Navigation

Changeset 2186

Timestamp:

05/27/08 10:16:47 (6 months ago)

Author:

dsugar

Message:

Updates so the ipsec test cases now run in enforcing

Files:

r2148	r2186
	1	add 172.16.133.129[3490] 172.16.133.131 esp 0x6789 -m transport -ctx 1 1 "system_u:system_r:server_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
1	2	add 172.16.133.131 172.16.133.129[3490] esp 0x5678 -m transport -ctx 1 1 "system_u:system_r:client_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
2	3	add 172.16.133.129[3490] 172.16.133.131 esp 0x6789 -m transport -ctx 1 1 "system_u:system_r:server_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
	4	add 172.16.133.131 172.16.133.129[3490] esp 0x5678 -m transport -ctx 1 1 "system_u:system_r:client_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";

r2148	r2186
7	7	#Framework ability: tcp_server
8	8	allow server_t self :tcp_socket { accept append bind create getopt listen name_bind node_bind read setopt write };
	9	corenet_tcp_bind_all_ports(server_t)
	10	corenet_tcp_bind_generic_port(server_t)
	11	corenet_tcp_bind_inaddr_any_node(server_t)
	12	corenet_tcp_bind_generic_node(server_t)
9	13	#End of Framework ability: tcp_server
10	14	optional_policy(`
…	…
23	27	SEFramework_entrypoint(server_exe_t)
24	28	SEFramework_files_type(server_exe_t)
	29	SEFramework_ipsec_endpoint(server_t)
25	30	# CDSFramework access (domain resource verb): server net1 readwrite
26	31	# remote types of data coming over the wire (Labeled Networking)
27	32	type client_t;
28	33	SEFramework_domain(client_t)
	34	SEFramework_ipsec_endpoint(client_t)
29	35	framework_ipsec_readwrite_connrw(server_t,self)
30	36	allow server_t client_t:association { recvfrom sendto };
…	…
38	44	allow server_t tmp_t:dir { search };
39	45	# CDSFramework access (domain baseresource verb): server selinux read
40		~~seutil_read_config(server_t)~~
41	46	selinux_getattr_fs(server_t)
42	47	selinux_validate_context(server_t)
	48	seutil_read_config(server_t)
	49	# CDSFramework access (domain baseresource verb): server terminal readwrite
	50	term_use_all_user_ptys(server_t)
	51	term_use_all_terms(server_t)
	52	term_use_generic_ptys(server_t)
43	53	# CDSFramework enter (domain domain entrypoint): unconfined server server_exe
44	54	optional_policy(`

r2148	r2186
1	1	ability tcp_server
2		[ desc:" " ]
	2	[ desc:"Domain that communicates over the network as a TCP Server" ]
3	3	{
	4	corenet_tcp_bind_all_ports($)
	5	corenet_tcp_bind_generic_port($)
	6	corenet_tcp_bind_inaddr_any_node($)
	7	corenet_tcp_bind_generic_node($)
4	8	self
5	9	{

r2148	r2186
4	4	baseresource selinux from "selinux.flnk";
5	5	ability tcp_server from "tcp_server.flnk";
	6	baseresource terminal from "terminal.flnk";
6	7
7	8	resource res1 { file };
…	…
13	14	access server res1 write;
14	15	access server selinux read;
	16	access server terminal readwrite;
15	17
16	18	entrypoint server_exe;

r2148	r2186
	1	add 172.16.133.129[3490] 172.16.133.131 esp 0x6789 -m transport -ctx 1 1 "system_u:system_r:server_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
1	2	add 172.16.133.131 172.16.133.129[3490] esp 0x5678 -m transport -ctx 1 1 "system_u:system_r:client_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
2	3	add 172.16.133.129[3490] 172.16.133.131 esp 0x6789 -m transport -ctx 1 1 "system_u:system_r:server_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";
	4	add 172.16.133.131 172.16.133.129[3490] esp 0x5678 -m transport -ctx 1 1 "system_u:system_r:client_t:s0-s0:c0.c1023" -E 3des-cbc "012345678901234567890123" -A hmac-md5 "0123456789012345";

r2148	r2186
7	7	#Framework ability: tcp_client
8	8	allow client_t self :tcp_socket { connect create getopt name_connect node_bind read setopt write };
	9	corenet_tcp_connect_all_ports(client_t)
9	10	#End of Framework ability: tcp_client
10	11	optional_policy(`
…	…
23	24	SEFramework_entrypoint(client_exe_t)
24	25	SEFramework_files_type(client_exe_t)
	26	SEFramework_ipsec_endpoint(client_t)
25	27	# CDSFramework access (domain resource verb): client net1 readwrite
26	28	# remote types of data coming over the wire (Labeled Networking)
27	29	type server_t;
28	30	SEFramework_domain(server_t)
	31	SEFramework_ipsec_endpoint(server_t)
29	32	framework_ipsec_readwrite_connrw(client_t,self)
30	33	allow client_t self:association { recvfrom sendto };
…	…
38	41	allow client_t tmp_t:dir { search };
39	42	# CDSFramework access (domain baseresource verb): client selinux read
40		~~seutil_read_config(client_t)~~
41	43	selinux_getattr_fs(client_t)
42	44	selinux_validate_context(client_t)
	45	seutil_read_config(client_t)
43	46	# CDSFramework access (domain baseresource verb): client sysnetwork read
44	47	sysnet_read_config(client_t)
	48	# CDSFramework access (domain baseresource verb): client terminal readwrite
	49	term_use_all_user_ptys(client_t)
	50	term_use_all_terms(client_t)
	51	term_use_generic_ptys(client_t)
45	52	# CDSFramework enter (domain domain entrypoint): unconfined client client_exe
46	53	optional_policy(`

r2148	r2186
2	2	[ desc:"Domain that communicates over the network as a TCP Client " ]
3	3	{
	4	corenet_tcp_connect_all_ports($)
4	5	self
5	6	{

r2148	r2186
5	5	baseresource sysnetwork from "sysnetwork.flnk";
6	6	ability tcp_client from "tcp_client.flnk";
	7	baseresource terminal from "terminal.flnk";
7	8
8	9	resource res2 { file };
…	…
15	16	access client selinux read ;
16	17	access client sysnetwork read;
	18	access client terminal readwrite;
17	19
18	20	entrypoint client_exe;

* Generating other formats may take time.