[Swan-dev] [PATCH] pluto: Update pluto to support selinux_check_access(3).

Richard Haines richard_c_haines at btinternet.com
Fri May 12 15:01:16 UTC 2017


Replace the SELinux avc_* calls with selinux_check_access(3) that
combines all those services, plus:
Checks if SELinux is enabled.
Supports reordering of classes/permissions at runtime.
Handles unknown classes/permissions (allow|deny|reject).

Requires libselinux 2.1.9 or greater.

Signed-off-by: Richard Haines <richard_c_haines at btinternet.com>
---
 programs/pluto/ikev1_spdb_struct.c |  2 +-
 programs/pluto/plutomain.c         |  2 +-
 programs/pluto/security_selinux.c  | 68 +++++++++-----------------------------
 programs/pluto/security_selinux.h  |  6 ++--
 4 files changed, 20 insertions(+), 58 deletions(-)

diff --git a/programs/pluto/ikev1_spdb_struct.c b/programs/pluto/ikev1_spdb_struct.c
index 53aed7f..6fee5ef 100644
--- a/programs/pluto/ikev1_spdb_struct.c
+++ b/programs/pluto/ikev1_spdb_struct.c
@@ -126,7 +126,7 @@ static bool parse_secctx_attr(pb_stream *pbs, struct state *st)
 					 st->st_connection->policy_label)) {
 			DBG_log("security context verification succeeded");
 		} else {
-			libreswan_log("security context verification failed (perhaps policy_label is not confgured for this connection)");
+			libreswan_log("security context verification failed (perhaps policy-label is not confgured for this connection)");
 			return FALSE;
 		}
 		/*
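Review bot: The reworded message on the `+` line still carries the typo "confgured"; since the literal is being touched anyway, `libreswan_log("security context verification failed (perhaps policy-label is not configured for this connection)");` fixes both in one go. parse_secctx_attr starts and ends outside the hunk.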
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 33c139c..a5097e0 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -1700,7 +1700,7 @@ int main(int argc, char **argv)
 	init_fetch();
 #endif
 #ifdef HAVE_LABELED_IPSEC
-	init_avc();
+	init_selinux();
 #endif
 	daily_log_event();
 #ifdef USE_SYSTEMD_WATCHDOG
diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c
index ac5028e..865f7c8 100644
--- a/programs/pluto/security_selinux.c
+++ b/programs/pluto/security_selinux.c
@@ -13,72 +13,36 @@
  *
  */
 
+#include <errno.h>
+
 #include "security_selinux.h"
 #include "lswlog.h"
 
-static int selinux_ready = 0;
-
-void init_avc(void)
+void init_selinux(void)
 {
-	if (!is_selinux_enabled()) {
-		DBG_log("selinux support is NOT enabled.");
-		return;
-	} else {
-		DBG_log("selinux support is enabled.");
-	}
-
-	if (avc_init("libreswan", NULL, NULL, NULL, NULL) == 0)
-		selinux_ready = 1;
+	if (!is_selinux_enabled())
+		DBG_log("SELinux support is NOT enabled.");
 	else
-		DBG_log("selinux: could not initialize avc.");
+		DBG_log("SELinux support is enabled in %s mode.",
+			security_getenforce() ? "ENFORCING" : "PERMISSIVE");
 }
 
-int within_range(security_context_t sl, security_context_t range)
+int within_range(const char *sl, const char *range)
 {
-	int rtn = 1;
-	security_id_t slsid;
-	security_id_t rangesid;
-	struct av_decision avd;
-	security_class_t tclass;
-	access_vector_t av;
-
-	if (!selinux_ready) {
-		/* mls may not be enabled */
-		DBG_log("selinux check failed");
-		return 0;
-	}
-
-	/*
-	 * * Get the sids for the sl and range contexts
-	 */
-	rtn = avc_context_to_sid(sl, &slsid);
-	if (rtn != 0) {
-		DBG_log("within_range: Unable to retrieve sid for sl context (%s)",
-			sl);
-		return 0;
-	}
-	rtn = avc_context_to_sid(range, &rangesid);
-	if (rtn != 0) {
-		DBG_log("within_range: Unable to retrieve sid for range context (%s)",
-			range);
-		sidput(slsid);
-		return 0;
-	}
+	int rtn;
 
 	/*
-	** Straight up test between sl and range
+	** Check access permission for sl (connection policy label from SAD)
+	** and range (connection flow label from SPD but initially the
+	** conn policy-label= entry of the ipsec.conf(5) configuration file).
 	**/
-	tclass = string_to_security_class("association");
-	av = string_to_av_perm(tclass, "polmatch");
-	rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+	rtn = selinux_check_access(sl, range, "association", "polmatch", NULL);
 	if (rtn != 0) {
-		DBG_log("within_range: The sl (%s) is not within range of (%s)", sl,
-			range);
-		sidput(slsid);
-		sidput(rangesid);
+		DBG_log("within_range: sl (%s) - range (%s) error: %s\n",
+			sl, range, strerror(errno));
 		return 0;
 	}
-	DBG_log("within_range: The sl (%s) is within range of (%s)", sl,
+	DBG_log("within_range: Permission granted sl (%s) - range (%s)", sl,
 		range);
 	return 1;
 }
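Review bot: within_range now fails open when SELinux is disabled: as I read libselinux, selinux_check_access() returns 0 without consulting policy in that case, so the function returns 1 and the caller accepts the peer's label, whereas the removed `selinux_ready` guard returned 0. If that is intended it deserves a comment on the function; otherwise keep the old fail-closed behaviour with `if (!is_selinux_enabled()) { DBG_log("within_range: SELinux disabled, label check refused"); return 0; }` ahead of the call. As with the avc_has_perm() call it replaces, the result is also 0 for a denied access in permissive mode, so a return of 1 should not be documented as a policy-enforced match. Two smaller points: `strerror()` needs `<string.h>`, which the hunk adds only `<errno.h>` for (it may arrive through lswlog.h), and the error DBG_log ends with a stray `\n` unlike the other messages in the file. In init_selinux, `security_getenforce()` returns -1 on failure, which the ternary reports as ENFORCING.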
diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h
index cccd60f..554b75e 100644
--- a/programs/pluto/security_selinux.h
+++ b/programs/pluto/security_selinux.h
@@ -16,10 +16,8 @@
 #define _SECURITY_SELINUX_H
 
 #include <selinux/selinux.h>
-#include <selinux/avc.h>
-#include <selinux/context.h>
 
-void init_avc(void);
-int within_range(security_context_t sl, security_context_t range);
+void init_selinux(void);
+int within_range(const char *sl, const char *range);
 
 #endif /* _SECURITY_SELINUX_H */
-- 
2.9.3


