From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 26 Jul 2018 17:27:58 -0400
Subject: [refpolicy] [PATCH v2] ipsec: add missing permissions for pluto
In-Reply-To: <20180726155131.80771-1-yuli@crunchydata.com>
References: <20180726155131.80771-1-yuli@crunchydata.com>
Message-ID: <47a42a61-3465-3778-86a4-cc1a42edecb1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/26/2018 11:51 AM, Yuli Khodorkovskiy via refpolicy wrote:
> When using libreswan, pluto needs permissions for building the
> Security Association Database and for setting contexts on IPSec
> policy and SAs.
>
> Signed-off-by: Yuli Khodorkovskiy
> ---
> policy/modules/system/ipsec.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 867aefc4..1613a960 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -212,6 +212,12 @@ domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
> read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
> read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
>
> +# allow pluto to build Security Association Database
> +corenet_setcontext_all_spds(ipsec_t)
> +
> +# allow pluto to set contexts on ipsec policy and SAs
> +domain_ipsec_setcontext_all_domains(ipsec_t)
> +
> allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
>
> manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)

One nit: the additions should be down with the other corenet and domain rules.

-- 
Chris PeBenito
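Review bot: In the hunk at @@ -212,6 +212,12 @@, both new interface calls grant permissions to ipsec_t, but every surrounding context line (domtrans_pattern, read_files_pattern, read_lnk_files_pattern, the allow on ipsec_conf_file_t, manage_files_pattern) is an ipsec_mgmt_t rule, so a reader scanning the ipsec_mgmt_t local policy block will find ipsec_t grants in the wrong domain's section; moving the two calls next to the existing corenet_* and domain_* calls for ipsec_t keeps each domain's policy contiguous and makes later audits of what ipsec_t may do easier. The comment on the first addition also does not match the interface it annotates: corenet_setcontext_all_spds names the SPDs (security policy database entries), while the comment says "Security Association Database"; rewording it to something like "# allow pluto to set contexts on all ipsec SPD entries" avoids leaving a misleading note in the policy. Finally, the Signed-off-by line carries no email address, which the usual sign-off format expects.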