127d617b | 1 | policy_module(ipsec, 1.11.2) |
11633bba CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
832c1be4 CP |
8 | ## <desc> |
9 | ## <p> | |
10 | ## Allow racoon to read shadow password files | |
11 | ## </p> | |
12 | ## </desc> | |
13 | gen_tunable(racoon_read_shadow, false) | |
14 | ||
11633bba CP |
15 | type ipsec_t; |
16 | type ipsec_exec_t; | |
3f67f722 | 17 | init_daemon_domain(ipsec_t, ipsec_exec_t) |
11633bba CP |
18 | role system_r types ipsec_t; |
19 | ||
20 | # type for ipsec configuration file(s) - not for keys | |
21 | type ipsec_conf_file_t; | |
3fd83368 | 22 | files_type(ipsec_conf_file_t) |
11633bba | 23 | |
832c1be4 CP |
24 | type ipsec_initrc_exec_t; |
25 | init_script_file(ipsec_initrc_exec_t) | |
26 | ||
11633bba CP |
27 | # type for file(s) containing ipsec keys - RSA or preshared |
28 | type ipsec_key_file_t; | |
3fd83368 | 29 | files_type(ipsec_key_file_t) |
11633bba | 30 | |
90e65fec CP |
31 | type ipsec_log_t; |
32 | logging_log_file(ipsec_log_t) | |
33 | ||
6b19be33 CP |
34 | # Default type for IPSEC SPD entries |
35 | type ipsec_spd_t; | |
371908d1 | 36 | corenet_spd_type(ipsec_spd_t) |
6b19be33 | 37 | |
90e65fec CP |
38 | type ipsec_tmp_t; |
39 | files_tmp_file(ipsec_tmp_t) | |
40 | ||
11633bba CP |
41 | # type for runtime files, including pluto.ctl |
42 | type ipsec_var_run_t; | |
43 | files_pid_file(ipsec_var_run_t) | |
44 | ||
3fd83368 | 45 | type ipsec_mgmt_t; |
11633bba | 46 | type ipsec_mgmt_exec_t; |
3f67f722 | 47 | init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) |
d40c0ecf | 48 | corecmd_shell_entry_type(ipsec_mgmt_t) |
11633bba CP |
49 | role system_r types ipsec_mgmt_t; |
50 | ||
98a8ead4 CP |
51 | type ipsec_mgmt_lock_t; |
52 | files_lock_file(ipsec_mgmt_lock_t) | |
53 | ||
11633bba CP |
54 | type ipsec_mgmt_var_run_t; |
55 | files_pid_file(ipsec_mgmt_var_run_t) | |
56 | ||
6b19be33 CP |
57 | type racoon_t; |
58 | type racoon_exec_t; | |
3f67f722 | 59 | init_daemon_domain(racoon_t, racoon_exec_t) |
6b19be33 CP |
60 | role system_r types racoon_t; |
61 | ||
832c1be4 CP |
62 | type racoon_tmp_t; |
63 | files_tmp_file(racoon_tmp_t) | |
64 | ||
6b19be33 CP |
65 | type setkey_t; |
66 | type setkey_exec_t; | |
3f67f722 | 67 | init_system_domain(setkey_t, setkey_exec_t) |
6b19be33 CP |
68 | role system_r types setkey_t; |
69 | ||
11633bba CP |
70 | ######################################## |
71 | # | |
72 | # ipsec Local policy | |
73 | # | |
74 | ||
90e65fec | 75 | allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; |
3eaa9939 | 76 | dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; |
832c1be4 | 77 | allow ipsec_t self:process { getcap setcap getsched signal setsched }; |
3fd83368 | 78 | allow ipsec_t self:tcp_socket create_stream_socket_perms; |
d6605bc4 CP |
79 | allow ipsec_t self:udp_socket create_socket_perms; |
80 | allow ipsec_t self:key_socket create_socket_perms; | |
81 | allow ipsec_t self:fifo_file read_fifo_file_perms; | |
82 | allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; | |
11633bba | 83 | |
832c1be4 CP |
84 | allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; |
85 | ||
c0868a7a | 86 | allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; |
3f67f722 CP |
87 | read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) |
88 | read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) | |
11633bba | 89 | |
c0868a7a | 90 | allow ipsec_t ipsec_key_file_t:dir list_dir_perms; |
832c1be4 | 91 | manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) |
3f67f722 | 92 | read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) |
11633bba | 93 | |
90e65fec CP |
94 | manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) |
95 | manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) | |
530ad6fc | 96 | files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) |
90e65fec | 97 | |
3eaa9939 | 98 | manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) |
e0ed765c CP |
99 | manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) |
100 | manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) | |
3eaa9939 | 101 | files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) |
11633bba CP |
102 | |
103 | can_exec(ipsec_t, ipsec_mgmt_exec_t) | |
104 | ||
26410ddf | 105 | # pluto runs an updown script (by calling popen()!); as this is by default |
11633bba CP |
106 | # a shell script, we need a way to make it work without |
107 | # letting arbitrary commands be run from the ipsec_t domain, | |
108 | # so transition the shell back into the ipsec_mgmt_t domain | |
3f67f722 | 109 | corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) |
11633bba | 110 | allow ipsec_mgmt_t ipsec_t:fd use; |
832c1be4 | 111 | allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; |
3eaa9939 | 112 | allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; |
127d617b | 113 | allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; |
11633bba | 114 | |
445522dc | 115 | kernel_read_kernel_sysctls(ipsec_t) |
11633bba CP |
116 | kernel_list_proc(ipsec_t) |
117 | kernel_read_proc_symlinks(ipsec_t) | |
118 | # allow pluto to access /proc/net/ipsec_eroute | |
119 | kernel_read_system_state(ipsec_t) | |
120 | kernel_read_network_state(ipsec_t) | |
121 | kernel_read_software_raid_state(ipsec_t) | |
832c1be4 | 122 | kernel_request_load_module(ipsec_t) |
445522dc | 123 | kernel_getattr_core_if(ipsec_t) |
11633bba CP |
124 | kernel_getattr_message_if(ipsec_t) |
125 | ||
e6985f91 CP |
126 | corecmd_exec_shell(ipsec_t) |
127 | corecmd_exec_bin(ipsec_t) | |
128 | ||
3fd83368 | 129 | # Pluto needs network access |
19006686 | 130 | corenet_all_recvfrom_unlabeled(ipsec_t) |
4bc56eb9 DW |
131 | corenet_tcp_sendrecv_generic_if(ipsec_t) |
132 | corenet_raw_sendrecv_generic_if(ipsec_t) | |
133 | corenet_tcp_sendrecv_generic_node(ipsec_t) | |
134 | corenet_raw_sendrecv_generic_node(ipsec_t) | |
3fd83368 | 135 | corenet_tcp_sendrecv_all_ports(ipsec_t) |
4bc56eb9 DW |
136 | corenet_tcp_bind_generic_node(ipsec_t) |
137 | corenet_udp_bind_generic_node(ipsec_t) | |
35a4b349 CP |
138 | corenet_tcp_bind_reserved_port(ipsec_t) |
139 | corenet_tcp_bind_isakmp_port(ipsec_t) | |
d6605bc4 CP |
140 | corenet_udp_bind_isakmp_port(ipsec_t) |
141 | corenet_udp_bind_ipsecnat_port(ipsec_t) | |
35a4b349 CP |
142 | corenet_sendrecv_generic_server_packets(ipsec_t) |
143 | corenet_sendrecv_isakmp_server_packets(ipsec_t) | |
11633bba CP |
144 | |
145 | dev_read_sysfs(ipsec_t) | |
146 | dev_read_rand(ipsec_t) | |
147 | dev_read_urand(ipsec_t) | |
148 | ||
e6985f91 CP |
149 | domain_use_interactive_fds(ipsec_t) |
150 | ||
832c1be4 | 151 | files_list_tmp(ipsec_t) |
e6985f91 | 152 | files_read_etc_files(ipsec_t) |
832c1be4 | 153 | files_read_usr_files(ipsec_t) |
3eaa9939 | 154 | files_dontaudit_search_home(ipsec_t) |
e6985f91 | 155 | |
11633bba CP |
156 | fs_getattr_all_fs(ipsec_t) |
157 | fs_search_auto_mountpoints(ipsec_t) | |
158 | ||
159 | term_use_console(ipsec_t) | |
c3c753f7 | 160 | term_dontaudit_use_all_ttys(ipsec_t) |
11633bba | 161 | |
e6985f91 | 162 | auth_use_nsswitch(ipsec_t) |
11633bba | 163 | |
1c1ac67f | 164 | init_use_fds(ipsec_t) |
1815bad1 | 165 | init_use_script_ptys(ipsec_t) |
11633bba | 166 | |
11633bba CP |
167 | logging_send_syslog_msg(ipsec_t) |
168 | ||
169 | miscfiles_read_localization(ipsec_t) | |
170 | ||
90e65fec | 171 | sysnet_domtrans_ifconfig(ipsec_t) |
3eaa9939 DW |
172 | sysnet_manage_config(ipsec_t) |
173 | sysnet_etc_filetrans_config(ipsec_t) | |
90e65fec | 174 | |
15722ec9 | 175 | userdom_dontaudit_use_unpriv_user_fds(ipsec_t) |
296273a7 | 176 | userdom_dontaudit_search_user_home_dirs(ipsec_t) |
11633bba | 177 | |
bb7170f6 | 178 | optional_policy(` |
11633bba CP |
179 | seutil_sigchld_newrole(ipsec_t) |
180 | ') | |
181 | ||
bb7170f6 | 182 | optional_policy(` |
11633bba CP |
183 | udev_read_db(ipsec_t) |
184 | ') | |
185 | ||
11633bba CP |
186 | ######################################## |
187 | # | |
188 | # ipsec_mgmt Local policy | |
189 | # | |
190 | ||
90e65fec | 191 | allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; |
3eaa9939 DW |
192 | dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; |
193 | allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; | |
11633bba | 194 | allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; |
d6605bc4 | 195 | allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; |
11633bba | 196 | allow ipsec_mgmt_t self:udp_socket create_socket_perms; |
d6605bc4 | 197 | allow ipsec_mgmt_t self:key_socket create_socket_perms; |
832c1be4 | 198 | allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; |
11633bba | 199 | |
c0868a7a | 200 | allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; |
3f67f722 | 201 | files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) |
98a8ead4 | 202 | |
90e65fec CP |
203 | manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) |
204 | manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) | |
530ad6fc | 205 | files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) |
90e65fec CP |
206 | |
207 | manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) | |
208 | logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) | |
209 | ||
c0868a7a | 210 | allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; |
3f67f722 | 211 | files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) |
11633bba | 212 | |
3f67f722 CP |
213 | manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) |
214 | manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) | |
11633bba | 215 | |
c0868a7a | 216 | allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; |
3f67f722 | 217 | files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) |
11633bba CP |
218 | |
219 | # _realsetup needs to be able to cat /var/run/pluto.pid, | |
220 | # run ps on that pid, and delete the file | |
3f67f722 CP |
221 | read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) |
222 | read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) | |
11633bba CP |
223 | |
224 | # logger, running in ipsec_mgmt_t, needs to use sockets | |
225 | allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; | |
226 | allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; | |
227 | ||
0b36a214 | 228 | allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; |
11633bba | 229 | |
3f67f722 CP |
230 | manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) |
231 | manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) | |
11633bba CP |
232 | |
233 | # whack needs to connect to pluto | |
3f67f722 | 234 | stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) |
11633bba | 235 | |
11633bba CP |
236 | can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) |
237 | allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; | |
238 | ||
3f67f722 | 239 | domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) |
11633bba | 240 | |
445522dc | 241 | kernel_rw_net_sysctls(ipsec_mgmt_t) |
11633bba CP |
242 | # allow pluto to access /proc/net/ipsec_eroute |
243 | kernel_read_system_state(ipsec_mgmt_t) | |
244 | kernel_read_network_state(ipsec_mgmt_t) | |
245 | kernel_read_software_raid_state(ipsec_mgmt_t) | |
445522dc CP |
246 | kernel_read_kernel_sysctls(ipsec_mgmt_t) |
247 | kernel_getattr_core_if(ipsec_mgmt_t) | |
11633bba CP |
248 | kernel_getattr_message_if(ipsec_mgmt_t) |
249 | ||
3eaa9939 DW |
250 | # don't audit lsof usage |
251 | dontaudit ipsec_mgmt_t self:capability sys_ptrace; | |
252 | ||
253 | domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) | |
254 | domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) | |
255 | ||
256 | dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) | |
257 | dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) | |
258 | ||
259 | files_dontaudit_getattr_all_files(ipsec_mgmt_t) | |
260 | files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) | |
1c1ac67f CP |
261 | files_read_kernel_symbol_table(ipsec_mgmt_t) |
262 | files_getattr_kernel_modules(ipsec_mgmt_t) | |
11633bba | 263 | |
11633bba | 264 | # the default updown script wants to run route |
11633bba CP |
265 | # the ipsec wrapper wants to run /usr/bin/logger (should we put |
266 | # it in its own domain?) | |
267 | corecmd_exec_bin(ipsec_mgmt_t) | |
d6605bc4 | 268 | corecmd_exec_shell(ipsec_mgmt_t) |
11633bba | 269 | |
e6985f91 CP |
270 | dev_read_rand(ipsec_mgmt_t) |
271 | dev_read_urand(ipsec_mgmt_t) | |
272 | ||
15722ec9 | 273 | domain_use_interactive_fds(ipsec_mgmt_t) |
a5f339f1 | 274 | # ps generates denials when it searches /proc; do not audit them. |
3eaa9939 | 275 | domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) |
a5f339f1 CP |
276 | # suppress audit messages about unnecessary socket access |
277 | # cjp: this seems excessive | |
278 | domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) | |
279 | domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) | |
11633bba CP |
280 | |
281 | files_read_etc_files(ipsec_mgmt_t) | |
282 | files_exec_etc_files(ipsec_mgmt_t) | |
283 | files_read_etc_runtime_files(ipsec_mgmt_t) | |
90e65fec | 284 | files_read_usr_files(ipsec_mgmt_t) |
9e04f5c5 | 285 | files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) |
11633bba | 286 | files_dontaudit_getattr_default_files(ipsec_mgmt_t) |
90e65fec | 287 | files_list_tmp(ipsec_mgmt_t) |
11633bba | 288 | |
e6985f91 CP |
289 | fs_getattr_xattr_fs(ipsec_mgmt_t) |
290 | fs_list_tmpfs(ipsec_mgmt_t) | |
291 | ||
292 | term_use_console(ipsec_mgmt_t) | |
af2d8802 | 293 | term_use_all_inherited_terms(ipsec_mgmt_t) |
3eaa9939 DW |
294 | |
295 | auth_dontaudit_read_login_records(ipsec_mgmt_t) | |
e6985f91 | 296 | |
3eaa9939 | 297 | init_read_utmp(ipsec_mgmt_t) |
1815bad1 | 298 | init_use_script_ptys(ipsec_mgmt_t) |
f7547934 | 299 | init_exec_script_files(ipsec_mgmt_t) |
1c1ac67f | 300 | init_use_fds(ipsec_mgmt_t) |
90e65fec | 301 | init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) |
11633bba | 302 | |
d6605bc4 CP |
303 | logging_send_syslog_msg(ipsec_mgmt_t) |
304 | ||
11633bba CP |
305 | miscfiles_read_localization(ipsec_mgmt_t) |
306 | ||
307 | seutil_dontaudit_search_config(ipsec_mgmt_t) | |
308 | ||
3eaa9939 | 309 | sysnet_manage_config(ipsec_mgmt_t) |
11633bba | 310 | sysnet_domtrans_ifconfig(ipsec_mgmt_t) |
3eaa9939 | 311 | sysnet_etc_filetrans_config(ipsec_mgmt_t) |
11633bba | 312 | |
af2d8802 | 313 | userdom_use_inherited_user_terminals(ipsec_mgmt_t) |
11633bba | 314 | |
bb7170f6 | 315 | optional_policy(` |
11633bba CP |
316 | consoletype_exec(ipsec_mgmt_t) |
317 | ') | |
318 | ||
3eaa9939 | 319 | optional_policy(` |
127d617b | 320 | hostname_exec(ipsec_mgmt_t) |
3eaa9939 DW |
321 | ') |
322 | ||
323 | optional_policy(` | |
127d617b CP |
324 | dbus_system_bus_client(ipsec_mgmt_t) |
325 | dbus_connect_system_bus(ipsec_mgmt_t) | |
3eaa9939 DW |
326 | |
327 | optional_policy(` | |
127d617b | 328 | networkmanager_dbus_chat(ipsec_mgmt_t) |
3eaa9939 DW |
329 | ') |
330 | ') | |
331 | ||
332 | optional_policy(` | |
2371d8d8 MG |
333 | iptables_domtrans(ipsec_mgmt_t) |
334 | ') | |
335 | ||
336 | optional_policy(` | |
337 | modutils_domtrans_insmod(ipsec_mgmt_t) | |
3eaa9939 DW |
338 | ') |
339 | ||
bb7170f6 | 340 | optional_policy(` |
1815bad1 | 341 | nscd_socket_use(ipsec_mgmt_t) |
a5f339f1 | 342 | ') |
11633bba | 343 | |
a5f339f1 | 344 | ifdef(`TODO',` |
11633bba CP |
345 | # ideally this would not be needed; it wants to write to /root/.rnd |
346 | file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) | |
347 | ||
11633bba | 348 | allow ipsec_mgmt_t dev_fs:file_class_set getattr; |
11633bba | 349 | ') dnl end TODO |
6b19be33 CP |
350 | |
351 | ######################################## | |
352 | # | |
353 | # Racoon local policy | |
354 | # | |
355 | ||
356 | allow racoon_t self:capability { net_admin net_bind_service }; | |
357 | allow racoon_t self:netlink_route_socket create_netlink_socket_perms; | |
358 | allow racoon_t self:unix_dgram_socket { connect create ioctl write }; | |
359 | allow racoon_t self:netlink_selinux_socket { bind create read }; | |
360 | allow racoon_t self:udp_socket create_socket_perms; | |
d6605bc4 | 361 | allow racoon_t self:key_socket create_socket_perms; |
832c1be4 CP |
362 | allow racoon_t self:fifo_file rw_fifo_file_perms; |
363 | ||
364 | manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) | |
365 | manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) | |
366 | files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) | |
367 | ||
368 | can_exec(racoon_t, racoon_exec_t) | |
369 | ||
370 | can_exec(racoon_t, setkey_exec_t) | |
6b19be33 CP |
371 | |
372 | # manage pid file | |
3f67f722 CP |
373 | manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) |
374 | manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) | |
375 | files_pid_filetrans(racoon_t, ipsec_var_run_t, file) | |
6b19be33 CP |
376 | |
377 | allow racoon_t ipsec_conf_file_t:dir list_dir_perms; | |
3f67f722 CP |
378 | read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) |
379 | read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) | |
6b19be33 CP |
380 | |
381 | allow racoon_t ipsec_key_file_t:dir list_dir_perms; | |
3f67f722 CP |
382 | read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) |
383 | read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) | |
6b19be33 | 384 | |
ee6608ba | 385 | kernel_read_system_state(racoon_t) |
6b19be33 | 386 | kernel_read_network_state(racoon_t) |
90e65fec | 387 | kernel_request_load_module(racoon_t) |
6b19be33 | 388 | |
832c1be4 CP |
389 | corecmd_exec_shell(racoon_t) |
390 | corecmd_exec_bin(racoon_t) | |
391 | ||
19006686 | 392 | corenet_all_recvfrom_unlabeled(racoon_t) |
4bc56eb9 DW |
393 | corenet_tcp_sendrecv_generic_if(racoon_t) |
394 | corenet_udp_sendrecv_generic_if(racoon_t) | |
395 | corenet_tcp_sendrecv_generic_node(racoon_t) | |
396 | corenet_udp_sendrecv_generic_node(racoon_t) | |
397 | corenet_tcp_bind_generic_node(racoon_t) | |
398 | corenet_udp_bind_generic_node(racoon_t) | |
6b19be33 | 399 | corenet_udp_bind_isakmp_port(racoon_t) |
ee6608ba | 400 | corenet_udp_bind_ipsecnat_port(racoon_t) |
6b19be33 CP |
401 | |
402 | dev_read_urand(racoon_t) | |
403 | ||
404 | # allow racoon to set contexts on ipsec policy and SAs | |
405 | domain_ipsec_setcontext_all_domains(racoon_t) | |
406 | ||
407 | files_read_etc_files(racoon_t) | |
408 | ||
832c1be4 CP |
409 | fs_dontaudit_getattr_xattr_fs(racoon_t) |
410 | ||
6b19be33 CP |
411 | # allow racoon to use avc_has_perm() to check the context of a proposed SA | |
412 | selinux_compute_access_vector(racoon_t) | |
413 | ||
d6605bc4 CP |
414 | auth_use_nsswitch(racoon_t) |
415 | ||
e6985f91 CP |
416 | ipsec_setcontext_default_spd(racoon_t) |
417 | ||
6b19be33 CP |
418 | locallogin_use_fds(racoon_t) |
419 | ||
420 | logging_send_syslog_msg(racoon_t) | |
cdf98fed | 421 | logging_send_audit_msgs(racoon_t) |
6b19be33 CP |
422 | |
423 | miscfiles_read_localization(racoon_t) | |
424 | ||
832c1be4 CP |
425 | sysnet_exec_ifconfig(racoon_t) |
426 | ||
3eaa9939 DW |
427 | auth_use_pam(racoon_t) |
428 | ||
832c1be4 CP |
429 | auth_can_read_shadow_passwords(racoon_t) |
430 | tunable_policy(`racoon_read_shadow',` | |
431 | auth_tunable_read_shadow(racoon_t) | |
432 | ') | |
433 | ||
6b19be33 CP |
434 | ######################################## |
435 | # | |
436 | # Setkey local policy | |
437 | # | |
438 | ||
439 | allow setkey_t self:capability net_admin; | |
d6605bc4 | 440 | allow setkey_t self:key_socket create_socket_perms; |
6b19be33 CP |
441 | allow setkey_t self:netlink_route_socket create_netlink_socket_perms; |
442 | ||
a26923c3 | 443 | allow setkey_t ipsec_conf_file_t:dir list_dir_perms; |
3f67f722 CP |
444 | read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) |
445 | read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) | |
a26923c3 | 446 | |
90e65fec CP |
447 | kernel_request_load_module(setkey_t) |
448 | ||
6b19be33 CP |
449 | # allow the setkey utility to set contexts on SAs and policy |
450 | domain_ipsec_setcontext_all_domains(setkey_t) | |
451 | ||
452 | files_read_etc_files(setkey_t) | |
453 | ||
a26923c3 | 454 | init_dontaudit_use_fds(setkey_t) |
3eaa9939 | 455 | init_read_script_tmp_files(setkey_t) |
a26923c3 | 456 | |
bdccbacd | 457 | # allow setkey to set the context for ipsec SAs and policy. |
371908d1 | 458 | corenet_setcontext_all_spds(setkey_t) |
bdccbacd | 459 | |
6b19be33 CP |
460 | locallogin_use_fds(setkey_t) |
461 | ||
6b19be33 CP |
462 | miscfiles_read_localization(setkey_t) |
463 | ||
464 | seutil_read_config(setkey_t) | |
296273a7 | 465 | |
af2d8802 | 466 | userdom_use_inherited_user_terminals(setkey_t) |
3eaa9939 | 467 | userdom_read_user_tmp_files(setkey_t) |
6237b724 | 468 |