[people/stevee/selinux-policy.git] / policy / modules / system / ipsec.te

policy_module(ipsec, 1.11.2)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow racoon to read shadow
## </p>
## </desc>
gen_tunable(racoon_read_shadow, false)

type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t, ipsec_exec_t)
role system_r types ipsec_t;

# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)

type ipsec_initrc_exec_t;
init_script_file(ipsec_initrc_exec_t)

# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)

type ipsec_log_t;
logging_log_file(ipsec_log_t)

# Default type for IPSEC SPD entries
type ipsec_spd_t;
corenet_spd_type(ipsec_spd_t)

type ipsec_tmp_t;
files_tmp_file(ipsec_tmp_t)

# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)

type ipsec_mgmt_t;
type ipsec_mgmt_exec_t;
init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
corecmd_shell_entry_type(ipsec_mgmt_t)
role system_r types ipsec_mgmt_t;

type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)

type ipsec_mgmt_var_run_t;
files_pid_file(ipsec_mgmt_var_run_t)

type racoon_t;
type racoon_exec_t;
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;

type racoon_tmp_t;
files_tmp_file(racoon_tmp_t)

type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;

########################################
#
# ipsec Local policy
#

allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };

allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;

allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)

allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)

manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })

manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })

can_exec(ipsec_t, ipsec_mgmt_exec_t)

# pluto runs an updown script (by calling popen()!) as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };

kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_t)
kernel_read_network_state(ipsec_t)
kernel_read_software_raid_state(ipsec_t)
kernel_request_load_module(ipsec_t)
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)

corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)

# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_generic_if(ipsec_t)
corenet_raw_sendrecv_generic_if(ipsec_t)
corenet_tcp_sendrecv_generic_node(ipsec_t)
corenet_raw_sendrecv_generic_node(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_generic_node(ipsec_t)
corenet_udp_bind_generic_node(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)

dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)

domain_use_interactive_fds(ipsec_t)

files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
files_dontaudit_search_home(ipsec_t)

fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)

term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)

auth_use_nsswitch(ipsec_t)

init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)

logging_send_syslog_msg(ipsec_t)

miscfiles_read_localization(ipsec_t)

sysnet_domtrans_ifconfig(ipsec_t)
sysnet_manage_config(ipsec_t)
sysnet_etc_filetrans_config(ipsec_t)

userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)

optional_policy(`
	seutil_sigchld_newrole(ipsec_t)
')

optional_policy(`
	udev_read_db(ipsec_t)
')

########################################
#
# ipsec_mgmt Local policy
#

allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;

allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)

manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })

manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)

allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)

manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)

allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)

# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)

# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };

allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;

manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)

# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)

can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;

domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)

kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_mgmt_t)
kernel_read_network_state(ipsec_mgmt_t)
kernel_read_software_raid_state(ipsec_mgmt_t)
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)

# don't audit using of lsof
dontaudit ipsec_mgmt_t self:capability sys_ptrace;

domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)

dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)

files_dontaudit_getattr_all_files(ipsec_mgmt_t)
files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)

# the default updown script wants to run route
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)

dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)

domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)

files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
files_list_tmp(ipsec_mgmt_t)

fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)

term_use_console(ipsec_mgmt_t)
term_use_all_inherited_terms(ipsec_mgmt_t)

auth_dontaudit_read_login_records(ipsec_mgmt_t)

init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)

logging_send_syslog_msg(ipsec_mgmt_t)

miscfiles_read_localization(ipsec_mgmt_t)

seutil_dontaudit_search_config(ipsec_mgmt_t)

sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)

userdom_use_inherited_user_terminals(ipsec_mgmt_t)

optional_policy(`
	consoletype_exec(ipsec_mgmt_t)
')

optional_policy(`
	hostname_exec(ipsec_mgmt_t)
')

optional_policy(`
	dbus_system_bus_client(ipsec_mgmt_t)
	dbus_connect_system_bus(ipsec_mgmt_t)

	optional_policy(`
		networkmanager_dbus_chat(ipsec_mgmt_t)
	')
')

optional_policy(`
	iptables_domtrans(ipsec_mgmt_t)
')

optional_policy(`
	modutils_domtrans_insmod(ipsec_mgmt_t)
')

optional_policy(`
	nscd_socket_use(ipsec_mgmt_t)
')

ifdef(`TODO',`
# ideally it would not need this.  It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)

allow ipsec_mgmt_t dev_fs:file_class_set getattr;
') dnl end TODO

########################################
#
# Racoon local policy
#

allow racoon_t self:capability { net_admin net_bind_service };
allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
allow racoon_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })

can_exec(racoon_t, racoon_exec_t)

can_exec(racoon_t, setkey_exec_t)

# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(racoon_t, ipsec_var_run_t, file)

allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)

allow racoon_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)

kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
kernel_request_load_module(racoon_t)

corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)

corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_generic_if(racoon_t)
corenet_udp_sendrecv_generic_if(racoon_t)
corenet_tcp_sendrecv_generic_node(racoon_t)
corenet_udp_sendrecv_generic_node(racoon_t)
corenet_tcp_bind_generic_node(racoon_t)
corenet_udp_bind_generic_node(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)

dev_read_urand(racoon_t)

# allow racoon to set contexts on ipsec policy and SAs
domain_ipsec_setcontext_all_domains(racoon_t)

files_read_etc_files(racoon_t)

fs_dontaudit_getattr_xattr_fs(racoon_t)

# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)

auth_use_nsswitch(racoon_t)

ipsec_setcontext_default_spd(racoon_t)

locallogin_use_fds(racoon_t)

logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)

miscfiles_read_localization(racoon_t)

sysnet_exec_ifconfig(racoon_t)

auth_use_pam(racoon_t)

auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
	auth_tunable_read_shadow(racoon_t)
')

########################################
#
# Setkey local policy
#

allow setkey_t self:capability net_admin;
allow setkey_t self:key_socket create_socket_perms;
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;

allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)

kernel_request_load_module(setkey_t)

# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)

files_read_etc_files(setkey_t)

init_dontaudit_use_fds(setkey_t)
init_read_script_tmp_files(setkey_t)

# allow setkey to set the context for ipsec SAs and policy.
corenet_setcontext_all_spds(setkey_t)

locallogin_use_fds(setkey_t)

miscfiles_read_localization(setkey_t)

seutil_read_config(setkey_t)

userdom_use_inherited_user_terminals(setkey_t)
userdom_read_user_tmp_files(setkey_t)
Commit	Line	Data
127d617b	1	policy_module(ipsec, 1.11.2)
11633bba CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
832c1be4 CP	8	## <desc>
	9	## <p>
	10	## Allow racoon to read shadow
	11	## </p>
	12	## </desc>
	13	gen_tunable(racoon_read_shadow, false)
	14
11633bba CP	15	type ipsec_t;
11633bba CP	16	type ipsec_exec_t;
3f67f722	17	init_daemon_domain(ipsec_t, ipsec_exec_t)
11633bba CP	18	role system_r types ipsec_t;
	19
	20	# type for ipsec configuration file(s) - not for keys
	21	type ipsec_conf_file_t;
3fd83368	22	files_type(ipsec_conf_file_t)
11633bba	23
832c1be4 CP	24	type ipsec_initrc_exec_t;
	25	init_script_file(ipsec_initrc_exec_t)
	26
11633bba CP	27	# type for file(s) containing ipsec keys - RSA or preshared
11633bba CP	28	type ipsec_key_file_t;
3fd83368	29	files_type(ipsec_key_file_t)
11633bba	30
90e65fec CP	31	type ipsec_log_t;
	32	logging_log_file(ipsec_log_t)
	33
6b19be33 CP	34	# Default type for IPSEC SPD entries
6b19be33 CP	35	type ipsec_spd_t;
371908d1	36	corenet_spd_type(ipsec_spd_t)
6b19be33	37
90e65fec CP	38	type ipsec_tmp_t;
	39	files_tmp_file(ipsec_tmp_t)
	40
11633bba CP	41	# type for runtime files, including pluto.ctl
	42	type ipsec_var_run_t;
	43	files_pid_file(ipsec_var_run_t)
	44
3fd83368	45	type ipsec_mgmt_t;
11633bba	46	type ipsec_mgmt_exec_t;
3f67f722	47	init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
d40c0ecf	48	corecmd_shell_entry_type(ipsec_mgmt_t)
11633bba CP	49	role system_r types ipsec_mgmt_t;
11633bba CP	50
98a8ead4 CP	51	type ipsec_mgmt_lock_t;
	52	files_lock_file(ipsec_mgmt_lock_t)
	53
11633bba CP	54	type ipsec_mgmt_var_run_t;
	55	files_pid_file(ipsec_mgmt_var_run_t)
	56
6b19be33 CP	57	type racoon_t;
6b19be33 CP	58	type racoon_exec_t;
3f67f722	59	init_daemon_domain(racoon_t, racoon_exec_t)
6b19be33 CP	60	role system_r types racoon_t;
6b19be33 CP	61
832c1be4 CP	62	type racoon_tmp_t;
	63	files_tmp_file(racoon_tmp_t)
	64
6b19be33 CP	65	type setkey_t;
6b19be33 CP	66	type setkey_exec_t;
3f67f722	67	init_system_domain(setkey_t, setkey_exec_t)
6b19be33 CP	68	role system_r types setkey_t;
6b19be33 CP	69
11633bba CP	70	########################################
	71	#
	72	# ipsec Local policy
	73	#
	74
90e65fec	75	allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
3eaa9939	76	dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
832c1be4	77	allow ipsec_t self:process { getcap setcap getsched signal setsched };
3fd83368	78	allow ipsec_t self:tcp_socket create_stream_socket_perms;
d6605bc4 CP	79	allow ipsec_t self:udp_socket create_socket_perms;
	80	allow ipsec_t self:key_socket create_socket_perms;
	81	allow ipsec_t self:fifo_file read_fifo_file_perms;
	82	allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
11633bba	83
832c1be4 CP	84	allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
832c1be4 CP	85
c0868a7a	86	allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
3f67f722 CP	87	read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
3f67f722 CP	88	read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
11633bba	89
c0868a7a	90	allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
832c1be4	91	manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
3f67f722	92	read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
11633bba	93
90e65fec CP	94	manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
90e65fec CP	95	manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
530ad6fc	96	files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
90e65fec	97
3eaa9939	98	manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
e0ed765c CP	99	manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
e0ed765c CP	100	manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
3eaa9939	101	files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
11633bba CP	102
	103	can_exec(ipsec_t, ipsec_mgmt_exec_t)
	104
26410ddf	105	# pluto runs an updown script (by calling popen()!) as this is by default
11633bba CP	106	# a shell script, we need to find a way to make things work without
	107	# letting all sorts of stuff possibly be run...
	108	# so try flipping back into the ipsec_mgmt_t domain
3f67f722	109	corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
11633bba	110	allow ipsec_mgmt_t ipsec_t:fd use;
832c1be4	111	allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
3eaa9939	112	allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
127d617b	113	allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
11633bba	114
445522dc	115	kernel_read_kernel_sysctls(ipsec_t)
11633bba CP	116	kernel_list_proc(ipsec_t)
	117	kernel_read_proc_symlinks(ipsec_t)
	118	# allow pluto to access /proc/net/ipsec_eroute;
	119	kernel_read_system_state(ipsec_t)
	120	kernel_read_network_state(ipsec_t)
	121	kernel_read_software_raid_state(ipsec_t)
832c1be4	122	kernel_request_load_module(ipsec_t)
445522dc	123	kernel_getattr_core_if(ipsec_t)
11633bba CP	124	kernel_getattr_message_if(ipsec_t)
11633bba CP	125
e6985f91 CP	126	corecmd_exec_shell(ipsec_t)
	127	corecmd_exec_bin(ipsec_t)
	128
3fd83368	129	# Pluto needs network access
19006686	130	corenet_all_recvfrom_unlabeled(ipsec_t)
4bc56eb9 DW	131	corenet_tcp_sendrecv_generic_if(ipsec_t)
	132	corenet_raw_sendrecv_generic_if(ipsec_t)
	133	corenet_tcp_sendrecv_generic_node(ipsec_t)
	134	corenet_raw_sendrecv_generic_node(ipsec_t)
3fd83368	135	corenet_tcp_sendrecv_all_ports(ipsec_t)
4bc56eb9 DW	136	corenet_tcp_bind_generic_node(ipsec_t)
4bc56eb9 DW	137	corenet_udp_bind_generic_node(ipsec_t)
35a4b349 CP	138	corenet_tcp_bind_reserved_port(ipsec_t)
35a4b349 CP	139	corenet_tcp_bind_isakmp_port(ipsec_t)
d6605bc4 CP	140	corenet_udp_bind_isakmp_port(ipsec_t)
d6605bc4 CP	141	corenet_udp_bind_ipsecnat_port(ipsec_t)
35a4b349 CP	142	corenet_sendrecv_generic_server_packets(ipsec_t)
35a4b349 CP	143	corenet_sendrecv_isakmp_server_packets(ipsec_t)
11633bba CP	144
	145	dev_read_sysfs(ipsec_t)
	146	dev_read_rand(ipsec_t)
	147	dev_read_urand(ipsec_t)
	148
e6985f91 CP	149	domain_use_interactive_fds(ipsec_t)
e6985f91 CP	150
832c1be4	151	files_list_tmp(ipsec_t)
e6985f91	152	files_read_etc_files(ipsec_t)
832c1be4	153	files_read_usr_files(ipsec_t)
3eaa9939	154	files_dontaudit_search_home(ipsec_t)
e6985f91	155
11633bba CP	156	fs_getattr_all_fs(ipsec_t)
	157	fs_search_auto_mountpoints(ipsec_t)
	158
	159	term_use_console(ipsec_t)
c3c753f7	160	term_dontaudit_use_all_ttys(ipsec_t)
11633bba	161
e6985f91	162	auth_use_nsswitch(ipsec_t)
11633bba	163
1c1ac67f	164	init_use_fds(ipsec_t)
1815bad1	165	init_use_script_ptys(ipsec_t)
11633bba	166
11633bba CP	167	logging_send_syslog_msg(ipsec_t)
	168
	169	miscfiles_read_localization(ipsec_t)
	170
90e65fec	171	sysnet_domtrans_ifconfig(ipsec_t)
3eaa9939 DW	172	sysnet_manage_config(ipsec_t)
3eaa9939 DW	173	sysnet_etc_filetrans_config(ipsec_t)
90e65fec	174
15722ec9	175	userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
296273a7	176	userdom_dontaudit_search_user_home_dirs(ipsec_t)
11633bba	177
bb7170f6	178	optional_policy(`
11633bba CP	179	seutil_sigchld_newrole(ipsec_t)
	180	')
	181
bb7170f6	182	optional_policy(`
11633bba CP	183	udev_read_db(ipsec_t)
	184	')
	185
11633bba CP	186	########################################
	187	#
	188	# ipsec_mgmt Local policy
	189	#
	190
90e65fec	191	allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
3eaa9939 DW	192	dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
3eaa9939 DW	193	allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
11633bba	194	allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
d6605bc4	195	allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
11633bba	196	allow ipsec_mgmt_t self:udp_socket create_socket_perms;
d6605bc4	197	allow ipsec_mgmt_t self:key_socket create_socket_perms;
832c1be4	198	allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
11633bba	199
c0868a7a	200	allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
3f67f722	201	files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
98a8ead4	202
90e65fec CP	203	manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
90e65fec CP	204	manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
530ad6fc	205	files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
90e65fec CP	206
	207	manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
	208	logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
	209
c0868a7a	210	allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
3f67f722	211	files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
11633bba	212
3f67f722 CP	213	manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
3f67f722 CP	214	manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
11633bba	215
c0868a7a	216	allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
3f67f722	217	files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
11633bba CP	218
	219	# _realsetup needs to be able to cat /var/run/pluto.pid,
	220	# run ps on that pid, and delete the file
3f67f722 CP	221	read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
3f67f722 CP	222	read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
11633bba CP	223
	224	# logger, running in ipsec_mgmt_t needs to use sockets
	225	allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
	226	allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
	227
0b36a214	228	allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
11633bba	229
3f67f722 CP	230	manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
3f67f722 CP	231	manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
11633bba CP	232
11633bba CP	233	# whack needs to connect to pluto
3f67f722	234	stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
11633bba	235
11633bba CP	236	can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
	237	allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
	238
3f67f722	239	domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
11633bba	240
445522dc	241	kernel_rw_net_sysctls(ipsec_mgmt_t)
11633bba CP	242	# allow pluto to access /proc/net/ipsec_eroute;
	243	kernel_read_system_state(ipsec_mgmt_t)
	244	kernel_read_network_state(ipsec_mgmt_t)
	245	kernel_read_software_raid_state(ipsec_mgmt_t)
445522dc CP	246	kernel_read_kernel_sysctls(ipsec_mgmt_t)
445522dc CP	247	kernel_getattr_core_if(ipsec_mgmt_t)
11633bba CP	248	kernel_getattr_message_if(ipsec_mgmt_t)
11633bba CP	249
3eaa9939 DW	250	# don't audit using of lsof
	251	dontaudit ipsec_mgmt_t self:capability sys_ptrace;
	252
	253	domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
	254	domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
	255
	256	dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
	257	dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
	258
	259	files_dontaudit_getattr_all_files(ipsec_mgmt_t)
	260	files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
1c1ac67f CP	261	files_read_kernel_symbol_table(ipsec_mgmt_t)
1c1ac67f CP	262	files_getattr_kernel_modules(ipsec_mgmt_t)
11633bba	263
11633bba	264	# the default updown script wants to run route
11633bba CP	265	# the ipsec wrapper wants to run /usr/bin/logger (should we put
	266	# it in its own domain?)
	267	corecmd_exec_bin(ipsec_mgmt_t)
d6605bc4	268	corecmd_exec_shell(ipsec_mgmt_t)
11633bba	269
e6985f91 CP	270	dev_read_rand(ipsec_mgmt_t)
	271	dev_read_urand(ipsec_mgmt_t)
	272
15722ec9	273	domain_use_interactive_fds(ipsec_mgmt_t)
a5f339f1	274	# denials when ps tries to search /proc. Do not audit these denials.
3eaa9939	275	domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
a5f339f1 CP	276	# suppress audit messages about unnecessary socket access
	277	# cjp: this seems excessive
	278	domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
	279	domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
11633bba CP	280
	281	files_read_etc_files(ipsec_mgmt_t)
	282	files_exec_etc_files(ipsec_mgmt_t)
	283	files_read_etc_runtime_files(ipsec_mgmt_t)
90e65fec	284	files_read_usr_files(ipsec_mgmt_t)
9e04f5c5	285	files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
11633bba	286	files_dontaudit_getattr_default_files(ipsec_mgmt_t)
90e65fec	287	files_list_tmp(ipsec_mgmt_t)
11633bba	288
e6985f91 CP	289	fs_getattr_xattr_fs(ipsec_mgmt_t)
	290	fs_list_tmpfs(ipsec_mgmt_t)
	291
	292	term_use_console(ipsec_mgmt_t)
af2d8802	293	term_use_all_inherited_terms(ipsec_mgmt_t)
3eaa9939 DW	294
3eaa9939 DW	295	auth_dontaudit_read_login_records(ipsec_mgmt_t)
e6985f91	296
3eaa9939	297	init_read_utmp(ipsec_mgmt_t)
1815bad1	298	init_use_script_ptys(ipsec_mgmt_t)
f7547934	299	init_exec_script_files(ipsec_mgmt_t)
1c1ac67f	300	init_use_fds(ipsec_mgmt_t)
90e65fec	301	init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
11633bba	302
d6605bc4 CP	303	logging_send_syslog_msg(ipsec_mgmt_t)
d6605bc4 CP	304
11633bba CP	305	miscfiles_read_localization(ipsec_mgmt_t)
	306
	307	seutil_dontaudit_search_config(ipsec_mgmt_t)
	308
3eaa9939	309	sysnet_manage_config(ipsec_mgmt_t)
11633bba	310	sysnet_domtrans_ifconfig(ipsec_mgmt_t)
3eaa9939	311	sysnet_etc_filetrans_config(ipsec_mgmt_t)
11633bba	312
af2d8802	313	userdom_use_inherited_user_terminals(ipsec_mgmt_t)
11633bba	314
bb7170f6	315	optional_policy(`
11633bba CP	316	consoletype_exec(ipsec_mgmt_t)
	317	')
	318
3eaa9939	319	optional_policy(`
127d617b	320	hostname_exec(ipsec_mgmt_t)
3eaa9939 DW	321	')
	322
	323	optional_policy(`
127d617b CP	324	dbus_system_bus_client(ipsec_mgmt_t)
127d617b CP	325	dbus_connect_system_bus(ipsec_mgmt_t)
3eaa9939 DW	326
3eaa9939 DW	327	optional_policy(`
127d617b	328	networkmanager_dbus_chat(ipsec_mgmt_t)
3eaa9939 DW	329	')
	330	')
	331
	332	optional_policy(`
2371d8d8 MG	333	iptables_domtrans(ipsec_mgmt_t)
	334	')
	335
	336	optional_policy(`
	337	modutils_domtrans_insmod(ipsec_mgmt_t)
3eaa9939 DW	338	')
3eaa9939 DW	339
bb7170f6	340	optional_policy(`
1815bad1	341	nscd_socket_use(ipsec_mgmt_t)
a5f339f1	342	')
11633bba	343
a5f339f1	344	ifdef(`TODO',`
11633bba CP	345	# ideally it would not need this. It wants to write to /root/.rnd
	346	file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
	347
11633bba	348	allow ipsec_mgmt_t dev_fs:file_class_set getattr;
11633bba	349	') dnl end TODO
6b19be33 CP	350
	351	########################################
	352	#
	353	# Racoon local policy
	354	#
	355
	356	allow racoon_t self:capability { net_admin net_bind_service };
	357	allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
	358	allow racoon_t self:unix_dgram_socket { connect create ioctl write };
	359	allow racoon_t self:netlink_selinux_socket { bind create read };
	360	allow racoon_t self:udp_socket create_socket_perms;
d6605bc4	361	allow racoon_t self:key_socket create_socket_perms;
832c1be4 CP	362	allow racoon_t self:fifo_file rw_fifo_file_perms;
	363
	364	manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
	365	manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
	366	files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
	367
	368	can_exec(racoon_t, racoon_exec_t)
	369
	370	can_exec(racoon_t, setkey_exec_t)
6b19be33 CP	371
6b19be33 CP	372	# manage pid file
3f67f722 CP	373	manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
	374	manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
	375	files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
6b19be33 CP	376
6b19be33 CP	377	allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
3f67f722 CP	378	read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
3f67f722 CP	379	read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
6b19be33 CP	380
6b19be33 CP	381	allow racoon_t ipsec_key_file_t:dir list_dir_perms;
3f67f722 CP	382	read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
3f67f722 CP	383	read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
6b19be33	384
ee6608ba	385	kernel_read_system_state(racoon_t)
6b19be33	386	kernel_read_network_state(racoon_t)
90e65fec	387	kernel_request_load_module(racoon_t)
6b19be33	388
832c1be4 CP	389	corecmd_exec_shell(racoon_t)
	390	corecmd_exec_bin(racoon_t)
	391
19006686	392	corenet_all_recvfrom_unlabeled(racoon_t)
4bc56eb9 DW	393	corenet_tcp_sendrecv_generic_if(racoon_t)
	394	corenet_udp_sendrecv_generic_if(racoon_t)
	395	corenet_tcp_sendrecv_generic_node(racoon_t)
	396	corenet_udp_sendrecv_generic_node(racoon_t)
	397	corenet_tcp_bind_generic_node(racoon_t)
	398	corenet_udp_bind_generic_node(racoon_t)
6b19be33	399	corenet_udp_bind_isakmp_port(racoon_t)
ee6608ba	400	corenet_udp_bind_ipsecnat_port(racoon_t)
6b19be33 CP	401
	402	dev_read_urand(racoon_t)
	403
	404	# allow racoon to set contexts on ipsec policy and SAs
	405	domain_ipsec_setcontext_all_domains(racoon_t)
	406
	407	files_read_etc_files(racoon_t)
	408
832c1be4 CP	409	fs_dontaudit_getattr_xattr_fs(racoon_t)
832c1be4 CP	410
6b19be33 CP	411	# allow racoon to use avc_has_perm to check context on proposed SA
	412	selinux_compute_access_vector(racoon_t)
	413
d6605bc4 CP	414	auth_use_nsswitch(racoon_t)
d6605bc4 CP	415
e6985f91 CP	416	ipsec_setcontext_default_spd(racoon_t)
e6985f91 CP	417
6b19be33 CP	418	locallogin_use_fds(racoon_t)
	419
	420	logging_send_syslog_msg(racoon_t)
cdf98fed	421	logging_send_audit_msgs(racoon_t)
6b19be33 CP	422
	423	miscfiles_read_localization(racoon_t)
	424
832c1be4 CP	425	sysnet_exec_ifconfig(racoon_t)
832c1be4 CP	426
3eaa9939 DW	427	auth_use_pam(racoon_t)
3eaa9939 DW	428
832c1be4 CP	429	auth_can_read_shadow_passwords(racoon_t)
	430	tunable_policy(`racoon_read_shadow',`
	431	auth_tunable_read_shadow(racoon_t)
	432	')
	433
6b19be33 CP	434	########################################
	435	#
	436	# Setkey local policy
	437	#
	438
	439	allow setkey_t self:capability net_admin;
d6605bc4	440	allow setkey_t self:key_socket create_socket_perms;
6b19be33 CP	441	allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
6b19be33 CP	442
a26923c3	443	allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
3f67f722 CP	444	read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
3f67f722 CP	445	read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
a26923c3	446
90e65fec CP	447	kernel_request_load_module(setkey_t)
90e65fec CP	448
6b19be33 CP	449	# allow setkey utility to set contexts on SA's and policy
	450	domain_ipsec_setcontext_all_domains(setkey_t)
	451
	452	files_read_etc_files(setkey_t)
	453
a26923c3	454	init_dontaudit_use_fds(setkey_t)
3eaa9939	455	init_read_script_tmp_files(setkey_t)
a26923c3	456
bdccbacd	457	# allow setkey to set the context for ipsec SAs and policy.
371908d1	458	corenet_setcontext_all_spds(setkey_t)
bdccbacd	459
6b19be33 CP	460	locallogin_use_fds(setkey_t)
6b19be33 CP	461
6b19be33 CP	462	miscfiles_read_localization(setkey_t)
	463
	464	seutil_read_config(setkey_t)
296273a7	465
af2d8802	466	userdom_use_inherited_user_terminals(setkey_t)
3eaa9939	467	userdom_read_user_tmp_files(setkey_t)
6237b724	468