From: yuli.khodorkovskiy@crunchydata.com (Yuli Khodorkovskiy)
Date: Thu, 26 Jul 2018 10:58:26 -0400
Subject: [refpolicy] [PATCH 1/1] ipsec: add missing permissions for pluto
In-Reply-To: <20180725183724.GA27758@julius.enp8s0.d30>
References: <20180725143313.2387-1-yuli@crunchydata.com>
 <20180725183724.GA27758@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> On Jul 25, 2018, at 2:37 PM, Dominick Grift wrote:
>
> On Wed, Jul 25, 2018 at 10:33:13AM -0400, Yuli Khodorkovskiy via refpolicy wrote:
>> When using libreswan, pluto needs permissions for building the
>> Security Association Database and for setting contexts on IPSec
>> policy and SAs.
>>
>
> I am fine with this, just wanted to share some considerations inline below.
>
>> Signed-off-by: Yuli Khodorkovskiy
>> ---
>> policy/modules/system/ipsec.te | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>> index 867aefc4..e7ac88f2 100644
>> --- a/policy/modules/system/ipsec.te
>> +++ b/policy/modules/system/ipsec.te
>> @@ -212,6 +212,12 @@ domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
>> read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
>> read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
>>
>> +# allow pluto to build Security Association Database
>> +ipsec_setcontext_default_spd(ipsec_t)
>
> I would probably consider instead: corenet_setcontext_all_spds(ipsec_t)
>
> That will make it easier to declare new spds and then associate them. You don't have to worry then about whether ipsec_t can setcontext.
>
> If it's an ipsec spd then pluto can setcontext automatically.

I like this better. I'll send a second version.

>
>> +
>> +# allow pluto to set contexts on ipsec policy and SAs
>> +domain_ipsec_setcontext_all_domains(ipsec_t)
>
> This in practice could probably be limited to domains with network access. (which are nss clients as well)

I can't find a network domain attribute nor an interface setcontext on network domain associations.

>
>> +
>> allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
>>
>> manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
>> --
>> 2.18.0
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
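Review bot: the two added rules grant permissions to ipsec_t but are placed in the middle of the ipsec_mgmt_t rules in ipsec.te; every context line around them, from `domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)` in the hunk header down to `manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)`, belongs to ipsec_mgmt_t, so the new `ipsec_setcontext_default_spd(ipsec_t)` and `domain_ipsec_setcontext_all_domains(ipsec_t)` calls should move into the ipsec_t local policy block, where a reader auditing what pluto's domain may do will look for them. The comment `# allow pluto to build Security Association Database` also does not describe the rule under it: `ipsec_setcontext_default_spd` is a security policy database (SPD) setcontext interface, not an SAD one, so reword the comment to say what the rule actually grants. Finally, `domain_ipsec_setcontext_all_domains(ipsec_t)` is the widest grant on offer, which the thread already flags; if the second version keeps it, the commit message should state why a narrower set of domains was not possible, so the breadth is documented rather than implicit.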