[redhat-lspp] [PATCH 1/1]: shortened labeled ipsec policy

Joy Latten latten at austin.ibm.com
Mon Jan 22 18:27:29 UTC 2007


This patch provides a "shortened" way to provide
labeled ipsec policy. 

Dan Walsh's latest policy includes the ability for
racoon and setkey to run in their own domains.
There are a few permissions left that are needed
for labeled ipsec policy to work in enforcing mode.

My previous patch introduced a new network attribute
which all networking types were included in.
Also, each networking app was provided an interface(s)
to allow other domains the association:recvfrom permission to
its types.

This patch takes a shortcut and eliminates the above 
by using the already existing domain attribute.
It also includes the interface ipsec_labeled, which
permits association:polmatch and association:sendto recvfrom.
These two permissions are needed for labeled ipsec.
The polmatch is needed so networking types can use the
default ipsec_spd_t policy type. And the second
permission allows networking types to send and
receive from other networking domains.

I think we eventually may need my previous patch
that adds an interface to permit association:recvfrom
for each networking type. However, I realize it
is a lengthy patch.  Would the shortcut be ok for now?
I will continue to test/play with it to ensure it works well.

Regards,
Joy
-------------------------------------------------------------------------

diff -urpN serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te serefpolicy-2.4.6.sandbox/policy/modules/kernel/domain.te
--- serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te	2007-01-19 13:52:08.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/kernel/domain.te	2007-01-21 22:00:42.000000000 -0600
@@ -77,6 +77,8 @@ allow domain self:lnk_file r_file_perms;
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
 
+ipsec_labeled(domain)
+
 # create child processes in the domain
 allow domain self:process { fork sigchld };
 
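Review bot: calling ipsec_labeled(domain) here applies the interface to every type that carries the domain attribute, and because the interface body in ipsec.if has "allow $1 domain:association { sendto recvfrom };", the expansion is "allow domain domain:association { sendto recvfrom };". Any domain may then send to and receive from an association labeled with any other domain, so for these two permissions the SA label no longer restricts anything at the type-enforcement level (constraints, if any, are not visible in this patch). If the shortcut is accepted as interim, put a comment above the call saying so. Since domain.te sits in the kernel layer and ipsec.if in the system layer, the call should also be wrapped in optional_policy so that domain.te does not depend unconditionally on the ipsec module.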
diff -urpN serefpolicy-2.4.6.orig/policy/modules/system/ipsec.if serefpolicy-2.4.6.sandbox/policy/modules/system/ipsec.if
--- serefpolicy-2.4.6.orig/policy/modules/system/ipsec.if	2007-01-19 13:52:12.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/system/ipsec.if	2007-01-21 22:00:42.000000000 -0600
@@ -199,3 +199,22 @@ interface(`ipsec_tools_run',`
 	role $2 types setkey_t;
 	allow setkey_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Allow an IPsec SA to be used by an IPsec Policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_labeled',`
+	gen_require(`
+		type ipsec_spd_t;
+	')
+
+	allow $1 ipsec_spd_t:association polmatch;
+	allow $1 domain:association { sendto recvfrom };
+')
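Review bot: the second allow rule in ipsec_labeled targets domain:association, but the gen_require block only declares "type ipsec_spd_t;". Add "attribute domain;" to the gen_require so the interface declares everything it depends on. The summary also describes only the polmatch rule ("Allow an IPsec SA to be used by an IPsec Policy"); it should state that the caller additionally gets sendto and recvfrom on associations of all domains, since that is the broader of the two grants and a reader of the interface documentation would otherwise miss it.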
diff -urpN serefpolicy-2.4.6.orig/policy/modules/system/userdomain.te serefpolicy-2.4.6.sandbox/policy/modules/system/userdomain.te
--- serefpolicy-2.4.6.orig/policy/modules/system/userdomain.te	2007-01-19 13:52:11.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/system/userdomain.te	2007-01-21 22:27:02.000000000 -0600
@@ -277,7 +277,6 @@ ifdef(`strict_policy',`
 		# for lsof
 		ipsec_getattr_key_sockets(sysadm_t)
 		ipsec_tools_run(sysadm_t,sysadm_r,admin_terminal)
-#		ipsec_labeled(sysadm_t)
 	')
 
 	optional_policy(`
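Review bot: the line removed from the strict_policy block was already commented out, so this hunk changes no rules; sysadm_t now obtains these permissions only through the ipsec_labeled(domain) call added in domain.te, assuming sysadm_t carries the domain attribute. If that domain-wide call is later replaced by per-type interfaces, an explicit ipsec_labeled(sysadm_t) would be needed here again, so the dependency is worth a sentence in the patch description.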



