summaryrefslogtreecommitdiff
path: root/policy/modules/system/ipsec.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/system/ipsec.te')
-rw-r--r--policy/modules/system/ipsec.te274
1 files changed, 274 insertions, 0 deletions
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
new file mode 100644
index 00000000..930c8dcb
--- /dev/null
+++ b/policy/modules/system/ipsec.te
@@ -0,0 +1,274 @@
+
+policy_module(ipsec,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type ipsec_t;
+type ipsec_exec_t;
+init_daemon_domain(ipsec_t,ipsec_exec_t)
+role system_r types ipsec_t;
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t;
+files_type(ipsec_conf_file_t)
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t;
+files_type(ipsec_key_file_t)
+
+# type for runtime files, including pluto.ctl
+type ipsec_var_run_t;
+files_pid_file(ipsec_var_run_t)
+
+type ipsec_mgmt_t;
+type ipsec_mgmt_exec_t;
+init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+corecmd_shell_entry_type(ipsec_mgmt_t)
+role system_r types ipsec_mgmt_t;
+
+type ipsec_mgmt_lock_t;
+files_lock_file(ipsec_mgmt_lock_t)
+
+type ipsec_mgmt_var_run_t;
+files_pid_file(ipsec_mgmt_var_run_t)
+
+########################################
+#
+# ipsec Local policy
+#
+
+allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process signal;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:tcp_socket create_stream_socket_perms;
+allow ipsec_t self:key_socket { create write read setopt };
+allow ipsec_t self:fifo_file { read getattr };
+
+allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_conf_file_t:file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_key_file_t:file r_file_perms;
+allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+kernel_read_kernel_sysctls(ipsec_t)
+kernel_list_proc(ipsec_t)
+kernel_read_proc_symlinks(ipsec_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_t)
+kernel_read_network_state(ipsec_t)
+kernel_read_software_raid_state(ipsec_t)
+kernel_getattr_core_if(ipsec_t)
+kernel_getattr_message_if(ipsec_t)
+
+# Pluto needs network access
+corenet_non_ipsec_sendrecv(ipsec_t)
+corenet_tcp_sendrecv_all_if(ipsec_t)
+corenet_raw_sendrecv_all_if(ipsec_t)
+corenet_tcp_sendrecv_all_nodes(ipsec_t)
+corenet_raw_sendrecv_all_nodes(ipsec_t)
+corenet_tcp_sendrecv_all_ports(ipsec_t)
+corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_tcp_bind_reserved_port(ipsec_t)
+corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_sendrecv_generic_server_packets(ipsec_t)
+corenet_sendrecv_isakmp_server_packets(ipsec_t)
+
+dev_read_sysfs(ipsec_t)
+dev_read_rand(ipsec_t)
+dev_read_urand(ipsec_t)
+
+fs_getattr_all_fs(ipsec_t)
+fs_search_auto_mountpoints(ipsec_t)
+
+term_use_console(ipsec_t)
+term_dontaudit_use_all_user_ttys(ipsec_t)
+
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
+domain_use_interactive_fds(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
+init_use_fds(ipsec_t)
+init_use_script_ptys(ipsec_t)
+
+libs_use_ld_so(ipsec_t)
+libs_use_shared_libs(ipsec_t)
+
+logging_send_syslog_msg(ipsec_t)
+
+miscfiles_read_localization(ipsec_t)
+
+sysnet_read_config(ipsec_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
+userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(ipsec_t)
+ term_dontaudit_use_generic_ptys(ipsec_t)
+ files_dontaudit_read_root_files(ipsec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(ipsec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ipsec_t)
+')
+
+optional_policy(`
+ udev_read_db(ipsec_t)
+')
+
+########################################
+#
+# ipsec_mgmt Local policy
+#
+
+allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
+allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+allow ipsec_mgmt_t self:key_socket { create setopt };
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+
+allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+
+allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
+
+# whack needs to connect to pluto
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
+allow ipsec_t ipsec_mgmt_t:process sigchld;
+
+kernel_rw_net_sysctls(ipsec_mgmt_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_mgmt_t)
+kernel_read_network_state(ipsec_mgmt_t)
+kernel_read_software_raid_state(ipsec_mgmt_t)
+kernel_read_kernel_sysctls(ipsec_mgmt_t)
+kernel_getattr_core_if(ipsec_mgmt_t)
+kernel_getattr_message_if(ipsec_mgmt_t)
+
+files_read_kernel_symbol_table(ipsec_mgmt_t)
+files_getattr_kernel_modules(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
+# the default updown script wants to run route
+corecmd_exec_sbin(ipsec_mgmt_t)
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+corecmd_exec_bin(ipsec_mgmt_t)
+
+domain_use_interactive_fds(ipsec_mgmt_t)
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
+# suppress audit messages about unnecessary socket access
+# cjp: this seems excessive
+domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+
+files_read_etc_files(ipsec_mgmt_t)
+files_exec_etc_files(ipsec_mgmt_t)
+files_read_etc_runtime_files(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+
+init_use_script_ptys(ipsec_mgmt_t)
+init_exec_script_files(ipsec_mgmt_t)
+init_use_fds(ipsec_mgmt_t)
+
+libs_use_ld_so(ipsec_mgmt_t)
+libs_use_shared_libs(ipsec_mgmt_t)
+
+miscfiles_read_localization(ipsec_mgmt_t)
+
+modutils_domtrans_insmod(ipsec_mgmt_t)
+
+seutil_dontaudit_search_config(ipsec_mgmt_t)
+
+sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+
+userdom_use_sysadm_terms(ipsec_mgmt_t)
+
+optional_policy(`
+ consoletype_exec(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ipsec_mgmt_t)
+')
+
+ifdef(`TODO',`
+# ideally it would not need this. It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+') dnl end TODO
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 17:49:57 +0000