Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
---
policy/modules/system/ipsec.fc | 17 ++++++++++++
policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
2 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
/usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -19,17 +27,25 @@
/usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -39,5 +55,6 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d5bcfd8..3a3e6d5 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
########################################
#
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
@@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+ modutils_domtrans_insmod(ipsec_supervisor_t)
+')
--
2.4.9
On 10/11/2015 6:37 AM, Jason Zaman wrote:
> Adds an ipsec_supervisor_t domain for StrongSwan's starter.
> Thanks to Matthias Dahl for most of the work on this.
Merged, with some rearrangements.
> ---
> policy/modules/system/ipsec.fc | 17 ++++++++++++
> policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
> 2 files changed, 74 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
> index 0f1e351..d42b08e 100644
> --- a/policy/modules/system/ipsec.fc
> +++ b/policy/modules/system/ipsec.fc
> @@ -10,6 +10,14 @@
>
> /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>
> +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
> +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
> +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
> +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
> +
> /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>
> /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> @@ -19,17 +27,25 @@
> /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>
> +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
> +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>
> /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
> /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
> +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>
> /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>
> @@ -39,5 +55,6 @@
>
> /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>
> +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
> /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
> /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d5bcfd8..3a3e6d5 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -67,19 +67,25 @@ type setkey_exec_t;
> init_system_domain(setkey_t, setkey_exec_t)
> role system_r types setkey_t;
>
> +type ipsec_supervisor_t;
> +type ipsec_supervisor_exec_t;
> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
> +role system_r types ipsec_supervisor_t;
> +
> ########################################
> #
> # ipsec Local policy
> #
>
> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
> dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
> allow ipsec_t self:process { getcap setcap getsched signal setsched };
> allow ipsec_t self:tcp_socket create_stream_socket_perms;
> allow ipsec_t self:udp_socket create_socket_perms;
> allow ipsec_t self:key_socket create_socket_perms;
> -allow ipsec_t self:fifo_file read_fifo_file_perms;
> +allow ipsec_t self:fifo_file rw_fifo_file_perms;
> allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>
> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
> allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
>
> kernel_read_kernel_sysctls(ipsec_t)
> -kernel_read_net_sysctls(ipsec_t)
> +kernel_rw_net_sysctls(ipsec_t);
> kernel_list_proc(ipsec_t)
> kernel_read_proc_symlinks(ipsec_t)
> # allow pluto to access /proc/net/ipsec_eroute;
> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
> allow ipsec_mgmt_t self:key_socket create_socket_perms;
> allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
>
> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
> +
> allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
> files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
>
> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
> allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
>
> domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
>
> kernel_rw_net_sysctls(ipsec_mgmt_t)
> # allow pluto to access /proc/net/ipsec_eroute;
> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
>
> userdom_use_user_terminals(setkey_t)
>
> +########################################
> +#
> +# ipsec_supervisor policy
> +#
> +
> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
> +allow ipsec_supervisor_t self:process { signal };
> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
> +
> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
> +
> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
> +
> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
> +allow ipsec_supervisor_t ipsec_t:process { signal };
> +
> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
> +
> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
> +
> +kernel_read_network_state(ipsec_supervisor_t)
> +kernel_read_system_state(ipsec_supervisor_t)
> +kernel_rw_net_sysctls(ipsec_supervisor_t);
> +
> +corecmd_exec_bin(ipsec_supervisor_t);
> +corecmd_exec_shell(ipsec_supervisor_t)
> +
> +dev_read_rand(ipsec_supervisor_t);
> +dev_read_urand(ipsec_supervisor_t);
> +
> +files_read_etc_files(ipsec_supervisor_t);
> +
> +logging_send_syslog_msg(ipsec_supervisor_t);
> +
> +miscfiles_read_localization(ipsec_supervisor_t);
> +
> +optional_policy(`
> + modutils_domtrans_insmod(ipsec_supervisor_t)
> +')
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 10/12/2015 03:31 PM, Christopher J. PeBenito wrote:
> On 10/11/2015 6:37 AM, Jason Zaman wrote:
>> Adds an ipsec_supervisor_t domain for StrongSwan's starter.
>> Thanks to Matthias Dahl for most of the work on this.
>
> Merged, with some rearrangements.
>
>> ---
>> policy/modules/system/ipsec.fc | 17 ++++++++++++
>> policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
>> 2 files changed, 74 insertions(+), 3 deletions(-)
>>
>> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
>> index 0f1e351..d42b08e 100644
>> --- a/policy/modules/system/ipsec.fc
>> +++ b/policy/modules/system/ipsec.fc
>> @@ -10,6 +10,14 @@
>>
>> /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>>
>> +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>> +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>> +
>> /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>>
>> /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> @@ -19,17 +27,25 @@
>> /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>
>> +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
>> +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>
>> /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>> /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
>> /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>> +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>
>> /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>
>> @@ -39,5 +55,6 @@
>>
>> /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>
>> +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
>> /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>> /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>> index d5bcfd8..3a3e6d5 100644
>> --- a/policy/modules/system/ipsec.te
>> +++ b/policy/modules/system/ipsec.te
>> @@ -67,19 +67,25 @@ type setkey_exec_t;
>> init_system_domain(setkey_t, setkey_exec_t)
>> role system_r types setkey_t;
>>
>> +type ipsec_supervisor_t;
>> +type ipsec_supervisor_exec_t;
>> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
>> +role system_r types ipsec_supervisor_t;
>> +
>> ########################################
>> #
>> # ipsec Local policy
>> #
>>
>> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
>> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
>> dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
>> allow ipsec_t self:process { getcap setcap getsched signal setsched };
>> allow ipsec_t self:tcp_socket create_stream_socket_perms;
>> allow ipsec_t self:udp_socket create_socket_perms;
>> allow ipsec_t self:key_socket create_socket_perms;
>> -allow ipsec_t self:fifo_file read_fifo_file_perms;
>> +allow ipsec_t self:fifo_file rw_fifo_file_perms;
>> allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
>> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>>
>> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
>> allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
>>
>> kernel_read_kernel_sysctls(ipsec_t)
>> -kernel_read_net_sysctls(ipsec_t)
>> +kernel_rw_net_sysctls(ipsec_t);
>> kernel_list_proc(ipsec_t)
>> kernel_read_proc_symlinks(ipsec_t)
>> # allow pluto to access /proc/net/ipsec_eroute;
>> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
>> allow ipsec_mgmt_t self:key_socket create_socket_perms;
>> allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
>>
>> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
>> +
>> allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
>> files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
>>
>> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
>> allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
>>
>> domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
>> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
>>
>> kernel_rw_net_sysctls(ipsec_mgmt_t)
>> # allow pluto to access /proc/net/ipsec_eroute;
>> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
>>
>> userdom_use_user_terminals(setkey_t)
>>
>> +########################################
>> +#
>> +# ipsec_supervisor policy
>> +#
>> +
>> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
>> +allow ipsec_supervisor_t self:process { signal };
>> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
>> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
>> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
>> +
>> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
>> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
>> +
>> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
>> +
>> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
>> +allow ipsec_supervisor_t ipsec_t:process { signal };
>> +
>> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
>> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
>> +
>> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
>> +
>> +kernel_read_network_state(ipsec_supervisor_t)
>> +kernel_read_system_state(ipsec_supervisor_t)
>> +kernel_rw_net_sysctls(ipsec_supervisor_t);
>> +
>> +corecmd_exec_bin(ipsec_supervisor_t);
>> +corecmd_exec_shell(ipsec_supervisor_t)
>> +
>> +dev_read_rand(ipsec_supervisor_t);
>> +dev_read_urand(ipsec_supervisor_t);
>> +
>> +files_read_etc_files(ipsec_supervisor_t);
>> +
>> +logging_send_syslog_msg(ipsec_supervisor_t);
>> +
>> +miscfiles_read_localization(ipsec_supervisor_t);
>> +
>> +optional_policy(`
>> + modutils_domtrans_insmod(ipsec_supervisor_t)
>> +')
>>
>
>
Hi guys,
what is a purpose of this new domain? Maybe I overlooked something but
why we need to have a new domain instead of ipsec_mgmt_t which has these
rules.
Regards,
Miroslav
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
On 10/26/2015 5:06 PM, Miroslav Grepl wrote:
> On 10/12/2015 03:31 PM, Christopher J. PeBenito wrote:
>> On 10/11/2015 6:37 AM, Jason Zaman wrote:
>>> Adds an ipsec_supervisor_t domain for StrongSwan's starter.
>>> Thanks to Matthias Dahl for most of the work on this.
>>
>> Merged, with some rearrangements.
>>
>>> ---
>>> policy/modules/system/ipsec.fc | 17 ++++++++++++
>>> policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++---
>>> 2 files changed, 74 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
>>> index 0f1e351..d42b08e 100644
>>> --- a/policy/modules/system/ipsec.fc
>>> +++ b/policy/modules/system/ipsec.fc
>>> @@ -10,6 +10,14 @@
>>>
>>> /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>>>
>>> +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>>> +
>>> +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>>> +
>>> +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
>>> +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>>> +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
>>> +
>>> /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>>>
>>> /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>> @@ -19,17 +27,25 @@
>>> /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>>
>>> +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>> /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>> +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
>>> +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>>
>>> /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>> /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
>>> /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
>>> +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>>
>>> /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>>
>>> @@ -39,5 +55,6 @@
>>>
>>> /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>>
>>> +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>> /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>> /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
>>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>>> index d5bcfd8..3a3e6d5 100644
>>> --- a/policy/modules/system/ipsec.te
>>> +++ b/policy/modules/system/ipsec.te
>>> @@ -67,19 +67,25 @@ type setkey_exec_t;
>>> init_system_domain(setkey_t, setkey_exec_t)
>>> role system_r types setkey_t;
>>>
>>> +type ipsec_supervisor_t;
>>> +type ipsec_supervisor_exec_t;
>>> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
>>> +role system_r types ipsec_supervisor_t;
>>> +
>>> ########################################
>>> #
>>> # ipsec Local policy
>>> #
>>>
>>> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
>>> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
>>> dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
>>> allow ipsec_t self:process { getcap setcap getsched signal setsched };
>>> allow ipsec_t self:tcp_socket create_stream_socket_perms;
>>> allow ipsec_t self:udp_socket create_socket_perms;
>>> allow ipsec_t self:key_socket create_socket_perms;
>>> -allow ipsec_t self:fifo_file read_fifo_file_perms;
>>> +allow ipsec_t self:fifo_file rw_fifo_file_perms;
>>> allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
>>> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
>>>
>>> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>>>
>>> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
>>> allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
>>>
>>> kernel_read_kernel_sysctls(ipsec_t)
>>> -kernel_read_net_sysctls(ipsec_t)
>>> +kernel_rw_net_sysctls(ipsec_t);
>>> kernel_list_proc(ipsec_t)
>>> kernel_read_proc_symlinks(ipsec_t)
>>> # allow pluto to access /proc/net/ipsec_eroute;
>>> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
>>> allow ipsec_mgmt_t self:key_socket create_socket_perms;
>>> allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
>>>
>>> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
>>> +
>>> allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
>>> files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
>>>
>>> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
>>> allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
>>>
>>> domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
>>> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
>>>
>>> kernel_rw_net_sysctls(ipsec_mgmt_t)
>>> # allow pluto to access /proc/net/ipsec_eroute;
>>> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t)
>>>
>>> userdom_use_user_terminals(setkey_t)
>>>
>>> +########################################
>>> +#
>>> +# ipsec_supervisor policy
>>> +#
>>> +
>>> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
>>> +allow ipsec_supervisor_t self:process { signal };
>>> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
>>> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
>>> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
>>> +
>>> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
>>> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
>>> +
>>> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
>>> +
>>> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
>>> +allow ipsec_supervisor_t ipsec_t:process { signal };
>>> +
>>> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
>>> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>>> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
>>> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
>>> +
>>> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
>>> +
>>> +kernel_read_network_state(ipsec_supervisor_t)
>>> +kernel_read_system_state(ipsec_supervisor_t)
>>> +kernel_rw_net_sysctls(ipsec_supervisor_t);
>>> +
>>> +corecmd_exec_bin(ipsec_supervisor_t);
>>> +corecmd_exec_shell(ipsec_supervisor_t)
>>> +
>>> +dev_read_rand(ipsec_supervisor_t);
>>> +dev_read_urand(ipsec_supervisor_t);
>>> +
>>> +files_read_etc_files(ipsec_supervisor_t);
>>> +
>>> +logging_send_syslog_msg(ipsec_supervisor_t);
>>> +
>>> +miscfiles_read_localization(ipsec_supervisor_t);
>>> +
>>> +optional_policy(`
>>> + modutils_domtrans_insmod(ipsec_supervisor_t)
>>> +')
>>>
>>
>>
>
> Hi guys,
> what is a purpose of this new domain? Maybe I overlooked something but
> why we need to have a new domain instead of ipsec_mgmt_t which has these
> rules.
Fair point. It looks like ipsec_supervisor_t is a proper subset of
ipsec_mgmt_t. Jason is there a reason ipsec_mgmt_t didn't work?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com