VPNClient security #10

Open
zero88 opened this issue Apr 15, 2021 · 2 comments · May be fixed by #82
zero88 commented Apr 15, 2021

Is your feature request related to a problem? Please describe.

  1. Mandatory Access Control
    Some access denials from Linux security when using vpnclient make the DNS resolver unable to process automatically:

    [    5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    [    5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    [    5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    

    Create a profile to support this.

    On IoT devices, it isn't enabled by default, but it should be in the future.
    So provide this enhancement as optional and let the user decide whether to use it.

  2. Hardening option for systemd service

@zero88 zero88 added T: Feature Issue Type: Feature C: security CL: Medium Complexity level: medium P: Medium labels Apr 15, 2021
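The three kernel log lines quoted above are the raw material for the AppArmor profile the comment asks for. The following script is an added example, not code from the issue or from the VPNClient project: it parses `apparmor="DENIED"` audit events, merges the per-path masks (the audit backend reports `c` for create, which a profile rule grants with `w`), and renders one rule per path so the result can be reviewed before being dropped into an opt-in local override. The sample log is the issue's own three lines; the output format and the `MASK_TO_PERM` table are this example's choices, and the suggestion of a `local/` override file below is the usual distribution convention, not something the issue specifies.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the three AppArmor denials quoted in the issue, as they
# appear in the kernel log (two of them hit the same file).
SAMPLE_LOG = """\
[    5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[    5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[    5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key=value or key="quoted value" pairs as written by the AppArmor audit backend
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit mask letters -> the profile permission that grants them.  The audit
# log reports fine-grained operations (c = create, d = delete, a = append)
# that a profile rule expresses with the coarser "w" permission.  "x" is left
# out on purpose: an exec denial needs a human decision on the exec mode.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

# Canonical ordering of permission letters in a rendered rule
PERM_ORDER = "rwmlk"


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    name: str
    denied_mask: str
    comm: str


def parse_denials(text):
    """Extract every apparmor="DENIED" file event from raw kernel/audit log text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
        # Only file-access denials carry a path in name=; skip signal/ptrace events
        if "name" not in kv or "profile" not in kv:
            continue
        denials.append(Denial(kv["profile"], kv.get("operation", ""), kv["name"],
                              kv.get("denied_mask", ""), kv.get("comm", "")))
    return denials


def suggest_rules(denials):
    """Collapse denials into one file rule per (profile, path), merging masks."""
    perms = defaultdict(set)  # (profile, path) -> set of permission letters
    for d in denials:
        for letter in d.denied_mask:
            if letter not in MASK_TO_PERM:
                raise ValueError(f"unhandled mask letter {letter!r} for {d.name}")
            perms[(d.profile, d.name)].add(MASK_TO_PERM[letter])
    rules = defaultdict(list)
    for profile, path in sorted(perms):
        ordered = "".join(p for p in PERM_ORDER if p in perms[(profile, path)])
        rules[profile].append(f"{path} {ordered},")
    return dict(rules)


def render_override(rules):
    """Render the rules as the body of a local profile override file."""
    out = []
    for profile, lines in rules.items():
        out.append(f"# rules for profile {profile}, generated from audit denials")
        out.extend(f"  {line}" for line in lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_override(suggest_rules(parse_denials(SAMPLE_LOG))))
```

Run against the issue's log it yields two `w` rules for the dhclient profile; on Debian and Ubuntu the dhclient profile includes a `local/` override file, which is where such rules go so that a package upgrade does not overwrite them. Because the tool raises on any mask letter it does not map (notably `x`), a denial that needs an exec-mode decision cannot be silently turned into an over-broad rule.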
zero88 commented Apr 16, 2021

SELinux

After installation:

sudo semanage fcontext -a -t NetworkManager_etc_t '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'
sudo restorecon -v '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'

sudo semanage fcontext -a -t dhcpc_state_t '/app/vpnclient/runtime'
sudo restorecon -v '/app/vpnclient/runtime'

@zero88 zero88 added this to the VPNC-v1.0.0 milestone Apr 20, 2021
@anhcq151 anhcq151 linked a pull request May 29, 2021 that will close this issue
anhcq151 commented May 29, 2021

Pushed the first commit to build the SELinux policy in order to run the client on Fedora or SELinux-enabled systems
#82
Quoting the content of the README file:

SELinux policy

Tested on Fedora

  1. Prerequisite packages:

    • setroubleshoot
    • policycoreutils
    • policycoreutils-devel
  2. Other prerequisites:

    • The playio-vpnc executable folder path exists; it defaults to /app
    • Enable SELinux boolean:
    setsebool -P domain_can_mmap_files 1
    setsebool -P domain_kernel_load_modules 1
    setsebool -P daemons_enable_cluster_mode 1
  3. Build and install the policy:

    Change to the selinux folder and run the commands below:

    make -f /usr/share/selinux/devel/Makefile playio_vpnc.pp
    semodule -i playio_vpnc.pp
    restorecon -FRv /app
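The README steps above and the Apr 16 comment together define what a host must look like before the policy is useful: three booleans enabled and two paths labelled with the right types. The following script is an added example, not part of the PR or the project: it parses the output of `getsebool -a` and `semanage fcontext -l` (constructed samples are embedded so it runs offline), reports which required booleans and file contexts are missing, and prints the exact `setsebool` / `semanage fcontext` / `restorecon` commands from the issue that would close each gap. The required booleans and path-to-type pairs are taken from the page; the column-splitting rule for `semanage fcontext -l` (runs of two or more spaces) and the `-m` fallback for an already-defined context are this example's assumptions.

```python
import re
import subprocess

# Booleans the README says must be enabled before loading the policy
REQUIRED_BOOLEANS = ["domain_can_mmap_files", "domain_kernel_load_modules",
                     "daemons_enable_cluster_mode"]

# (path, SELinux type) pairs from the Apr 16 comment's semanage commands
REQUIRED_FCONTEXTS = [
    ("/app/vpnclient/runtime/vpn-runtime-nameserver.conf", "NetworkManager_etc_t"),
    ("/app/vpnclient/runtime", "dhcpc_state_t"),
]

# Constructed sample of `getsebool -a` output: one required boolean still off
SAMPLE_GETSEBOOL = """\
daemons_enable_cluster_mode --> off
domain_can_mmap_files --> on
domain_kernel_load_modules --> on
httpd_can_network_connect --> off
"""

# Constructed sample of `semanage fcontext -l -C` output (local customizations);
# the columns are padded with runs of spaces (assumption used by the parser)
SAMPLE_FCONTEXT = """\
SELinux fcontext                                     type               Context

/app/vpnclient/runtime                               all files          system_u:object_r:dhcpc_state_t:s0
/app/vpnclient/runtime/vpn-runtime-nameserver.conf   all files          system_u:object_r:NetworkManager_etc_t:s0
"""

BOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_booleans(text):
    """Map boolean name -> True/False from `getsebool -a` output."""
    result = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2) == "on"
    return result


def parse_fcontexts(text):
    """Map path spec -> SELinux type from `semanage fcontext -l` output."""
    result = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 3:
            continue
        path, _ftype, context = fields
        parts = context.split(":")  # user:role:type:level
        if len(parts) < 3:           # header row or a "<<None>>" context
            continue
        result[path] = parts[2]
    return result


def readiness_report(getsebool_output, fcontext_output):
    """Compare live state against what the policy needs; return gaps and fixes."""
    booleans = parse_booleans(getsebool_output)
    fcontexts = parse_fcontexts(fcontext_output)
    missing_booleans = [b for b in REQUIRED_BOOLEANS if not booleans.get(b, False)]
    fcontext_problems = {}
    for path, want in REQUIRED_FCONTEXTS:
        have = fcontexts.get(path)
        if have != want:
            fcontext_problems[path] = {"expected": want, "actual": have}
    # Remediation mirrors the commands given in the issue; an existing but
    # wrong mapping must be modified (-m) rather than added (-a)
    remediation = [f"setsebool -P {b} 1" for b in missing_booleans]
    for path, want in REQUIRED_FCONTEXTS:
        if path in fcontext_problems:
            flag = "-a" if fcontext_problems[path]["actual"] is None else "-m"
            remediation.append(f"semanage fcontext {flag} -t {want} '{path}'")
            remediation.append(f"restorecon -v '{path}'")
    return {"missing_booleans": missing_booleans,
            "fcontext_problems": fcontext_problems,
            "remediation": remediation}


def live_report():
    """Run the two tools on this host (needs policycoreutils installed)."""
    sebool = subprocess.run(["getsebool", "-a"], capture_output=True, text=True, check=True).stdout
    fc = subprocess.run(["semanage", "fcontext", "-l", "-C"], capture_output=True, text=True, check=True).stdout
    return readiness_report(sebool, fc)


if __name__ == "__main__":
    for cmd in readiness_report(SAMPLE_GETSEBOOL, SAMPLE_FCONTEXT)["remediation"]:
        print(cmd)
```

With the embedded samples the only gap is `daemons_enable_cluster_mode`, so the script prints the single `setsebool -P daemons_enable_cluster_mode 1` line; `live_report()` does the same against the real host. Checking `semanage fcontext -l` rather than `ls -Z` is deliberate: a correct label on disk that is not backed by a file-context rule is lost the next time `restorecon -FRv /app` runs.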
