Ipsec patch from Dan Walsh.
This commit is contained in:
Chris PeBenito
parent
d13c6758a4
commit
90e65feca5
|
|
@ -35,8 +35,9 @@
|
|||
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
|
||||
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
|
||||
|
||||
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
|
||||
|
||||
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
||||
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
||||
/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -37,6 +37,25 @@ interface(`ipsec_stream_connect',`
|
|||
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to racoon using a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipsec_stream_connect_racoon',`
|
||||
gen_require(`
|
||||
type racoon_t, ipsec_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of an IPSEC key socket.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ipsec, 1.10.1)
|
||||
policy_module(ipsec, 1.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -29,9 +29,15 @@ init_script_file(ipsec_initrc_exec_t)
|
|||
type ipsec_key_file_t;
|
||||
files_type(ipsec_key_file_t)
|
||||
|
||||
type ipsec_log_t;
|
||||
logging_log_file(ipsec_log_t)
|
||||
|
||||
# Default type for IPSEC SPD entries
|
||||
type ipsec_spd_t;
|
||||
|
||||
type ipsec_tmp_t;
|
||||
files_tmp_file(ipsec_tmp_t)
|
||||
|
||||
# type for runtime files, including pluto.ctl
|
||||
type ipsec_var_run_t;
|
||||
files_pid_file(ipsec_var_run_t)
|
||||
|
|
@ -66,7 +72,7 @@ role system_r types setkey_t;
|
|||
# ipsec Local policy
|
||||
#
|
||||
|
||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
|
||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
|
||||
dontaudit ipsec_t self:capability sys_tty_config;
|
||||
allow ipsec_t self:process { getcap setcap getsched signal setsched };
|
||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
@ -85,6 +91,10 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
|||
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||
|
||||
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
|
||||
|
||||
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
|
||||
|
|
@ -98,6 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
|||
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||
dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||
allow ipsec_mgmt_t ipsec_t:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctls(ipsec_t)
|
||||
|
|
@ -155,6 +166,8 @@ logging_send_syslog_msg(ipsec_t)
|
|||
|
||||
miscfiles_read_localization(ipsec_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(ipsec_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
|
||||
userdom_dontaudit_search_user_home_dirs(ipsec_t)
|
||||
|
||||
|
|
@ -171,8 +184,9 @@ optional_policy(`
|
|||
# ipsec_mgmt Local policy
|
||||
#
|
||||
|
||||
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
|
||||
allow ipsec_mgmt_t self:process { signal setrlimit };
|
||||
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
|
||||
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
|
||||
allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
|
||||
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -182,6 +196,13 @@ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
|
|||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
|
||||
|
||||
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
|
||||
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
||||
|
||||
|
|
@ -209,7 +230,6 @@ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
|
|||
# whack needs to connect to pluto
|
||||
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
|
||||
|
||||
can_exec(ipsec_mgmt_t, ipsec_exec_t)
|
||||
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
||||
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
|
||||
|
||||
|
|
@ -247,8 +267,10 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
|||
files_read_etc_files(ipsec_mgmt_t)
|
||||
files_exec_etc_files(ipsec_mgmt_t)
|
||||
files_read_etc_runtime_files(ipsec_mgmt_t)
|
||||
files_read_usr_files(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||
files_list_tmp(ipsec_mgmt_t)
|
||||
|
||||
fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
fs_list_tmpfs(ipsec_mgmt_t)
|
||||
|
|
@ -259,6 +281,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
|
|||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
||||
|
||||
logging_send_syslog_msg(ipsec_mgmt_t)
|
||||
|
||||
|
|
@ -323,6 +346,7 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
|
|||
|
||||
kernel_read_system_state(racoon_t)
|
||||
kernel_read_network_state(racoon_t)
|
||||
kernel_request_load_module(racoon_t)
|
||||
|
||||
corecmd_exec_shell(racoon_t)
|
||||
corecmd_exec_bin(racoon_t)
|
||||
|
|
@ -380,6 +404,8 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
|||
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||
|
||||
kernel_request_load_module(setkey_t)
|
||||
|
||||
# allow setkey utility to set contexts on SA's and policy
|
||||
domain_ipsec_setcontext_all_domains(setkey_t)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue