Here are the changes for the ipsec domain for integration of FreeS/WAN.
You must have applied the patch (key.patch) that Mr Smalley has posted to
the list.
The key.patch was posted 8-27-01
Mark Westerman
Thanks to Mr. Smalley for all the suggestions!
###########################################
file: rbac
add ipsec_t to the types of role system_r
###########################################
file: domains/program/modutil.te
Add the following lines
# Rules for ipsec Domain
# insmod_t is entered from ipsec_t (domain_auto_trans in ipsec.te);
# this lets the module loader send signals to ipsec_t processes.
allow insmod_t ipsec_t:process signal;
##########################################
file: domains/system/initrc.te
Add the following lines
# ipsec Domain
# Init scripts running as initrc_t enter ipsec_t when they execute
# a file labelled ipsec_exec_t.
domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
# NOTE(review): ipsec_file_t labels /etc/ipsec.secrets (see file_contexts),
# so this gives the init-script domain read access to the secrets file;
# confirm the startup script itself needs it rather than only ipsec_t.
allow initrc_t ipsec_file_t:file { read ioctl };
# Socket files that ipsec_t creates under var_run_t get ipsec_var_run_t
# (file_type_auto_trans in ipsec.te); initrc_t may read and write them.
allow initrc_t ipsec_var_run_t:sock_file { read write };
############################################
file: domains/system/ipsec.te
Create the file and add the following lines
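#
# Authors: Mark Westerman mark.westerman@westcam.com
#
########################################
#
# Rules for the ipsec_t domain.
#
# ipsec_t is the domain for the FreeS/WAN user-space programs (the
# binaries labelled ipsec_exec_t in file_contexts).  It is entered
# from initrc_t via the domain_auto_trans added to initrc.te.
#
# NOTE(review): the original declaration of ipsec_file_t listed the
# attribute as "syadmfile" (typo); it is "sysadmfile" here, matching
# the other types in this file.
#
type ipsec_t, domain, privlog;
type ipsec_exec_t, file_type, sysadmfile, exec_type;
# ipsec_file_t labels /etc/ipsec.secrets (see file_contexts).
type ipsec_file_t, file_type, sysadmfile;
type ipsec_var_run_t, file_type, sysadmfile, pidfile;

# Only the two capabilities the daemon needs: network administration
# and binding privileged ports.  No other capabilities are granted.
allow ipsec_t self:capability { net_admin net_bind_service };

# Module loading and interface configuration run in their own
# domains (insmod_t, ifconfig_t) rather than inside ipsec_t.
# NOTE(review): the insmod_t transition means ipsec_t can cause kernel
# modules to be loaded; confirm that is intended for this deployment.
domain_auto_trans(ipsec_t, insmod_exec_t, insmod_t)

domain_auto_trans(ipsec_t, ifconfig_exec_t, ifconfig_t)
# Files ipsec_t creates in var_run_t directories get ipsec_var_run_t.
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t)

# Lock files in var_lock_t directories.
allow ipsec_t var_lock_t:dir rw_dir_perms;
allow ipsec_t var_lock_t:file create_file_perms;

# Inherit and use descriptors from init.
allow ipsec_t init_t:fd inherit_fd_perms;

# Read-only access to the secrets file; the daemon gets no write
# permission on it.
allow ipsec_t ipsec_file_t:file { getattr read ioctl };

# PF_KEY socket (key_socket class) for the kernel key-management
# interface.
allow ipsec_t self:key_socket { create write read };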
#####################################################
file: domains/admin/sysadm.te
Add the following lines before the `')` line (the end of the macro definition).
#
# This will allow the sysadm user to read and
# modify the /etc/ipsec.secrets file (labelled
# ipsec_file_t in file_contexts).  $1_t is the
# domain the enclosing macro is instantiated for,
# so every such domain gets read/write access to
# the secrets file.  This is interim until an
# ipsecadm_r role exists for this file.
# Mark Westerman mark.westerman@westcam.com
allow $1_t ipsec_file_t:file rw_file_perms;
####################################################
file: ../setfiles/file_contexts
I would add the following lines right before the
persistent label mappings. Order matters in this file.
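#
# IPSEC Definition
#
# The secrets file gets its own type so access can be granted per
# domain (ipsec_t, initrc_t, the admin macro) instead of via the
# generic /etc label.
/etc/ipsec.secrets	system_u:object_r:ipsec_file_t
# Everything under the FreeS/WAN lib directory is ordinary sbin_t;
# only the four entry points below get ipsec_exec_t.  They are listed
# after the directory-wide entry because order matters in this file.
/usr/local/lib/ipsec(|/.*)	system_u:object_r:sbin_t
/usr/local/lib/ipsec/eroute	system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/klipsdebug	system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/pluto	system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/spi	system_u:object_r:ipsec_exec_t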
From: Stephen Smalley <sds_at_tislabs.com>
On Mon, 27 Aug 2001, Westerman, Mark wrote:
> Here are the changes for the ipsec domain for integration of FreeSwan
I've attached a patch relative to the released example policy that applies the changes described in Mark's message, so you can just apply it if you are using the example policy without a lot of local customization. Otherwise, you can follow his directions. This set of changes will be included in future releases.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com
Index: selinux/policy/rbac
diff -u selinux/policy/rbac:1.7 selinux/policy/rbac:1.8
--- selinux/policy/rbac:1.7 Fri Aug 24 14:16:18 2001
+++ selinux/policy/rbac Mon Aug 27 15:36:26 2001
@@ -70,6 +70,7 @@
 httpd_suexec_process_t
 httpd_suexec_exec_t
 automount_t
+ ipsec_t
 pump_t
 };
Index: selinux/policy/domains/admin/sysadm.te
diff -u selinux/policy/domains/admin/sysadm.te:1.9 selinux/policy/domains/admin/sysadm.te:1.10
--- selinux/policy/domains/admin/sysadm.te:1.9 Fri Aug 24 14:16:18 2001
+++ selinux/policy/domains/admin/sysadm.te Mon Aug 27 15:36:26 2001
@@ -143,6 +143,14 @@
 # Allow our crontab domain to unlink a user cron spool file.
 allow $1_crontab_t user_cron_spool_t:file unlink;
+#
+# This will allow the sysadm user to read and
+# modify the /etc/ipsec.secrets file.
+# I will create a ipsecadm_r role for this file
+# Mark Westerman mark.westerman@westcam.com
+
+allow $1_t ipsec_file_t:file rw_file_perms;
+
 ')
Index: selinux/policy/domains/program/modutil.te
diff -u selinux/policy/domains/program/modutil.te:1.6 selinux/policy/domains/program/modutil.te:1.7
--- selinux/policy/domains/program/modutil.te:1.6 Fri Aug 24 14:16:18 2001
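Review bot: The added `allow $1_t ipsec_file_t:file rw_file_perms;` grants read/write on the secrets file label to every domain the enclosing macro is instantiated for, not just one sysadm domain; the macro's definition starts outside the hunk, so how many domains that is cannot be seen here. The accompanying comment describes a narrower ipsecadm_r role as future work but does not say this rule is the interim substitute. I would reword the comment to something like `# Interim: every $1_t domain gets rw access to ipsec_file_t (/etc/ipsec.secrets) until an ipsecadm_r role exists.` so a later reader knows the grant is meant to be tightened.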
+++ selinux/policy/domains/program/modutil.te Mon Aug 27 15:36:26 2001
@@ -72,6 +72,9 @@
 allow insmod_t modules_object_t:dir r_dir_perms;
 allow insmod_t modules_object_t:file r_file_perms;
+# Rules for ipsec Domain
+allow insmod_t ipsec_t:process signal;
+
 #################################
 #
Index: selinux/policy/domains/system/initrc.te
diff -u selinux/policy/domains/system/initrc.te:1.14 selinux/policy/domains/system/initrc.te:1.15
--- selinux/policy/domains/system/initrc.te:1.14 Fri Aug 24 14:16:18 2001
+++ selinux/policy/domains/system/initrc.te Mon Aug 27 15:36:26 2001
@@ -175,3 +175,8 @@
 allow initrc_t var_spool_t:file rw_file_perms;
 allow initrc_t pump_var_run_t:sock_file unlink;
+
+# ipsec Domain
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
+allow initrc_t ipsec_file_t:file { read ioctl };
+allow initrc_t ipsec_var_run_t:sock_file { read write };
Index: selinux/policy/domains/system/ipsec.te
diff -u /dev/null selinux/policy/domains/system/ipsec.te:1.1
--- /dev/null Mon Aug 27 15:41:49 2001
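Review bot: `allow initrc_t ipsec_file_t:file { read ioctl };` gives the generic init-script domain read access to the label that file_contexts in this same patch assigns to /etc/ipsec.secrets, so any init script, not only the ipsec one, can read the secrets. If the startup script only needs to check that the file exists, `getattr` would suffice; if it genuinely reads the contents, the rule deserves a comment saying so, e.g. `# initrc_t reads /etc/ipsec.secrets (ipsec_file_t) — needed by the ipsec init script`. I cannot tell from the hunk which of the two applies.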
+++ selinux/policy/domains/system/ipsec.te Mon Aug 27 15:39:40 2001
@@ -0,0 +1,28 @@
+#
+# Authors: Mark Westerman mark.westerman@westcam.com
+#
+########################################
+#
+# Rules for the ipsec_t domain.
+#
+type ipsec_t, domain, privlog;
+type ipsec_exec_t, file_type, sysadmfile, exec_type;
+type ipsec_file_t, file_type, syadmfile;
+type ipsec_var_run_t, file_type, sysadmfile, pidfile;
+
+allow ipsec_t self:capability { net_admin net_bind_service };
+
+domain_auto_trans(ipsec_t, insmod_exec_t, insmod_t)
+
+domain_auto_trans(ipsec_t, ifconfig_exec_t, ifconfig_t)
+file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t)
+
+allow ipsec_t var_lock_t:dir rw_dir_perms;
+allow ipsec_t var_lock_t:file create_file_perms;
+
+# Inherit and use descriptors from init.
+allow ipsec_t init_t:fd inherit_fd_perms;
+
+allow ipsec_t ipsec_file_t:file { getattr read ioctl };
+
+allow ipsec_t self:key_socket { create write read };
Index: selinux/setfiles/file_contexts
diff -u selinux/setfiles/file_contexts:1.23 selinux/setfiles/file_contexts:1.24
--- selinux/setfiles/file_contexts:1.23 Wed Aug 22 11:48:47 2001
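Review bot: The declaration `type ipsec_file_t, file_type, syadmfile;` names an attribute "syadmfile" while the two neighbouring types use "sysadmfile"; this looks like a typo carried over from Mark's message, and an attribute that is not declared anywhere should be rejected by the policy compiler (or, if one happens to exist by that name, the secrets file would silently miss the sysadmfile rules). The line should read `type ipsec_file_t, file_type, sysadmfile;`. The new file would also benefit from a comment on `domain_auto_trans(ipsec_t, insmod_exec_t, insmod_t)` stating that this lets the ipsec daemon cause kernel modules to be loaded, since that is the most privileged thing the domain can reach.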
+++ selinux/setfiles/file_contexts Mon Aug 27 15:40:16 2001
@@ -403,6 +403,16 @@
 /var/log/sa(|/.*) system_u:object_r:var_log_sa_t
 #
+# IPSEC Defination
+#
+/etc/ipsec.secrets system_u:object_r:ipsec_file_t
+/usr/local/lib/ipsec(|/.*) system_u:object_r:sbin_t
+/usr/local/lib/ipsec/eroute system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/klipsdebug system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/pluto system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/spi system_u:object_r:ipsec_exec_t
+
+#
 # Persistent label mappings.
 #
 .*/\.\.\.security(|/.*) system_u:object_r:file_labels_t
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
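Review bot: The header comment `# IPSEC Defination` has a typo and should read `# IPSEC Definition`. More usefully, the block relies on ordering that Mark's message calls out but the file does not: the four ipsec_exec_t entries must stay after the directory-wide `/usr/local/lib/ipsec(|/.*) system_u:object_r:sbin_t` line, and the whole block must stay before the persistent label mappings. A one-line comment such as `# The specific ipsec_exec_t entries below must follow the directory-wide sbin_t entry; order matters in this file.` would keep a later edit from reshuffling them.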