On 10/31/2012 01:13 PM, qsw...@tresys.com wrote:
From: Quentin Swain <qsw...@tresys.com>
Added vpn_contexts used to define labels used for applying security context to
inbound and outbound SPD policies created for IPSec connections.
Change-Id: I7c64677ff29abaaa3f0c6d901584e2bd81ab3dbb
---
Android.mk | 12 ++++++++++++
vpn_contexts | 12 ++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 vpn_contexts
diff --git a/Android.mk b/Android.mk
index fca366f..d6714ea 100644
--- a/Android.mk
+++ b/Android.mk
@@ -185,4 +185,16 @@ include $(BUILD_PREBUILT)
##################################
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vpn_contexts
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+
+include $(BUILD_PREBUILT)
+
+##################################
endif #ifeq ($(HAVE_SELINUX),true)
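Review bot: "LOCAL_MODULE_TAGS := optional" on the new vpn_contexts module means it is only built when some product makefile lists it in PRODUCT_PACKAGES, and neither this hunk nor the commit message says where that happens; please add it to the appropriate product definition or say it is a follow-up. A smaller style point: the hunk opens with a second "##################################" directly after the one already closing the previous module, so the separator is doubled; drop the leading one.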
diff --git a/vpn_contexts b/vpn_contexts
new file mode 100644
index 0000000..6749265
--- /dev/null
+++ b/vpn_contexts
@@ -0,0 +1,12 @@
+# All entries use the format: <traffic-direction> \t <endpoint-ip> \t <context>
+# The contexts must be valid SElinux context or the Kernel will not create the
+# labeled SPD policies. SAs created for traffic matching the policies will
+# contain the label of the matching SPD policy. If there are no matching
+# entries then the SPD entry will default to u:object_r:unlabeled:s0 context
+# Lines beginning with # are comments
+# defined in ipsec.h
+# IPSEC_DIR_INBOUND = 1
+# IPSEC_DIR_OUTBOUND = 2
+# Sample policies:
+#1 10.1.12.212 u:object_r:lo_packet:s0
+#2 10.1.12.212 u:object_r:lo_packet:s0
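Review bot: the header comment documents the fields as separated by \t, but both sample policies at the bottom use plain spaces; given that the comment also says an SPD entry falls back to u:object_r:unlabeled:s0 when nothing matches, a tab-strict parser would turn every space-separated line into a silent no-op, so pick one delimiter and make the samples match (or state that any whitespace is accepted). The comment should also say whether <endpoint-ip> is the local or the remote address, and "SElinux" should read "SELinux".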
Use "in" and "out" rather than "1" and "2" in the configuration
language. You are only supporting one SA per remote address? Not
taking into account the local process at all?
--
This message was distributed to subscribers of the seandroid-list mailing list.