From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 14 Jul 2015 11:17:59 -0400 Subject: [refpolicy] [PATCH 2/4] Introduce ipsec_admin interface In-Reply-To: <1436606147-6943-2-git-send-email-jason@perfinion.com> References: <1436606147-6943-1-git-send-email-jason@perfinion.com> <1436606147-6943-2-git-send-email-jason@perfinion.com> Message-ID: <55A52827.3090900@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 7/11/2015 5:15 AM, Jason Zaman wrote: > --- > policy/modules/roles/sysadm.te | 8 +------ > policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 52 insertions(+), 7 deletions(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 0a6b4b2..253f6ba 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -473,13 +473,7 @@ optional_policy(` > ') > > optional_policy(` > - # allow system administrator to use the ipsec script to look > - # at things (e.g., ipsec auto --status) > - # probably should create an ipsec_admin role for this kind of thing > - ipsec_exec_mgmt(sysadm_t) > - ipsec_stream_connect(sysadm_t) > - # for lsof > - ipsec_getattr_key_sockets(sysadm_t) > + ipsec_admin(sysadm_t, sysadm_r) > ') > > optional_policy(` > diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if > index 0d4c8d3..3d64054 100644 > --- a/policy/modules/system/ipsec.if > +++ b/policy/modules/system/ipsec.if > @@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',` > ipsec_domtrans_setkey($1) > role $2 types setkey_t; > ') > + > +######################################## > +##

> +## All of the rules required to > +## administrate an ipsec environment. > +##

> +## > +##

> +## Domain allowed access. > +##

> +## > +## > +##

> +## Role allowed access. > +##

> +## > +## > +# > +interface(`ipsec_admin',` > + gen_require(` > + type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t; > + type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; > + type ipsec_var_run_t, ipsec_mgmt_lock_t; > + type ipsec_mgmt_var_run_t, racoon_tmp_t; > + ') > + > + allow $1 ipsec_t:process { ptrace signal_perms }; > + ps_process_pattern($1, ipsec_t) > + > + init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t) > + > + ipsec_exec_mgmt($1) > + ipsec_stream_connect($1) > + # for lsof > + ipsec_getattr_key_sockets($1) > + > + files_search_etc($1) > + admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t }) > + > + files_search_tmp($1) > + admin_pattern($1, { ipsec_tmp_t racoon_tmp_t }) > + > + files_search_pids($1) > + admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t }) > + > + files_search_locks($1) > + admin_pattern($1, ipsec_mgmt_lock_t) > + > + logging_search_logs($1) > + admin_pattern($1, ipsec_log_t) > +') Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com