From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 25 Jul 2018 20:37:24 +0200
Subject: [refpolicy] [PATCH 1/1] ipsec: add missing permissions for pluto
In-Reply-To: <20180725143313.2387-1-yuli@crunchydata.com>
References: <20180725143313.2387-1-yuli@crunchydata.com>
Message-ID: <20180725183724.GA27758@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Jul 25, 2018 at 10:33:13AM -0400, Yuli Khodorkovskiy via refpolicy wrote:
> When using libreswan, pluto needs permissions for building the
> Security Association Database and for setting contexts on IPSec
> policy and SAs.
>

I am fine with this; I just wanted to share some considerations inline below.

> Signed-off-by: Yuli Khodorkovskiy
> ---
>  policy/modules/system/ipsec.te | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 867aefc4..e7ac88f2 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -212,6 +212,12 @@ domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) > read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) > read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) > > +# allow pluto to build Security Association Database > +ipsec_setcontext_default_spd(ipsec_t) I would probably consider instead: corenet_setcontext_all_spds(ipsec_t) That will make it easier to declare new spds and then associate them. You dont have to worry then about whether ipsec_t can setcontext If its an ipsec spd then pluto can setcontext automatically > + > +# allow pluto to set contexts on ipsec policy and SAs > +domain_ipsec_setcontext_all_domains(ipsec_t) This in practice could probably be limited to domains with network access. (which are nss clients as well) > + > allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; > > manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) > -- > 2.18.0 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180725/49714916/attachment.bin
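Review bot: the two added rules are for ipsec_t but are placed among the ipsec_mgmt_t rules (the surrounding context lines are `read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)` and `allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;`); move them to the ipsec_t section of ipsec.te so that each domain's policy stays in one place. Also, `ipsec_setcontext_default_spd(ipsec_t)` has ipsec.te calling its own module's interface, which is not refpolicy style: inside the module write the underlying allow rule directly, or take the `corenet_setcontext_all_spds(ipsec_t)` alternative raised above, which comes from another module. Finally, `domain_ipsec_setcontext_all_domains(ipsec_t)` grants setcontext on every domain's associations; the commit message should state why pluto needs all domains rather than only the network-facing ones, so the reviewer can judge whether the narrower grant suggested above is sufficient.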