On Mon, 27 Aug 2001, Westerman, Mark wrote:
> Here are the changes for the ipsec domain for integration of FreeSwan
I've attached a patch relative to the released example policy that
applies the changes described in Mark's message, so you can just apply it
if you are using the example policy without a lot of local customization.
Otherwise, you can follow his directions. This set of changes will be
included in future releases.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
Index: selinux/policy/rbac
diff -u selinux/policy/rbac:1.7 selinux/policy/rbac:1.8
--- selinux/policy/rbac:1.7 Fri Aug 24 14:16:18 2001
+++ selinux/policy/rbac Mon Aug 27 15:36:26 2001
@@ -70,6 +70,7 @@
httpd_suexec_process_t
httpd_suexec_exec_t
automount_t
+ ipsec_t
pump_t
};
Index: selinux/policy/domains/admin/sysadm.te
diff -u selinux/policy/domains/admin/sysadm.te:1.9 selinux/policy/domains/admin/sysadm.te:1.10
--- selinux/policy/domains/admin/sysadm.te:1.9 Fri Aug 24 14:16:18 2001
+++ selinux/policy/domains/admin/sysadm.te Mon Aug 27 15:36:26 2001
@@ -143,6 +143,14 @@
# Allow our crontab domain to unlink a user cron spool file.
allow $1_crontab_t user_cron_spool_t:file unlink;
+#
+# This will allow the sysadm user to read and
+# modify the /etc/ipsec.secrets file.
+# I will create a ipsecadm_r role for this file
+# Mark Westerman mark.westerman@westcam.com
+
+allow $1_t ipsec_file_t:file rw_file_perms;
+
')
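Review bot: The comment above the new rule is a personal working note rather than documentation of the rule, and the rule matters because ipsec_file_t is the label this patch gives /etc/ipsec.secrets in file_contexts, so `rw_file_perms` here is what lets the administrative domain read and rewrite the IKE secrets. Since the rule uses the `$1_t` macro parameter, every domain instantiated through this macro gains that access, not only sysadm_t — worth stating explicitly if that is intended. I would replace the four comment lines with `# Allow the admin domain to read and modify ipsec_file_t (/etc/ipsec.secrets).` and `# TODO: move this into a dedicated ipsecadm_r role.`. The enclosing macro definition begins outside the hunk.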
Index: selinux/policy/domains/program/modutil.te
diff -u selinux/policy/domains/program/modutil.te:1.6 selinux/policy/domains/program/modutil.te:1.7
--- selinux/policy/domains/program/modutil.te:1.6 Fri Aug 24 14:16:18 2001
+++ selinux/policy/domains/program/modutil.te Mon Aug 27 15:36:26 2001
@@ -72,6 +72,9 @@
allow insmod_t modules_object_t:dir r_dir_perms;
allow insmod_t modules_object_t:file r_file_perms;
+# Rules for ipsec Domain
+allow insmod_t ipsec_t:process signal;
+
#################################
#
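Review bot: `allow insmod_t ipsec_t:process signal;` grants the broad `signal` permission, and the comment `# Rules for ipsec Domain` does not say which signal insmod_t actually needs to send to its ipsec_t parent. If this exists only so the module-loading child spawned via domain_auto_trans(ipsec_t, insmod_exec_t, insmod_t) can notify its parent on exit, `sigchld` is the narrower permission; if a specific non-child signal is required, the comment should name it. I would write `# insmod_t is spawned by ipsec_t (see ipsec.te); allow it to signal its parent.` and confirm whether `sigchld` suffices.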
Index: selinux/policy/domains/system/initrc.te
diff -u selinux/policy/domains/system/initrc.te:1.14 selinux/policy/domains/system/initrc.te:1.15
--- selinux/policy/domains/system/initrc.te:1.14 Fri Aug 24 14:16:18 2001
+++ selinux/policy/domains/system/initrc.te Mon Aug 27 15:36:26 2001
@@ -175,3 +175,8 @@
allow initrc_t var_spool_t:file rw_file_perms;
allow initrc_t pump_var_run_t:sock_file unlink;
+
+# ipsec Domain
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
+allow initrc_t ipsec_file_t:file { read ioctl };
+allow initrc_t ipsec_var_run_t:sock_file { read write };
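Review bot: `allow initrc_t ipsec_file_t:file { read ioctl };` gives the generic init-script domain read access to the type this patch assigns to /etc/ipsec.secrets, even though the preceding domain_auto_trans already moves the IPsec programs themselves into ipsec_t, which gets its own read rule in ipsec.te. If the init script genuinely has to parse the secrets file before starting pluto, a comment should say so (`# The ipsec setup script reads /etc/ipsec.secrets before starting pluto.`); otherwise the rule can be dropped so that only ipsec_t and the admin domain can read the keys. The sock_file rule presumably covers the pluto control socket under /var/run — a one-line comment naming that would help, since the type name alone does not.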
Index: selinux/policy/domains/system/ipsec.te
diff -u /dev/null selinux/policy/domains/system/ipsec.te:1.1
--- /dev/null Mon Aug 27 15:41:49 2001
+++ selinux/policy/domains/system/ipsec.te Mon Aug 27 15:39:40 2001
@@ -0,0 +1,28 @@
+#
+# Authors: Mark Westerman mark.westerman@westcam.com
+#
+########################################
+#
+# Rules for the ipsec_t domain.
+#
+type ipsec_t, domain, privlog;
+type ipsec_exec_t, file_type, sysadmfile, exec_type;
+type ipsec_file_t, file_type, syadmfile;
+type ipsec_var_run_t, file_type, sysadmfile, pidfile;
+
+allow ipsec_t self:capability { net_admin net_bind_service };
+
+domain_auto_trans(ipsec_t, insmod_exec_t, insmod_t)
+
+domain_auto_trans(ipsec_t, ifconfig_exec_t, ifconfig_t)
+file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t)
+
+allow ipsec_t var_lock_t:dir rw_dir_perms;
+allow ipsec_t var_lock_t:file create_file_perms;
+
+# Inherit and use descriptors from init.
+allow ipsec_t init_t:fd inherit_fd_perms;
+
+allow ipsec_t ipsec_file_t:file { getattr read ioctl };
+
+allow ipsec_t self:key_socket { create write read };
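Review bot: `type ipsec_file_t, file_type, syadmfile;` misspells the `sysadmfile` attribute that the neighbouring declarations use; an attribute that is not declared elsewhere will be rejected by the policy compiler, and if it were silently accepted the secrets file type would lack the admin-file handling the other ipsec types get. The fix is `type ipsec_file_t, file_type, sysadmfile;`. Separately, `file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t)` is relied on by initrc.te for an `ipsec_var_run_t:sock_file`, but whether this macro's transition and permission rules cover sock_file as well as file is not visible here — confirm, or the pluto control socket may end up labelled var_run_t. A header comment such as `# ipsec_t runs the FreeS/WAN daemons (pluto and the KLIPS utilities) and may load kernel modules via insmod_t and configure interfaces via ifconfig_t.` would make the domain's intended privilege footprint clear to a reader.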
Index: selinux/setfiles/file_contexts
diff -u selinux/setfiles/file_contexts:1.23 selinux/setfiles/file_contexts:1.24
--- selinux/setfiles/file_contexts:1.23 Wed Aug 22 11:48:47 2001
+++ selinux/setfiles/file_contexts Mon Aug 27 15:40:16 2001
@@ -403,6 +403,16 @@
/var/log/sa(|/.*) system_u:object_r:var_log_sa_t
#
+# IPSEC Defination
+#
+/etc/ipsec.secrets system_u:object_r:ipsec_file_t
+/usr/local/lib/ipsec(|/.*) system_u:object_r:sbin_t
+/usr/local/lib/ipsec/eroute system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/klipsdebug system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/pluto system_u:object_r:ipsec_exec_t
+/usr/local/lib/ipsec/spi system_u:object_r:ipsec_exec_t
+
+#
# Persistent label mappings.
#
.*/\.\.\.security(|/.*) system_u:object_r:file_labels_t
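Review bot: The new section header `# IPSEC Defination` has a typo; `# IPsec definitions` would be clearer. The entries label four separate binaries under /usr/local/lib/ipsec as ipsec_exec_t, so eroute, klipsdebug and spi all execute in ipsec_t with its net_admin capability and module-loading transition, not just pluto — that is presumably deliberate, but a comment noting it (`# All of these run in the ipsec_t domain; see domains/system/ipsec.te.`) would document the choice. Because the more specific entries follow the general `/usr/local/lib/ipsec(|/.*)` line, they correctly take precedence under last-match semantics.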