From: jason@perfinion.com (Jason Zaman) Date: Tue, 9 Jun 2015 00:13:29 +0400 Subject: [refpolicy] [PATCH 2/3] Introduce ipsec_admin interface In-Reply-To: <1433755763-30704-2-git-send-email-jason@perfinion.com> References: <1433755763-30704-1-git-send-email-jason@perfinion.com> <1433755763-30704-2-git-send-email-jason@perfinion.com> Message-ID: <20150608201329.GA11371@meriadoc.Home> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, Jun 08, 2015 at 01:29:22PM +0400, Jason Zaman wrote: > --- > policy/modules/roles/sysadm.te | 8 +------ > policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 52 insertions(+), 7 deletions(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 55e0179..5c4b3fc 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -168,13 +168,7 @@ optional_policy(` > ') > > optional_policy(` > - # allow system administrator to use the ipsec script to look > - # at things (e.g., ipsec auto --status) > - # probably should create an ipsec_admin role for this kind of thing > - ipsec_exec_mgmt(sysadm_t) > - ipsec_stream_connect(sysadm_t) > - # for lsof > - ipsec_getattr_key_sockets(sysadm_t) > + ipsec_admin(sysadm_t, sysadm_r) Do not commit this one yet. I want to setup ipsec properly and test this part. It is really messy I think I will end up creating an ipsec_role also. -- Jason > ') > > optional_policy(` > diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if > index 0d4c8d3..6e8739f 100644 > --- a/policy/modules/system/ipsec.if > +++ b/policy/modules/system/ipsec.if > @@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',` > ipsec_domtrans_setkey($1) > role $2 types setkey_t; > ') > + > +######################################## > +##

> +## All of the rules required to > +## administrate an ipsec environment. > +##

> +## > +##

> +## Domain allowed access. > +##

> +## > +## > +##

> +## Role allowed access. > +##

> +## > +## > +# > +interface(`ipsec_admin',` > + gen_require(` > + type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t; > + type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; > + type ipsec_var_run_t, ipsec_mgmt_lock_t; > + type ipsec_mgmt_var_run_t, racoon_tmp_t; > + ') > + > + allow $1 ipsec_t:process { ptrace signal_perms }; > + ps_process_pattern($1, ipsec_t) > + > + init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t) > + > + ipsec_exec_mgmt(sysadm_t) > + ipsec_stream_connect(sysadm_t) > + # for lsof > + ipsec_getattr_key_sockets(sysadm_t) > + > + files_list_etc($1) > + admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t }) > + > + files_list_tmp($1) > + admin_pattern($1, { ipsec_tmp_t racoon_tmp_t }) > + > + files_list_pids($1) > + admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t }) > + > + files_list_locks($1) > + admin_pattern($1, ipsec_mgmt_lock_t) > + > + logging_list_logs($1) > + admin_pattern($1, ipsec_log_t) > +') > -- > 2.3.6 >