From bdccbacdd62c3b57887fbde5ac56a0349ac13de6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 14 2007 14:38:45 +0000 Subject: trunk: add labeled networking support to unconfined. --- diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 17231cd..63a2b19 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain,1.4.3) +policy_module(domain,1.4.4) ######################################## # @@ -145,3 +145,6 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; + +# receive from all domains over labeled networking +domain_all_recvfrom_all_domains(unconfined_domain_type) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index dbb2b6e..433abf4 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -114,6 +114,24 @@ interface(`ipsec_manage_pid',` ######################################## ## +## Allow to set an default security context of IPsec Policy. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_setcontext_default_spd',` + gen_require(` + type ipsec_spd_t; + ') + + allow $1 ipsec_spd_t:association setcontext; +') + +######################################## +## ## Execute racoon in the racoon domain. ## ## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 8005483..80f58e6 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,5 +1,5 @@ -policy_module(ipsec,1.4.2) +policy_module(ipsec,1.4.3) ######################################## # @@ -297,8 +297,6 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms; read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) -allow racoon_t ipsec_spd_t:association setcontext; - kernel_read_network_state(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -315,6 +313,8 @@ files_read_etc_files(racoon_t) # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) +ipsec_setcontext_default_spd(racoon_t) + libs_use_ld_so(racoon_t) libs_use_shared_libs(racoon_t) @@ -338,9 +338,6 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t) read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t) -# allow setkey to set the context for ipsec SAs and policy. -allow setkey_t ipsec_spd_t:association setcontext; - # allow setkey utility to set contexts on SA's and policy domain_ipsec_setcontext_all_domains(setkey_t) @@ -348,6 +345,9 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) +# allow setkey to set the context for ipsec SAs and policy. +ipsec_setcontext_default_spd(setkey_t) + locallogin_use_fds(setkey_t) libs_use_ld_so(setkey_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index a49911f..695ea51 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -73,6 +73,10 @@ interface(`unconfined_domain_noaudit',` ') optional_policy(` + ipsec_setcontext_default_spd($1) + ') + + optional_policy(` # this is to handle execmod on shared # libs with text relocations libs_use_shared_libs($1) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index f202cde..95a9fc8 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,2.0.0) +policy_module(unconfined,2.0.1) ######################################## #