[redhat-lspp] Re: labeled ipsec policy
Christopher J. PeBenito
cpebenito at tresys.com
Tue Nov 21 14:10:02 UTC 2006
On Fri, 2006-11-17 at 16:30 -0600, Joy Latten wrote:
> The following policy enables labeled ipsec to run
> in enforcing mode. I configure labeled ipsec in sysadm_r role.
> Thus the rules I needed were specific to this role.
[cut]
> Included are some interfaces, which I used in an xxxx.if
> file. Then, there are a bunch of rules which I used in a xxxx.te file
> These rules were just an example of what I needed
> to get ping, nc, and ssh to work with labeled ipsec. For my
> policy, I used the types unlabeled_t, passwd_t, and ipsec_spd_t.
> When using passwd_t, ipsec_spd_t or any other domain, please be
> mindful of mls constraints.
[cut]
> interface(`ipsec_set_label',`
> 	gen_require(`
> 		type sysadm_t;
> 	')
>
> 	allow sysadm_t $1:association setcontext;
> ')
Interfaces are written from the perspective of the subject (except for a
few very specific cases), so the parameter should be the subject, not
the object. Neglecting that, is this for sysadm_t instead of
ipsec_mgmt_t? I suspect that we want to add an interface to the domain
module that allows setcontext on the domain attribute.
> interface(`ipsec_label_sa_pol',`
> 	allow $1 $2:association polmatch;
> ')
Generally refpolicy would leave this as a raw rule unless these types are in
separate modules, in which case the interface would be in $2's module
and have a specific type instead of $2.
> interface(`ipsec_labels_send_recv',`
> 	allow $1 self:association { recvfrom sendto };
> ')
This would be a raw rule in refpolicy instead of an interface.
> interface(`ipsec_tools_utilities',`
> 	gen_require(`
> 		type isakmp_port_t;
> 		type inaddr_any_node_t;
> 	')
>
> 	# allow setkey and racoon to create and use a key socket.
> 	allow $1 self:key_socket { create read write setopt };
>
> 	# allow racoon to use ISAKMP port
> 	allow $1 isakmp_port_t:udp_socket name_bind;
>
> 	# allow racoon to use avc_has_perm in within_range()
> 	# to determine if proposed SA "polmatches" to policy
> 	allow $1 self:netlink_selinux_socket { bind create read };
>
> 	# I think this is so racoon can listen on an admin port.
> 	allow $1 inaddr_any_node_t:tcp_socket node_bind;
>
> 	# to create, remove read lock in /var/racoon/
> 	ipsec_manage_pid($1)
>
> 	# in grabmyaddrs() socket(PF_ROUTE...)
> 	# create_netlink_socket_perms already expands to a permission set,
> 	# so it is used bare rather than wrapped in a second pair of braces.
> 	allow $1 self:netlink_route_socket create_netlink_socket_perms;
> ')
Again, why is this needed, instead of ipsec_mgmt_t?
I suspect that the ipsec policy needs to be overhauled because I believe
it was oriented towards the KAME ipsec implementation (pluto, et al) and
was augmented to work with racoon afterwards.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
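To illustrate the refpolicy convention discussed above (the interface lives in the module that owns the object type, $1 is the calling subject, and the object type or attribute is pulled in with gen_require), here is an added example, not policy from the thread or from refpolicy itself. The interface names domain_setcontext_all_association and ipsec_match_default_spd are hypothetical; ipsec_spd_t and the domain attribute are existing refpolicy identifiers.

```m4
########################################
## <summary>
##	Set the security context of IPsec security
##	associations (labeled IPsec setcontext) for all domains.
##	Hypothetical interface; would live in the domain module.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access (the subject, as $1).
##	</summary>
## </param>
#
interface(`domain_setcontext_all_association',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:association setcontext;
')

########################################
## <summary>
##	Match (polmatch) IPsec security associations against
##	the default security policy database type.
##	Hypothetical interface; would live in the ipsec module,
##	which owns ipsec_spd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access (the subject, as $1).
##	</summary>
## </param>
#
interface(`ipsec_match_default_spd',`
	gen_require(`
		type ipsec_spd_t;
	')

	allow $1 ipsec_spd_t:association polmatch;
')
```

A caller's .te file would then invoke these as domain_setcontext_all_association(ipsec_mgmt_t) and ipsec_match_default_spd(ipsec_mgmt_t) (or sysadm_t, depending on which domain runs the tools), while the self-only rule allow ipsec_mgmt_t self:association { recvfrom sendto }; stays raw in that .te file, since no other module's type is involved.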