From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 80A00138BED for ; Tue, 13 Oct 2015 14:51:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E5EB7E07D6; Tue, 13 Oct 2015 14:51:01 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 68420E07D6 for ; Tue, 13 Oct 2015 14:51:01 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5201634092D for ; Tue, 13 Oct 2015 14:50:58 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id CFA36104A for ; Tue, 13 Oct 2015 14:50:55 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1444746101.4db341f7c2dd5502db391b2322967772e3213c01.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/ipsec.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 4db341f7c2dd5502db391b2322967772e3213c01
X-VCS-Branch: master
Date: Tue, 13 Oct 2015 14:50:55 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: ab0734b1-7bad-4ffc-a6fa-13210eda9889
X-Archives-Hash: d81e4937c39938e53f5bded53e84748a
Message-ID: <20151013145055.9LQ8sVRUF5d6D23DXX3WBQp5ccS_Eb_csXwupHu-Bqo@z>
commit: 4db341f7c2dd5502db391b2322967772e3213c01
Author: Chris PeBenito tresys com>
AuthorDate: Mon Oct 12 13:30:05 2015 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4db341f7
Rearrange lines in ipsec.te.
policy/modules/system/ipsec.te | 43 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2d8b686..b9cfcc3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -54,6 +54,11 @@ files_lock_file(ipsec_mgmt_lock_t)
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 type racoon_t;
 type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
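Review bot: The moved line `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` keeps a trailing semicolon, while the neighbouring interface calls in this hunk (`init_daemon_domain(racoon_t, racoon_exec_t)`) and in the second hunk (`init_system_domain(setkey_t, setkey_exec_t)`) have none. Since this commit is a pure rearrangement, it is the natural place to make the supervisor block match its neighbours: `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t)`. The same stray semicolon is carried along unchanged on `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);` in the third hunk. Whether the extra `;` is harmless after m4 expansion depends on what the macro's last statement expands to, so it is worth confirming with a policy build rather than assuming either way.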
@@ -67,11 +72,6 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
-type ipsec_supervisor_t;
-type ipsec_supervisor_exec_t;
-init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
-role system_r types ipsec_supervisor_t;
-
 ########################################
 #
 # ipsec Local policy
@@ -202,49 +202,48 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; -allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; +domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) + +# _realsetup needs to be able to cat /var/run/pluto.pid, +# run ps on that pid, and delete the file +read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) +read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) + +allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; + +manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) +manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) +manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) -manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) -logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) - allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) - manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) -# _realsetup needs to be able to cat /var/run/pluto.pid, -# run ps on that pid, and delete the file -read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) -read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) - # logger, running in ipsec_mgmt_t needs to use 
sockets allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; -allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; - -manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) -manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) - # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; -domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t); +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute;