From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] system/ipsec: Add policy for StrongSwan
Date: Mon, 12 Oct 2015 09:31:50 -0400	[thread overview]
Message-ID: <561BB646.2060801@tresys.com> (raw)
In-Reply-To: <1444559876-8098-1-git-send-email-jason@perfinion.com>

On 10/11/2015 6:37 AM, Jason Zaman wrote:
> Adds an ipsec_supervisor_t domain for StrongSwan's starter.
> Thanks to Matthias Dahl for most of the work on this.

Merged, with some rearrangements.

> ---
>  policy/modules/system/ipsec.fc | 17 ++++++++++++
>  policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
>  2 files changed, 74 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
> index 0f1e351..d42b08e 100644
> --- a/policy/modules/system/ipsec.fc
> +++ b/policy/modules/system/ipsec.fc
> @@ -10,6 +10,14 @@
>  
>  /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
>  
> +/etc/strongswan\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
> +/etc/strongswan\.d(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
> +/etc/swanctl/(.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
> +/etc/swanctl			-d	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +/etc/swanctl/swanctl.conf	--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
>  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
>  
>  /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
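Review bot: The dot in `/etc/swanctl/swanctl.conf` on the last added line of this hunk is unescaped, so as a regex it matches any single character, unlike the `strongswan\.conf` and `strongswan\.d` entries a few lines above; it should read `/etc/swanctl/swanctl\.conf	--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)`. The directory pattern `/etc/swanctl/(.*)?` also departs from the `(/.*)?` form used for `/etc/ipsec\.d` and `/etc/strongswan\.d` in this file; because the directory itself is labelled by the separate `-d` entry this is a consistency point rather than a mislabel, but aligning the three swanctl entries would make their precedence obvious to the next reader. Whether the unescaped dot ever mislabels a file depends on what else lives under /etc/swanctl, which the patch does not show.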
> @@ -19,17 +27,25 @@
>  /usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  
> +/usr/libexec/ipsec/_copyright	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>  /usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> +/usr/libexec/ipsec/_updown	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/charon	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/lookip	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/scepclient	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/starter	--	gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
> +/usr/libexec/ipsec/stroke	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>  
>  /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>  /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
>  /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
> +/usr/sbin/swanctl		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>  
>  /var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
>  
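Review bot: `stroke`, `lookip` and `scepclient` are labelled `ipsec_exec_t`, the same entrypoint type as the `charon` and `pluto` daemons, so any domain with a `domtrans_pattern` on `ipsec_exec_t` (the existing `domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)` in ipsec.te) transitions into `ipsec_t` when it runs them. If these are control or enrollment clients rather than daemons, which their names suggest but the patch does not state, a client invoked from the `ipsec` wrapper would then execute in the daemon domain with its full capability set. Labelling them `ipsec_mgmt_exec_t` as `/usr/sbin/swanctl` is on the line below, or adding a one-line comment explaining why the daemon type is intended, would make the choice reviewable.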
> @@ -39,5 +55,6 @@
>  
>  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
>  
> +/var/run/charon\.(.*)?		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
>  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
>  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
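Review bot: The new `/var/run/charon\.(.*)?` entry is restricted to regular files by `--`, yet the ipsec.te part of this patch grants `ipsec_supervisor_t` `rw_sock_file_perms` and `unlink` on `ipsec_var_run_t:sock_file` and a `files_pid_filetrans` for `sock_file`, which implies socket files also exist under that name prefix. Those sockets get their label by transition at runtime, and with a `--` entry a relabel pass would leave a mislabelled one untouched. Dropping the qualifier, `/var/run/charon\.(.*)?		gen_context(system_u:object_r:ipsec_var_run_t,s0)`, covers both kinds and matches how `/var/run/pluto(/.*)?` is written on the next line.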
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d5bcfd8..3a3e6d5 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -67,19 +67,25 @@ type setkey_exec_t;
>  init_system_domain(setkey_t, setkey_exec_t)
>  role system_r types setkey_t;
>  
> +type ipsec_supervisor_t;
> +type ipsec_supervisor_exec_t;
> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
> +role system_r types ipsec_supervisor_t;
> +
>  ########################################
>  #
>  # ipsec Local policy
>  #
>  
> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
>  dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
>  allow ipsec_t self:process { getcap setcap getsched signal setsched };
>  allow ipsec_t self:tcp_socket create_stream_socket_perms;
>  allow ipsec_t self:udp_socket create_socket_perms;
>  allow ipsec_t self:key_socket create_socket_perms;
> -allow ipsec_t self:fifo_file read_fifo_file_perms;
> +allow ipsec_t self:fifo_file rw_fifo_file_perms;
>  allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>  
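Review bot: The `ipsec_t` capability set on the changed `allow ipsec_t self:capability` line grows by `chown`, `setgid` and `setuid`, but neither the commit message nor a comment says which charon operation needs them; `setuid`/`setgid` on a daemon that already holds `net_admin` deserve a one-line justification such as `# chown/setuid/setgid: needed by charon for <operation - fill in>` above the rule, or a `dontaudit` if the capability is merely probed. Separately, the new `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` ends with a semicolon where the surrounding interface calls (`init_system_domain(setkey_t, setkey_exec_t)`) have none. The same stray `;` appears on `kernel_rw_net_sysctls(ipsec_t);`, on `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);` and on most macro calls in the new ipsec_supervisor block, and should be dropped for consistency with the rest of the file.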
> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
>  allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
>  
>  kernel_read_kernel_sysctls(ipsec_t)
> -kernel_read_net_sysctls(ipsec_t)
> +kernel_rw_net_sysctls(ipsec_t);
>  kernel_list_proc(ipsec_t)
>  kernel_read_proc_symlinks(ipsec_t)
>  # allow pluto to access /proc/net/ipsec_eroute;
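Review bot: `kernel_read_net_sysctls(ipsec_t)` becomes `kernel_rw_net_sysctls(ipsec_t);`, giving the daemon write access across /proc/sys/net, whereas before this change only `ipsec_mgmt_t` had that (the existing `kernel_rw_net_sysctls(ipsec_mgmt_t)` later in the file). If charon writes one specific sysctl, the patch should name it in a comment above the call, e.g. `# charon writes <sysctl - fill in> under /proc/sys/net`; if the write is only attempted and harmless when refused, a `dontaudit` would keep the daemon's reach unchanged. The trailing `;` should also go, as no other interface call in this hunk carries one.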
> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
>  allow ipsec_mgmt_t self:key_socket create_socket_perms;
>  allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
>  
> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
> +
>  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
>  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
>  
> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
>  allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
>  
>  domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
>  
>  kernel_rw_net_sysctls(ipsec_mgmt_t)
>  # allow pluto to access /proc/net/ipsec_eroute;
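Review bot: The new `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);` mirrors the transition into `ipsec_t` on the line above, but that existing transition is accompanied elsewhere in this file by `allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }`, while toward `ipsec_supervisor_t` the patch grants only `{ signal signull }`. If the starter is launched from the `ipsec` script under the same resource-limit inheritance the existing rule was added for, the analogous `allow ipsec_mgmt_t ipsec_supervisor_t:process rlimitinh;` will be needed; if not, saying so in a comment keeps the asymmetry from being read as an omission. The trailing `;` on the macro call should be dropped, matching the `domtrans_pattern` line above it.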
> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
>  
>  userdom_use_user_terminals(setkey_t)
>  
> +########################################
> +#
> +# ipsec_supervisor policy
> +#
> +
> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
> +allow ipsec_supervisor_t self:process { signal };
> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
> +
> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
> +
> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
> +
> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
> +allow ipsec_supervisor_t ipsec_t:process { signal };
> +
> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
> +
> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
> +
> +kernel_read_network_state(ipsec_supervisor_t)
> +kernel_read_system_state(ipsec_supervisor_t)
> +kernel_rw_net_sysctls(ipsec_supervisor_t);
> +
> +corecmd_exec_bin(ipsec_supervisor_t);
> +corecmd_exec_shell(ipsec_supervisor_t)
> +
> +dev_read_rand(ipsec_supervisor_t);
> +dev_read_urand(ipsec_supervisor_t);
> +
> +files_read_etc_files(ipsec_supervisor_t);
> +
> +logging_send_syslog_msg(ipsec_supervisor_t);
> +
> +miscfiles_read_localization(ipsec_supervisor_t);
> +
> +optional_policy(`
> +	modutils_domtrans_insmod(ipsec_supervisor_t)
> +')
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
