Commit Graph

80 Commits

Author SHA1 Message Date
Chris PeBenito e1caae17a2 ipsec: Module version bump. 2018-07-28 09:02:22 -04:00
Yuli Khodorkovskiy 305bd29f65 ipsec: add missing permissions for pluto
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
2018-07-28 08:58:34 -04:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter 2268d42fee Removed unnecessary semicolons
Removed unecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 3001c50364 ipsec: Module version bump. 2017-10-11 18:45:29 -04:00
David Graziano 99aebc2af5 system/ipsec: Add signull access for strongSwan
Allows ipsec_supervisor_t domain to signull other
strongSwan domains.

Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
2017-10-11 08:17:51 -05:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito f7286189b3 Add systemd units for core refpolicy services.
Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito 4d28cb714f Module version bump for patches from Jason Zaman/Matthias Dahl. 2015-10-12 09:31:18 -04:00
Chris PeBenito 2c0e3d9a24 Rearrange lines in ipsec.te. 2015-10-12 09:30:05 -04:00
Jason Zaman 775b07e60a system/ipsec: Add policy for StrongSwan
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
2015-10-12 09:16:28 -04:00
Chris PeBenito d74c9bd6b8 Module version bumps for admin interfaces from Jason Zaman. 2015-07-14 11:18:35 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Nicolas Iooss 5fb1249f37 Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito be2e70be8d Module version bump for fixes from Dominick Grift. 2013-01-03 10:53:34 -05:00
Dominick Grift 79e1e4efb9 NSCD related changes in various policy modules
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use

Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch

Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-01-03 10:43:10 -05:00
Chris PeBenito e036d3d694 Module version bump for ipsec net sysctls reading from Miroslav Grepl. 2012-10-02 10:15:31 -04:00
Miroslav Grepl 672f146fec Allow ipsec to read kernel sysctl 2012-10-02 10:14:44 -04:00
Chris PeBenito 2b70efd2f6 Module version bump for fc substitutions optimizations from Sven Vermeulen. 2012-08-15 11:00:55 -04:00
Chris PeBenito 3516535aa6 Bump module versions for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito 8e00a439ef Module verion bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen. 2012-05-10 10:36:06 -04:00
Chris PeBenito 7b98e4f436 Clean up stale TODOs. 2011-09-26 11:51:47 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito 127d617b31 Pull in some changes from Fedora policy system layer. 2011-04-14 11:36:56 -04:00
Chris PeBenito 4f6f347d4c Module version bump and changelog for hadoop ipsec patch from Paul Nuzzi. 2011-01-13 13:50:47 -05:00
Chris PeBenito 530ad6fc6a Whitespace fixes in corenetwork and ipsec. 2011-01-13 13:37:04 -05:00
Chris PeBenito 371908d1c8 Rename new hadoop ipsec interfaces. 2011-01-13 12:56:12 -05:00
Paul Nuzzi 6237b7241b hadoop: labeled ipsec
On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
> On 12/16/10 12:32, Paul Nuzzi wrote:
>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>> Added labeled IPSec support to hadoop.  SELinux will be able to enforce what services are allowed to
>>>> connect to.  Labeled IPSec can enforce the range of services they can receive from.  This enforces
>>>> the architecture of Hadoop without having to modify any of the code.  This adds a level of
>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>
>>> A few things.
>>>
>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>> (a holdover from previous labeled networking implementations).  So the
>>> interfaces are like hadoop_recvfrom_datanode().
>>
>> Easy change.
>>
>>> It seems like setkey should be able to setcontext any type used on ipsec
>>> associations.  I think the best thing would be to add additional support
>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>> yet) for associations.  So, say we have an interface called
>>> ipsec_spd_type() which adds the parameter type to the attribute
>>> ipsec_spd_types.  Then we can have an allow setkey_t
>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>> every time more labeled network is added.
>>
>> That seems a lot less clunky than updating setkey every time we add a new association.
>>
>>> This is definitely wrong since its not a file:
>>> +files_type(hadoop_lan_t)
>>
>> Let me know how you would like to handle associations and I could update the
>> patch.
>
> Lets go with putting the associations in corenetwork.
>
>>  Will the files_type error be cleared up when we re-engineer this?
>
> I'm not sure what you mean.  The incorrect rule was added in your patch.
>

Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-13 08:22:32 -05:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 90e65feca5 Ipsec patch from Dan Walsh. 2010-03-17 13:52:07 -04:00
Chris PeBenito c3c753f786 Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users. 2010-02-11 14:20:10 -05:00
Chris PeBenito 832c1be4ca IPSEC patch from Dan Walsh. 2009-11-24 14:09:10 -05:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito e6985f91ab fix ordering of interface calls in iptables. 2009-08-05 10:04:13 -04:00
Chris PeBenito 3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito 26410ddf54 trunk: remove unnecessary semicolons after interface/template calls. 2009-06-19 13:52:33 +00:00