From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 26 Jul 2018 17:06:56 +0200
Subject: [refpolicy] [PATCH 1/1] ipsec: add missing permissions for pluto
In-Reply-To: 
References: <20180725143313.2387-1-yuli@crunchydata.com> <20180725183724.GA27758@julius.enp8s0.d30>
Message-ID: <20180726150656.GA28965@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jul 26, 2018 at 10:58:26AM -0400, Yuli Khodorkovskiy wrote:
> 
> 
> > On Jul 25, 2018, at 2:37 PM, Dominick Grift wrote:
> > 
> > On Wed, Jul 25, 2018 at 10:33:13AM -0400, Yuli Khodorkovskiy via refpolicy wrote:
> >> When using libreswan, pluto needs permissions for building the
> >> Security Association Database and for setting contexts on IPSec
> >> policy and SAs.
> >> 
> > 
> > I am fine with this, just wanted to share some considerations inline below.
> > 
> >> Signed-off-by: Yuli Khodorkovskiy 
> >> ---
> >> policy/modules/system/ipsec.te | 6 ++++++
> >> 1 file changed, 6 insertions(+)
> >> 
> >> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> >> index 867aefc4..e7ac88f2 100644
> >> --- a/policy/modules/system/ipsec.te
> >> +++ b/policy/modules/system/ipsec.te
> >> @@ -212,6 +212,12 @@ domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
> >> read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
> >> read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
> >> 
> >> +# allow pluto to build Security Association Database
> >> +ipsec_setcontext_default_spd(ipsec_t)
> > 
> > I would probably consider instead: corenet_setcontext_all_spds(ipsec_t)
> > 
> > That will make it easier to declare new spds and then associate them. You don't have to worry then about whether ipsec_t can setcontext.
> > 
> > If it's an ipsec spd then pluto can setcontext automatically.
> 
> I like this better. I'll send a second version.
> 
> > 
> >> +
> >> +# allow pluto to set contexts on ipsec policy and SAs
> >> +domain_ipsec_setcontext_all_domains(ipsec_t)
> > 
> > This in practice could probably be limited to domains with network access (which are nss clients as well).
> 
> I can't find a network domain attribute nor an interface setcontext on network domain associations.

Yes, you would have to create one yourself. Not sure it's worth the trouble. Probably safer and cleaner to stick with what you have.

For example:

interface(`auth_setcontext_nsswitch_domains',`
	allow $1 nsswitch_domain:association setcontext;
')

The assumption here is that nsswitch_domain assoc. types are domains with network access. The problem is that in reference policy this is not necessarily so. But even then, this would probably narrow things down at least a little.

Regardless, I wouldn't blame you for keeping what you have instead.
> > 
> >> +
> >> allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
> >> 
> >> manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
> >> --
> >> 2.18.0
> >> 
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> > 
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
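Review bot: the two new ipsec_t rules land in the middle of the ipsec_mgmt_t block; every surrounding line of the hunk, from the `domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)` header context down to `manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)`, is an ipsec_mgmt_t rule, so `ipsec_setcontext_default_spd(ipsec_t)` and `domain_ipsec_setcontext_all_domains(ipsec_t)` belong in the ipsec_t local policy section instead, keeping the per-domain grouping the file already follows. The comment `# allow pluto to build Security Association Database` also does not match the call below it, whose name says it grants setcontext on the default SPD (the security policy database), so reword the comment to state what the rule actually permits. Finally, `domain_ipsec_setcontext_all_domains(ipsec_t)` grants setcontext over the associations of every domain in the policy; narrowing it is optional, as the thread notes, but the commit message should say why labelling associations of all domains is required rather than only those that carry IPsec traffic.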
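As an added illustration of the narrower alternative Dominick describes (an attribute for the domains whose associations pluto may label, plus an interface granting setcontext on them), here is a sketch in refpolicy's interface syntax. This is example code, not part of the patch, of refpolicy, or of either participant's mail; `ipsec_assoc_domain`, `ipsec_assoc_domain_type` and `ipsec_setcontext_assoc_domains` are assumed names chosen for this example, and the `sshd_t` opt-in is only a placeholder for whatever domains actually carry labelled IPsec traffic on a given system.

```m4
## Added example, not refpolicy code. The attribute and interface names
## below are assumptions for illustration; only the `association` class,
## the `setcontext` permission and corenet_setcontext_all_spds() come from
## the thread or from existing policy.

# --- declaration, e.g. kernel/domain.te ---
attribute ipsec_assoc_domain;

# --- interfaces, e.g. kernel/domain.if ---

## <summary>
##	Mark a domain as one whose IPsec SPD entries and SAs
##	pluto may label.
## </summary>
## <param name="domain">
##	<summary>Domain that carries labelled IPsec traffic.</summary>
## </param>
interface(`ipsec_assoc_domain_type',`
	gen_require(`
		attribute ipsec_assoc_domain;
	')

	typeattribute $1 ipsec_assoc_domain;
')

## <summary>
##	Set the context of IPsec associations belonging to domains
##	marked with ipsec_assoc_domain_type(), instead of all domains.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to set the context (pluto).</summary>
## </param>
interface(`ipsec_setcontext_assoc_domains',`
	gen_require(`
		attribute ipsec_assoc_domain;
	')

	allow $1 ipsec_assoc_domain:association setcontext;
')

# --- opt-in, in the .te of each domain that uses labelled IPsec ---
# placeholder: replace with the domains that actually need it
ipsec_assoc_domain_type(sshd_t)

# --- system/ipsec.te, in the ipsec_t local policy section ---
# pluto may label any IPsec SPD, and the SAs of opted-in domains only
corenet_setcontext_all_spds(ipsec_t)
ipsec_setcontext_assoc_domains(ipsec_t)
```

After building the policy, `sesearch -A -s ipsec_t -c association -p setcontext` (setools) lists exactly which target types pluto can label, which is the quickest way to confirm that the grant covers the opted-in domains and nothing else; if an untagged domain later needs labelled IPsec, the resulting denial will show `tclass=association` with `{ setcontext }`, and the fix is one more `ipsec_assoc_domain_type()` call rather than a return to the all-domains grant.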