selinux-policy/policy/modules/system/ipsec.te

policy_module(ipsec, 1.9.1)

########################################
#
# Declarations
#

type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t, ipsec_exec_t)
role system_r types ipsec_t;

# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)

# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)

# Default type for IPSEC SPD entries
type ipsec_spd_t;

# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)

type ipsec_mgmt_t;
type ipsec_mgmt_exec_t;
init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
corecmd_shell_entry_type(ipsec_mgmt_t)
role system_r types ipsec_mgmt_t;

type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)

type ipsec_mgmt_var_run_t;
files_pid_file(ipsec_mgmt_var_run_t)

type racoon_t;
type racoon_exec_t;
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;

type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;

########################################
#
# ipsec Local policy
#

allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };

allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)

allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)

manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })

can_exec(ipsec_t, ipsec_mgmt_exec_t)

# pluto runs an updown script (by calling popen()!) as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;

kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_t)
kernel_read_network_state(ipsec_t)
kernel_read_software_raid_state(ipsec_t)
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)

corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)

# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
corenet_udp_bind_all_nodes(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)

dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)

domain_use_interactive_fds(ipsec_t)

files_read_etc_files(ipsec_t)

fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)

term_use_console(ipsec_t)
term_dontaudit_use_all_user_ttys(ipsec_t)

auth_use_nsswitch(ipsec_t)

init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)

logging_send_syslog_msg(ipsec_t)

miscfiles_read_localization(ipsec_t)

userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)

optional_policy(`
	seutil_sigchld_newrole(ipsec_t)
')

optional_policy(`
	udev_read_db(ipsec_t)
')

########################################
#
# ipsec_mgmt Local policy
#

allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
allow ipsec_mgmt_t self:process { signal setrlimit };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_file_perms;

allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)

allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)

manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)

allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)

# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)

# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };

allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;

manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)

# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)

can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;

domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)

kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_mgmt_t)
kernel_read_network_state(ipsec_mgmt_t)
kernel_read_software_raid_state(ipsec_mgmt_t)
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)

files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)

# the default updown script wants to run route
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)

dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)

domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)

files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)

fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)

term_use_console(ipsec_mgmt_t)
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)

init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)

logging_send_syslog_msg(ipsec_mgmt_t)

miscfiles_read_localization(ipsec_mgmt_t)

modutils_domtrans_insmod(ipsec_mgmt_t)

seutil_dontaudit_search_config(ipsec_mgmt_t)

sysnet_domtrans_ifconfig(ipsec_mgmt_t)

userdom_use_user_terminals(ipsec_mgmt_t)

optional_policy(`
	consoletype_exec(ipsec_mgmt_t)
')

optional_policy(`
	nscd_socket_use(ipsec_mgmt_t)
')

ifdef(`TODO',`
# ideally it would not need this.  It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)

allow ipsec_mgmt_t dev_fs:file_class_set getattr;
') dnl end TODO

########################################
#
# Racoon local policy
#

allow racoon_t self:capability { net_admin net_bind_service };
allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;

# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(racoon_t, ipsec_var_run_t, file)

allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)

allow racoon_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)

kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)

corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
corenet_tcp_sendrecv_all_nodes(racoon_t)
corenet_udp_sendrecv_all_nodes(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)

dev_read_urand(racoon_t)

# allow racoon to set contexts on ipsec policy and SAs
domain_ipsec_setcontext_all_domains(racoon_t)

files_read_etc_files(racoon_t)

# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)

auth_use_nsswitch(racoon_t)

ipsec_setcontext_default_spd(racoon_t)

locallogin_use_fds(racoon_t)

logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)

miscfiles_read_localization(racoon_t)

########################################
#
# Setkey local policy
#

allow setkey_t self:capability net_admin;
allow setkey_t self:key_socket create_socket_perms;
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;

allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)

# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)

files_read_etc_files(setkey_t)

init_dontaudit_use_fds(setkey_t)

# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)

locallogin_use_fds(setkey_t)

miscfiles_read_localization(setkey_t)

seutil_read_config(setkey_t)

userdom_use_user_terminals(setkey_t)