[redhat-lspp] [PATCH 1/1]: shortened labeled ipsec policy
Joy Latten
latten at austin.ibm.com
Mon Jan 22 18:27:29 UTC 2007
This patch provides a "shortened" way to provide
labeled ipsec policy.
Dan Walsh's latest policy includes the ability for
racoon and setkey to run in their own domains.
There are a few permissions left that are needed
for labeled ipsec policy to work in enforcing mode.
My previous patch introduced a new network attribute
which all networking types were included in.
Also, each networking app was provided an interface(s)
to allow other domains the association:recvfrom permission to
its types.
This patch takes a shortcut and eliminates the above
by using the already existing domain attribute.
It also includes the interface ipsec_labeled, which
permits association:polmatch and associations:sendto recvfrom.
These two permissions are needed for labeled ipsec.
The polmatch, so networking types can use the
default ipsec_spd_t policy type. And the second
permission allows networking types to send and
receive from other networking domains.
I think we eventually may need my previous patch
that adds an interface to permit association:recvfrom
for each networking type. However, I realize it
is a lengthy patch. Would the shortcut be ok for now?
I will continue to test/play with it to ensure it works well.
Regards,
Joy
-------------------------------------------------------------------------
diff -urpN serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te serefpolicy-2.4.6.sandbox/policy/modules/kernel/domain.te
--- serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te 2007-01-19 13:52:08.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/kernel/domain.te 2007-01-21 22:00:42.000000000 -0600
@@ -77,6 +77,8 @@ allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+ipsec_labeled(domain)
+
# create child processes in the domain
allow domain self:process { fork sigchld };
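Review bot: The `ipsec_labeled(domain)` call is made unconditionally from the kernel-layer domain.te, but the interface is defined in policy/modules/system/ipsec.if, so domain.te now depends on the ipsec module being present in every build. If ipsec can be left out of a build, wrap the call in an `optional_policy` block. A comment above the call would also help: combined with the second rule of the interface it expands to `allow domain domain:association { sendto recvfrom };`, so every domain may send to and receive from every other domain's associations. That is the shortcut the description says may later be replaced by per-type interfaces, and the source should say so.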
diff -urpN serefpolicy-2.4.6.orig/policy/modules/system/ipsec.if serefpolicy-2.4.6.sandbox/policy/modules/system/ipsec.if
--- serefpolicy-2.4.6.orig/policy/modules/system/ipsec.if 2007-01-19 13:52:12.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/system/ipsec.if 2007-01-21 22:00:42.000000000 -0600
@@ -199,3 +199,22 @@ interface(`ipsec_tools_run',`
role $2 types setkey_t;
allow setkey_t $3:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Allow an IPsec SA to be used by an IPsec Policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_labeled',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 domain:association { sendto recvfrom };
+')
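Review bot: The `gen_require` block in `ipsec_labeled` declares only `type ipsec_spd_t;`, yet the second allow rule references the `domain` attribute. Add `attribute domain;` to the require block so the interface does not depend on the caller already having `domain` in scope. The summary text also covers only the polmatch rule; it should state that the interface additionally grants `sendto` and `recvfrom` on the associations of all domains, since that is the broader of the two permissions.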
diff -urpN serefpolicy-2.4.6.orig/policy/modules/system/userdomain.te serefpolicy-2.4.6.sandbox/policy/modules/system/userdomain.te
--- serefpolicy-2.4.6.orig/policy/modules/system/userdomain.te 2007-01-19 13:52:11.000000000 -0600
+++ serefpolicy-2.4.6.sandbox/policy/modules/system/userdomain.te 2007-01-21 22:27:02.000000000 -0600
@@ -277,7 +277,6 @@ ifdef(`strict_policy',`
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
ipsec_tools_run(sysadm_t,sysadm_r,admin_terminal)
-# ipsec_labeled(sysadm_t)
')
optional_policy(`
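Review bot: The line removed from userdomain.te, `# ipsec_labeled(sysadm_t)`, was already commented out, so this hunk changes no policy. The patch description does not mention userdomain.te; a sentence there saying the commented-out call is dropped because the domain-wide call now covers sysadm_t would make the intent clear.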