From: jason@perfinion.com (Jason Zaman) Date: Mon, 8 Jun 2015 13:29:22 +0400 Subject: [refpolicy] [PATCH 2/3] Introduce ipsec_admin interface In-Reply-To: <1433755763-30704-1-git-send-email-jason@perfinion.com> References: <1433755763-30704-1-git-send-email-jason@perfinion.com> Message-ID: <1433755763-30704-2-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com --- policy/modules/roles/sysadm.te | 8 +------ policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 7 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 55e0179..5c4b3fc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -168,13 +168,7 @@ optional_policy(` ') optional_policy(` - # allow system administrator to use the ipsec script to look - # at things (e.g., ipsec auto --status) - # probably should create an ipsec_admin role for this kind of thing - ipsec_exec_mgmt(sysadm_t) - ipsec_stream_connect(sysadm_t) - # for lsof - ipsec_getattr_key_sockets(sysadm_t) + ipsec_admin(sysadm_t, sysadm_r) ') optional_policy(` diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 0d4c8d3..6e8739f 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') + +######################################## +## +## All of the rules required to +## administrate an ipsec environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ipsec_admin',` + gen_require(` + type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t; + type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; + type ipsec_var_run_t, ipsec_mgmt_lock_t; + type ipsec_mgmt_var_run_t, racoon_tmp_t; + ') + + allow $1 ipsec_t:process { ptrace signal_perms }; + ps_process_pattern($1, ipsec_t) + + init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t) + + ipsec_exec_mgmt(sysadm_t) + ipsec_stream_connect(sysadm_t) + # for lsof + ipsec_getattr_key_sockets(sysadm_t) + + files_list_etc($1) + admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t }) + + files_list_tmp($1) + admin_pattern($1, { ipsec_tmp_t racoon_tmp_t }) + + files_list_pids($1) + admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t }) + + files_list_locks($1) + admin_pattern($1, ipsec_mgmt_lock_t) + + logging_list_logs($1) + admin_pattern($1, ipsec_log_t) +') -- 2.3.6