[PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context)

[Kohei KaiGai <kaigai@ak.jp.nec.com>]

[-- Attachment #1: Type: text/plain, Size: 1576 bytes --]

>>> Merged [1], but I made some changes.  I created corenetwork interfaces
>>> to use instead of the patterns, so the current MLS-only netlabel case
>>> can be handled too.  I also updated the domain module to use the
>>> interfaces.
>>>
>>> The thing that makes me a little nervous, which I didn't realize at
>>> first, is if you use non-labeled networking, the peer policy will still
>>> be needed, since the corenet connect/sendrecv calls are abstracted into
>>> the interface.  Consider the non-labeled case for apache.  The
>>> httpd_can_network_connect_db tunable won't work for postgresql, if the
>>> postgresql module isn't in the apache server's policy.  Whats worse is,
>>> to make it work, you need to bring in the entire postgresql policy, even
>>> though you only need one type, and only need the recvfrom rules.
>>>
>>> [1] http://oss.tresys.com/projects/refpolicy/changeset/2531

Chris, what is the current status of my patch submitted previously?

You pointed out that undeprecating postgresql_tcp_connect() to allow
permissions for labeled and traditional networks can make unneeded
dependency.

The attached patch reverts postgresql_tcp_connect() and related part,
and puts corenet_tcp_recvfrom_labeled() and ipsec_match_default_spd()
within optional_policy block, if necessary.
It enables any userdomain to communicate PostgreSQL/MySQL/SSHd via
labeled networking, at first.
However, I believe we can apply this method for other domains also.

Please consider to apply.
Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: refpolicy-use-corenet-for-ipsec.patch --]
[-- Type: text/x-patch, Size: 3411 bytes --]

Index: refpolicy/policy/modules/services/postgresql.if
===================================================================
--- refpolicy/policy/modules/services/postgresql.if	(revision 2614)
+++ refpolicy/policy/modules/services/postgresql.if	(working copy)
@@ -79,7 +79,7 @@
 
 ########################################
 ## <summary>
-##	Allow the specified domain to connect to postgresql with a tcp socket.
+##	Allow the specified domain to connect to postgresql with a tcp socket.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,14 +88,7 @@
 ## </param>
 #
 interface(`postgresql_tcp_connect',`
-	gen_require(`
-		type postgresql_t;
-	')
-
-	corenet_tcp_recvfrom_labeled($1,postgresql_t)
-	corenet_tcp_sendrecv_postgresql_port($1)
-	corenet_tcp_connect_postgresql_port($1)
-	corenet_sendrecv_postgresql_client_packets($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
Index: refpolicy/policy/modules/services/ssh.te
===================================================================
--- refpolicy/policy/modules/services/ssh.te	(revision 2614)
+++ refpolicy/policy/modules/services/ssh.te	(working copy)
@@ -109,6 +109,10 @@
 ')
 
 optional_policy(`
+	ipsec_match_default_spd(sshd_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
 
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te	(revision 2614)
+++ refpolicy/policy/modules/services/apache.te	(working copy)
@@ -370,6 +370,14 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	# allow httpd to connect to mysql/posgresql
+	corenet_tcp_connect_postgresql_port(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_sendrecv_postgresql_client_packets(httpd_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
@@ -455,8 +463,7 @@
 	mysql_rw_db_sockets(httpd_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-		corenet_tcp_connect_mysqld_port(httpd_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_t)
+		corenet_tcp_recvfrom_labeled(httpd_t,mysqld_t)
 	')
 ')
 
@@ -477,7 +484,7 @@
 	postgresql_stream_connect(httpd_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_t)
+		corenet_tcp_recvfrom_labeled(httpd_t,postgresql_t)
 	')
 ')
 
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if	(revision 2614)
+++ refpolicy/policy/modules/system/userdomain.if	(working copy)
@@ -834,6 +834,7 @@
 	optional_policy(`
 		tunable_policy(`allow_user_mysql_connect',`
 			mysql_stream_connect($1_t)
+			corenet_tcp_recvfrom_labeled($1_t,mysqld_t)
 		')
 	')
 
@@ -850,7 +851,7 @@
 	optional_policy(`
 		tunable_policy(`allow_user_postgresql_connect',`
 			postgresql_stream_connect($1_t)
-			postgresql_tcp_connect($1_t)
+			corenet_tcp_recvfrom_labeled($1_t,postgresql_t)
 		')
 	')
 
@@ -872,6 +873,13 @@
 	')
 
 	optional_policy(`
+		gen_require(`
+			type sshd_t;
+		')
+		corenet_tcp_recvfrom_labeled($1_t,sshd_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	')
 ')