policy/modules/system/ipsec.te

   1
   2 policy_module(ipsec,1.1.1)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 type ipsec_t;
  10 type ipsec_exec_t;
  11 init_daemon_domain(ipsec_t,ipsec_exec_t)
  12 role system_r types ipsec_t;
  13
  14 # type for ipsec configuration file(s) - not for keys
  15 type ipsec_conf_file_t;
  16 files_type(ipsec_conf_file_t)
  17
  18 # type for file(s) containing ipsec keys - RSA or preshared
  19 type ipsec_key_file_t;
  20 files_type(ipsec_key_file_t)
  21
  22 # type for runtime files, including pluto.ctl
  23 type ipsec_var_run_t;
  24 files_pid_file(ipsec_var_run_t)
  25
  26 type ipsec_mgmt_t;
  27 type ipsec_mgmt_exec_t;
  28 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
  29 corecmd_shell_entry_type(ipsec_mgmt_t)
  30 role system_r types ipsec_mgmt_t;
  31
  32 type ipsec_mgmt_lock_t;
  33 files_lock_file(ipsec_mgmt_lock_t)
  34
  35 type ipsec_mgmt_var_run_t;
  36 files_pid_file(ipsec_mgmt_var_run_t)
  37
  38 ########################################
  39 #
  40 # ipsec Local policy
  41 #
  42
  43 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
  44 dontaudit ipsec_t self:capability sys_tty_config;
  45 allow ipsec_t self:process signal;
  46 allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
  47 allow ipsec_t self:tcp_socket create_stream_socket_perms;
  48 allow ipsec_t self:key_socket { create write read setopt };
  49 allow ipsec_t self:fifo_file { read getattr };
  50
  51 allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
  52 allow ipsec_t ipsec_conf_file_t:file r_file_perms;
  53 allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
  54
  55 allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
  56 allow ipsec_t ipsec_key_file_t:file r_file_perms;
  57 allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
  58
  59 allow ipsec_t ipsec_var_run_t:file create_file_perms;
  60 allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
  61 files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
  62
  63 can_exec(ipsec_t, ipsec_mgmt_exec_t)
  64
  65 # pluto runs an updown script (by calling popen()!); as this is by default
  66 # a shell script, we need to find a way to make things work without
  67 # letting all sorts of stuff possibly be run...
  68 # so try flipping back into the ipsec_mgmt_t domain
  69 corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
  70 allow ipsec_t ipsec_mgmt_t:fd use;
  71 allow ipsec_mgmt_t ipsec_t:fd use;
  72 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
  73 allow ipsec_mgmt_t ipsec_t:process sigchld;
  74
  75 kernel_read_kernel_sysctls(ipsec_t)
  76 kernel_list_proc(ipsec_t)
  77 kernel_read_proc_symlinks(ipsec_t)
  78 # allow pluto to access /proc/net/ipsec_eroute;
  79 kernel_read_system_state(ipsec_t)
  80 kernel_read_network_state(ipsec_t)
  81 kernel_read_software_raid_state(ipsec_t)
  82 kernel_getattr_core_if(ipsec_t)
  83 kernel_getattr_message_if(ipsec_t)
  84
  85 # Pluto needs network access
  86 corenet_non_ipsec_sendrecv(ipsec_t)
  87 corenet_tcp_sendrecv_all_if(ipsec_t)
  88 corenet_raw_sendrecv_all_if(ipsec_t)
  89 corenet_tcp_sendrecv_all_nodes(ipsec_t)
  90 corenet_raw_sendrecv_all_nodes(ipsec_t)
  91 corenet_tcp_sendrecv_all_ports(ipsec_t)
  92 corenet_tcp_bind_all_nodes(ipsec_t)
  93 corenet_tcp_bind_reserved_port(ipsec_t)
  94 corenet_tcp_bind_isakmp_port(ipsec_t)
  95 corenet_sendrecv_generic_server_packets(ipsec_t)
  96 corenet_sendrecv_isakmp_server_packets(ipsec_t)
  97
  98 dev_read_sysfs(ipsec_t)
  99 dev_read_rand(ipsec_t)
 100 dev_read_urand(ipsec_t)
 101
 102 fs_getattr_all_fs(ipsec_t)
 103 fs_search_auto_mountpoints(ipsec_t)
 104
 105 term_use_console(ipsec_t)
 106 term_dontaudit_use_all_user_ttys(ipsec_t)
 107
 108 corecmd_exec_shell(ipsec_t)
 109 corecmd_exec_bin(ipsec_t)
 110
 111 domain_use_interactive_fds(ipsec_t)
 112
 113 files_read_etc_files(ipsec_t)
 114
 115 init_use_fds(ipsec_t)
 116 init_use_script_ptys(ipsec_t)
 117
 118 libs_use_ld_so(ipsec_t)
 119 libs_use_shared_libs(ipsec_t)
 120
 121 logging_send_syslog_msg(ipsec_t)
 122
 123 miscfiles_read_localization(ipsec_t)
 124
 125 sysnet_read_config(ipsec_t)
 126
 127 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 128 userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
 129
 130 ifdef(`targeted_policy', `
 131         term_dontaudit_use_unallocated_ttys(ipsec_t)
 132         term_dontaudit_use_generic_ptys(ipsec_t)
 133         files_dontaudit_read_root_files(ipsec_t)
 134 ')
 135
 136 optional_policy(`
 137         nis_use_ypbind(ipsec_t)
 138 ')
 139
 140 optional_policy(`
 141         seutil_sigchld_newrole(ipsec_t)
 142 ')
 143
 144 optional_policy(`
 145         udev_read_db(ipsec_t)
 146 ')
 147
 148 ########################################
 149 #
 150 # ipsec_mgmt Local policy
 151 #
 152
 153 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
 154 allow ipsec_mgmt_t self:process { signal setrlimit };
 155 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 156 allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
 157 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 158 allow ipsec_mgmt_t self:key_socket { create setopt };
 159 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 160
 161 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
 162 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
 163
 164 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
 165 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 166
 167 allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
 168 allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
 169 allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
 170
 171 allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
 172 files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
 173
 174 # _realsetup needs to be able to cat /var/run/pluto.pid,
 175 # run ps on that pid, and delete the file
 176 allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
 177
 178 # logger, running in ipsec_mgmt_t needs to use sockets
 179 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 180 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 181
 182 allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
 183
 184 allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
 185 allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
 186 allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
 187 files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
 188
 189 # whack needs to connect to pluto
 190 allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
 191 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
 192
 193 can_exec(ipsec_mgmt_t, ipsec_exec_t)
 194 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 195 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 196
 197 domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
 198 allow ipsec_mgmt_t ipsec_t:fd use;
 199 allow ipsec_t ipsec_mgmt_t:fd use;
 200 allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
 201 allow ipsec_t ipsec_mgmt_t:process sigchld;
 202
 203 kernel_rw_net_sysctls(ipsec_mgmt_t)
 204 # allow pluto to access /proc/net/ipsec_eroute;
 205 kernel_read_system_state(ipsec_mgmt_t)
 206 kernel_read_network_state(ipsec_mgmt_t)
 207 kernel_read_software_raid_state(ipsec_mgmt_t)
 208 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 209 kernel_getattr_core_if(ipsec_mgmt_t)
 210 kernel_getattr_message_if(ipsec_mgmt_t)
 211
 212 files_read_kernel_symbol_table(ipsec_mgmt_t)
 213 files_getattr_kernel_modules(ipsec_mgmt_t)
 214
 215 dev_read_rand(ipsec_mgmt_t)
 216 dev_read_urand(ipsec_mgmt_t)
 217
 218 fs_getattr_xattr_fs(ipsec_mgmt_t)
 219 fs_list_tmpfs(ipsec_mgmt_t)
 220
 221 term_use_console(ipsec_mgmt_t)
 222 term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 223
 224 # the default updown script wants to run route
 225 corecmd_exec_sbin(ipsec_mgmt_t)
 226 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 227 # it in its own domain?)
 228 corecmd_exec_bin(ipsec_mgmt_t)
 229
 230 domain_use_interactive_fds(ipsec_mgmt_t)
 231 # denials when ps tries to search /proc. Do not audit these denials.
 232 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
 233 # suppress audit messages about unnecessary socket access
 234 # cjp: this seems excessive
 235 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
 236 domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 237
 238 files_read_etc_files(ipsec_mgmt_t)
 239 files_exec_etc_files(ipsec_mgmt_t)
 240 files_read_etc_runtime_files(ipsec_mgmt_t)
 241 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 242 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 243
 244 init_use_script_ptys(ipsec_mgmt_t)
 245 init_exec_script_files(ipsec_mgmt_t)
 246 init_use_fds(ipsec_mgmt_t)
 247
 248 libs_use_ld_so(ipsec_mgmt_t)
 249 libs_use_shared_libs(ipsec_mgmt_t)
 250
 251 miscfiles_read_localization(ipsec_mgmt_t)
 252
 253 modutils_domtrans_insmod(ipsec_mgmt_t)
 254
 255 seutil_dontaudit_search_config(ipsec_mgmt_t)
 256
 257 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 258
 259 userdom_use_sysadm_terms(ipsec_mgmt_t)
 260
 261 optional_policy(`
 262         consoletype_exec(ipsec_mgmt_t)
 263 ')
 264
 265 optional_policy(`
 266         nscd_socket_use(ipsec_mgmt_t)
 267 ')
 268
 269 ifdef(`TODO',`
 270 # ideally it would not need this.  It wants to write to /root/.rnd
 271 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
 272
 273 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
 274 ') dnl end TODO