2 policy_module(ipsec, 1.10.0)
4 ########################################
11 init_daemon_domain(ipsec_t, ipsec_exec_t)
12 role system_r types ipsec_t;
14 # type for ipsec configuration file(s) - not for keys
15 type ipsec_conf_file_t;
16 files_type(ipsec_conf_file_t)
18 # type for file(s) containing ipsec keys - RSA or preshared
19 type ipsec_key_file_t;
20 files_type(ipsec_key_file_t)
22 # Default type for IPSEC SPD entries
25 # type for runtime files, including pluto.ctl
27 files_pid_file(ipsec_var_run_t)
30 type ipsec_mgmt_exec_t;
31 init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
32 corecmd_shell_entry_type(ipsec_mgmt_t)
33 role system_r types ipsec_mgmt_t;
35 type ipsec_mgmt_lock_t;
36 files_lock_file(ipsec_mgmt_lock_t)
38 type ipsec_mgmt_var_run_t;
39 files_pid_file(ipsec_mgmt_var_run_t)
43 init_daemon_domain(racoon_t, racoon_exec_t)
44 role system_r types racoon_t;
48 init_system_domain(setkey_t, setkey_exec_t)
49 role system_r types setkey_t;
51 ########################################
56 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
57 dontaudit ipsec_t self:capability sys_tty_config;
58 allow ipsec_t self:process { signal setsched };
59 allow ipsec_t self:tcp_socket create_stream_socket_perms;
60 allow ipsec_t self:udp_socket create_socket_perms;
61 allow ipsec_t self:key_socket create_socket_perms;
62 allow ipsec_t self:fifo_file read_fifo_file_perms;
63 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
65 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
66 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
67 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
69 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
70 read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
71 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
73 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
74 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
75 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
77 can_exec(ipsec_t, ipsec_mgmt_exec_t)
79 # pluto runs an updown script (by calling popen()!) as this is by default
80 # a shell script, we need to find a way to make things work without
81 # letting all sorts of stuff possibly be run...
82 # so try flipping back into the ipsec_mgmt_t domain
83 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
84 allow ipsec_mgmt_t ipsec_t:fd use;
85 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
86 allow ipsec_mgmt_t ipsec_t:process sigchld;
88 kernel_read_kernel_sysctls(ipsec_t)
89 kernel_list_proc(ipsec_t)
90 kernel_read_proc_symlinks(ipsec_t)
91 # allow pluto to access /proc/net/ipsec_eroute;
92 kernel_read_system_state(ipsec_t)
93 kernel_read_network_state(ipsec_t)
94 kernel_read_software_raid_state(ipsec_t)
95 kernel_getattr_core_if(ipsec_t)
96 kernel_getattr_message_if(ipsec_t)
98 corecmd_exec_shell(ipsec_t)
99 corecmd_exec_bin(ipsec_t)
101 # Pluto needs network access
102 corenet_all_recvfrom_unlabeled(ipsec_t)
103 corenet_tcp_sendrecv_all_if(ipsec_t)
104 corenet_raw_sendrecv_all_if(ipsec_t)
105 corenet_tcp_sendrecv_all_nodes(ipsec_t)
106 corenet_raw_sendrecv_all_nodes(ipsec_t)
107 corenet_tcp_sendrecv_all_ports(ipsec_t)
108 corenet_tcp_bind_all_nodes(ipsec_t)
109 corenet_udp_bind_all_nodes(ipsec_t)
110 corenet_tcp_bind_reserved_port(ipsec_t)
111 corenet_tcp_bind_isakmp_port(ipsec_t)
112 corenet_udp_bind_isakmp_port(ipsec_t)
113 corenet_udp_bind_ipsecnat_port(ipsec_t)
114 corenet_sendrecv_generic_server_packets(ipsec_t)
115 corenet_sendrecv_isakmp_server_packets(ipsec_t)
117 dev_read_sysfs(ipsec_t)
118 dev_read_rand(ipsec_t)
119 dev_read_urand(ipsec_t)
121 domain_use_interactive_fds(ipsec_t)
123 files_read_etc_files(ipsec_t)
125 fs_getattr_all_fs(ipsec_t)
126 fs_search_auto_mountpoints(ipsec_t)
128 term_use_console(ipsec_t)
129 term_dontaudit_use_all_user_ttys(ipsec_t)
131 auth_use_nsswitch(ipsec_t)
133 init_use_fds(ipsec_t)
134 init_use_script_ptys(ipsec_t)
136 logging_send_syslog_msg(ipsec_t)
138 miscfiles_read_localization(ipsec_t)
140 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
141 userdom_dontaudit_search_user_home_dirs(ipsec_t)
144 seutil_sigchld_newrole(ipsec_t)
148 udev_read_db(ipsec_t)
151 ########################################
153 # ipsec_mgmt Local policy
156 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
157 allow ipsec_mgmt_t self:process { signal setrlimit };
158 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
159 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
160 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
161 allow ipsec_mgmt_t self:key_socket create_socket_perms;
162 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
164 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
165 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
167 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
168 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
170 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
171 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
173 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
174 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
176 # _realsetup needs to be able to cat /var/run/pluto.pid,
177 # run ps on that pid, and delete the file
178 read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
179 read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
181 # logger, running in ipsec_mgmt_t needs to use sockets
182 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
183 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
185 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
187 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
188 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
189 files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
191 # whack needs to connect to pluto
192 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
194 can_exec(ipsec_mgmt_t, ipsec_exec_t)
195 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
196 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
198 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
200 kernel_rw_net_sysctls(ipsec_mgmt_t)
201 # allow pluto to access /proc/net/ipsec_eroute;
202 kernel_read_system_state(ipsec_mgmt_t)
203 kernel_read_network_state(ipsec_mgmt_t)
204 kernel_read_software_raid_state(ipsec_mgmt_t)
205 kernel_read_kernel_sysctls(ipsec_mgmt_t)
206 kernel_getattr_core_if(ipsec_mgmt_t)
207 kernel_getattr_message_if(ipsec_mgmt_t)
209 files_read_kernel_symbol_table(ipsec_mgmt_t)
210 files_getattr_kernel_modules(ipsec_mgmt_t)
212 # the default updown script wants to run route
213 # the ipsec wrapper wants to run /usr/bin/logger (should we put
214 # it in its own domain?)
215 corecmd_exec_bin(ipsec_mgmt_t)
216 corecmd_exec_shell(ipsec_mgmt_t)
218 dev_read_rand(ipsec_mgmt_t)
219 dev_read_urand(ipsec_mgmt_t)
221 domain_use_interactive_fds(ipsec_mgmt_t)
222 # denials when ps tries to search /proc. Do not audit these denials.
223 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
224 # suppress audit messages about unnecessary socket access
225 # cjp: this seems excessive
226 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
227 domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
229 files_read_etc_files(ipsec_mgmt_t)
230 files_exec_etc_files(ipsec_mgmt_t)
231 files_read_etc_runtime_files(ipsec_mgmt_t)
232 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
233 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
235 fs_getattr_xattr_fs(ipsec_mgmt_t)
236 fs_list_tmpfs(ipsec_mgmt_t)
238 term_use_console(ipsec_mgmt_t)
239 term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
241 init_use_script_ptys(ipsec_mgmt_t)
242 init_exec_script_files(ipsec_mgmt_t)
243 init_use_fds(ipsec_mgmt_t)
245 logging_send_syslog_msg(ipsec_mgmt_t)
247 miscfiles_read_localization(ipsec_mgmt_t)
249 modutils_domtrans_insmod(ipsec_mgmt_t)
251 seutil_dontaudit_search_config(ipsec_mgmt_t)
253 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
255 userdom_use_user_terminals(ipsec_mgmt_t)
258 consoletype_exec(ipsec_mgmt_t)
262 nscd_socket_use(ipsec_mgmt_t)
266 # ideally it would not need this. It wants to write to /root/.rnd
267 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
269 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
272 ########################################
274 # Racoon local policy
277 allow racoon_t self:capability { net_admin net_bind_service };
278 allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
279 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
280 allow racoon_t self:netlink_selinux_socket { bind create read };
281 allow racoon_t self:udp_socket create_socket_perms;
282 allow racoon_t self:key_socket create_socket_perms;
285 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
286 manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
287 files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
289 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
290 read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
291 read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
293 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
294 read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
295 read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
297 kernel_read_system_state(racoon_t)
298 kernel_read_network_state(racoon_t)
300 corenet_all_recvfrom_unlabeled(racoon_t)
301 corenet_tcp_sendrecv_all_if(racoon_t)
302 corenet_udp_sendrecv_all_if(racoon_t)
303 corenet_tcp_sendrecv_all_nodes(racoon_t)
304 corenet_udp_sendrecv_all_nodes(racoon_t)
305 corenet_tcp_bind_all_nodes(racoon_t)
306 corenet_udp_bind_all_nodes(racoon_t)
307 corenet_udp_bind_isakmp_port(racoon_t)
308 corenet_udp_bind_ipsecnat_port(racoon_t)
310 dev_read_urand(racoon_t)
312 # allow racoon to set contexts on ipsec policy and SAs
313 domain_ipsec_setcontext_all_domains(racoon_t)
315 files_read_etc_files(racoon_t)
317 # allow racoon to use avc_has_perm to check context on proposed SA
318 selinux_compute_access_vector(racoon_t)
320 auth_use_nsswitch(racoon_t)
322 ipsec_setcontext_default_spd(racoon_t)
324 locallogin_use_fds(racoon_t)
326 logging_send_syslog_msg(racoon_t)
327 logging_send_audit_msgs(racoon_t)
329 miscfiles_read_localization(racoon_t)
331 ########################################
333 # Setkey local policy
336 allow setkey_t self:capability net_admin;
337 allow setkey_t self:key_socket create_socket_perms;
338 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
340 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
341 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
342 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
344 # allow setkey utility to set contexts on SA's and policy
345 domain_ipsec_setcontext_all_domains(setkey_t)
347 files_read_etc_files(setkey_t)
349 init_dontaudit_use_fds(setkey_t)
351 # allow setkey to set the context for ipsec SAs and policy.
352 ipsec_setcontext_default_spd(setkey_t)
354 locallogin_use_fds(setkey_t)
356 miscfiles_read_localization(setkey_t)
358 seutil_read_config(setkey_t)
360 userdom_use_user_terminals(setkey_t)