[redhat-lspp] labeled ipsec policy
Paul Moore
paul.moore at hp.com
Mon Nov 20 16:24:18 UTC 2006
On Monday 20 November 2006 10:09 am, Joy Latten wrote:
> On Mon, 2006-11-20 at 10:00 -0500, Paul Moore wrote:
> > On Friday 17 November 2006 5:30 pm, Joy Latten wrote:
> > > The following policy enables labeled ipsec to run
> > > in enforcing mode. I configure labeled ipsec in sysadm_r role.
> > > Thus the rules I needed were specific to this role.
> >
> > I'll let the policy gurus comment on the rest of the policy, but I think
> > that we would want only the secadm_r role (in the MLS/LSPP policy) to be
> > able to configure labeled IPsec. Yes?
>
> Actually, I wondered about this too. But when I took a look at the
> policy source, I noticed that in userdomain.te, sysadm_t was allowed
> to execute ipsec programs ipsec_exec_mgmt(sysadm_t), so I just assumed I
> should use sysadm_r role. Not sure if this was correct or not. Tried
> secadm_r role out of curiousity and got quite a lot of avc denied
> messages. So went with sysadm_r. :-)
Hmmm, I suspect this will probably be a problem as the IPsec management tools
serve a dual purpose, they control the IPsec configuration (sysadm_r) as well
as the policy relating to labeling SAs (secadm_r). I guess we'll just have
to settle for sysadm_r and deal with the fact that sysadm_r is going to have
some control over the system's security policy in this case.
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list