policy/modules/system/ipsec.te

   1 policy_module(ipsec, 1.11.2)
   2
   3 ########################################
   4 #
   5 # Declarations
   6 #
   7
   8 ## <desc>
   9 ## <p>
  10 ## Allow racoon to read shadow
  11 ## </p>
  12 ## </desc>
  13 gen_tunable(racoon_read_shadow, false)
  14
  15 type ipsec_t;
  16 type ipsec_exec_t;
  17 init_daemon_domain(ipsec_t, ipsec_exec_t)
  18 role system_r types ipsec_t;
  19
  20 # type for ipsec configuration file(s) - not for keys
  21 type ipsec_conf_file_t;
  22 files_type(ipsec_conf_file_t)
  23
  24 type ipsec_initrc_exec_t;
  25 init_script_file(ipsec_initrc_exec_t)
  26
  27 # type for file(s) containing ipsec keys - RSA or preshared
  28 type ipsec_key_file_t;
  29 files_type(ipsec_key_file_t)
  30
  31 type ipsec_log_t;
  32 logging_log_file(ipsec_log_t)
  33
  34 # Default type for IPSEC SPD entries
  35 type ipsec_spd_t;
  36 corenet_spd_type(ipsec_spd_t)
  37
  38 type ipsec_tmp_t;
  39 files_tmp_file(ipsec_tmp_t)
  40
  41 # type for runtime files, including pluto.ctl
  42 type ipsec_var_run_t;
  43 files_pid_file(ipsec_var_run_t)
  44
  45 type ipsec_mgmt_t;
  46 type ipsec_mgmt_exec_t;
  47 init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
  48 corecmd_shell_entry_type(ipsec_mgmt_t)
  49 role system_r types ipsec_mgmt_t;
  50
  51 type ipsec_mgmt_lock_t;
  52 files_lock_file(ipsec_mgmt_lock_t)
  53
  54 type ipsec_mgmt_var_run_t;
  55 files_pid_file(ipsec_mgmt_var_run_t)
  56
  57 type racoon_t;
  58 type racoon_exec_t;
  59 init_daemon_domain(racoon_t, racoon_exec_t)
  60 role system_r types racoon_t;
  61
  62 type racoon_tmp_t;
  63 files_tmp_file(racoon_tmp_t)
  64
  65 type setkey_t;
  66 type setkey_exec_t;
  67 init_system_domain(setkey_t, setkey_exec_t)
  68 role system_r types setkey_t;
  69
  70 ########################################
  71 #
  72 # ipsec Local policy
  73 #
  74
  75 allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
  76 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
  77 allow ipsec_t self:process { getcap setcap getsched signal setsched };
  78 allow ipsec_t self:tcp_socket create_stream_socket_perms;
  79 allow ipsec_t self:udp_socket create_socket_perms;
  80 allow ipsec_t self:key_socket create_socket_perms;
  81 allow ipsec_t self:fifo_file read_fifo_file_perms;
  82 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
  83
  84 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  85
  86 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
  87 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  88 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  89
  90 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
  91 manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  92 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  93
  94 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  95 manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  96 files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
  97
  98 manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
  99 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 100 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 101 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
 102
 103 can_exec(ipsec_t, ipsec_mgmt_exec_t)
 104
 105 # pluto runs an updown script (by calling popen()!) as this is by default
 106 # a shell script, we need to find a way to make things work without
 107 # letting all sorts of stuff possibly be run...
 108 # so try flipping back into the ipsec_mgmt_t domain
 109 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 110 allow ipsec_mgmt_t ipsec_t:fd use;
 111 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 112 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 113 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 114
 115 kernel_read_kernel_sysctls(ipsec_t)
 116 kernel_list_proc(ipsec_t)
 117 kernel_read_proc_symlinks(ipsec_t)
 118 # allow pluto to access /proc/net/ipsec_eroute;
 119 kernel_read_system_state(ipsec_t)
 120 kernel_read_network_state(ipsec_t)
 121 kernel_read_software_raid_state(ipsec_t)
 122 kernel_request_load_module(ipsec_t)
 123 kernel_getattr_core_if(ipsec_t)
 124 kernel_getattr_message_if(ipsec_t)
 125
 126 corecmd_exec_shell(ipsec_t)
 127 corecmd_exec_bin(ipsec_t)
 128
 129 # Pluto needs network access
 130 corenet_all_recvfrom_unlabeled(ipsec_t)
 131 corenet_tcp_sendrecv_generic_if(ipsec_t)
 132 corenet_raw_sendrecv_generic_if(ipsec_t)
 133 corenet_tcp_sendrecv_generic_node(ipsec_t)
 134 corenet_raw_sendrecv_generic_node(ipsec_t)
 135 corenet_tcp_sendrecv_all_ports(ipsec_t)
 136 corenet_tcp_bind_generic_node(ipsec_t)
 137 corenet_udp_bind_generic_node(ipsec_t)
 138 corenet_tcp_bind_reserved_port(ipsec_t)
 139 corenet_tcp_bind_isakmp_port(ipsec_t)
 140 corenet_udp_bind_isakmp_port(ipsec_t)
 141 corenet_udp_bind_ipsecnat_port(ipsec_t)
 142 corenet_sendrecv_generic_server_packets(ipsec_t)
 143 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 144
 145 dev_read_sysfs(ipsec_t)
 146 dev_read_rand(ipsec_t)
 147 dev_read_urand(ipsec_t)
 148
 149 domain_use_interactive_fds(ipsec_t)
 150
 151 files_list_tmp(ipsec_t)
 152 files_read_etc_files(ipsec_t)
 153 files_read_usr_files(ipsec_t)
 154 files_dontaudit_search_home(ipsec_t)
 155
 156 fs_getattr_all_fs(ipsec_t)
 157 fs_search_auto_mountpoints(ipsec_t)
 158
 159 term_use_console(ipsec_t)
 160 term_dontaudit_use_all_ttys(ipsec_t)
 161
 162 auth_use_nsswitch(ipsec_t)
 163
 164 init_use_fds(ipsec_t)
 165 init_use_script_ptys(ipsec_t)
 166
 167 logging_send_syslog_msg(ipsec_t)
 168
 169 miscfiles_read_localization(ipsec_t)
 170
 171 sysnet_domtrans_ifconfig(ipsec_t)
 172 sysnet_manage_config(ipsec_t)
 173 sysnet_etc_filetrans_config(ipsec_t)
 174
 175 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 176 userdom_dontaudit_search_user_home_dirs(ipsec_t)
 177
 178 optional_policy(`
 179         seutil_sigchld_newrole(ipsec_t)
 180 ')
 181
 182 optional_policy(`
 183         udev_read_db(ipsec_t)
 184 ')
 185
 186 ########################################
 187 #
 188 # ipsec_mgmt Local policy
 189 #
 190
 191 allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
 192 dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
 193 allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
 194 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 195 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 196 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 197 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 198 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 199
 200 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 201 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 202
 203 manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 204 manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 205 files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
 206
 207 manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
 208 logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 209
 210 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 211 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 212
 213 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 214 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 215
 216 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 217 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 218
 219 # _realsetup needs to be able to cat /var/run/pluto.pid,
 220 # run ps on that pid, and delete the file
 221 read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 222 read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 223
 224 # logger, running in ipsec_mgmt_t needs to use sockets
 225 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 226 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 227
 228 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 229
 230 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 231 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 232
 233 # whack needs to connect to pluto
 234 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 235
 236 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 237 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 238
 239 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 240
 241 kernel_rw_net_sysctls(ipsec_mgmt_t)
 242 # allow pluto to access /proc/net/ipsec_eroute;
 243 kernel_read_system_state(ipsec_mgmt_t)
 244 kernel_read_network_state(ipsec_mgmt_t)
 245 kernel_read_software_raid_state(ipsec_mgmt_t)
 246 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 247 kernel_getattr_core_if(ipsec_mgmt_t)
 248 kernel_getattr_message_if(ipsec_mgmt_t)
 249
 250 # don't audit using of lsof
 251 dontaudit ipsec_mgmt_t self:capability sys_ptrace;
 252
 253 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 254 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
 255
 256 dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
 257 dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
 258
 259 files_dontaudit_getattr_all_files(ipsec_mgmt_t)
 260 files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 261 files_read_kernel_symbol_table(ipsec_mgmt_t)
 262 files_getattr_kernel_modules(ipsec_mgmt_t)
 263
 264 # the default updown script wants to run route
 265 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 266 # it in its own domain?)
 267 corecmd_exec_bin(ipsec_mgmt_t)
 268 corecmd_exec_shell(ipsec_mgmt_t)
 269
 270 dev_read_rand(ipsec_mgmt_t)
 271 dev_read_urand(ipsec_mgmt_t)
 272
 273 domain_use_interactive_fds(ipsec_mgmt_t)
 274 # denials when ps tries to search /proc. Do not audit these denials.
 275 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
 276 # suppress audit messages about unnecessary socket access
 277 # cjp: this seems excessive
 278 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
 279 domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 280
 281 files_read_etc_files(ipsec_mgmt_t)
 282 files_exec_etc_files(ipsec_mgmt_t)
 283 files_read_etc_runtime_files(ipsec_mgmt_t)
 284 files_read_usr_files(ipsec_mgmt_t)
 285 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 286 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 287 files_list_tmp(ipsec_mgmt_t)
 288
 289 fs_getattr_xattr_fs(ipsec_mgmt_t)
 290 fs_list_tmpfs(ipsec_mgmt_t)
 291
 292 term_use_console(ipsec_mgmt_t)
 293 term_use_all_inherited_terms(ipsec_mgmt_t)
 294
 295 auth_dontaudit_read_login_records(ipsec_mgmt_t)
 296
 297 init_read_utmp(ipsec_mgmt_t)
 298 init_use_script_ptys(ipsec_mgmt_t)
 299 init_exec_script_files(ipsec_mgmt_t)
 300 init_use_fds(ipsec_mgmt_t)
 301 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 302
 303 logging_send_syslog_msg(ipsec_mgmt_t)
 304
 305 miscfiles_read_localization(ipsec_mgmt_t)
 306
 307 seutil_dontaudit_search_config(ipsec_mgmt_t)
 308
 309 sysnet_manage_config(ipsec_mgmt_t)
 310 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 311 sysnet_etc_filetrans_config(ipsec_mgmt_t)
 312
 313 userdom_use_inherited_user_terminals(ipsec_mgmt_t)
 314
 315 optional_policy(`
 316         consoletype_exec(ipsec_mgmt_t)
 317 ')
 318
 319 optional_policy(`
 320         hostname_exec(ipsec_mgmt_t)
 321 ')
 322
 323 optional_policy(`
 324         dbus_system_bus_client(ipsec_mgmt_t)
 325         dbus_connect_system_bus(ipsec_mgmt_t)
 326
 327         optional_policy(`
 328                 networkmanager_dbus_chat(ipsec_mgmt_t)
 329         ')
 330 ')
 331
 332 optional_policy(`
 333         iptables_domtrans(ipsec_mgmt_t)
 334 ')
 335
 336 optional_policy(`
 337         modutils_domtrans_insmod(ipsec_mgmt_t)
 338 ')
 339
 340 optional_policy(`
 341         nscd_socket_use(ipsec_mgmt_t)
 342 ')
 343
 344 ifdef(`TODO',`
 345 # ideally it would not need this.  It wants to write to /root/.rnd
 346 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
 347
 348 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
 349 ') dnl end TODO
 350
 351 ########################################
 352 #
 353 # Racoon local policy
 354 #
 355
 356 allow racoon_t self:capability { net_admin net_bind_service };
 357 allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
 358 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 359 allow racoon_t self:netlink_selinux_socket { bind create read };
 360 allow racoon_t self:udp_socket create_socket_perms;
 361 allow racoon_t self:key_socket create_socket_perms;
 362 allow racoon_t self:fifo_file rw_fifo_file_perms;
 363
 364 manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
 365 manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
 366 files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
 367
 368 can_exec(racoon_t, racoon_exec_t)
 369
 370 can_exec(racoon_t, setkey_exec_t)
 371
 372 # manage pid file
 373 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
 374 manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
 375 files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
 376
 377 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
 378 read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 379 read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 380
 381 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 382 read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 383 read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 384
 385 kernel_read_system_state(racoon_t)
 386 kernel_read_network_state(racoon_t)
 387 kernel_request_load_module(racoon_t)
 388
 389 corecmd_exec_shell(racoon_t)
 390 corecmd_exec_bin(racoon_t)
 391
 392 corenet_all_recvfrom_unlabeled(racoon_t)
 393 corenet_tcp_sendrecv_generic_if(racoon_t)
 394 corenet_udp_sendrecv_generic_if(racoon_t)
 395 corenet_tcp_sendrecv_generic_node(racoon_t)
 396 corenet_udp_sendrecv_generic_node(racoon_t)
 397 corenet_tcp_bind_generic_node(racoon_t)
 398 corenet_udp_bind_generic_node(racoon_t)
 399 corenet_udp_bind_isakmp_port(racoon_t)
 400 corenet_udp_bind_ipsecnat_port(racoon_t)
 401
 402 dev_read_urand(racoon_t)
 403
 404 # allow racoon to set contexts on ipsec policy and SAs
 405 domain_ipsec_setcontext_all_domains(racoon_t)
 406
 407 files_read_etc_files(racoon_t)
 408
 409 fs_dontaudit_getattr_xattr_fs(racoon_t)
 410
 411 # allow racoon to use avc_has_perm to check context on proposed SA
 412 selinux_compute_access_vector(racoon_t)
 413
 414 auth_use_nsswitch(racoon_t)
 415
 416 ipsec_setcontext_default_spd(racoon_t)
 417
 418 locallogin_use_fds(racoon_t)
 419
 420 logging_send_syslog_msg(racoon_t)
 421 logging_send_audit_msgs(racoon_t)
 422
 423 miscfiles_read_localization(racoon_t)
 424
 425 sysnet_exec_ifconfig(racoon_t)
 426
 427 auth_use_pam(racoon_t)
 428
 429 auth_can_read_shadow_passwords(racoon_t)
 430 tunable_policy(`racoon_read_shadow',`
 431         auth_tunable_read_shadow(racoon_t)
 432 ')
 433
 434 ########################################
 435 #
 436 # Setkey local policy
 437 #
 438
 439 allow setkey_t self:capability net_admin;
 440 allow setkey_t self:key_socket create_socket_perms;
 441 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 442
 443 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 444 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 445 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 446
 447 kernel_request_load_module(setkey_t)
 448
 449 # allow setkey utility to set contexts on SA's and policy
 450 domain_ipsec_setcontext_all_domains(setkey_t)
 451
 452 files_read_etc_files(setkey_t)
 453
 454 init_dontaudit_use_fds(setkey_t)
 455 init_read_script_tmp_files(setkey_t)
 456
 457 # allow setkey to set the context for ipsec SAs and policy.
 458 corenet_setcontext_all_spds(setkey_t)
 459
 460 locallogin_use_fds(setkey_t)
 461
 462 miscfiles_read_localization(setkey_t)
 463
 464 seutil_read_config(setkey_t)
 465
 466 userdom_use_inherited_user_terminals(setkey_t)
 467 userdom_read_user_tmp_files(setkey_t)
 468