play-iot / iot-vpn

Play-iO IIoT VPN
Apache License 2.0

VPNClient security #10

Open zero88 opened 3 years ago

zero88 commented 3 years ago

Is your feature request related to a problem? Please describe.

  1. Mandatory Access Control: some access denials from Linux security when using vpnclient make the DNS resolver unable to process automatically

    [    5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    [    5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    [    5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

    Create profile to support:

    On an IoT device it isn't enabled by default, but it should be in the future. So provide this enhancement as optional, then let the user decide whether to use it.

  2. Hardening option for systemd service

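Added example for both items of this request (it is not code from the play-iot/iot-vpn project): a small POSIX shell script that turns the AppArmor `DENIED` audit lines quoted above into the file rules a local profile override for dhclient would need (the audit "c" create mask is granted by "w" in profile syntax, as aa-logprof does), and that emits a hardened systemd drop-in for the client. Assumptions: `/etc/apparmor.d/local/sbin.dhclient` as the override path Ubuntu's dhclient profile includes (check with `grep local/ /etc/apparmor.d/sbin.dhclient`), `vpnclient.service` as a hypothetical unit name, and `/app/vpnclient` as the only directory the client must write to.

```shell
#!/bin/sh
# Added example, not part of the play-iot/iot-vpn project.
# Assumptions: override path /etc/apparmor.d/local/sbin.dhclient (Ubuntu),
# hypothetical unit name vpnclient.service, writable tree /app/vpnclient.

# Constructed sample input: the three audit lines quoted in the issue.
SAMPLE_AUDIT='[    5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[    5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[    5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0'

# denied_paths <audit text>: one "path denied_mask" pair per distinct
# apparmor="DENIED" record; ALLOWED/AUDIT records are ignored.
denied_paths() {
    printf '%s\n' "$1" \
      | grep 'apparmor="DENIED"' \
      | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' \
      | sort -u
}

# mask_to_perm <audit mask>: audit logs report create as "c", but profile
# rules grant it through "w"; other letters (r, a, k, l, m) pass through.
mask_to_perm() {
    printf '%s\n' "$1" | tr 'c' 'w' | fold -w1 | sort -u | tr -d '\n'
}

# apparmor_local_rules <audit text>: file rules for a local override, one per
# denied path, least privilege (only the paths and permissions that were denied).
apparmor_local_rules() {
    denied_paths "$1" | while read -r path mask; do
        printf '  %s %s,\n' "$path" "$(mask_to_perm "$mask")"
    done
}

# Write the rules into the dhclient profile's local override and reload the
# profile. Needs root and apparmor_parser; not exercised by the checks.
install_dhclient_override() {
    out=/etc/apparmor.d/local/sbin.dhclient   # assumed override path
    apparmor_local_rules "$1" > "$out"
    apparmor_parser -r /etc/apparmor.d/sbin.dhclient
}

# Hardened drop-in for the client's unit. The client must create the tun
# device and change routes, so CAP_NET_ADMIN stays; everything else is dropped.
# PrivateDevices= is deliberately absent because it would hide /dev/net/tun.
systemd_hardening_dropin() {
    cat <<'EOF'
# /etc/systemd/system/vpnclient.service.d/hardening.conf (hypothetical unit name)
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/app/vpnclient
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
DeviceAllow=/dev/net/tun rw
EOF
}

# Stand-alone run: show the generated rules and the drop-in.
apparmor_local_rules "$SAMPLE_AUDIT"
systemd_hardening_dropin
```

Two caveats on the drop-in: the README for the SELinux policy enables `domain_kernel_load_modules`, so if the client loads the tun module itself, preload it through `/etc/modules-load.d/` before adding `ProtectKernelModules=true`; and if the client is a JIT runtime, `MemoryDenyWriteExecute=true` (left out here) will break it. Apply it with `systemctl daemon-reload` and confirm with `systemd-analyze security vpnclient.service`.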
zero88 commented 3 years ago

SELINUX

After install

sudo semanage fcontext -a -t NetworkManager_etc_t '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'
sudo restorecon -v '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'

sudo semanage fcontext -a -t dhcpc_state_t '/app/vpnclient/runtime'
sudo restorecon -v '/app/vpnclient/runtime'

anhcq151 commented 3 years ago

Pushed the first commit to build an SELinux policy in order to run the client on Fedora or SELinux-enabled systems

82

Quoting the content of the README file:

SELinux policy

Tested on Fedora

  1. Prerequisites packages:

    • setroubleshoot
    • policycoreutils
    • policycoreutils-devel
  2. Other prerequisites:

    • The playio-vpnc executable folder path exists; it defaults to /app
    • Enable SELinux boolean:
      setsebool -P domain_can_mmap_files 1
      setsebool -P domain_kernel_load_modules 1
      setsebool -P daemons_enable_cluster_mode 1
  3. Build and install the policy:

    Change to the selinux folder and run the commands below:

    make -f /usr/share/selinux/devel/Makefile playio_vpnc.pp
    semodule -i playio_vpnc.pp
    restorecon -FRv /app