policy/modules/system/ipsec.te

   1
   2 policy_module(ipsec, 1.9.1)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 type ipsec_t;
  10 type ipsec_exec_t;
  11 init_daemon_domain(ipsec_t, ipsec_exec_t)
  12 role system_r types ipsec_t;
  13
  14 # type for ipsec configuration file(s) - not for keys
  15 type ipsec_conf_file_t;
  16 files_type(ipsec_conf_file_t)
  17
  18 # type for file(s) containing ipsec keys - RSA or preshared
  19 type ipsec_key_file_t;
  20 files_type(ipsec_key_file_t)
  21
  22 # Default type for IPSEC SPD entries
  23 type ipsec_spd_t;
  24
  25 # type for runtime files, including pluto.ctl
  26 type ipsec_var_run_t;
  27 files_pid_file(ipsec_var_run_t)
  28
  29 type ipsec_mgmt_t;
  30 type ipsec_mgmt_exec_t;
  31 init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
  32 corecmd_shell_entry_type(ipsec_mgmt_t)
  33 role system_r types ipsec_mgmt_t;
  34
  35 type ipsec_mgmt_lock_t;
  36 files_lock_file(ipsec_mgmt_lock_t)
  37
  38 type ipsec_mgmt_var_run_t;
  39 files_pid_file(ipsec_mgmt_var_run_t)
  40
  41 type racoon_t;
  42 type racoon_exec_t;
  43 init_daemon_domain(racoon_t, racoon_exec_t)
  44 role system_r types racoon_t;
  45
  46 type setkey_t;
  47 type setkey_exec_t;
  48 init_system_domain(setkey_t, setkey_exec_t)
  49 role system_r types setkey_t;
  50
  51 ########################################
  52 #
  53 # ipsec Local policy
  54 #
  55
  56 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
  57 dontaudit ipsec_t self:capability sys_tty_config;
  58 allow ipsec_t self:process { signal setsched };
  59 allow ipsec_t self:tcp_socket create_stream_socket_perms;
  60 allow ipsec_t self:udp_socket create_socket_perms;
  61 allow ipsec_t self:key_socket create_socket_perms;
  62 allow ipsec_t self:fifo_file read_fifo_file_perms;
  63 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
  64
  65 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
  66 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  67 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  68
  69 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
  70 read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  71 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  72
  73 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
  74 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
  75 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
  76
  77 can_exec(ipsec_t, ipsec_mgmt_exec_t)
  78
  79 # pluto runs an updown script (by calling popen()!) as this is by default
  80 # a shell script, we need to find a way to make things work without
  81 # letting all sorts of stuff possibly be run...
  82 # so try flipping back into the ipsec_mgmt_t domain
  83 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  84 allow ipsec_mgmt_t ipsec_t:fd use;
  85 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
  86 allow ipsec_mgmt_t ipsec_t:process sigchld;
  87
  88 kernel_read_kernel_sysctls(ipsec_t)
  89 kernel_list_proc(ipsec_t)
  90 kernel_read_proc_symlinks(ipsec_t)
  91 # allow pluto to access /proc/net/ipsec_eroute;
  92 kernel_read_system_state(ipsec_t)
  93 kernel_read_network_state(ipsec_t)
  94 kernel_read_software_raid_state(ipsec_t)
  95 kernel_getattr_core_if(ipsec_t)
  96 kernel_getattr_message_if(ipsec_t)
  97
  98 # Pluto needs network access
  99 corenet_all_recvfrom_unlabeled(ipsec_t)
 100 corenet_tcp_sendrecv_all_if(ipsec_t)
 101 corenet_raw_sendrecv_all_if(ipsec_t)
 102 corenet_tcp_sendrecv_all_nodes(ipsec_t)
 103 corenet_raw_sendrecv_all_nodes(ipsec_t)
 104 corenet_tcp_sendrecv_all_ports(ipsec_t)
 105 corenet_tcp_bind_all_nodes(ipsec_t)
 106 corenet_udp_bind_all_nodes(ipsec_t)
 107 corenet_tcp_bind_reserved_port(ipsec_t)
 108 corenet_tcp_bind_isakmp_port(ipsec_t)
 109 corenet_udp_bind_isakmp_port(ipsec_t)
 110 corenet_udp_bind_ipsecnat_port(ipsec_t)
 111 corenet_sendrecv_generic_server_packets(ipsec_t)
 112 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 113
 114 dev_read_sysfs(ipsec_t)
 115 dev_read_rand(ipsec_t)
 116 dev_read_urand(ipsec_t)
 117
 118 fs_getattr_all_fs(ipsec_t)
 119 fs_search_auto_mountpoints(ipsec_t)
 120
 121 term_use_console(ipsec_t)
 122 term_dontaudit_use_all_user_ttys(ipsec_t)
 123
 124 corecmd_exec_shell(ipsec_t)
 125 corecmd_exec_bin(ipsec_t)
 126
 127 domain_use_interactive_fds(ipsec_t)
 128
 129 files_read_etc_files(ipsec_t)
 130
 131 init_use_fds(ipsec_t)
 132 init_use_script_ptys(ipsec_t)
 133
 134 auth_use_nsswitch(ipsec_t)
 135
 136 logging_send_syslog_msg(ipsec_t)
 137
 138 miscfiles_read_localization(ipsec_t)
 139
 140 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 141 userdom_dontaudit_search_user_home_dirs(ipsec_t)
 142
 143 optional_policy(`
 144         seutil_sigchld_newrole(ipsec_t)
 145 ')
 146
 147 optional_policy(`
 148         udev_read_db(ipsec_t)
 149 ')
 150
 151 ########################################
 152 #
 153 # ipsec_mgmt Local policy
 154 #
 155
 156 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
 157 allow ipsec_mgmt_t self:process { signal setrlimit };
 158 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 159 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 160 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 161 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 162 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 163
 164 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 165 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 166
 167 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 168 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 169
 170 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 171 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 172
 173 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 174 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 175
 176 # _realsetup needs to be able to cat /var/run/pluto.pid,
 177 # run ps on that pid, and delete the file
 178 read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 179 read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 180
 181 # logger, running in ipsec_mgmt_t needs to use sockets
 182 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 183 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 184
 185 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 186
 187 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 188 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 189 files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 190
 191 # whack needs to connect to pluto
 192 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 193
 194 can_exec(ipsec_mgmt_t, ipsec_exec_t)
 195 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 196 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 197
 198 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 199
 200 kernel_rw_net_sysctls(ipsec_mgmt_t)
 201 # allow pluto to access /proc/net/ipsec_eroute;
 202 kernel_read_system_state(ipsec_mgmt_t)
 203 kernel_read_network_state(ipsec_mgmt_t)
 204 kernel_read_software_raid_state(ipsec_mgmt_t)
 205 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 206 kernel_getattr_core_if(ipsec_mgmt_t)
 207 kernel_getattr_message_if(ipsec_mgmt_t)
 208
 209 files_read_kernel_symbol_table(ipsec_mgmt_t)
 210 files_getattr_kernel_modules(ipsec_mgmt_t)
 211
 212 dev_read_rand(ipsec_mgmt_t)
 213 dev_read_urand(ipsec_mgmt_t)
 214
 215 fs_getattr_xattr_fs(ipsec_mgmt_t)
 216 fs_list_tmpfs(ipsec_mgmt_t)
 217
 218 term_use_console(ipsec_mgmt_t)
 219 term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 220
 221 # the default updown script wants to run route
 222 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 223 # it in its own domain?)
 224 corecmd_exec_bin(ipsec_mgmt_t)
 225 corecmd_exec_shell(ipsec_mgmt_t)
 226
 227 domain_use_interactive_fds(ipsec_mgmt_t)
 228 # denials when ps tries to search /proc. Do not audit these denials.
 229 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
 230 # suppress audit messages about unnecessary socket access
 231 # cjp: this seems excessive
 232 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
 233 domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 234
 235 files_read_etc_files(ipsec_mgmt_t)
 236 files_exec_etc_files(ipsec_mgmt_t)
 237 files_read_etc_runtime_files(ipsec_mgmt_t)
 238 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 239 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 240
 241 init_use_script_ptys(ipsec_mgmt_t)
 242 init_exec_script_files(ipsec_mgmt_t)
 243 init_use_fds(ipsec_mgmt_t)
 244
 245 logging_send_syslog_msg(ipsec_mgmt_t)
 246
 247 miscfiles_read_localization(ipsec_mgmt_t)
 248
 249 modutils_domtrans_insmod(ipsec_mgmt_t)
 250
 251 seutil_dontaudit_search_config(ipsec_mgmt_t)
 252
 253 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 254
 255 userdom_use_user_terminals(ipsec_mgmt_t)
 256
 257 optional_policy(`
 258         consoletype_exec(ipsec_mgmt_t)
 259 ')
 260
 261 optional_policy(`
 262         nscd_socket_use(ipsec_mgmt_t)
 263 ')
 264
 265 ifdef(`TODO',`
 266 # ideally it would not need this.  It wants to write to /root/.rnd
 267 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
 268
 269 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
 270 ') dnl end TODO
 271
 272 ########################################
 273 #
 274 # Racoon local policy
 275 #
 276
 277 allow racoon_t self:capability { net_admin net_bind_service };
 278 allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
 279 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 280 allow racoon_t self:netlink_selinux_socket { bind create read };
 281 allow racoon_t self:udp_socket create_socket_perms;
 282 allow racoon_t self:key_socket create_socket_perms;
 283
 284 # manage pid file
 285 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
 286 manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
 287 files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
 288
 289 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
 290 read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 291 read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 292
 293 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 294 read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 295 read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 296
 297 kernel_read_system_state(racoon_t)
 298 kernel_read_network_state(racoon_t)
 299
 300 corenet_all_recvfrom_unlabeled(racoon_t)
 301 corenet_tcp_sendrecv_all_if(racoon_t)
 302 corenet_udp_sendrecv_all_if(racoon_t)
 303 corenet_tcp_sendrecv_all_nodes(racoon_t)
 304 corenet_udp_sendrecv_all_nodes(racoon_t)
 305 corenet_tcp_bind_all_nodes(racoon_t)
 306 corenet_udp_bind_all_nodes(racoon_t)
 307 corenet_udp_bind_isakmp_port(racoon_t)
 308 corenet_udp_bind_ipsecnat_port(racoon_t)
 309
 310 dev_read_urand(racoon_t)
 311
 312 # allow racoon to set contexts on ipsec policy and SAs
 313 domain_ipsec_setcontext_all_domains(racoon_t)
 314
 315 files_read_etc_files(racoon_t)
 316
 317 # allow racoon to use avc_has_perm to check context on proposed SA
 318 selinux_compute_access_vector(racoon_t)
 319
 320 ipsec_setcontext_default_spd(racoon_t)
 321
 322 auth_use_nsswitch(racoon_t)
 323
 324 locallogin_use_fds(racoon_t)
 325
 326 logging_send_syslog_msg(racoon_t)
 327 logging_send_audit_msgs(racoon_t)
 328
 329 miscfiles_read_localization(racoon_t)
 330
 331 ########################################
 332 #
 333 # Setkey local policy
 334 #
 335
 336 allow setkey_t self:capability net_admin;
 337 allow setkey_t self:key_socket create_socket_perms;
 338 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 339
 340 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 341 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 342 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 343
 344 # allow setkey utility to set contexts on SA's and policy
 345 domain_ipsec_setcontext_all_domains(setkey_t)
 346
 347 files_read_etc_files(setkey_t)
 348
 349 init_dontaudit_use_fds(setkey_t)
 350
 351 # allow setkey to set the context for ipsec SAs and policy.
 352 ipsec_setcontext_default_spd(setkey_t)
 353
 354 locallogin_use_fds(setkey_t)
 355
 356 miscfiles_read_localization(setkey_t)
 357
 358 seutil_read_config(setkey_t)
 359
 360 userdom_use_user_terminals(setkey_t)