[redhat-lspp] labeled ipsec policy
Joy Latten
latten at austin.ibm.com
Fri Nov 17 22:30:22 UTC 2006
The following policy enables labeled ipsec to run
in enforcing mode. I configure labeled ipsec in sysadm_r role.
Thus the rules I needed were specific to this role.
This is just what I needed to get it to work and use labels,
please feel free to modify this and make corrections.
I was not sure if anyone had started this work.
I am not sure where this should even reside in refpolicy modules.
I apologize if this email gets long, but I wanted to make sure
I tried to explain everything.
Included are some interfaces, which I used in an xxxx.if
file. Then, there are a bunch of rules which I used in a xxxx.te file.
These rules were just an example of what I needed
to get ping, nc, and ssh to work with labeled ipsec. For my
policy, I used the types unlabeled_t, passwd_t, and ipsec_spd_t.
When using passwd_t, ipsec_spd_t or any other domain, please be
mindful of mls constraints.
I am still "playing" with labeled ipsec, so I don't think this policy
is absolute and totally correct. :-)
The interfaces:
ipsec_set_label()
-setkey needs to be able to add an ipsec policy containing a
security context to the SPD.
-racoon/setkey need to be able to add SAs containing security
context to the SAD.
-A sysadm would use this interface to enter the domain of the
security context used in an ipsec policy entry.
-A sysadm would also use this interface to enter the domain of
the security context the SA will have.
**NOTE: SAs pose a problem because there is the assumption you
know the domain of the socket that will be created by an
application, i.e., a ping process opens a socket with
ping_t, thus the SA's security context is also ping_t.
sysadm would need to enter "ping_t" into this interface
so the SA could be added to the SAD.
ipsec_label_sa_pol()
-Enter the domain of the SA and the domain of the ipsec policy.
The SA will be considered "within the range" of the ipsec policy.
i.e. the domain of your ipsec policy is ipsec_spd_t,
you want ping_t SAs to be within range of ipsec_spd_t policy.
racoon requires this in order to determine if
a proposed SA "polmatches" to the SPD entry for the
traffic stream.
ipsec_labels_send_recv()
-Allow a socket to send and receive with an IPSec SA.
It is assumed that the type of the IPSec SA is the
same as the domain of the socket which created and used
it.
** NOTE: perhaps another interface is needed to allow
a socket to use an SA of a different type than the socket.
i.e. allow sshd_t sysadm_ssh_t:association recvfrom;
ipsec_tools_utilities()
-Enter the type of the process that can use setkey and racoon.
-Actually, I kinda just grouped together all the rules that
I needed to run racoon and setkey while in sysadm_r role.
- I could not help but wonder if setkey and racoon should
be run in sysadm_r role and transition into ipsec_t domain
(see system/ipsec.te and system/ipsec.if) or left alone to
run in sysadm domain. All the rules in this interface
are when racoon and ipsec run in sysadm_t domain.
NOTE: ideally it seems to me these rules should
be in a *.te file.
-----------------------------------------------------------------------------
xxxx.if
## <summary>Labeled IPSec</summary>
########################################
## <summary>
## Allow setkey/racoon to add policy to the SPD or
## Security Associations to the SAD with the specified
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain specified in security context of IPSec policy entry
## or IPSec SA.
## </summary>
## </param>
#
interface(`ipsec_set_label',`
gen_require(`
type sysadm_t;
')
allow sysadm_t $1:association setcontext;
')
########################################
## <summary>
## Allow an IPSec SA to be within the range of an IPSec Policy.
## </summary>
## <param name="sa_type">
## <summary>
## The type of the IPSec SA
## </summary>
## </param>
## <param name="policy_type">
## <summary>
## The type of the IPSec Policy
## </summary>
## </param>
#
interface(`ipsec_label_sa_pol',`
allow $1 $2:association polmatch;
')
########################################
## <summary>
## Allow a socket to send and receive with an IPSec SA.
## Note: It is assumed that the type of the IPSec SA is same
## as the type of the socket that created it.
## </summary>
## <param name="domain">
## <summary>
## 1. The type of the socket and the IPSec SA
## </summary>
## </param>
#
interface(`ipsec_labels_send_recv',`
allow $1 self:association { recvfrom sendto };
')
########################################
## <summary>
## Run ipsec utilities, setkey and racoon.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`ipsec_tools_utilities',`
gen_require(`
type isakmp_port_t;
type inaddr_any_node_t;
')
# allow setkey and racoon to create and use a key socket.
allow $1 self:key_socket { create read write setopt };
# allow racoon to use ISAKMP port
allow $1 isakmp_port_t:udp_socket name_bind;
# allow racoon to use avc_has_perm in within_range()
# to determine if proposed SA "polmatches" to policy
allow $1 self:netlink_selinux_socket { bind create read };
# I think this is so racoon can listen on an admin port.
allow $1 inaddr_any_node_t:tcp_socket node_bind;
# to create, remove read lock in /var/racoon/
ipsec_manage_pid($1)
# in grabmyaddrs() socket(PF_ROUTE...)
allow $1 self:netlink_route_socket create_netlink_socket_perms;
')
-------------------------------------------------------------------------
xxxx.te
policy_module(ipsec_joy,1.0)
gen_require(`
type sysadm_t;
type passwd_t;
type ping_t;
type unlabeled_t;
type sysadm_ssh_t;
type sshd_t;
')
type ipsec_spd_t;
ipsec_tools_utilities(sysadm_t)
# use following domains in spd
ipsec_set_label(unlabeled_t)
ipsec_set_label(passwd_t)
ipsec_set_label(ipsec_spd_t)
# use following domains in SAs
ipsec_set_label(ping_t)
ipsec_set_label(sysadm_t) #for NC
# allow specified SA to be considered within range of specified policy
ipsec_label_sa_pol(ping_t, passwd_t)
ipsec_label_sa_pol(sysadm_t, passwd_t)
ipsec_label_sa_pol(ping_t, unlabeled_t)
ipsec_label_sa_pol(sysadm_t, unlabeled_t)
ipsec_label_sa_pol(ping_t, ipsec_spd_t)
ipsec_label_sa_pol(sysadm_t, ipsec_spd_t)
# allow SAs to be used for sending and receiving
ipsec_labels_send_recv(ping_t)
ipsec_labels_send_recv(sysadm_t)
# for ssh
ipsec_set_label(sysadm_ssh_t)
ipsec_set_label(sshd_t)
ipsec_label_sa_pol(sysadm_ssh_t, unlabeled_t)
ipsec_label_sa_pol(sshd_t, unlabeled_t)
ipsec_labels_send_recv(sshd_t)
ipsec_labels_send_recv(sysadm_ssh_t)
allow sysadm_ssh_t sshd_t:association recvfrom;
allow sshd_t sysadm_ssh_t:association recvfrom;
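As an added example (not part of Joy's post and not refpolicy code), the following Python script expands the four interfaces from the xxxx.if above into the raw allow rules a policy build would see for the xxxx.te, then flags two things the post itself points at: SA types whose sockets may send/receive but which cannot polmatch every SPD label (racoon's within_range() will refuse those SA/policy pairs), and the cross-type socket/SA uses that ipsec_labels_send_recv() cannot express and the post adds by hand for ssh. All type, class and permission names are the post's own; the hard-wiring of sysadm_t inside ipsec_set_label() mirrors the post's interface. MLS constraints are not modelled, and nothing here touches the running policy.

```python
"""Expand the labeled-IPsec interfaces from the post into raw allow rules
and check the result for gaps.

Added example; not code from the original post or from refpolicy.  The
interface and type names are the ones in the post's xxxx.if / xxxx.te.
"""
from collections import defaultdict

# A rule is (source type, target type, object class, permission).
Rule = tuple[str, str, str, str]

# Types the post uses as SPD entry labels and as SA labels, respectively.
SPD_TYPES = ("unlabeled_t", "passwd_t", "ipsec_spd_t")
SA_TYPES = ("ping_t", "sysadm_t", "sysadm_ssh_t", "sshd_t")


def ipsec_set_label(domain: str) -> set[Rule]:
    # setkey/racoon running as sysadm_t may add SPD/SAD entries labeled `domain`
    # (sysadm_t is hard-wired here exactly as in the post's interface).
    return {("sysadm_t", domain, "association", "setcontext")}


def ipsec_label_sa_pol(sa_type: str, policy_type: str) -> set[Rule]:
    # An SA labeled sa_type is "within range" of an SPD entry labeled policy_type.
    return {(sa_type, policy_type, "association", "polmatch")}


def ipsec_labels_send_recv(domain: str) -> set[Rule]:
    # A socket in `domain` may send/receive over an SA carrying the same type.
    return {(domain, domain, "association", p) for p in ("sendto", "recvfrom")}


def expand_te() -> set[Rule]:
    """The post's xxxx.te with every interface call expanded."""
    rules: set[Rule] = set()
    for t in SPD_TYPES + SA_TYPES:          # the seven ipsec_set_label() calls
        rules |= ipsec_set_label(t)
    for sa in ("ping_t", "sysadm_t"):       # ping and nc SAs match every SPD label
        for pol in SPD_TYPES:
            rules |= ipsec_label_sa_pol(sa, pol)
    for sa in ("sysadm_ssh_t", "sshd_t"):   # ssh SAs only match unlabeled_t policy
        rules |= ipsec_label_sa_pol(sa, "unlabeled_t")
    for d in SA_TYPES:
        rules |= ipsec_labels_send_recv(d)
    # The two cross-type rules the post adds by hand for ssh.
    rules.add(("sysadm_ssh_t", "sshd_t", "association", "recvfrom"))
    rules.add(("sshd_t", "sysadm_ssh_t", "association", "recvfrom"))
    return rules


def allowed(rules: set[Rule], src: str, tgt: str, perm: str) -> bool:
    return (src, tgt, "association", perm) in rules


def render(rules: set[Rule]) -> list[str]:
    """Collapse the rule set into allow statements as checkpolicy would print them."""
    grouped: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for src, tgt, cls, perm in rules:
        grouped[(src, tgt, cls)].add(perm)
    lines = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if tgt == src else tgt
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        lines.append(f"allow {src} {target}:{cls} {perm_text};")
    return lines


def missing_polmatch(rules: set[Rule]) -> dict[str, set[str]]:
    """SA types usable on a socket that cannot polmatch some SPD label.

    racoon's within_range() needs polmatch before it accepts a proposed SA,
    so any SA/policy pair reported here will never be negotiated.
    """
    gaps: dict[str, set[str]] = {}
    for sa in SA_TYPES:
        missing = {pol for pol in SPD_TYPES if not allowed(rules, sa, pol, "polmatch")}
        if missing:
            gaps[sa] = missing
    return gaps


def cross_type_use(rules: set[Rule]) -> set[tuple[str, str, str]]:
    """Socket/SA pairs of different types: the case ipsec_labels_send_recv cannot express."""
    return {(src, tgt, perm) for src, tgt, cls, perm in rules
            if cls == "association" and perm in ("sendto", "recvfrom") and src != tgt}


if __name__ == "__main__":
    expanded = expand_te()
    print("\n".join(render(expanded)))
    print("SA types lacking polmatch to some SPD label:", missing_polmatch(expanded))
    print("cross-type socket/SA use:", cross_type_use(expanded))
```

Running it prints the seventeen merged allow statements and then reports that sshd_t and sysadm_ssh_t SAs can only ever match an unlabeled_t policy entry, which is why the post's ssh test works against unlabeled_t policy but the same rules would not carry ssh traffic under a passwd_t or ipsec_spd_t SPD entry. The cross-type set is the pair of hand-written recvfrom rules, the gap the post's NOTE under ipsec_labels_send_recv() describes.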