selinux-policy/policy/modules/system/ipsec.if

## <summary>TCP/IP encryption</summary>

########################################
## <summary>
##	Execute ipsec in the ipsec domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_domtrans',`
	gen_require(`
		type ipsec_t, ipsec_exec_t;
	')

	domtrans_pattern($1,ipsec_exec_t,ipsec_t)
')

########################################
## <summary>
##	Connect to IPSEC using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_stream_connect',`
	gen_require(`
		type ipsec_t, ipsec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
')

########################################
## <summary>
##	Get the attributes of an IPSEC key socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_getattr_key_sockets',`
	gen_require(`
		type ipsec_t;
	')

	allow $1 ipsec_t:key_socket getattr;
')

########################################
## <summary>
##	Execute the IPSEC management program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_exec_mgmt',`
	gen_require(`
		type ipsec_exec_t;
	')

	can_exec($1,ipsec_exec_t)
')

########################################
## <summary>
##	Read the IPSEC configuration
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ipsec_read_config',`
	gen_require(`
		type ipsec_conf_file_t;
	')

	files_search_etc($1)
	allow $1 ipsec_conf_file_t:file read_file_perms;
')

########################################
## <summary>
##	Match the default SPD entry.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ipsec_match_default_spd',`
	gen_require(`
		type ipsec_spd_t;
	')

	allow $1 ipsec_spd_t:association polmatch;
	allow $1 self:association sendto;
')

########################################
## <summary>
##	Set the context of a SPD entry to
##	the default context.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ipsec_setcontext_default_spd',`
	gen_require(`
		type ipsec_spd_t;
	')

	allow $1 ipsec_spd_t:association setcontext;
')

########################################
## <summary>
##	write the ipsec_var_run_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ipsec_write_pid',`
	gen_require(`
		type ipsec_var_run_t;
	')

	files_search_pids($1)
	write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
')

########################################
## <summary>
##	Create, read, write, and delete the IPSEC pid files.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_manage_pid',`
	gen_require(`
		type ipsec_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
')

########################################
## <summary>
##	Execute racoon in the racoon domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_domtrans_racoon',`
	gen_require(`
		type racoon_t, racoon_exec_t;
	')

	domtrans_pattern($1,racoon_exec_t,racoon_t)
')

########################################
## <summary>
##	Execute setkey in the setkey domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_domtrans_setkey',`
	gen_require(`
		type setkey_t, setkey_exec_t;
	')

	domtrans_pattern($1,setkey_exec_t,setkey_t)
')

########################################
## <summary>
##	Execute setkey and allow the specified role the domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the racoon and setkey domains.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ipsec_run_setkey',`
	gen_require(`
		type setkey_t;
	')

	ipsec_domtrans_setkey($1)
	role $2 types setkey_t;
')
add ipsec 2005-07-14 18:15:47 +00:00			`## <summary>TCP/IP encryption</summary>`

			`########################################`
			`## <summary>`
			`## Execute ipsec in the ipsec domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add ipsec 2005-07-14 18:15:47 +00:00			`## The type of the process performing this action.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add ipsec 2005-07-14 18:15:47 +00:00			`## </param>`
			`#`
			interface(`ipsec_domtrans',`
			gen_require(`
			`type ipsec_t, ipsec_exec_t;`
			`')`

merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`domtrans_pattern($1,ipsec_exec_t,ipsec_t)`
add ipsec 2005-07-14 18:15:47 +00:00			`')`
more cleanup in system 2005-07-18 18:31:49 +00:00
			`########################################`
			`## <summary>`
* Rename ipsec connect interface for consistency. * Add missing parts of unix stream socket connect interface of ipsec. * Rename inetd connect interface for consistency. 2005-08-03 15:16:33 +00:00			`## Connect to IPSEC using a unix domain stream socket.`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## The type of the process performing this action.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </param>`
			`#`
* Rename ipsec connect interface for consistency. * Add missing parts of unix stream socket connect interface of ipsec. * Rename inetd connect interface for consistency. 2005-08-03 15:16:33 +00:00			interface(`ipsec_stream_connect',`
more cleanup in system 2005-07-18 18:31:49 +00:00			gen_require(`
* Rename ipsec connect interface for consistency. * Add missing parts of unix stream socket connect interface of ipsec. * Rename inetd connect interface for consistency. 2005-08-03 15:16:33 +00:00			`type ipsec_t, ipsec_var_run_t;`
more cleanup in system 2005-07-18 18:31:49 +00:00			`')`

* Rename ipsec connect interface for consistency. * Add missing parts of unix stream socket connect interface of ipsec. * Rename inetd connect interface for consistency. 2005-08-03 15:16:33 +00:00			`files_search_pids($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)`
more cleanup in system 2005-07-18 18:31:49 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Get the attributes of an IPSEC key socket.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## The type of the process performing this action.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </param>`
			`#`
another slew of renaming 2006-02-02 21:08:12 +00:00			interface(`ipsec_getattr_key_sockets',`
more cleanup in system 2005-07-18 18:31:49 +00:00			gen_require(`
			`type ipsec_t;`
			`')`

			`allow $1 ipsec_t:key_socket getattr;`
			`')`

			`########################################`
			`## <summary>`
			`## Execute the IPSEC management program in the caller domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## The type of the process performing this action.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </param>`
			`#`
			interface(`ipsec_exec_mgmt',`
			gen_require(`
			`type ipsec_exec_t;`
			`')`

			`can_exec($1,ipsec_exec_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Read the IPSEC configuration`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## The type of the process performing this action.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`#`
			interface(`ipsec_read_config',`
			gen_require(`
			`type ipsec_conf_file_t;`
			`')`

			`files_search_etc($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 ipsec_conf_file_t:file read_file_perms;`
more cleanup in system 2005-07-18 18:31:49 +00:00			`')`

			`########################################`
			`## <summary>`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`## Match the default SPD entry.`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## </param>`
			`#`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			interface(`ipsec_match_default_spd',`
more cleanup in system 2005-07-18 18:31:49 +00:00			gen_require(`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`type ipsec_spd_t;`
more cleanup in system 2005-07-18 18:31:49 +00:00			`')`

trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`allow $1 ipsec_spd_t:association polmatch;`
trunk: More complete labeled networking infrastructure from KaiGai Kohei. 2007-11-26 16:44:57 +00:00			`allow $1 self:association sendto;`
more cleanup in system 2005-07-18 18:31:49 +00:00			`')`
six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed 2007-03-26 20:47:29 +00:00
trunk: add labeled networking support to unconfined. 2007-11-14 14:38:45 +00:00			`########################################`
			`## <summary>`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`## Set the context of a SPD entry to`
			`## the default context.`
trunk: add labeled networking support to unconfined. 2007-11-14 14:38:45 +00:00			`## </summary>`
			`## <param name="domain">`
trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
trunk: add labeled networking support to unconfined. 2007-11-14 14:38:45 +00:00			`## </param>`
			`#`
			interface(`ipsec_setcontext_default_spd',`
			gen_require(`
			`type ipsec_spd_t;`
			`')`

			`allow $1 ipsec_spd_t:association setcontext;`
			`')`

trunk: 3 patches from the fedora policy, cherry picked by David Hardeman. 2008-08-11 14:03:36 +00:00			`########################################`
			`## <summary>`
			`## write the ipsec_var_run_t files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`ipsec_write_pid',`
			gen_require(`
			`type ipsec_var_run_t;`
			`')`

			`files_search_pids($1)`
			`write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)`
			`')`

trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00			`########################################`
			`## <summary>`
			`## Create, read, write, and delete the IPSEC pid files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## The type of the process performing this action.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`ipsec_manage_pid',`
			gen_require(`
			`type ipsec_var_run_t;`
			`')`

			`files_search_pids($1)`
			`manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)`
			`')`

six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed 2007-03-26 20:47:29 +00:00			`########################################`
			`## <summary>`
			`## Execute racoon in the racoon domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## The type of the process performing this action.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`ipsec_domtrans_racoon',`
			gen_require(`
			`type racoon_t, racoon_exec_t;`
			`')`

			`domtrans_pattern($1,racoon_exec_t,racoon_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute setkey in the setkey domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## The type of the process performing this action.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`ipsec_domtrans_setkey',`
			gen_require(`
			`type setkey_t, setkey_exec_t;`
			`')`

			`domtrans_pattern($1,setkey_exec_t,setkey_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute setkey and allow the specified role the domains.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed the racoon and setkey domains.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`ipsec_run_setkey',`
			gen_require(`
			`type setkey_t;`
			`')`

			`ipsec_domtrans_setkey($1)`
			`role $2 types setkey_t;`
			`')`