strange avc with racoon under f-11 mls

Joe Nall joe at nall.com
Sat Oct 24 18:11:01 UTC 2009


On Fri, Oct 16, 2009 at 9:19 AM, Joshua Roys
<joshua.roys at gtri.gatech.edu> wrote:
> On 10/15/2009 09:27 AM, Xavier Toth wrote:
>>
>> On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys
>> <joshua.roys at gtri.gatech.edu>  wrote:
>>>
>>> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>>>
>>>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>>>
>>>>> avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1
>>>>> dest=500
>>>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>>>
>>>
>>> Looking at policy/mls, I see this:
>>> # the peer/packet recv op
>>> mlsconstrain { peer packet } { recv }
>>>        (( l1 dom l2 ) or
>>>         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>>>         ( t1 == mlsnetread ));
>>>
>>> mlsnetreadtoclr appears to only be granted via:
>>> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
>>> which is not granted to racoon_t
>>>
>
> Hello,
>
> We have ipsec working again, using something like:
>
> ($local_t and $remote_t being the local and remote types)
>
> mls_socket_read_to_clearance(racoon_t)
>
> allow $local_t $remote_t:association polmatch;
> allow $remote_t $local_t:association polmatch;
>
> allow $local_t $remote_t:peer recv;
>
> Thanks for the tips,
>
> Joshua Roys

Here is what we are using. Some of this is because we do a fair amount
of dynamic config in the init scripts, some may be redundant with
other fixes in refpol/F11 because it was originally developed in F9.

policy_module(hack_ipsec,1.0.9)

require { type initrc_t, ipsec_spd_t; attribute domain; }
allow domain ipsec_spd_t:association { polmatch sendto recvfrom };

require { type setkey_t, initrc_tmp_t; }

# autoconfiguration needs this
gen_require(`type ipsec_conf_file_t, ipsec_key_file_t;');
allow initrc_t ipsec_conf_file_t:dir { write remove_name add_name };
allow initrc_t ipsec_conf_file_t:file { rename write setattr
relabelfrom relabelto create unlink };
allow initrc_t ipsec_key_file_t:file { write read rename };

# get setkey to talk to me in enforcing mode
gen_require(`type setkey_t, initrc_devpts_t, initrc_tmp_t;');
allow setkey_t initrc_tmp_t:file { read getattr };

gen_require(`type udev_t, ipsec_conf_file_t;');
allow udev_t ipsec_conf_file_t:file ioctl;
allow udev_t self:key_socket create;

# runtime
gen_require(`type racoon_t, ipsec_spd_t, unlabeled_t;');
allow unlabeled_t ipsec_spd_t:association polmatch;
allow unlabeled_t self:association sendto;

allow racoon_t unlabeled_t:udp_socket recvfrom;
allow racoon_t unlabeled_t:association setcontext;

mls_socket_read_to_clearance(racoon_t)
mls_socket_write_to_clearance(racoon_t)

corenet_out_generic_if(racoon_t);
corenet_udp_send_generic_node(racoon_t);
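As an added illustration that is not part of this thread, the following Python script walks the quoted mlsconstrain for { peer packet } { recv } over the two contexts in the AVC quoted above, showing why the stock policy denies (racoon_t's low level s0 does not dominate s15:c0.c1023) and why granting mlsnetreadtoclr via mls_socket_read_to_clearance(racoon_t) makes the check pass against the clearance instead. The constraint and level syntax come from the quoted policy; the parsing helpers and the attrs mapping are my own constructions.

```python
import re

# The AVC record quoted earlier in this thread, joined onto one line.
AVC = ("avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500 "
       "netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 "
       "tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer")

def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty category set)."""
    sens, _, cats = level.partition(":")
    cat_set = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                      # cN.cM is an inclusive range
            lo, hi = part.split(".")
            cat_set.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cat_set.add(int(part[1:]))
    return int(sens[1:]), frozenset(cat_set)

def parse_context(ctx):
    """user:role:type:low[-high] -> (type, low level, high level)."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return typ, parse_level(low), parse_level(high or low)

def dom(a, b):
    """MLS dominance: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def peer_recv_allowed(scontext, tcontext, attrs):
    """The quoted mlsconstrain for { peer packet } { recv }.
    attrs maps a type name to the MLS attributes policy gives it (constructed)."""
    t1, l1, h1 = parse_context(scontext)
    _t2, l2, _h2 = parse_context(tcontext)
    has = lambda attr: attr in attrs.get(t1, set())
    return (dom(l1, l2)
            or (has("mlsnetreadtoclr") and dom(h1, l2))
            or has("mlsnetread"))

def explain(avc_line, attrs):
    """Pull scontext/tcontext out of an AVC record and evaluate the constraint."""
    fields = dict(re.findall(r"(\w+)=(\S+)", avc_line))
    return peer_recv_allowed(fields["scontext"], fields["tcontext"], attrs)

if __name__ == "__main__":
    # Stock policy: l1 = s0 does not dominate l2 = s15:c0.c1023, so recv is denied.
    print("stock policy:", explain(AVC, {}))
    # With mlsnetreadtoclr the clearance h1 = s15:c0.c1023 is compared instead.
    print("with mlsnetreadtoclr:", explain(AVC, {"racoon_t": {"mlsnetreadtoclr"}}))
```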




More information about the fedora-selinux-list mailing list