selinux-refpolicy/policy/modules/system/ipsec.te

503 lines
15 KiB
Plaintext
Raw Normal View History

2015-12-08 14:53:02 +00:00
policy_module(ipsec, 1.16.0)
2005-07-14 18:15:47 +00:00
########################################
#
# Declarations
#
2009-11-24 19:09:10 +00:00
## <desc>
## <p>
## Allow racoon to read shadow
## </p>
## </desc>
gen_tunable(racoon_read_shadow, false)
2005-07-14 18:15:47 +00:00
type ipsec_t;
type ipsec_exec_t;
2009-06-26 14:40:13 +00:00
init_daemon_domain(ipsec_t, ipsec_exec_t)
2005-07-14 18:15:47 +00:00
role system_r types ipsec_t;
# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t;
2005-08-04 20:54:51 +00:00
files_type(ipsec_conf_file_t)
2005-07-14 18:15:47 +00:00
2009-11-24 19:09:10 +00:00
type ipsec_initrc_exec_t;
init_script_file(ipsec_initrc_exec_t)
2005-07-14 18:15:47 +00:00
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
2005-08-04 20:54:51 +00:00
files_type(ipsec_key_file_t)
2005-07-14 18:15:47 +00:00
2010-03-17 17:52:07 +00:00
type ipsec_log_t;
logging_log_file(ipsec_log_t)
# Default type for IPSEC SPD entries
type ipsec_spd_t;
2011-01-13 17:56:12 +00:00
corenet_spd_type(ipsec_spd_t)
2010-03-17 17:52:07 +00:00
type ipsec_tmp_t;
files_tmp_file(ipsec_tmp_t)
type ipsec_unit_t;
init_unit_file(ipsec_unit_t)
2005-07-14 18:15:47 +00:00
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
2005-08-04 20:54:51 +00:00
type ipsec_mgmt_t;
2005-07-14 18:15:47 +00:00
type ipsec_mgmt_exec_t;
2009-06-26 14:40:13 +00:00
init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
2006-05-01 19:11:54 +00:00
corecmd_shell_entry_type(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
role system_r types ipsec_mgmt_t;
2005-09-15 21:03:29 +00:00
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
2005-07-14 18:15:47 +00:00
type ipsec_mgmt_var_run_t;
files_pid_file(ipsec_mgmt_var_run_t)
2015-10-12 13:30:05 +00:00
type ipsec_supervisor_t;
type ipsec_supervisor_exec_t;
init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
role system_r types ipsec_supervisor_t;
type racoon_t;
type racoon_exec_t;
2009-06-26 14:40:13 +00:00
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;
2009-11-24 19:09:10 +00:00
type racoon_tmp_t;
files_tmp_file(racoon_tmp_t)
type setkey_t;
type setkey_exec_t;
2009-06-26 14:40:13 +00:00
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
2005-07-14 18:15:47 +00:00
########################################
#
# ipsec Local policy
#
allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
2009-11-24 19:09:10 +00:00
allow ipsec_t self:process { getcap setcap getsched signal setsched };
2005-08-04 20:54:51 +00:00
allow ipsec_t self:tcp_socket create_stream_socket_perms;
2009-04-03 14:14:43 +00:00
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file rw_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
2005-07-14 18:15:47 +00:00
2009-11-24 19:09:10 +00:00
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
2006-12-12 20:08:08 +00:00
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
2005-07-14 18:15:47 +00:00
2006-12-12 20:08:08 +00:00
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
2009-11-24 19:09:10 +00:00
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
2009-06-26 14:40:13 +00:00
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
2005-07-14 18:15:47 +00:00
2010-03-17 17:52:07 +00:00
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
2010-03-17 17:52:07 +00:00
manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
2005-07-14 18:15:47 +00:00
can_exec(ipsec_t, ipsec_mgmt_exec_t)
# pluto runs an updown script (by calling popen()!) as this is by default
2005-07-14 18:15:47 +00:00
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
2009-06-26 14:40:13 +00:00
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
allow ipsec_mgmt_t ipsec_t:fd use;
2009-11-24 19:09:10 +00:00
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
2005-07-14 18:15:47 +00:00
kernel_read_kernel_sysctls(ipsec_t)
kernel_rw_net_sysctls(ipsec_t);
2005-07-14 18:15:47 +00:00
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_t)
kernel_read_network_state(ipsec_t)
kernel_read_software_raid_state(ipsec_t)
2009-11-24 19:09:10 +00:00
kernel_request_load_module(ipsec_t)
kernel_getattr_core_if(ipsec_t)
2005-07-14 18:15:47 +00:00
kernel_getattr_message_if(ipsec_t)
corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
2005-08-04 20:54:51 +00:00
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
2005-08-04 20:54:51 +00:00
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
2009-04-03 14:14:43 +00:00
corenet_udp_bind_all_nodes(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
2009-04-03 14:14:43 +00:00
corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
2005-07-14 18:15:47 +00:00
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)
domain_use_interactive_fds(ipsec_t)
2009-11-24 19:09:10 +00:00
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
2009-11-24 19:09:10 +00:00
files_read_usr_files(ipsec_t)
files_dontaudit_search_home(ipsec_t)
2005-07-14 18:15:47 +00:00
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
2005-07-14 18:15:47 +00:00
auth_use_nsswitch(ipsec_t)
2005-07-14 18:15:47 +00:00
init_use_fds(ipsec_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(ipsec_t)
2005-07-14 18:15:47 +00:00
logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
2010-03-17 17:52:07 +00:00
sysnet_domtrans_ifconfig(ipsec_t)
2006-02-20 21:33:25 +00:00
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
2008-11-05 16:10:46 +00:00
userdom_dontaudit_search_user_home_dirs(ipsec_t)
2005-07-14 18:15:47 +00:00
optional_policy(`
2005-07-14 18:15:47 +00:00
seutil_sigchld_newrole(ipsec_t)
')
optional_policy(`
2005-07-14 18:15:47 +00:00
udev_read_db(ipsec_t)
')
########################################
#
# ipsec_mgmt Local policy
#
2010-03-17 17:52:07 +00:00
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
2005-07-14 18:15:47 +00:00
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
2009-04-03 14:14:43 +00:00
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
2005-07-14 18:15:47 +00:00
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
2009-04-03 14:14:43 +00:00
allow ipsec_mgmt_t self:key_socket create_socket_perms;
2009-11-24 19:09:10 +00:00
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
2005-07-14 18:15:47 +00:00
2015-10-12 13:30:05 +00:00
domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
2006-12-12 20:08:08 +00:00
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
2009-06-26 14:40:13 +00:00
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
2005-09-15 21:03:29 +00:00
2015-10-12 13:30:05 +00:00
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
2010-03-17 17:52:07 +00:00
manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
2010-03-17 17:52:07 +00:00
2006-12-12 20:08:08 +00:00
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
2009-06-26 14:40:13 +00:00
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
2015-10-12 13:30:05 +00:00
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
2005-07-14 18:15:47 +00:00
2006-12-12 20:08:08 +00:00
allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
2009-06-26 14:40:13 +00:00
files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
2005-07-14 18:15:47 +00:00
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
# whack needs to connect to pluto
2009-06-26 14:40:13 +00:00
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
2005-07-14 18:15:47 +00:00
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
2015-10-12 13:30:05 +00:00
allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
2005-07-14 18:15:47 +00:00
kernel_rw_net_sysctls(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
# allow pluto to access /proc/net/ipsec_eroute;
kernel_read_system_state(ipsec_mgmt_t)
kernel_read_network_state(ipsec_mgmt_t)
kernel_read_software_raid_state(ipsec_mgmt_t)
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
kernel_getattr_message_if(ipsec_mgmt_t)
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
# the default updown script wants to run route
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
corecmd_exec_bin(ipsec_mgmt_t)
2009-04-03 14:14:43 +00:00
corecmd_exec_shell(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
2006-02-20 21:33:25 +00:00
domain_use_interactive_fds(ipsec_mgmt_t)
2005-07-18 18:31:49 +00:00
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
2005-07-18 18:31:49 +00:00
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
2010-03-17 17:52:07 +00:00
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
2010-03-17 17:52:07 +00:00
files_list_tmp(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
auth_dontaudit_read_login_records(ipsec_mgmt_t)
init_read_utmp(ipsec_mgmt_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(ipsec_mgmt_t)
2006-02-06 15:40:41 +00:00
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
2010-03-17 17:52:07 +00:00
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
2005-07-14 18:15:47 +00:00
2009-04-03 14:14:43 +00:00
logging_send_syslog_msg(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
miscfiles_read_localization(ipsec_mgmt_t)
seutil_dontaudit_search_config(ipsec_mgmt_t)
sysnet_manage_config(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(ipsec_mgmt_t)
2005-07-14 18:15:47 +00:00
optional_policy(`
2005-07-14 18:15:47 +00:00
consoletype_exec(ipsec_mgmt_t)
')
optional_policy(`
hostname_exec(ipsec_mgmt_t)
')
optional_policy(`
dbus_system_bus_client(ipsec_mgmt_t)
dbus_connect_system_bus(ipsec_mgmt_t)
optional_policy(`
networkmanager_dbus_chat(ipsec_mgmt_t)
')
')
optional_policy(`
iptables_domtrans(ipsec_mgmt_t)
')
optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
optional_policy(`
nscd_use(ipsec_mgmt_t)
2005-07-18 18:31:49 +00:00
')
2005-07-14 18:15:47 +00:00
########################################
#
# Racoon local policy
#
allow racoon_t self:capability { net_admin net_bind_service };
allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
2009-04-03 14:14:43 +00:00
allow racoon_t self:key_socket create_socket_perms;
2009-11-24 19:09:10 +00:00
allow racoon_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
can_exec(racoon_t, racoon_exec_t)
can_exec(racoon_t, setkey_exec_t)
# manage pid file
2009-06-26 14:40:13 +00:00
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
allow racoon_t ipsec_key_file_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
2008-02-18 18:44:40 +00:00
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
2010-03-17 17:52:07 +00:00
kernel_request_load_module(racoon_t)
2009-11-24 19:09:10 +00:00
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
2009-04-03 14:14:43 +00:00
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
corenet_tcp_sendrecv_all_nodes(racoon_t)
corenet_udp_sendrecv_all_nodes(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
2008-02-18 18:44:40 +00:00
corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
2008-02-18 18:44:40 +00:00
corenet_udp_bind_ipsecnat_port(racoon_t)
dev_read_urand(racoon_t)
# allow racoon to set contexts on ipsec policy and SAs
domain_ipsec_setcontext_all_domains(racoon_t)
files_read_etc_files(racoon_t)
2009-11-24 19:09:10 +00:00
fs_dontaudit_getattr_xattr_fs(racoon_t)
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
2009-04-03 14:14:43 +00:00
auth_use_nsswitch(racoon_t)
ipsec_setcontext_default_spd(racoon_t)
locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
2007-10-11 18:12:29 +00:00
logging_send_audit_msgs(racoon_t)
miscfiles_read_localization(racoon_t)
2009-11-24 19:09:10 +00:00
sysnet_exec_ifconfig(racoon_t)
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
')
########################################
#
# Setkey local policy
#
allow setkey_t self:capability net_admin;
2009-04-03 14:14:43 +00:00
allow setkey_t self:key_socket create_socket_perms;
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
2010-03-17 17:52:07 +00:00
kernel_request_load_module(setkey_t)
# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
2011-01-13 17:56:12 +00:00
corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(setkey_t)
hadoop: labeled ipsec On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote: > On 12/16/10 12:32, Paul Nuzzi wrote: >> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote: >>> On 12/10/10 18:22, Paul Nuzzi wrote: >>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to >>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces >>>> the architecture of Hadoop without having to modify any of the code. This adds a level of >>>> confidentiality, integrity, and authentication provided outside the software stack. >>> >>> A few things. >>> >>> The verb used in Reference Policy interfaces for peer recv is recvfrom >>> (a holdover from previous labeled networking implementations). So the >>> interfaces are like hadoop_recvfrom_datanode(). >> >> Easy change. >> >>> It seems like setkey should be able to setcontext any type used on ipsec >>> associations. I think the best thing would be to add additional support >>> to either the ipsec or corenetwork modules (I haven't decided which one >>> yet) for associations. So, say we have an interface called >>> ipsec_spd_type() which adds the parameter type to the attribute >>> ipsec_spd_types. Then we can have an allow setkey_t >>> ipsec_spd_types:association setkey; rule and we don't have to update it >>> every time more labeled network is added. >> >> That seems a lot less clunky than updating setkey every time we add a new association. >> >>> This is definitely wrong since its not a file: >>> +files_type(hadoop_lan_t) >> >> Let me know how you would like to handle associations and I could update the >> patch. > > Lets go with putting the associations in corenetwork. > >> Will the files_type error be cleared up when we re-engineer this? > > I'm not sure what you mean. The incorrect rule was added in your patch. > Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services. Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-06 16:33:39 +00:00
########################################
#
# ipsec_supervisor policy
#
allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
allow ipsec_supervisor_t self:process { signal };
allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
allow ipsec_supervisor_t ipsec_t:process { signal };
allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
kernel_read_network_state(ipsec_supervisor_t)
kernel_read_system_state(ipsec_supervisor_t)
kernel_rw_net_sysctls(ipsec_supervisor_t);
corecmd_exec_bin(ipsec_supervisor_t);
corecmd_exec_shell(ipsec_supervisor_t)
dev_read_rand(ipsec_supervisor_t);
dev_read_urand(ipsec_supervisor_t);
files_read_etc_files(ipsec_supervisor_t);
logging_send_syslog_msg(ipsec_supervisor_t);
miscfiles_read_localization(ipsec_supervisor_t);
optional_policy(`
modutils_domtrans_insmod(ipsec_supervisor_t)
')