From: mgrepl@redhat.com (Miroslav Grepl) Date: Mon, 26 Oct 2015 22:06:54 +0100 Subject: [refpolicy] [PATCH] system/ipsec: Add policy for StrongSwan In-Reply-To: <561BB646.2060801@tresys.com> References: <1444559876-8098-1-git-send-email-jason@perfinion.com> <561BB646.2060801@tresys.com> Message-ID: <562E95EE.2090507@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/12/2015 03:31 PM, Christopher J. PeBenito wrote: > On 10/11/2015 6:37 AM, Jason Zaman wrote: >> Adds an ipsec_supervisor_t domain for StrongSwan's starter. >> Thanks to Matthias Dahl for most of the work on this. > > Merged, with some rearrangements. > >> --- >> policy/modules/system/ipsec.fc | 17 ++++++++++++ >> policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++--- >> 2 files changed, 74 insertions(+), 3 deletions(-) >> >> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc >> index 0f1e351..d42b08e 100644 >> --- a/policy/modules/system/ipsec.fc >> +++ b/policy/modules/system/ipsec.fc >> @@ -10,6 +10,14 @@ >> >> /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) >> >> +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) >> + >> +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) >> + >> +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) >> +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0) >> +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) >> + >> /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) >> >> /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> @@ -19,17 +27,25 @@ >> /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> >> +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0) >> +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0) >> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> >> /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) >> /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) >> +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) >> >> /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) >> >> @@ -39,5 +55,6 @@ >> >> /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) >> >> +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0) >> /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) >> /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) >> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te >> index d5bcfd8..3a3e6d5 100644 >> --- a/policy/modules/system/ipsec.te >> +++ b/policy/modules/system/ipsec.te >> @@ -67,19 +67,25 @@ type setkey_exec_t; >> init_system_domain(setkey_t, setkey_exec_t) >> role system_r types setkey_t; >> >> +type ipsec_supervisor_t; >> +type ipsec_supervisor_exec_t; >> +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t); >> +role system_r types ipsec_supervisor_t; >> + >> ######################################## >> # >> # ipsec Local policy >> # >> >> -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; >> +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice }; >> dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; >> allow ipsec_t self:process { getcap setcap getsched signal setsched }; >> allow ipsec_t self:tcp_socket create_stream_socket_perms; >> allow ipsec_t self:udp_socket create_socket_perms; >> allow ipsec_t self:key_socket create_socket_perms; >> -allow ipsec_t self:fifo_file read_fifo_file_perms; >> +allow ipsec_t self:fifo_file rw_fifo_file_perms; >> allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; >> +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms; >> >> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; >> >> @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; >> allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; >> >> kernel_read_kernel_sysctls(ipsec_t) >> -kernel_read_net_sysctls(ipsec_t) >> +kernel_rw_net_sysctls(ipsec_t); >> kernel_list_proc(ipsec_t) >> kernel_read_proc_symlinks(ipsec_t) >> # allow pluto to access /proc/net/ipsec_eroute; >> @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; >> allow ipsec_mgmt_t self:key_socket create_socket_perms; >> allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; >> >> +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; >> + >> allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; >> files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) >> >> @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) >> allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; >> >> domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) >> +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t); >> >> kernel_rw_net_sysctls(ipsec_mgmt_t) >> # allow pluto to access /proc/net/ipsec_eroute; >> @@ -444,3 +453,48 @@ seutil_read_config(setkey_t) >> >> userdom_use_user_terminals(setkey_t) >> >> +######################################## >> +# >> +# ipsec_supervisor policy >> +# >> + >> +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin }; >> +allow ipsec_supervisor_t self:process { signal }; >> +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; >> +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms; >> +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms; >> + >> +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms; >> +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t); >> + >> +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t) >> + >> +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto }; >> +allow ipsec_supervisor_t ipsec_t:process { signal }; >> + >> +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink }; >> +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) >> +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) >> +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file }) >> + >> +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t); >> + >> +kernel_read_network_state(ipsec_supervisor_t) >> +kernel_read_system_state(ipsec_supervisor_t) >> +kernel_rw_net_sysctls(ipsec_supervisor_t); >> + >> +corecmd_exec_bin(ipsec_supervisor_t); >> +corecmd_exec_shell(ipsec_supervisor_t) >> + >> +dev_read_rand(ipsec_supervisor_t); >> +dev_read_urand(ipsec_supervisor_t); >> + >> +files_read_etc_files(ipsec_supervisor_t); >> + >> +logging_send_syslog_msg(ipsec_supervisor_t); >> + >> +miscfiles_read_localization(ipsec_supervisor_t); >> + >> +optional_policy(` >> + modutils_domtrans_insmod(ipsec_supervisor_t) >> +') >> > > Hi guys, what is a purpose of this new domain? Maybe I overlooked something but why we need to have a new domain instead of ipsec_mgmt_t which has these rules. Regards, Miroslav -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.