Bump module versions for release.

[people/stevee/selinux-policy.git] / policy / modules / system / ipsec.te

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index f2c3843a136cbe10f5e9e3f938288ace7c0b3eda..4d8e383af9b87a31633af393cd635da01b645717 100644 (file)
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,34 +1,50 @@
 
-policy_module(ipsec, 1.7.1)
+policy_module(ipsec, 1.11.0)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
 type ipsec_t;
 type ipsec_exec_t;
-init_daemon_domain(ipsec_t,ipsec_exec_t)
+init_daemon_domain(ipsec_t, ipsec_exec_t)
 role system_r types ipsec_t;
 
 # type for ipsec configuration file(s) - not for keys
 type ipsec_conf_file_t;
 files_type(ipsec_conf_file_t)
 
+type ipsec_initrc_exec_t;
+init_script_file(ipsec_initrc_exec_t)
+
 # type for file(s) containing ipsec keys - RSA or preshared
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
 
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
 # Default type for IPSEC SPD entries
 type ipsec_spd_t;
 
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
 
 type ipsec_mgmt_t;
 type ipsec_mgmt_exec_t;
-init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 corecmd_shell_entry_type(ipsec_mgmt_t)
 role system_r types ipsec_mgmt_t;
 
@@ -40,12 +56,15 @@ files_pid_file(ipsec_mgmt_var_run_t)
 
 type racoon_t;
 type racoon_exec_t;
-init_daemon_domain(racoon_t,racoon_exec_t)
+init_daemon_domain(racoon_t, racoon_exec_t)
 role system_r types racoon_t;
 
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
 type setkey_t;
 type setkey_exec_t;
-init_system_domain(setkey_t,setkey_exec_t)
+init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
 ########################################
@@ -53,21 +72,28 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process signal;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
-allow ipsec_t self:key_socket { create write read setopt };
-allow ipsec_t self:fifo_file { read getattr };
+allow ipsec_t self:udp_socket create_socket_perms;
+allow ipsec_t self:key_socket create_socket_perms;
+allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+
+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) 
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -75,13 +101,14 @@ files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
 
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
 
-# pluto runs an updown script (by calling popen()!); as this is by default
+# pluto runs an updown script (by calling popen()!) as this is by default
 # a shell script, we need to find a way to make things work without
 # letting all sorts of stuff possibly be run...
 # so try flipping back into the ipsec_mgmt_t domain
-corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -91,9 +118,13 @@ kernel_read_proc_symlinks(ipsec_t)
 kernel_read_system_state(ipsec_t)
 kernel_read_network_state(ipsec_t)
 kernel_read_software_raid_state(ipsec_t)
+kernel_request_load_module(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
@@ -102,8 +133,11 @@ corenet_tcp_sendrecv_all_nodes(ipsec_t)
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_ipsecnat_port(ipsec_t)
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
@@ -111,38 +145,31 @@ dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
+domain_use_interactive_fds(ipsec_t)
+
+files_list_tmp(ipsec_t)
+files_read_etc_files(ipsec_t)
+files_read_usr_files(ipsec_t)
+
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
 term_use_console(ipsec_t)
-term_dontaudit_use_all_user_ttys(ipsec_t)
+term_dontaudit_use_all_ttys(ipsec_t)
 
-corecmd_exec_shell(ipsec_t)
-corecmd_exec_bin(ipsec_t)
-
-domain_use_interactive_fds(ipsec_t)
-
-files_read_etc_files(ipsec_t)
+auth_use_nsswitch(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
-libs_use_ld_so(ipsec_t)
-libs_use_shared_libs(ipsec_t)
-
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
 
-sysnet_read_config(ipsec_t)
+sysnet_domtrans_ifconfig(ipsec_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-
-sysadm_dontaudit_search_home_dirs(ipsec_t)
-
-optional_policy(`
-       nis_use_ypbind(ipsec_t)
-')
+userdom_dontaudit_search_user_home_dirs(ipsec_t)
 
 optional_policy(`
        seutil_sigchld_newrole(ipsec_t)
@@ -157,49 +184,56 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-allow ipsec_mgmt_t self:key_socket { create setopt };
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:key_socket create_socket_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
-files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) 
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 
-manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-read_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
-read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
+read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 
 # logger, running in ipsec_mgmt_t needs to use sockets
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 
-manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
-manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
-files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
+manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 
 # whack needs to connect to pluto
-stream_connect_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
+stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
-domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -213,19 +247,14 @@ kernel_getattr_message_if(ipsec_mgmt_t)
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-dev_read_rand(ipsec_mgmt_t)
-dev_read_urand(ipsec_mgmt_t)
-
-fs_getattr_xattr_fs(ipsec_mgmt_t)
-fs_list_tmpfs(ipsec_mgmt_t)
-
-term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-
 # the default updown script wants to run route
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
+corecmd_exec_shell(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
 
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
@@ -238,15 +267,23 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+files_list_tmp(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
-libs_use_ld_so(ipsec_mgmt_t)
-libs_use_shared_libs(ipsec_mgmt_t)
+logging_send_syslog_msg(ipsec_mgmt_t)
 
 miscfiles_read_localization(ipsec_mgmt_t)
 
@@ -256,7 +293,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t)
 
 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 
-sysadm_use_terms(ipsec_mgmt_t)
+userdom_use_user_terminals(ipsec_mgmt_t)
 
 optional_policy(`
        consoletype_exec(ipsec_mgmt_t)
@@ -283,25 +320,42 @@ allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-allow racoon_t self:key_socket { create read setopt write };
+allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, racoon_exec_t)
+
+can_exec(racoon_t, setkey_exec_t)
 
 # manage pid file
-manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-manage_sock_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
+manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
 
 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
-read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
@@ -314,13 +368,14 @@ domain_ipsec_setcontext_all_domains(racoon_t)
 
 files_read_etc_files(racoon_t)
 
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
-ipsec_setcontext_default_spd(racoon_t)
+auth_use_nsswitch(racoon_t)
 
-libs_use_ld_so(racoon_t)
-libs_use_shared_libs(racoon_t)
+ipsec_setcontext_default_spd(racoon_t)
 
 locallogin_use_fds(racoon_t)
 
@@ -329,18 +384,27 @@ logging_send_audit_msgs(racoon_t)
 
 miscfiles_read_localization(racoon_t)
 
+sysnet_exec_ifconfig(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+       auth_tunable_read_shadow(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy
 #
 
 allow setkey_t self:capability net_admin;
-allow setkey_t self:key_socket { create read setopt write };
+allow setkey_t self:key_socket create_socket_perms;
 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+
+kernel_request_load_module(setkey_t)
 
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
@@ -354,9 +418,8 @@ ipsec_setcontext_default_spd(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
-libs_use_ld_so(setkey_t)
-libs_use_shared_libs(setkey_t)
-
 miscfiles_read_localization(setkey_t)
 
 seutil_read_config(setkey_t)
+
+userdom_use_user_terminals(setkey_t)