1 policy_module(ipsec, 1.11.2)
3 ########################################
10 ## Allow racoon to read shadow
13 gen_tunable(racoon_read_shadow, false)
17 init_daemon_domain(ipsec_t, ipsec_exec_t)
18 role system_r types ipsec_t;
20 # type for ipsec configuration file(s) - not for keys
21 type ipsec_conf_file_t;
22 files_type(ipsec_conf_file_t)
24 type ipsec_initrc_exec_t;
25 init_script_file(ipsec_initrc_exec_t)
27 # type for file(s) containing ipsec keys - RSA or preshared
28 type ipsec_key_file_t;
29 files_type(ipsec_key_file_t)
32 logging_log_file(ipsec_log_t)
34 # Default type for IPSEC SPD entries
36 corenet_spd_type(ipsec_spd_t)
39 files_tmp_file(ipsec_tmp_t)
41 # type for runtime files, including pluto.ctl
43 files_pid_file(ipsec_var_run_t)
46 type ipsec_mgmt_exec_t;
47 init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
48 corecmd_shell_entry_type(ipsec_mgmt_t)
49 role system_r types ipsec_mgmt_t;
51 type ipsec_mgmt_lock_t;
52 files_lock_file(ipsec_mgmt_lock_t)
54 type ipsec_mgmt_var_run_t;
55 files_pid_file(ipsec_mgmt_var_run_t)
59 init_daemon_domain(racoon_t, racoon_exec_t)
60 role system_r types racoon_t;
63 files_tmp_file(racoon_tmp_t)
67 init_system_domain(setkey_t, setkey_exec_t)
68 role system_r types setkey_t;
70 ########################################
75 allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
76 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
77 allow ipsec_t self:process { getcap setcap getsched signal setsched };
78 allow ipsec_t self:tcp_socket create_stream_socket_perms;
79 allow ipsec_t self:udp_socket create_socket_perms;
80 allow ipsec_t self:key_socket create_socket_perms;
81 allow ipsec_t self:fifo_file read_fifo_file_perms;
82 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
84 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
86 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
87 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
88 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
90 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
91 manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
92 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
94 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
95 manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
96 files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
98 manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
99 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
100 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
101 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
103 can_exec(ipsec_t, ipsec_mgmt_exec_t)
105 # pluto runs an updown script (by calling popen()!) as this is by default
106 # a shell script, we need to find a way to make things work without
107 # letting all sorts of stuff possibly be run...
108 # so try flipping back into the ipsec_mgmt_t domain
109 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
110 allow ipsec_mgmt_t ipsec_t:fd use;
111 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
112 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
113 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
115 kernel_read_kernel_sysctls(ipsec_t)
116 kernel_list_proc(ipsec_t)
117 kernel_read_proc_symlinks(ipsec_t)
118 # allow pluto to access /proc/net/ipsec_eroute;
119 kernel_read_system_state(ipsec_t)
120 kernel_read_network_state(ipsec_t)
121 kernel_read_software_raid_state(ipsec_t)
122 kernel_request_load_module(ipsec_t)
123 kernel_getattr_core_if(ipsec_t)
124 kernel_getattr_message_if(ipsec_t)
126 corecmd_exec_shell(ipsec_t)
127 corecmd_exec_bin(ipsec_t)
129 # Pluto needs network access
130 corenet_all_recvfrom_unlabeled(ipsec_t)
131 corenet_tcp_sendrecv_generic_if(ipsec_t)
132 corenet_raw_sendrecv_generic_if(ipsec_t)
133 corenet_tcp_sendrecv_generic_node(ipsec_t)
134 corenet_raw_sendrecv_generic_node(ipsec_t)
135 corenet_tcp_sendrecv_all_ports(ipsec_t)
136 corenet_tcp_bind_generic_node(ipsec_t)
137 corenet_udp_bind_generic_node(ipsec_t)
138 corenet_tcp_bind_reserved_port(ipsec_t)
139 corenet_tcp_bind_isakmp_port(ipsec_t)
140 corenet_udp_bind_isakmp_port(ipsec_t)
141 corenet_udp_bind_ipsecnat_port(ipsec_t)
142 corenet_sendrecv_generic_server_packets(ipsec_t)
143 corenet_sendrecv_isakmp_server_packets(ipsec_t)
145 dev_read_sysfs(ipsec_t)
146 dev_read_rand(ipsec_t)
147 dev_read_urand(ipsec_t)
149 domain_use_interactive_fds(ipsec_t)
151 files_list_tmp(ipsec_t)
152 files_read_etc_files(ipsec_t)
153 files_read_usr_files(ipsec_t)
154 files_dontaudit_search_home(ipsec_t)
156 fs_getattr_all_fs(ipsec_t)
157 fs_search_auto_mountpoints(ipsec_t)
159 term_use_console(ipsec_t)
160 term_dontaudit_use_all_ttys(ipsec_t)
162 auth_use_nsswitch(ipsec_t)
164 init_use_fds(ipsec_t)
165 init_use_script_ptys(ipsec_t)
167 logging_send_syslog_msg(ipsec_t)
169 miscfiles_read_localization(ipsec_t)
171 sysnet_domtrans_ifconfig(ipsec_t)
172 sysnet_manage_config(ipsec_t)
173 sysnet_etc_filetrans_config(ipsec_t)
175 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
176 userdom_dontaudit_search_user_home_dirs(ipsec_t)
179 seutil_sigchld_newrole(ipsec_t)
183 udev_read_db(ipsec_t)
186 ########################################
188 # ipsec_mgmt Local policy
191 allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
192 dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
193 allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
194 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
195 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
196 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
197 allow ipsec_mgmt_t self:key_socket create_socket_perms;
198 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
200 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
201 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
203 manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
204 manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
205 files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
207 manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
208 logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
210 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
211 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
213 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
214 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
216 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
217 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
219 # _realsetup needs to be able to cat /var/run/pluto.pid,
220 # run ps on that pid, and delete the file
221 read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
222 read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
224 # logger, running in ipsec_mgmt_t needs to use sockets
225 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
226 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
228 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
230 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
231 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
233 # whack needs to connect to pluto
234 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
236 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
237 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
239 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
241 kernel_rw_net_sysctls(ipsec_mgmt_t)
242 # allow pluto to access /proc/net/ipsec_eroute;
243 kernel_read_system_state(ipsec_mgmt_t)
244 kernel_read_network_state(ipsec_mgmt_t)
245 kernel_read_software_raid_state(ipsec_mgmt_t)
246 kernel_read_kernel_sysctls(ipsec_mgmt_t)
247 kernel_getattr_core_if(ipsec_mgmt_t)
248 kernel_getattr_message_if(ipsec_mgmt_t)
250 # don't audit using of lsof
251 dontaudit ipsec_mgmt_t self:capability sys_ptrace;
253 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
254 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
256 dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
257 dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
259 files_dontaudit_getattr_all_files(ipsec_mgmt_t)
260 files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
261 files_read_kernel_symbol_table(ipsec_mgmt_t)
262 files_getattr_kernel_modules(ipsec_mgmt_t)
264 # the default updown script wants to run route
265 # the ipsec wrapper wants to run /usr/bin/logger (should we put
266 # it in its own domain?)
267 corecmd_exec_bin(ipsec_mgmt_t)
268 corecmd_exec_shell(ipsec_mgmt_t)
270 dev_read_rand(ipsec_mgmt_t)
271 dev_read_urand(ipsec_mgmt_t)
273 domain_use_interactive_fds(ipsec_mgmt_t)
274 # denials when ps tries to search /proc. Do not audit these denials.
275 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
276 # suppress audit messages about unnecessary socket access
277 # cjp: this seems excessive
278 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
279 domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
281 files_read_etc_files(ipsec_mgmt_t)
282 files_exec_etc_files(ipsec_mgmt_t)
283 files_read_etc_runtime_files(ipsec_mgmt_t)
284 files_read_usr_files(ipsec_mgmt_t)
285 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
286 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
287 files_list_tmp(ipsec_mgmt_t)
289 fs_getattr_xattr_fs(ipsec_mgmt_t)
290 fs_list_tmpfs(ipsec_mgmt_t)
292 term_use_console(ipsec_mgmt_t)
293 term_use_all_inherited_terms(ipsec_mgmt_t)
295 auth_dontaudit_read_login_records(ipsec_mgmt_t)
297 init_read_utmp(ipsec_mgmt_t)
298 init_use_script_ptys(ipsec_mgmt_t)
299 init_exec_script_files(ipsec_mgmt_t)
300 init_use_fds(ipsec_mgmt_t)
301 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
303 logging_send_syslog_msg(ipsec_mgmt_t)
305 miscfiles_read_localization(ipsec_mgmt_t)
307 seutil_dontaudit_search_config(ipsec_mgmt_t)
309 sysnet_manage_config(ipsec_mgmt_t)
310 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
311 sysnet_etc_filetrans_config(ipsec_mgmt_t)
313 userdom_use_inherited_user_terminals(ipsec_mgmt_t)
316 consoletype_exec(ipsec_mgmt_t)
320 hostname_exec(ipsec_mgmt_t)
324 dbus_system_bus_client(ipsec_mgmt_t)
325 dbus_connect_system_bus(ipsec_mgmt_t)
328 networkmanager_dbus_chat(ipsec_mgmt_t)
333 iptables_domtrans(ipsec_mgmt_t)
337 modutils_domtrans_insmod(ipsec_mgmt_t)
341 nscd_socket_use(ipsec_mgmt_t)
345 # ideally it would not need this. It wants to write to /root/.rnd
346 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
348 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
351 ########################################
353 # Racoon local policy
356 allow racoon_t self:capability { net_admin net_bind_service };
357 allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
358 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
359 allow racoon_t self:netlink_selinux_socket { bind create read };
360 allow racoon_t self:udp_socket create_socket_perms;
361 allow racoon_t self:key_socket create_socket_perms;
362 allow racoon_t self:fifo_file rw_fifo_file_perms;
364 manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
365 manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
366 files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
368 can_exec(racoon_t, racoon_exec_t)
370 can_exec(racoon_t, setkey_exec_t)
373 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
374 manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
375 files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
377 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
378 read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
379 read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
381 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
382 read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
383 read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
385 kernel_read_system_state(racoon_t)
386 kernel_read_network_state(racoon_t)
387 kernel_request_load_module(racoon_t)
389 corecmd_exec_shell(racoon_t)
390 corecmd_exec_bin(racoon_t)
392 corenet_all_recvfrom_unlabeled(racoon_t)
393 corenet_tcp_sendrecv_generic_if(racoon_t)
394 corenet_udp_sendrecv_generic_if(racoon_t)
395 corenet_tcp_sendrecv_generic_node(racoon_t)
396 corenet_udp_sendrecv_generic_node(racoon_t)
397 corenet_tcp_bind_generic_node(racoon_t)
398 corenet_udp_bind_generic_node(racoon_t)
399 corenet_udp_bind_isakmp_port(racoon_t)
400 corenet_udp_bind_ipsecnat_port(racoon_t)
402 dev_read_urand(racoon_t)
404 # allow racoon to set contexts on ipsec policy and SAs
405 domain_ipsec_setcontext_all_domains(racoon_t)
407 files_read_etc_files(racoon_t)
409 fs_dontaudit_getattr_xattr_fs(racoon_t)
411 # allow racoon to use avc_has_perm to check context on proposed SA
412 selinux_compute_access_vector(racoon_t)
414 auth_use_nsswitch(racoon_t)
416 ipsec_setcontext_default_spd(racoon_t)
418 locallogin_use_fds(racoon_t)
420 logging_send_syslog_msg(racoon_t)
421 logging_send_audit_msgs(racoon_t)
423 miscfiles_read_localization(racoon_t)
425 sysnet_exec_ifconfig(racoon_t)
427 auth_use_pam(racoon_t)
429 auth_can_read_shadow_passwords(racoon_t)
430 tunable_policy(`racoon_read_shadow',`
431 auth_tunable_read_shadow(racoon_t)
434 ########################################
436 # Setkey local policy
439 allow setkey_t self:capability net_admin;
440 allow setkey_t self:key_socket create_socket_perms;
441 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
443 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
444 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
445 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
447 kernel_request_load_module(setkey_t)
449 # allow setkey utility to set contexts on SA's and policy
450 domain_ipsec_setcontext_all_domains(setkey_t)
452 files_read_etc_files(setkey_t)
454 init_dontaudit_use_fds(setkey_t)
455 init_read_script_tmp_files(setkey_t)
457 # allow setkey to set the context for ipsec SAs and policy.
458 corenet_setcontext_all_spds(setkey_t)
460 locallogin_use_fds(setkey_t)
462 miscfiles_read_localization(setkey_t)
464 seutil_read_config(setkey_t)
466 userdom_use_inherited_user_terminals(setkey_t)
467 userdom_read_user_tmp_files(setkey_t)