selinux-policy/policy/modules/system/ipsec.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
This is the latest revision of the labeled-policy patches, which enable both labeled
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport-layer-specific interfaces are still
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID, which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00


policy_module(ipsec,1.3.1)
########################################
#
# Declarations
#
# Four domains live in this module: ipsec_t (pluto), ipsec_mgmt_t (the
# ipsec wrapper / updown scripts), racoon_t and setkey_t.  Configuration
# and key material get separate types so that access to keys can be
# granted more narrowly than access to the configuration that names them.
#
# pluto daemon domain, entered from init through ipsec_exec_t.
type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t,ipsec_exec_t)
role system_r types ipsec_t;
# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)
# type for file(s) containing ipsec keys - RSA or preshared
# Within this module only ipsec_mgmt_t is given write access to this
# type; ipsec_t and racoon_t read it, setkey_t does not touch it.
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
# Default type for IPSEC SPD entries
# Not a file type (no files_type call): it labels association objects
# and is the target of the association:setcontext rules for racoon_t
# and setkey_t further down.
type ipsec_spd_t;
# type for runtime files, including pluto.ctl
# Shared by ipsec_t, ipsec_mgmt_t and racoon_t, so each of them can
# reach the others pid file and control socket.
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
# Management domain.  It can be entered either through ipsec_mgmt_exec_t
# or through a shell (corecmd_shell_entry_type), which is how pluto hands
# the updown script over to it.
type ipsec_mgmt_t;
type ipsec_mgmt_exec_t;
init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
corecmd_shell_entry_type(ipsec_mgmt_t)
role system_r types ipsec_mgmt_t;
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
type ipsec_mgmt_var_run_t;
files_pid_file(ipsec_mgmt_var_run_t)
# racoon IKE daemon domain.
type racoon_t;
type racoon_exec_t;
init_daemon_domain(racoon_t,racoon_exec_t)
role system_r types racoon_t;
# setkey utility domain (system domain, not a long-running daemon).
type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t,setkey_exec_t)
role system_r types setkey_t;
########################################
#
# ipsec Local policy
#
# ipsec_t is the pluto (IKE) daemon.  It gets read-only access to
# configuration and key material, PF_KEY and read-only rtnetlink access,
# and hands its updown script over to ipsec_mgmt_t via a shell exec.
#
# CAP_NET_ADMIN is needed to program SAs/policy; the two DAC capabilities
# let the daemon ignore file mode bits.  These are broad for a network
# facing daemon -- the type rules below still bound which files it can
# reach, but the capability set deserves periodic review.
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process signal;
# rtnetlink is read-only here (r_netlink_socket_perms); racoon_t and
# setkey_t below are granted create_netlink_socket_perms instead.
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
allow ipsec_t self:tcp_socket create_stream_socket_perms;
# PF_KEY socket used to install SAs and policy into the kernel.
allow ipsec_t self:key_socket { create write read setopt };
allow ipsec_t self:fifo_file { read getattr };
# NOTE(review): there is no self:udp_socket and no self:rawip_socket rule
# for ipsec_t, although racoon_t below binds the isakmp UDP port and the
# corenet raw rules below are granted.  Confirm that pluto does not need
# them under this policy, or that they are granted elsewhere.
# Configuration: read-only.
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
# Keys: read-only.  Creation and modification of key files is reserved
# to ipsec_mgmt_t in this module.
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
# Runtime state under /var/run (pluto.pid, pluto.ctl); new files and
# sockets created there are labeled ipsec_var_run_t.
allow ipsec_t ipsec_var_run_t:file manage_file_perms;
allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
# Management binaries run inside ipsec_t itself (no domain transition).
can_exec(ipsec_t, ipsec_mgmt_exec_t)
# pluto runs an updown script (by calling popen()!); as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
# Consequence: the updown script runs with the (larger) privileges of
# ipsec_mgmt_t, not with those of pluto.  Whatever pluto can make the
# script do, it can do with that authority.
corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
# The transitioned script inherits descriptors and the popen pipe from
# pluto and must be able to report its exit to it.
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;
kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_t)
kernel_read_network_state(ipsec_t)
kernel_read_software_raid_state(ipsec_t)
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
# Pluto needs network access
# Only the unlabeled-packet interface is called for this domain; no
# NetLabel interface is used here, so labeled packets are not receivable
# by ipsec_t unless another module grants it.  sendrecv is allowed on all
# tcp ports, while bind is limited to reserved ports and the isakmp port.
corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
dev_read_sysfs(ipsec_t)
# Entropy sources (presumably for nonces and key generation).
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
term_use_console(ipsec_t)
term_dontaudit_use_all_user_ttys(ipsec_t)
# pluto may execute any shell and any bin_t program.  A shell exec lands
# in ipsec_mgmt_t through the domtrans above; bin_t helpers run in
# ipsec_t itself.  Together with popen this is the broadest part of the
# domain and the reason the updown script is worth auditing.
corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
domain_use_interactive_fds(ipsec_t)
files_read_etc_files(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
libs_use_ld_so(ipsec_t)
libs_use_shared_libs(ipsec_t)
logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_read_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
# Targeted-policy noise suppression: dontaudit grants nothing, it only
# hides the listed denials from the audit log.
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(ipsec_t)
term_dontaudit_use_generic_ptys(ipsec_t)
files_dontaudit_read_root_files(ipsec_t)
')
optional_policy(`
nis_use_ypbind(ipsec_t)
')
optional_policy(`
seutil_sigchld_newrole(ipsec_t)
')
optional_policy(`
udev_read_db(ipsec_t)
')
########################################
#
# ipsec_mgmt Local policy
#
# ipsec_mgmt_t is the management side: the ipsec wrapper, _realsetup and
# the updown script, entered from init or from pluto via a shell exec.
# It is the most privileged domain in this module -- it writes key
# files, starts pluto, reconfigures interfaces and can trigger module
# loading -- so anything reachable from it runs with considerable
# authority.
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
allow ipsec_mgmt_t self:process { signal setrlimit };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket { create setopt };
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
# Own lock and pid files.
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
# Full control over the runtime files and control socket pluto uses.
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
# (the ipsec_t target here is the /proc/<pid> entries of pluto).
read_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
# Datagram sockets inherited from pluto across the transition keep the
# ipsec_t label; connect/write cover that case.  The create permission
# on a foreign socket type is normally never exercised, since a process
# creates sockets in its own context, and could probably be dropped.
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
# Key material: the only write access to ipsec_key_file_t in this module.
# The filetrans makes files this domain creates under /etc come out as
# ipsec_key_file_t instead of etc_t, so freshly generated keys are not
# readable by every domain that may read etc_t.  Note that it applies to
# every file this domain creates in /etc, not only to key files.
manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
# NOTE(review): can_exec on ipsec_exec_t grants execute_no_trans, but the
# domtrans_pattern below installs a type_transition, so a plain exec of
# the pluto binary always lands in ipsec_t.  Running it without a
# transition would additionally require process:setexec, which this
# domain is not granted, so the can_exec is probably redundant; verify
# with sesearch before removing it.
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
# Write access to net sysctls (presumably forwarding and similar toggles
# flipped by the setup scripts).
kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_mgmt_t)
kernel_read_network_state(ipsec_mgmt_t)
kernel_read_software_raid_state(ipsec_mgmt_t)
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
# the default updown script wants to run route
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
# Any bin_t executable runs here without a transition, so the scripts
# carry the full privilege of this domain into whatever they call.
corecmd_exec_bin(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
# (dontaudit grants nothing, but silencing udp and key socket denials
# against every domain also hides genuine misconfiguration.)
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
# Scripts under /etc are executed directly, without a transition.
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
libs_use_ld_so(ipsec_mgmt_t)
libs_use_shared_libs(ipsec_mgmt_t)
miscfiles_read_localization(ipsec_mgmt_t)
# Module loading and interface configuration are high-privilege paths;
# each runs confined in the insmod / ifconfig domain rather than here,
# but this domain decides when they are invoked.
modutils_domtrans_insmod(ipsec_mgmt_t)
seutil_dontaudit_search_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
userdom_use_sysadm_terms(ipsec_mgmt_t)
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
')
optional_policy(`
nscd_socket_use(ipsec_mgmt_t)
')
# Compiled out: TODO is not defined anywhere in this file, so this block
# is dead policy.  file_type_auto_trans is a legacy pre-pattern macro; if
# the /root/.rnd requirement still exists it should be expressed with the
# current interfaces instead of being revived as is.
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
') dnl end TODO
########################################
#
# Racoon local policy
#
# racoon_t is the racoon IKE daemon.  Besides negotiating SAs it is
# trusted to assign SELinux contexts of any domain to SAs and SPD
# entries and to consult the AVC about proposals, so a compromise of
# this daemon affects labeled-IPsec decisions system wide.
#
# net_bind_service is needed for the isakmp port (500, below 1024).
allow racoon_t self:capability { net_admin net_bind_service };
# rtnetlink with create_netlink_socket_perms, i.e. broader than the
# read-only access given to ipsec_t.
allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
# SELinux netlink socket, presumably for policy change notifications
# in support of the AVC use further down.
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
# PF_KEY socket for SADB/SPD manipulation.
allow racoon_t self:key_socket { create read setopt write };
# manage pid file
# ipsec_var_run_t is shared with pluto, so this also gives racoon write
# access to the pluto pid and control socket files.  Only the file class
# gets a filetrans here; sock files racoon creates under /var/run keep
# the parent directory type unless labeled elsewhere.
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
manage_sock_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
# Configuration: read-only.
allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
read_lnk_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
# Key material: read-only.
allow racoon_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
allow racoon_t ipsec_spd_t:association setcontext;
kernel_read_network_state(racoon_t)
# Only unlabeled packets are received; no NetLabel interface is called
# for this domain.  corenet_tcp_bind_all_nodes looks inert as written,
# since racoon_t has no self:tcp_socket rule above.
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
dev_read_urand(racoon_t)
# allow racoon to set contexts on ipsec policy and SAs
domain_ipsec_setcontext_all_domains(racoon_t)
files_read_etc_files(racoon_t)
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
libs_use_ld_so(racoon_t)
libs_use_shared_libs(racoon_t)
locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
miscfiles_read_localization(racoon_t)
########################################
#
# Setkey local policy
#
# setkey_t is the setkey utility.  It reads the ipsec configuration,
# talks PF_KEY and rtnetlink to the kernel, and may label the resulting
# SAs and policy entries with the context of any domain.  It is not
# granted access to ipsec_key_file_t.
#
# Labeling of SAs and SPD entries, including contexts owned by other
# domains.
allow setkey_t ipsec_spd_t:association setcontext;
domain_ipsec_setcontext_all_domains(setkey_t)
# Kernel access: CAP_NET_ADMIN, the PF_KEY socket and rtnetlink.
allow setkey_t self:capability net_admin;
allow setkey_t self:key_socket { create read setopt write };
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
# Configuration tree: read-only.
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
# Generic process support: /etc, SELinux config, locale, loader and
# libraries, plus descriptors inherited from init and local login.
files_read_etc_files(setkey_t)
seutil_read_config(setkey_t)
miscfiles_read_localization(setkey_t)
libs_use_ld_so(setkey_t)
libs_use_shared_libs(setkey_t)
init_dontaudit_use_fds(setkey_t)
locallogin_use_fds(setkey_t)