Re: security context for SPD entries of labeled IPsec

Hi, Venkat

Thanks for your suggestion.

I succeeded in setting up a labeled IPsec connection with the modified
reference policy, as follows:

----------------------------------------------------------------
[kaigai@fedora8 ~]$ psql -q -h 192.168.1.10 postgres
Password:
postgres=# SELECT sepgsql_getcon();
                 sepgsql_getcon
-------------------------------------------------
 root:system_r:unconfined_t:SystemLow-SystemHigh
(1 row)

postgres=#

[kaigai@fedora8 ~]$ runcon -l s0 psql -q -h 192.168.1.10 postgres
Password:
postgres=# SELECT sepgsql_getcon();
       sepgsql_getcon
----------------------------
 root:system_r:unconfined_t
(1 row)

postgres=#
----------------------------------------------------------------

The attached patch provides two new interfaces to access the default
context of SPD entries (ipsec_spd_t), and enables unconfined domains
to set up SPD entries with the default context.
In addition, any unconfined domain, user domain or daemon domain is
now able to communicate with others via labeled IPsec.

Please review it,

Thanks,

Venkat Yekkirala wrote:
> <snip>
>>> There are 2 aspects:
>>>
>>> 1. IPsec policy matching discussed above:
>>>    allow domain-that-should-use-labeled-ipsec ipsec_spd_t:association { polmatch };
>>> 2. Use of IPsec associations themselves:
>>>
>>>    For sending:
>>>    allow domain-that-should-use-labeled-ipsec-to-label-its-packets self:association { sendto };
>>>    For receiving:
>>>    allow domain-that-should-receive-from-peer peer-domain self:association { recvfrom };
>>
>> When we consider the case where an unconfined_t process tries to
>> communicate with a postgresql_t process running on another host via
>> labeled IPsec, the following policy will be needed.
>>
>> 1.  allow unconfined_t ipsec_spd_t : association { polmatch };
> 
> Also, allow postgresql_t ipsec_spd_t : association { polmatch };
> since the incoming packet labeled postgresql_t should be checked
> against IPsec policy (SPD) rule labeled with ipsec_spd_t.
> 
>> 2s. allow unconfined_t self : association { sendto };
> 
> OK.
> 
>> 2r. allow postgresql_t unconfined_t : association { recvfrom };
> 
> This should actually be:
> 
> allow unconfined_t postgresql_t : association { recvfrom };
> 
> since it would be the unconfined_t socket that would be receiving
> a packet using the postgresql_t association.
> 
>> Is it correct?
>>
> <snip>
> 


-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxx>

Index: refpolicy/policy/modules/system/ipsec.if
===================================================================
--- refpolicy/policy/modules/system/ipsec.if	(revision 2483)
+++ refpolicy/policy/modules/system/ipsec.if	(working copy)
@@ -114,6 +114,43 @@
 
 ########################################
 ## <summary>
+##      Allow to communicate another peer via labeled IPsec.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`ipsec_default_sendrecv',`
+	gen_require(`
+		type ipsec_spd_t;
+	')
+
+	allow $1 ipsec_spd_t : association { polmatch };
+	domain_ipsec_labels($1)
+')
+
+########################################
+## <summary>
+##      Allow to set an default security context of IPsec Policy.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`ipsec_default_setcontext',`
+	gen_require(`
+		type ipsec_spd_t;
+	')
+
+	allow $1 ipsec_spd_t : association { setcontext };
+')
+
+########################################
+## <summary>
 ##	Execute racoon in the racoon domain.
 ## </summary>
 ## <param name="domain">
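Review bot: the two new interface summaries need a grammar pass before merging: `Allow to communicate another peer via labeled IPsec.` should read `Allow the specified domain to communicate with a peer via labeled IPsec.`, and `Allow to set an default security context of IPsec Policy.` should read `Allow the specified domain to set the default security context on IPsec policy (SPD) entries.`; the new `##` comment lines are also indented with spaces while the surrounding file (see the unchanged `##	Execute racoon in the racoon domain.` line) uses a tab. More substantively, `ipsec_default_sendrecv` only grants `polmatch` on `ipsec_spd_t` directly and delegates the `sendto`/`recvfrom` side to `domain_ipsec_labels($1)`, whose definition is not in this patch; the summary should state exactly which association permissions a caller ends up with, since the quoted discussion shows that the `recvfrom` target (the peer's association, not the SPD type) is the part that is easy to get wrong.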
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if	(revision 2483)
+++ refpolicy/policy/modules/system/userdomain.if	(working copy)
@@ -547,6 +547,10 @@
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
+
+	optional_policy(`
+		ipsec_default_sendrecv($1_t)
+	')
 ')
 
 #######################################
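Review bot: this block grants labeled IPsec `polmatch` (plus whatever `domain_ipsec_labels` adds) to every user domain built through this template, unconditionally inside `optional_policy`. The thread only established the need for `unconfined_t`; say in the description why ordinary user domains should get this by default, or consider putting it behind a tunable. Placement after the `corenet_*` calls with a separating blank line matches the surrounding style.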
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy/policy/modules/system/init.if	(revision 2483)
+++ refpolicy/policy/modules/system/init.if	(working copy)
@@ -134,6 +134,10 @@
 	')
 
 	optional_policy(`
+		ipsec_default_sendrecv($1)
+	')
+
+	optional_policy(`
 		nscd_socket_use($1)
 	')
 ')
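Review bot: the same scope question applies here as in the user domain template: this grants labeled IPsec access to every daemon domain that passes through this interface, not only to `postgresql_t`, the peer discussed in the thread, so the description should justify the broad grant. Inserting the new `ipsec_default_sendrecv($1)` block before `nscd_socket_use($1)` keeps the `optional_policy` blocks in alphabetical order, which is correct.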
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy/policy/modules/system/unconfined.if	(revision 2483)
+++ refpolicy/policy/modules/system/unconfined.if	(working copy)
@@ -73,6 +73,11 @@
 	')
 
 	optional_policy(`
+		ipsec_default_setcontext($1)
+		ipsec_default_sendrecv($1)
+	')
+
+	optional_policy(`
 		# this is to handle execmod on shared
 		# libs with text relocations
 		libs_use_shared_libs($1)
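Review bot: `ipsec_default_setcontext($1)` gives every unconfined domain `setcontext` on `ipsec_spd_t`, the same ability `racoon_t` and `setkey_t` have to label SPD entries; a short comment explaining why unconfined domains need it (the cover letter says: to set up SPD entries with the default context) would match the style of the neighbouring `# this is to handle execmod ...` block. The two calls should also be listed in alphabetical order, `ipsec_default_sendrecv($1)` before `ipsec_default_setcontext($1)`, as the rest of the file does.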
Index: refpolicy/policy/modules/system/ipsec.te
===================================================================
--- refpolicy/policy/modules/system/ipsec.te	(revision 2483)
+++ refpolicy/policy/modules/system/ipsec.te	(working copy)
@@ -6,6 +6,9 @@
 # Declarations
 #
 
+# Default type for IPSEC SPD entries
+type ipsec_spd_t;
+
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t,ipsec_exec_t)
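Review bot: together with the following hunk this only relocates the `# Default type for IPSEC SPD entries` comment and `type ipsec_spd_t;` declaration above `type ipsec_t;`; no behaviour changes. If the move is intentional (for example to keep the SPD type at the top of the declarations), say so in the description; otherwise drop both hunks so the patch stays focused on the new interfaces.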
@@ -19,9 +22,6 @@
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
 
-# Default type for IPSEC SPD entries
-type ipsec_spd_t;
-
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
@@ -297,7 +297,7 @@
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow racoon_t ipsec_spd_t:association setcontext;
+ipsec_default_setcontext(racoon_t)
 
 kernel_read_network_state(racoon_t)
 
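Review bot: replacing `allow racoon_t ipsec_spd_t:association setcontext;` with `ipsec_default_setcontext(racoon_t)` calls the module's own interface from inside ipsec.te; refpolicy convention is that a module uses its own types directly and reserves interfaces for other modules, so the original `allow` line should stay as it was.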
@@ -339,7 +339,7 @@
 read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
-allow setkey_t ipsec_spd_t:association setcontext;
+ipsec_default_setcontext(setkey_t)
 
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
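Review bot: same point as for `racoon_t`: keep the direct `allow setkey_t ipsec_spd_t:association setcontext;` rule here rather than calling `ipsec_default_setcontext(setkey_t)` from within ipsec.te; the existing `# allow setkey to set the context for ipsec SAs and policy.` comment already documents it.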
