From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: KaiGai Kohei <kaigai@ak.jp.nec.com>,
cpebenito@tresys.com, selinux@tycho.nsa.gov
Subject: Re: security context for SPD entries of labeled IPsec
Date: Thu, 08 Nov 2007 23:22:35 +0900 [thread overview]
Message-ID: <47331BAB.8040107@kaigai.gr.jp> (raw)
In-Reply-To: <D709A20F2164C84E8B7014B0301F5EF87C72FA@HAVOC.tcs-sec.com>
[-- Attachment #1: Type: text/plain, Size: 2686 bytes --]
Hi, Venkat
Thanks for your suggestion.
I got a success to set up labeled ipsec connection with modified
reference policy, as follows:
----------------------------------------------------------------
[kaigai@fedora8 ~]$ psql -q -h 192.168.1.10 postgres
Password:
postgres=# SELECT sepgsql_getcon();
sepgsql_getcon
-------------------------------------------------
root:system_r:unconfined_t:SystemLow-SystemHigh
(1 row)
postgres=#
[kaigai@fedora8 ~]$ runcon -l s0 psql -q -h 192.168.1.10 postgres
Password:
postgres=# SELECT sepgsql_getcon();
sepgsql_getcon
----------------------------
root:system_r:unconfined_t
(1 row)
postgres=#
----------------------------------------------------------------
The attached patch provides two new interfaces to access the default
context of SPD entries (ipsec_spd_t), and enables unconfined domains
to set up SPD entries with the default context.
In addition, any unconfined domain, user domain and daemon domain
got being possible to communicate others via labeled ipsec.
Please review it,
Thanks,
Venkat Yekkirala wrote:
> <snip>
>>> There are 2 aspects:
>>>
>>> 1. IPsec policy matching discussed above:
>>> allow domain-that-should-use-labeled-ipsec
>> ipsec_spd_t:association { polmatch };
>>> 2. Use of IPsec associations themselves:
>>>
>>> For sending:
>>> allow
>> domain-that-should-use-labeled-ipsec-to-label-its-packets
>> self:association { sendto };
>>> For receiving:
>>> allow domain-that-should-received-from-peer peer-domain
>> self:association { recvfrom };
>>
>> When we consider the case unconfined_t process tries to
>> communicate with a postgresql_t
>> process running on another host via labeled IPsec, the
>> following policy will be needed.
>>
>> 1. allow unconfined_t ipsec_spd_t : association { polmatch };
>
> Also, allow postgresql_t ipsec_spd_t : association { polmatch };
> since the incoming packet labeled postgresql_t should be checked
> against IPsec policy (SPD) rule labeled with ipsec_spd_t.
>
>> 2s. allow unconfined_t self : association { sendto };
>
> OK.
>
>> 2r. allow postgresql_t unconfined_t : association { recvfrom };
>
> This should actually be:
>
> allow unconfined_t postgresql_t : association { recvfrom };
>
> since it would be the unconfined_t socket that would be receiving
> a packet using the postgresql_t association.
>
>> Is it correct?
>>
> <snip>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: refpolicy-labeled-ipsec.patch --]
[-- Type: text/plain, Size: 3890 bytes --]
Index: refpolicy/policy/modules/system/ipsec.if
===================================================================
--- refpolicy/policy/modules/system/ipsec.if (revision 2483)
+++ refpolicy/policy/modules/system/ipsec.if (working copy)
@@ -114,6 +114,43 @@
########################################
## <summary>
+## Allow to communicate another peer via labeled IPsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_default_sendrecv',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t : association { polmatch };
+ domain_ipsec_labels($1)
+')
+
+########################################
+## <summary>
+## Allow to set an default security context of IPsec Policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_default_setcontext',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t : association { setcontext };
+')
+
+########################################
+## <summary>
## Execute racoon in the racoon domain.
## </summary>
## <param name="domain">
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if (revision 2483)
+++ refpolicy/policy/modules/system/userdomain.if (working copy)
@@ -547,6 +547,10 @@
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
+
+ optional_policy(`
+ ipsec_default_sendrecv($1_t)
+ ')
')
#######################################
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy/policy/modules/system/init.if (revision 2483)
+++ refpolicy/policy/modules/system/init.if (working copy)
@@ -134,6 +134,10 @@
')
optional_policy(`
+ ipsec_default_sendrecv($1)
+ ')
+
+ optional_policy(`
nscd_socket_use($1)
')
')
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy/policy/modules/system/unconfined.if (revision 2483)
+++ refpolicy/policy/modules/system/unconfined.if (working copy)
@@ -73,6 +73,11 @@
')
optional_policy(`
+ ipsec_default_setcontext($1)
+ ipsec_default_sendrecv($1)
+ ')
+
+ optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
libs_use_shared_libs($1)
Index: refpolicy/policy/modules/system/ipsec.te
===================================================================
--- refpolicy/policy/modules/system/ipsec.te (revision 2483)
+++ refpolicy/policy/modules/system/ipsec.te (working copy)
@@ -6,6 +6,9 @@
# Declarations
#
+# Default type for IPSEC SPD entries
+type ipsec_spd_t;
+
type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t,ipsec_exec_t)
@@ -19,9 +22,6 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
-# Default type for IPSEC SPD entries
-type ipsec_spd_t;
-
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
@@ -297,7 +297,7 @@
read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
-allow racoon_t ipsec_spd_t:association setcontext;
+ipsec_default_setcontext(racoon_t)
kernel_read_network_state(racoon_t)
@@ -339,7 +339,7 @@
read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
# allow setkey to set the context for ipsec SAs and policy.
-allow setkey_t ipsec_spd_t:association setcontext;
+ipsec_default_setcontext(setkey_t)
# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)
next prev parent reply other threads:[~2007-11-08 14:23 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-07 16:07 security context for SPD entries of labeled IPsec Venkat Yekkirala
2007-11-08 14:22 ` KaiGai Kohei [this message]
[not found] ` <473872F8.7000208@ak.jp.nec.com>
[not found] ` <1195055160.13737.33.camel@gorn.columbia.tresys.com>
[not found] ` <473B23F9.4080506@ak.jp.nec.com>
[not found] ` <1195064402.13737.42.camel@gorn.columbia.tresys.com>
2007-11-15 2:51 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) KaiGai Kohei
2007-11-15 14:26 ` Christopher J. PeBenito
2007-11-15 16:05 ` Paul Moore
2007-11-19 2:21 ` KaiGai Kohei
2007-11-19 18:48 ` Christopher J. PeBenito
2007-11-20 9:14 ` [PATCH] IPsec SPD default security context KaiGai Kohei
2007-11-20 18:34 ` Christopher J. PeBenito
2007-11-21 4:26 ` KaiGai Kohei
2007-11-26 16:38 ` Christopher J. PeBenito
2007-11-29 11:46 ` KaiGai Kohei
2008-01-23 3:00 ` Kohei KaiGai
2008-02-19 7:09 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Kohei KaiGai
2008-02-19 13:35 ` Christopher J. PeBenito
2008-02-20 0:59 ` Kohei KaiGai
2008-02-20 3:37 ` Paul Moore
2008-02-20 5:11 ` Kohei KaiGai
2008-02-20 14:18 ` Paul Moore
2008-02-25 16:13 ` Christopher J. PeBenito
2008-02-25 16:12 ` Christopher J. PeBenito
2008-02-26 2:03 ` Kohei KaiGai
2008-06-24 9:10 ` KaiGai Kohei
2008-06-25 5:59 ` [PATCH] Communication between domains under labeled networks KaiGai Kohei
2008-07-18 13:41 ` Christopher J. PeBenito
2008-07-22 10:49 ` KaiGai Kohei
2008-07-25 4:10 ` Chris PeBenito
2008-08-15 8:48 ` KaiGai Kohei
2008-09-11 13:31 ` [refpolicy] " Christopher J. PeBenito
2008-07-18 13:34 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Christopher J. PeBenito
2007-12-13 14:00 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) Ted X Toth
2007-12-13 14:14 ` Christopher J. PeBenito
2007-12-13 14:58 ` Xavier Toth
2007-12-14 19:20 ` Christopher J. PeBenito
2007-12-15 21:10 ` Xavier Toth
-- strict thread matches above, loose matches on Subject: below --
2007-11-06 17:56 security context for SPD entries of labeled IPsec Venkat Yekkirala
2007-11-06 17:37 Venkat Yekkirala
2007-11-07 2:47 ` KaiGai Kohei
2007-11-06 3:59 KaiGai Kohei
2007-11-06 10:00 ` KaiGai Kohei
2007-11-06 18:14 ` Joy Latten
2007-11-07 4:42 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47331BAB.8040107@kaigai.gr.jp \
--to=kaigai@kaigai.gr.jp \
--cc=cpebenito@tresys.com \
--cc=kaigai@ak.jp.nec.com \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.