipsec tools domtrans patch
@ 2007-03-26 19:44 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-03-26 19:44 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Thu, 2007-03-08 at 10:35 -0500, Daniel J Walsh wrote:
> --- nsaserefpolicy/policy/modules/system/ipsec.if 2007-01-02 12:57:49.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/ipsec.if 2007-03-08 10:31:24.000000000 -0500
> @@ -111,3 +111,103 @@
> files_search_pids($1)
> manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Allow an IPsec SA to be used by an IPsec Policy.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_labeled',`
> + gen_require(`
> + type ipsec_spd_t;
> + ')
> +
> + allow $1 ipsec_spd_t:association polmatch;
> + domain_ipsec_labels($1)
> +')
Not so sure about this one. I don't think we want to allow sending and
receiving to all domains.
> +########################################
> +## <summary>
> +## Execute racoon in the racoon domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_domtrans_racoon',`
> + gen_require(`
> + type racoon_t, racoon_exec_t;
> + ')
> +
> + domain_auto_trans($1,racoon_exec_t,racoon_t)
> +
> + allow $1 racoon_t:fd use;
> + allow racoon_t $1:fd use;
> + allow racoon_t $1:fifo_file rw_file_perms;
> + allow racoon_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +## Execute setkey in the setkey domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_domtrans_setkey',`
> + gen_require(`
> + type setkey_t, setkey_exec_t;
> + ')
> + domain_auto_trans($1,setkey_exec_t,setkey_t)
> +
> + allow $1 setkey_t:fd use;
> + allow setkey_t $1:fd use;
> + allow setkey_t $1:fifo_file rw_file_perms;
> + allow setkey_t $1:process sigchld;
> +')
Merged these
> +########################################
> +## <summary>
> +## Execute ipsec-tools in the setkey and racoon domains
> +## and allow the specified role the domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed the racoon and setkey domains.
> +## </summary>
> +## </param>
> +## <param name="terminal">
> +## <summary>
> +## The type of the terminal allow the racoon and setkey domains to use.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`ipsec_run_tools',`
> + gen_require(`
> + type racoon_t, setkey_t;
> + ')
> + ipsec_domtrans_racoon($1)
> + role $2 types racoon_t;
> + allow racoon_t $3:chr_file rw_term_perms;
> +
> + ipsec_domtrans_setkey($1)
> + role $2 types setkey_t;
> + allow setkey_t $3:chr_file rw_term_perms;
> +')
Turned this into ipsec run setkey. Racoon is a daemon so it doesn't
make sense to be here.
> --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-02-19 11:32:51.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/kernel/domain.if 2007-03-08 08:42:36.000000000 -0500
> @@ -1254,3 +1254,21 @@
> typeattribute $1 can_change_object_identity;
> typeattribute $1 set_curr_context;
> ')
> +
> +########################################
> +## <summary>
> +## Allow specified type to associate ipsec packets from any domain
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type of subject to be allowed this.
> +## </summary>
> +## </param>
> +#
> +interface(`domain_ipsec_labels',`
> + gen_require(`
> + attribute domain;
> + ')
> +
> + allow $1 domain:association { sendto recvfrom };
> +')
> --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.if 2007-03-08 10:30:10.000000000 -0500
> @@ -1313,6 +1318,8 @@
>
> init_exec($1)
>
> + ipsec_run_tools($1,$2,$3)
> +
> logging_send_syslog_msg($1)
> logging_read_audit_log($1)
> logging_read_generic_logs($1)
changed this to ipsec_run_setkey and made it optional.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150