The following adds Venkat's changes to racoon to understand
mls label.
I have not yet thoroughly tested this patch. I have played with
it a little and have found that racoon won't establish an SA
when using ipsec without labels. The function, within_range()
appears to always assume there is a label. I am currently working
on fixing this.
If you have any problems with this patch, please let me know.
Basic steps to use:
1. This patch is against ipsec-tools-0.6.5.3-1 source in latest rawhide.
2. To patch source:
install ipsec-tools-0.6.5.3-1.src.rpm
cd to /usr/src/redhat
rpmbuild -bp SPECS/ipsec-tools.spec
cd BUILD/ipsec-tools-0.6.5
patch -p1 < <patch.source>
3. To build ipsec-tools
./bootstrap
./configure
make
4. install new binary into /usr/local/sbin/racoon
cp src/racoon /usr/local/sbin/racoon
5. to run new racoon, you must also specify location of config
file since we did not build with redhat default of /etc/racoon.
/usr/local/sbin/racoon -f /etc/racoon/racoon.conf
6. Some config info:
You must first add policies to the policy database in order for racoon
to know to establish SAs for a particular traffic stream.
For example:
in the file /tmp/setkey.nolabel I have the following info
to create policies without labels.
spdadd 10.1.0.55 10.1.0.206 any -P in ipsec
esp/transport//require;
spdadd 10.1.0.206 10.1.0.55 any -P out ipsec
esp/transport//require;
OR in the file /tmp/setkey.label I have the following info
to create policy with labels.
spdadd 10.1.0.55 10.1.0.206 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s0:c0"
-P in ipsec
esp/transport//require;
spdadd 9.3.192.206 9.3.189.55 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s0:c0"
-P out ipsec
esp/transport//require;
NEXT
run "setkey -f /tmp/setkey.nolabel" to establish policy without labels
OR
run "setkey -f /tmp/setkey.label" to establish policy with a label.
NEXT
Now you need to configure racoon. For a simple config,
I use pre-shared keys with a very basic racoon configuration.
The two files i will use are psk.txt for preshared keys and
racoon's basic config file, racoon.conf.
For example:
I first add the following to /etc/racoon/psk.txt,
(please add whatever text you want for your shared
secret key. In this example, I used "flibbertigibbet".)
10.1.0.55 flibbertigibbet
10.1.0.206 flibbertigibbet
In /etc/racoon/racoon.conf, I pretty much use the defaults.
I have the following in my /etc/racoon/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, aes ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
NEXT
You can now start racoon daemon. On command line issue,
/usr/local/sbin/racoon -f /etc/racoon/racoon.conf
This should do it. Let me know if you have any problems.
Regards,
Joy Latten
---------------------------------------------------------------------------
diff -urpN ipsec-tools-0.6.5.orig/configure.ac
ipsec-tools-0.6.5.0918/configure.ac
--- ipsec-tools-0.6.5.orig/configure.ac 2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/configure.ac 2006-09-18 03:29:40.000000000 -0500
@@ -620,6 +620,7 @@ if test "$enable_security_context" = "ye
AC_DEFINE([HAVE_SECCTX], [], [Enable Security Context])
SECCTX_OBJS="security.o"
AC_SUBST(SECCTX_OBJS)
+ LIBS="$LIBS -lselinux"
fi
fi
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/cftoken.c
ipsec-tools-0.6.5.0918/src/racoon/cftoken.c
--- ipsec-tools-0.6.5.orig/src/racoon/cftoken.c 2006-08-22 00:49:52.000000000
-0500
+++ ipsec-tools-0.6.5.0918/src/racoon/cftoken.c 2006-09-18 02:57:23.000000000
-0500
@@ -1363,6 +1363,7 @@ char *yytext;
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
+#include "policy.h"
#include "proposal.h"
#include "nattraversal.h"
#ifdef GC
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c
ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c
--- ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c 2006-09-18
02:47:16.000000000 -0500
@@ -2128,5 +2128,11 @@ get_proposal_r(iph2)
return ISAKMP_INTERNAL_ERROR;
}
+#ifdef HAVE_SECCTX
+ if (spidx.sec_ctx.ctx_str) {
+ set_secctx_in_proposal(iph2, spidx);
+ }
+#endif /* HAVE_SECCTX */
+
return 0;
}
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/pfkey.c
ipsec-tools-0.6.5.0918/src/racoon/pfkey.c
--- ipsec-tools-0.6.5.orig/src/racoon/pfkey.c 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.0918/src/racoon/pfkey.c 2006-09-18 03:04:00.000000000
-0500
@@ -1672,6 +1672,10 @@ pk_recvacquire(mhp)
struct ph2handle *iph2[MAXNESTEDSA];
struct sockaddr *src, *dst;
int n; /* # of phase 2 handler */
+#ifdef HAVE_SECCTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif /* HAVE_SECCTX */
+ struct policyindex spidx;
/* ignore this message because of local test mode. */
if (f_local)
@@ -1691,6 +1695,24 @@ pk_recvacquire(mhp)
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+#ifdef HAVE_SECCTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
+ }
+#endif /* HAVE_SECCTX */
+
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
plog(LLV_DEBUG, LOCATION, NULL,
@@ -1778,7 +1800,6 @@ pk_recvacquire(mhp)
/* get inbound policy */
{
- struct policyindex spidx;
spidx.dir = IPSEC_DIR_INBOUND;
memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
@@ -1786,10 +1807,16 @@ pk_recvacquire(mhp)
spidx.prefs = sp_out->spidx.prefd;
spidx.prefd = sp_out->spidx.prefs;
spidx.ul_proto = sp_out->spidx.ul_proto;
+
#ifdef HAVE_SECCTX
- if (*sp_out->spidx.sec_ctx.ctx_str)
- memcpy(&spidx.sec_ctx, &sp_out->spidx.sec_ctx,
- sizeof(spidx.sec_ctx));
+ if (m_sec_ctx) {
+ spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
+ spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
+ spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
+ memcpy(spidx.sec_ctx.ctx_str,
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
+ spidx.sec_ctx.ctx_strlen);
+ }
#endif
sp_in = getsp(&spidx);
@@ -1877,6 +1904,12 @@ pk_recvacquire(mhp)
delph2(iph2[n]);
return -1;
}
+#ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+ set_secctx_in_proposal(iph2[n], spidx);
+ }
+#endif /* HAVE_SECCTX */
+
insph2(iph2[n]);
/* start isakmp initiation by using ident exchange */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.c
ipsec-tools-0.6.5.0918/src/racoon/policy.c
--- ipsec-tools-0.6.5.orig/src/racoon/policy.c 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.c 2006-09-18 02:47:16.000000000
-0500
@@ -206,9 +206,13 @@ cmpspidxstrict(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
+#if 1
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
+#else
|| a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
|| (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
a->sec_ctx.ctx_strlen) != 0))
+#endif
return 1;
#endif
return 0;
@@ -284,9 +288,13 @@ cmpspidxwild(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
+#if 1
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
+#else
|| a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
|| (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
a->sec_ctx.ctx_strlen) != 0))
+#endif
return 1;
#endif
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.h
ipsec-tools-0.6.5.0918/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.h 2006-09-18 03:05:08.000000000
-0500
@@ -35,6 +35,7 @@
#include <sys/queue.h>
#ifdef HAVE_SECCTX
+
#define MAX_CTXSTR_SIZE 50
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
@@ -146,6 +147,11 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_SECCTX
+#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
+extern int within_range __P((security_context_t, security_context_t));
+extern void set_secctx_in_proposal __P((struct ph2handle *, struct
policyindex));
+#endif
#endif /* _POLICY_H */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/proposal.c
ipsec-tools-0.6.5.0918/src/racoon/proposal.c
--- ipsec-tools-0.6.5.orig/src/racoon/proposal.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/proposal.c 2006-09-18
02:47:16.000000000 -0500
@@ -1025,15 +1025,6 @@ set_proposal_from_policy(iph2, sp_main,
newpp->lifetime = iph2->sainfo->lifetime;
newpp->lifebyte = iph2->sainfo->lifebyte;
newpp->pfs_group = iph2->sainfo->pfs_group;
-#ifdef HAVE_SECCTX
- if (*sp_main->spidx.sec_ctx.ctx_str) {
- newpp->sctx.ctx_doi = sp_main->spidx.sec_ctx.ctx_doi;
- newpp->sctx.ctx_alg = sp_main->spidx.sec_ctx.ctx_alg;
- newpp->sctx.ctx_strlen = sp_main->spidx.sec_ctx.ctx_strlen;
- memcpy(newpp->sctx.ctx_str, sp_main->spidx.sec_ctx.ctx_str,
- sp_main->spidx.sec_ctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
if (lcconf->complex_bundle)
goto skip1;
@@ -1196,7 +1187,11 @@ set_proposal_from_proposal(iph2)
pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
pp_peer->sctx.ctx_strlen);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str);
}
+
#endif /* HAVE_SECCTX */
if (pp_peer->next != NULL) {
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/security.c
ipsec-tools-0.6.5.0918/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/security.c 2006-09-18
03:06:42.000000000 -0500
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2005 International Business Machines Corporation
+ * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -36,6 +37,12 @@
#include <stdio.h>
#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#include <selinux/context.h>
+
#include "var.h"
#include "vmbuf.h"
#include "misc.h"
@@ -45,6 +52,7 @@
#include "isakmp.h"
#include "ipsec_doi.h"
#include "policy.h"
+#include "proposal.h"
#include "strnames.h"
#include "handler.h"
@@ -150,3 +158,109 @@ get_security_context(sa, p)
}
return 0;
}
+
+void
+set_secctx_in_proposal(iph2, spidx)
+ struct ph2handle *iph2;
+ struct policyindex spidx;
+{
+ iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
+ iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
+ iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
+ memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
+ spidx.sec_ctx.ctx_strlen);
+}
+
+
+/*
+ * function: init_avc
+ * description: function performs the steps necessary to initialize the
+ * userspace avc.
+ * input: void
+ * return: 0 if avc was successfully initialized
+ * 1 if the avc could not be initialized
+ */
+
+static int
+init_avc(void)
+{
+ int rtn = 0;
+
+ if (!is_selinux_mls_enabled()) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ " enabled.\n");
+ return 1;
+ }
+
+ rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize
avc.\n");
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * function: within_range
+ * description: function determines if the specified sl is within the
+ * configured range for a policy rule.
+ * input: security_context *sl SL
+ * char *range Range
+ * return: 1 if the sl is within the range
+ * 0 if the sl is not within the range or an error
+ * occurred which prevented the determination
+ */
+
+int
+within_range(security_context_t sl, security_context_t range)
+{
+ int rtn = 1;
+ security_id_t slsid;
+ security_id_t rangesid;
+ struct av_decision avd;
+ security_class_t tclass;
+ access_vector_t av;
+
+ rtn = init_avc();
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: couldn't initialize the AVC\n");
+ return 0;
+ }
+
+ /*
+ * Get the sids for the sl and range contexts
+ */
+ rtn = avc_context_to_sid(sl, &slsid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for sl context (%s).\n", sl);
+ return 0;
+ }
+ rtn = avc_context_to_sid(range, &rangesid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for range context (%s).\n", range);
+ sidput(slsid);
+ return 0;
+ }
+
+ /*
+ * Straight up test between sl and range
+ */
+ tclass = SECCLASS_ASSOCIATION;
+ av = ASSOCIATION__POLMATCH;
+ rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ if (rtn != 0) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "within_range: The sl is not within range\n");
+ sidput(slsid);
+ sidput(rangesid);
+ return 0;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "within_range: The sl (%s) is within range (%s)\n", sl, range);
+ return 1;
+}
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
