From 11633bbaa81f7acdc4fe9b7b5ea7feec643af31a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 14 Jul 2005 18:15:47 +0000 Subject: [PATCH] add ipsec --- refpolicy/Changelog | 1 + refpolicy/policy/modules/kernel/bootloader.if | 92 +++--- refpolicy/policy/modules/services/nscd.fc | 10 +- .../policy/modules/system/corecommands.fc | 8 +- refpolicy/policy/modules/system/files.fc | 2 + refpolicy/policy/modules/system/files.if | 36 +++ refpolicy/policy/modules/system/ipsec.fc | 32 ++ refpolicy/policy/modules/system/ipsec.if | 25 ++ refpolicy/policy/modules/system/ipsec.te | 274 ++++++++++++++++++ 9 files changed, 436 insertions(+), 44 deletions(-) create mode 100644 refpolicy/policy/modules/system/ipsec.fc create mode 100644 refpolicy/policy/modules/system/ipsec.if create mode 100644 refpolicy/policy/modules/system/ipsec.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 67d79237..878af43e 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -3,6 +3,7 @@ module page when it is selected in the interface/template index. * Added support for layer summaries. * Added policies: + ipsec nscd 20050707 (7 Jul 2005) diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index bd870912..2e8def07 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -1,9 +1,9 @@ ## Policy for the kernel modules, kernel image, and bootloader. ######################################## -## +## ## Execute bootloader in the bootloader domain. -## +## ## ## The type of the process performing this action. ## @@ -25,10 +25,10 @@ interface(`bootloader_domtrans',` ') ######################################## -## +## ## Execute bootloader interactively and do ## a domain transition to the bootloader domain. -## +## ## ## The type of the process performing this action. ## 
@@ -52,9 +52,9 @@ interface(`bootloader_run',` ') ######################################## -## +## ## Search the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -69,9 +69,9 @@ interface(`bootloader_search_boot',` ') ######################################## -## +## ## Do not audit attempts to search the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -86,10 +86,10 @@ interface(`bootloader_dontaudit_search_boot',` ') ######################################## -## +## ## Read and write symbolic links ## in the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -106,9 +106,9 @@ interface(`bootloader_rw_boot_symlinks',` ') ######################################## -## +## ## Install a kernel into the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -127,9 +127,9 @@ interface(`bootloader_create_kernel',` ') ######################################## -## +## ## Install a system.map into the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -146,9 +146,9 @@ interface(`bootloader_create_kernel_symbol_table',` ') ######################################## -## +## ## Read system.map in the /boot directory. -## +## ## ## The type of the process performing this action. ## @@ -165,9 +165,9 @@ interface(`bootloader_read_kernel_symbol_table',` ') ######################################## -## +## ## Delete a kernel from /boot. -## +## ## ## The type of the process performing this action. ## @@ -184,9 +184,9 @@ interface(`bootloader_delete_kernel',` ') ######################################## -## +## ## Delete a system.map in the /boot directory. -## +## ## ## The type of the process performing this action. ## 
@@ -203,9 +203,9 @@ interface(`bootloader_delete_kernel_symbol_table',` ') ######################################## -## +## ## Read the bootloader configuration file. -## +## ## ## The type of the process performing this action. ## @@ -220,10 +220,10 @@ interface(`bootloader_read_config',` ') ######################################## -## +## ## Read and write the bootloader ## configuration file. -## +## ## ## The type of the process performing this action. ## @@ -238,10 +238,10 @@ interface(`bootloader_rw_config',` ') ######################################## -## +## ## Read and write the bootloader ## temporary data in /tmp. -## +## ## ## The type of the process performing this action. ## @@ -257,10 +257,10 @@ interface(`bootloader_rw_tmp_file',` ') ######################################## -## +## ## Read and write the bootloader ## temporary data in /tmp. -## +## ## ## The type of the process performing this action. ## @@ -278,9 +278,9 @@ interface(`bootloader_create_runtime_file',` ') ######################################## -## +## ## List the contents of the kernel module directories. -## +## ## ## The type of the process performing this action. ## @@ -295,9 +295,28 @@ interface(`bootloader_list_kernel_modules',` ') ######################################## -## +## +## Get the attributes of kernel module files. +## +## +## The type of the process performing this action. +## +# +interface(`bootloader_getattr_kernel_modules',` + gen_require(` + type modules_object_t; + class dir search; + class file getattr; + ') + + allow $1 modules_object_t:dir search; + allow $1 modules_object_t:dir getattr; +') + +######################################## +## ## Read kernel module files. -## +## ## ## The type of the process performing this action. ## @@ -316,9 +335,9 @@ interface(`bootloader_read_kernel_modules',` ') ######################################## -## +## ## Write kernel module files. -## +## ## ## The type of the process performing this action. ## 
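Review bot: `bootloader_getattr_kernel_modules` never grants what its summary and gen_require promise: `class file getattr` is required, but both allow rules target `modules_object_t:dir`, so a caller (ipsec_mgmt_t in this same patch) still cannot stat the module files themselves. The second rule should be `allow $1 modules_object_t:file getattr;`. If directory getattr is wanted as well, keep the `dir getattr` line but add that permission to the `class dir` require, which currently lists only `search`.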
@@ -338,10 +357,10 @@ interface(`bootloader_write_kernel_modules',` ') ######################################## -## +## ## Create, read, write, and delete ## kernel module files. -## +## ## ## The type of the process performing this action. ## @@ -379,4 +398,3 @@ interface(`bootloader_create_modules',` type_transition $1 modules_object_t:$3 $2; ') ') - diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc index a21cf11d..0eec9bad 100644 --- a/refpolicy/policy/modules/services/nscd.fc +++ b/refpolicy/policy/modules/services/nscd.fc @@ -1,9 +1,9 @@ -/usr/sbin/nscd -- system_u:object_r:nscd_exec_t +/usr/sbin/nscd -- context_template(system_u:object_r:nscd_exec_t,s0) -/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t +/var/db/nscd(/.*)? context_template(system_u:object_r:nscd_var_run_t,s0) -/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t -/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t +/var/run/nscd\.pid -- context_template(system_u:object_r:nscd_var_run_t,s0) +/var/run/\.nscd_socket -s context_template(system_u:object_r:nscd_var_run_t,s0) -/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t +/var/run/nscd(/.*)? context_template(system_u:object_r:nscd_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 4fe103f7..9bf7bb12 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc 
@@ -64,10 +64,12 @@ ifdef(`distro_gentoo', `
 /usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
+
+/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
 ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
 ')
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
@@ -78,6 +80,8 @@ ifdef(`distro_suse', `
 /usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
+/usr/local/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
+
 /usr/sbin/sesh -- context_template(system_u:object_r:shell_exec_t,s0)
 /usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index 743395b1..ce349377 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -33,6 +33,8 @@
 /etc/init\.d/functions -- context_template(system_u:object_r:etc_t,s0)
+/etc/ipsec\.d/examples(/.*)? context_template(system_u:object_r:etc_t,s0)
+
 /etc/network/ifstate -- context_template(system_u:object_r:etc_runtime_t,s0)
 /etc/ptal/ptal-printd-like -- context_template(system_u:object_r:etc_runtime_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 54103627..c810f0f9 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
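Review bot: The new `/usr/lib(64)?/ipsec/.* -- sbin_t` entry overlaps the per-file `ipsec_exec_t` and `ipsec_mgmt_exec_t` entries that ipsec.fc adds for the same directory (pluto, _plutorun, spi, ...), and the second hunk does the same for `/usr/local/lib(64)?/ipsec/.*`. Both patterns share the same fixed stem, so which label wins is decided by file_contexts ordering rather than by anything visible here; a `matchpathcon` check on one of the pluto paths after build would settle it. A comment next to these entries, e.g. `# helpers in the ipsec dir that ipsec.fc does not give their own type`, would record the intent for the next reader.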
@@ -415,6 +415,24 @@ interface(`files_unmount_rootfs',` allow $1 root_t:filesystem unmount; ') +######################################## +## +## Do not audit attempts to get the attributes of +## directories with the default file type. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_getattr_default_dir',` + gen_require(` + type default_t; + class dir getattr; + ') + + dontaudit $1 default_t:dir getattr; +') + ######################################## ## ## List contents of directories with the default file type. @@ -449,6 +467,24 @@ interface(`files_mounton_default',` allow $1 default_t:dir { getattr search mounton }; ') +######################################## +## +## Do not audit attempts to get the attributes of +## files with the default file type. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_getattr_default_files',` + gen_require(` + type default_t; + class files getattr; + ') + + dontaudit $1 default_t:file getattr; +') + ######################################## ## ## Read files with the default file type. diff --git a/refpolicy/policy/modules/system/ipsec.fc b/refpolicy/policy/modules/system/ipsec.fc new file mode 100644 index 00000000..22a5f733 --- /dev/null +++ b/refpolicy/policy/modules/system/ipsec.fc 
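Review bot: `files_dontaudit_getattr_default_files` lists `class files getattr;` in its gen_require, but the object class is `file`, as the rule below it (`dontaudit $1 default_t:file getattr;`) uses; the require line should be `class file getattr;`. As written, a module calling it — ipsec.te does, for ipsec_mgmt_t — will presumably fail to build once the require is resolved. A minor naming point: the directory variant in the previous hunk is `_default_dir` (singular) while this one is `_default_files` (plural).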
@@ -0,0 +1,32 @@
+/etc/ipsec\.secrets -- context_template(system_u:object_r:ipsec_key_file_t,s0)
+/etc/ipsec\.conf -- context_template(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/psk\.txt -- context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/racoon(/.*)? context_template(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/certs(/.*)? context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/ipsec\.d(/.*)? context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/sbin/setkey -- context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/lib(64)?/ipsec/_plutoload -- context_template(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/_plutorun -- context_template(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/eroute -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/klipsdebug -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/pluto -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/spi -- context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/libexec/ipsec/eroute -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/klipsdebug -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/pluto -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/spi -- context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/local/lib(64)?/ipsec/eroute -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/klipsdebug -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/pluto -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/spi -- context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/sbin/racoon -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/setkey -- context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/var/run/pluto(/.*)? context_template(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if
new file mode 100644
index 00000000..023e4f6b
--- /dev/null
+++ b/refpolicy/policy/modules/system/ipsec.if
@@ -0,0 +1,25 @@
+## TCP/IP encryption
+
+########################################
+##
+## Execute ipsec in the ipsec domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`ipsec_domtrans',`
+ gen_require(`
+ type ipsec_t, ipsec_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,ipsec_exec_t,ipsec_t)
+
+ allow $1 ipsec_t:fd use;
+ allow ipsec_t $1:fd use;
+ allow ipsec_t $1:fifo_file rw_file_perms;
+ allow ipsec_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
new file mode 100644
index 00000000..2d0832ff
--- /dev/null
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -0,0 +1,274 @@
+
+policy_module(ipsec,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ipsec_t;
+type ipsec_exec_t;
+init_daemon_domain(ipsec_t,ipsec_exec_t)
+role system_r types ipsec_t;
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t;
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t;
+
+# type for runtime files, including pluto.ctl
+type ipsec_var_run_t;
+files_pid_file(ipsec_var_run_t)
+
+type ipsec_mgmt_t; #, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_exec_t;
+init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+role system_r types ipsec_mgmt_t;
+
+type ipsec_mgmt_var_run_t;
+files_pid_file(ipsec_mgmt_var_run_t)
+
+########################################
+#
+# ipsec Local policy
+#
+
+allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process signal;
+allow ipsec_t self:key_socket { create write read setopt };
+allow ipsec_t self:fifo_file { read getattr };
+
+allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_conf_file_t:file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_key_file_t:file r_file_perms;
+allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+files_create_pid(ipsec_t,ipsec_var_run_t,{ file sock_file })
+
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+kernel_read_kernel_sysctl(ipsec_t)
+kernel_list_proc(ipsec_t)
+kernel_read_proc_symlinks(ipsec_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_t)
+kernel_read_network_state(ipsec_t)
+kernel_read_software_raid_state(ipsec_t)
+kernel_getattr_core(ipsec_t)
+kernel_getattr_message_if(ipsec_t)
+
+corenet_udp_bind_reserved_port(ipsec_t)
+
+dev_read_sysfs(ipsec_t)
+dev_read_rand(ipsec_t)
+dev_read_urand(ipsec_t)
+
+fs_getattr_all_fs(ipsec_t)
+fs_search_auto_mountpoints(ipsec_t)
+
+term_use_console(ipsec_t)
+
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
+domain_use_wide_inherit_fd(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
+init_use_fd(ipsec_t)
+init_use_script_pty(ipsec_t)
+
+libs_use_ld_so(ipsec_t)
+libs_use_shared_libs(ipsec_t)
+
+logging_send_syslog_msg(ipsec_t)
+
+miscfiles_read_localization(ipsec_t)
+
+userdom_dontaudit_use_unpriv_user_fd(ipsec_t)
+userdom_dontaudit_search_sysadm_home_dir(ipsec_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(ipsec_t)
+ term_dontaudit_use_generic_pty(ipsec_t)
+ files_dontaudit_read_root_file(ipsec_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(ipsec_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(ipsec_t)
+')
+
+optional_policy(`selinuxutils.te',`
+ seutil_sigchld_newrole(ipsec_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(ipsec_t)
+')
+
+ifdef(`TODO',`
+allow ipsec_t etc_t:lnk_file read;
+allow ipsec_t initrc_t:fifo_file write;
+dontaudit ipsec_t ttyfile:chr_file { read write };
+# Pluto needs network access
+can_network_server(ipsec_t)
+') dnl end TODO
+
+########################################
+#
+# ipsec_mgmt Local policy
+#
+
+allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
+allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+allow ipsec_mgmt_t self:key_socket { create setopt };
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
+
+allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+files_create_pid(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+
+allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
+# cjp: combo of file_type_auto_trans and rw_dir_create_file
+allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+files_create_etc_config(ipsec_mgmt_t,ipsec_key_file_t)
+
+# whack needs to connect to pluto
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
+allow ipsec_t ipsec_mgmt_t:process sigchld;
+
+kernel_rw_net_sysctl(ipsec_mgmt_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_mgmt_t)
+kernel_read_network_state(ipsec_mgmt_t)
+kernel_read_software_raid_state(ipsec_mgmt_t)
+kernel_read_kernel_sysctl(ipsec_mgmt_t)
+kernel_getattr_core(ipsec_mgmt_t)
+kernel_getattr_message_if(ipsec_mgmt_t)
+
+bootloader_read_kernel_symbol_table(ipsec_mgmt_t)
+bootloader_getattr_kernel_modules(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+
+# the default updown script wants to run route
+corecmd_exec_sbin(ipsec_mgmt_t)
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+corecmd_exec_bin(ipsec_mgmt_t)
+
+domain_use_wide_inherit_fd(ipsec_mgmt_t)
+
+files_read_etc_files(ipsec_mgmt_t)
+files_exec_etc_files(ipsec_mgmt_t)
+files_read_etc_runtime_files(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
+files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+# Allow scripts to use /var/locl/subsys/ipsec
+# cjp: need a lock type
+files_manage_generic_locks(ipsec_mgmt_t)
+
+init_use_script_pty(ipsec_mgmt_t)
+init_exec_script(ipsec_mgmt_t)
+init_use_fd(ipsec_mgmt_t)
+
+libs_use_ld_so(ipsec_mgmt_t)
+libs_use_shared_libs(ipsec_mgmt_t)
+
+miscfiles_read_localization(ipsec_mgmt_t)
+
+seutil_dontaudit_search_config(ipsec_mgmt_t)
+
+sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+
+userdom_use_sysadm_terms(ipsec_mgmt_t)
+
+optional_policy(`consoletype.te',`
+ consoletype_exec(ipsec_mgmt_t)
+')
+
+ifdef(`TODO',`
+# denials when ps tries to search /proc. Do not audit these denials.
+dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
+
+# suppress audit messages about unnecessary socket access
+dontaudit ipsec_mgmt_t domain:key_socket { read write };
+dontaudit ipsec_mgmt_t domain:udp_socket { read write };
+
+# allow pluto to search the root directory (not sure why, but mostly harmless)
+# Are these all really necessary?
+dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+
+# ideally it would not need this. It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+
+# allow system administrator to use the ipsec script to look
+# at things (e.g., ipsec auto --status)
+# probably should create an ipsec_admin role for this kind of thing
+can_exec(sysadm_t, ipsec_mgmt_exec_t)
+allow sysadm_t ipsec_t:unix_stream_socket connectto;
+# for lsof
+allow sysadm_t ipsec_t:key_socket getattr;
+
+rw_dir_create_file(initrc_t, ipsec_var_run_t)
+allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
+') dnl end TODO
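Review bot: `corecmd_exec_shell(ipsec_t)` sits a few lines below `corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)` and works against it: the comment above the domtrans says the goal is to keep the popen()'d updown script out of the pluto domain, yet this line permits the shell to run inside ipsec_t, and `corecmd_exec_bin(ipsec_t)` extends that to every bin_t program for a daemon that reads ipsec_key_file_t and holds net_admin. Unless pluto execs something other than the shell, both lines can presumably go (the shell lands in ipsec_mgmt_t, which already has `corecmd_exec_bin`), and a comment on the domtrans such as `# updown runs via popen(); the shell transitions to ipsec_mgmt_t, so ipsec_t needs no direct exec perms` would keep it that way. `ipsec_mgmt_var_run_t` is declared and used by `files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)` but has no entry in ipsec.fc in this patch, so anything it labels under /var/run would be relabelled away on a restorecon unless another .fc covers it. The comment `# Allow scripts to use /var/locl/subsys/ipsec` should read `/var/lock/subsys/ipsec`.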