From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] system/ipsec: Add policy for StrongSwan
Date: Mon, 26 Oct 2015 22:06:54 +0100 [thread overview]
Message-ID: <562E95EE.2090507@redhat.com> (raw)
In-Reply-To: <561BB646.2060801@tresys.com>
On 10/12/2015 03:31 PM, Christopher J. PeBenito wrote:
> On 10/11/2015 6:37 AM, Jason Zaman wrote:
>> Adds an ipsec_supervisor_t domain for StrongSwan's starter.
>> Thanks to Matthias Dahl for most of the work on this.
>
> Merged, with some rearrangements.
>
>> ---
>> policy/modules/system/ipsec.fc | 17 ++++++++++++
>> policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
>> 2 files changed, 74 insertions(+), 3 deletions(-)
>>
>> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
>> index 0f1e351..d42b08e 100644
>> --- a/policy/modules/system/ipsec.fc
>> +++ b/policy/modules/system/ipsec.fc
>> @@ -10,6 +10,14 @@
>>
>> /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>>
>> +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>> +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>>
>> /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
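Review bot: The dot in `/etc/swanctl/swanctl.conf` is unescaped, so the pattern matches any character in that position, while the `/etc/strongswan\.conf` entry added a few lines above escapes it; write `/etc/swanctl/swanctl\.conf` to match. It would also help to document the catch-all with a comment such as `# everything below /etc/swanctl defaults to the key type; only swanctl.conf is treated as configuration`, because `/etc/swanctl/(.*)?` puts every other file in that tree under `ipsec_key_file_t`. That default is the conservative one for private keys and certificates, but it is not obvious from the three lines that it is intentional.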
>> @@ -19,17 +27,25 @@
>> /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>
>> +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
>> +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>
>> /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
>> /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>> +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>
>> /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>
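Review bot: The new StrongSwan entries (`starter`, `charon`, `stroke`, `_updown`, `lookip`, `scepclient`, `_copyright`) are added only under `/usr/libexec/ipsec/`, while this file keeps parallel `/usr/lib/ipsec/` entries for `pluto`, `spi` and `_plutoload`. If a distribution installs StrongSwan under `/usr/lib/ipsec/` (not visible from this patch), `starter` would keep its default label and would presumably never enter `ipsec_supervisor_t`, so the confinement added by this patch would not apply there. Consider adding the matching lines, e.g. `/usr/lib/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)` and `/usr/lib/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)`.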
>> @@ -39,5 +55,6 @@
>>
>> /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>
>> +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
>> /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>> /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
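Review bot: `/var/run/charon\.(.*)? --` is limited to regular files by the `--` specifier, yet the ipsec.te part of this patch lets `ipsec_supervisor_t` create `sock_file` objects in the pid directory as `ipsec_var_run_t` and grants `rw_sock_file_perms` on that type. If charon's control sockets are named `charon.*` (likely, but not shown here), a relabel would not restore `ipsec_var_run_t` on them and access could then be denied. Dropping the file-type specifier, `/var/run/charon\.(.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)`, covers the pid file and the sockets alike.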
>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>> index d5bcfd8..3a3e6d5 100644
>> --- a/policy/modules/system/ipsec.te
>> +++ b/policy/modules/system/ipsec.te
>> @@ -67,19 +67,25 @@ type setkey_exec_t;
>> init_system_domain(setkey_t, setkey_exec_t)
>> role system_r types setkey_t;
>>
>> +type ipsec_supervisor_t;
>> +type ipsec_supervisor_exec_t;
>> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
>> +role system_r types ipsec_supervisor_t;
>> +
>> ########################################
>> #
>> # ipsec Local policy
>> #
>>
>> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
>> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
>> dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
>> allow ipsec_t self:process { getcap setcap getsched signal setsched };
>> allow ipsec_t self:tcp_socket create_stream_socket_perms;
>> allow ipsec_t self:udp_socket create_socket_perms;
>> allow ipsec_t self:key_socket create_socket_perms;
>> -allow ipsec_t self:fifo_file read_fifo_file_perms;
>> +allow ipsec_t self:fifo_file rw_fifo_file_perms;
>> allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
>> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>>
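Review bot: The widened `ipsec_t` capability set (`chown`, `setgid`, `setuid`) lands without a comment, and `ipsec_t` is also the domain of the existing pluto binaries labelled `ipsec_exec_t`, so every IKE daemon in this module gains them, not only StrongSwan's charon. A short comment above the allow rule, e.g. `# charon: presumably needed to drop privileges and chown its sockets - confirm`, would let a later audit tell which daemon needs what. The same goes for `kernel_rw_net_sysctls(ipsec_t)` in the next hunk, which turns read-only sysctl access into write access for the network-facing daemon. Separately, `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` ends in a semicolon, unlike the neighbouring `init_system_domain(setkey_t, setkey_exec_t)`. The later hunks repeat this on `kernel_rw_net_sysctls`, `domtrans_pattern`, `read_files_pattern`, `corecmd_exec_bin`, `dev_read_rand`, `dev_read_urand`, `files_read_etc_files`, `logging_send_syslog_msg` and `miscfiles_read_localization`.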
>> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
>> allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
>>
>> kernel_read_kernel_sysctls(ipsec_t)
>> -kernel_read_net_sysctls(ipsec_t)
>> +kernel_rw_net_sysctls(ipsec_t);
>> kernel_list_proc(ipsec_t)
>> kernel_read_proc_symlinks(ipsec_t)
>> # allow pluto to access /proc/net/ipsec_eroute;
>> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
>> allow ipsec_mgmt_t self:key_socket create_socket_perms;
>> allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
>>
>> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
>> +
>> allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
>> files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
>>
>> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
>> allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
>>
>> domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
>> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
>>
>> kernel_rw_net_sysctls(ipsec_mgmt_t)
>> # allow pluto to access /proc/net/ipsec_eroute;
>> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
>>
>> userdom_use_user_terminals(setkey_t)
>>
>> +########################################
>> +#
>> +# ipsec_supervisor policy
>> +#
>> +
>> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
>> +allow ipsec_supervisor_t self:process { signal };
>> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
>> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
>> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
>> +
>> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
>> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
>> +
>> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
>> +
>> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
>> +allow ipsec_supervisor_t ipsec_t:process { signal };
>> +
>> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
>> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
>> +
>> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
>> +
>> +kernel_read_network_state(ipsec_supervisor_t)
>> +kernel_read_system_state(ipsec_supervisor_t)
>> +kernel_rw_net_sysctls(ipsec_supervisor_t);
>> +
>> +corecmd_exec_bin(ipsec_supervisor_t);
>> +corecmd_exec_shell(ipsec_supervisor_t)
>> +
>> +dev_read_rand(ipsec_supervisor_t);
>> +dev_read_urand(ipsec_supervisor_t);
>> +
>> +files_read_etc_files(ipsec_supervisor_t);
>> +
>> +logging_send_syslog_msg(ipsec_supervisor_t);
>> +
>> +miscfiles_read_localization(ipsec_supervisor_t);
>> +
>> +optional_policy(`
>> + modutils_domtrans_insmod(ipsec_supervisor_t)
>> +')
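Review bot: `manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` gives the supervisor create, write and delete access to key material, while the rule just above it grants only `read_files_pattern` on the configuration type. Nothing in this hunk shows starter writing keys, so unless a denial was observed the narrower grant would be `read_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` together with `allow ipsec_supervisor_t ipsec_key_file_t:dir list_dir_perms;`. The same domain can run a shell (`corecmd_exec_shell`), holds `dac_override` and may transition to insmod, so write access to keys deserves at least a comment stating which operation needs it.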
>>
>
>
Hi guys,
what is the purpose of this new domain? Maybe I overlooked something, but
why do we need a new domain instead of ipsec_mgmt_t, which has these
rules?
Regards,
Miroslav
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
2015-10-11 10:37 [refpolicy] [PATCH] system/ipsec: Add policy for StrongSwan Jason Zaman
2015-10-12 13:31 ` Christopher J. PeBenito
2015-10-26 21:06 ` Miroslav Grepl [this message]
2015-10-29 11:21 ` Christopher J. PeBenito