policy_module(ipsec, 1.21.2) ######################################## # # Declarations # ## ##

## Allow racoon to read shadow ##

##
gen_tunable(racoon_read_shadow, false) type ipsec_t; type ipsec_exec_t; init_daemon_domain(ipsec_t, ipsec_exec_t) role system_r types ipsec_t; # type for ipsec configuration file(s) - not for keys type ipsec_conf_file_t; files_type(ipsec_conf_file_t) type ipsec_initrc_exec_t; init_script_file(ipsec_initrc_exec_t) # type for file(s) containing ipsec keys - RSA or preshared type ipsec_key_file_t; files_type(ipsec_key_file_t) type ipsec_log_t; logging_log_file(ipsec_log_t) # type for runtime files, including pluto.ctl type ipsec_runtime_t alias ipsec_var_run_t; files_pid_file(ipsec_runtime_t) # Default type for IPSEC SPD entries type ipsec_spd_t; corenet_spd_type(ipsec_spd_t) type ipsec_tmp_t; files_tmp_file(ipsec_tmp_t) type ipsec_unit_t; init_unit_file(ipsec_unit_t) type ipsec_mgmt_t; type ipsec_mgmt_exec_t; init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) corecmd_shell_entry_type(ipsec_mgmt_t) role system_r types ipsec_mgmt_t; type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) type ipsec_mgmt_runtime_t alias ipsec_mgmt_var_run_t; files_pid_file(ipsec_mgmt_runtime_t) type ipsec_supervisor_t; type ipsec_supervisor_exec_t; init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t) role system_r types ipsec_supervisor_t; type racoon_t; type racoon_exec_t; init_daemon_domain(racoon_t, racoon_exec_t) role system_r types racoon_t; type racoon_tmp_t; files_tmp_file(racoon_tmp_t) type setkey_t; type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; ######################################## # # ipsec Local policy # allow ipsec_t self:capability { chown dac_override dac_read_search net_admin setgid setpcap setuid sys_nice }; dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file rw_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) allow ipsec_t ipsec_key_file_t:dir list_dir_perms; manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) manage_dirs_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) manage_files_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) manage_sock_files_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) files_pid_filetrans(ipsec_t, ipsec_runtime_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) # pluto runs an updown script (by calling popen()!) as this is by default # a shell script, we need to find a way to make things work without # letting all sorts of stuff possibly be run... # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) kernel_rw_net_sysctls(ipsec_t) kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; kernel_read_system_state(ipsec_t) kernel_read_network_state(ipsec_t) kernel_read_software_raid_state(ipsec_t) kernel_request_load_module(ipsec_t) kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access corenet_all_recvfrom_unlabeled(ipsec_t) corenet_tcp_sendrecv_all_if(ipsec_t) corenet_raw_sendrecv_all_if(ipsec_t) corenet_tcp_sendrecv_all_nodes(ipsec_t) corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t) corenet_udp_bind_all_nodes(ipsec_t) corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) # allow pluto to build Security Association Database corenet_setcontext_all_spds(ipsec_t) dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) dev_read_urand(ipsec_t) domain_use_interactive_fds(ipsec_t) # allow pluto to set contexts on ipsec policy and SAs domain_ipsec_setcontext_all_domains(ipsec_t) files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) files_read_usr_files(ipsec_t) files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) logging_send_syslog_msg(ipsec_t) miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) optional_policy(` seutil_sigchld_newrole(ipsec_t) ') optional_policy(` udev_read_db(ipsec_t) ') ######################################## # # ipsec_mgmt Local policy # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) allow ipsec_mgmt_t ipsec_mgmt_runtime_t:file manage_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t) files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_runtime_t, file) allow ipsec_mgmt_t ipsec_runtime_t:sock_file manage_sock_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_runtime_t, sock_file) # logger, running in ipsec_mgmt_t needs to use sockets allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t, ipsec_t) can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t) allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute; kernel_read_system_state(ipsec_mgmt_t) kernel_read_network_state(ipsec_mgmt_t) kernel_read_software_raid_state(ipsec_mgmt_t) kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) # the default updown script wants to run route # the ipsec wrapper wants to run /usr/bin/logger (should we put # it in its own domain?) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) files_list_tmp(ipsec_mgmt_t) fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) auth_dontaudit_read_login_records(ipsec_mgmt_t) init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) miscfiles_read_localization(ipsec_mgmt_t) seutil_dontaudit_search_config(ipsec_mgmt_t) sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) userdom_use_user_terminals(ipsec_mgmt_t) optional_policy(` consoletype_exec(ipsec_mgmt_t) ') optional_policy(` hostname_exec(ipsec_mgmt_t) ') optional_policy(` dbus_system_bus_client(ipsec_mgmt_t) dbus_connect_system_bus(ipsec_mgmt_t) optional_policy(` networkmanager_dbus_chat(ipsec_mgmt_t) ') ') optional_policy(` iptables_domtrans(ipsec_mgmt_t) ') optional_policy(` modutils_domtrans(ipsec_mgmt_t) ') optional_policy(` nscd_use(ipsec_mgmt_t) ') ######################################## # # Racoon local policy # allow racoon_t self:capability { net_admin net_bind_service }; allow racoon_t self:netlink_route_socket create_netlink_socket_perms; allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; allow racoon_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) can_exec(racoon_t, racoon_exec_t) can_exec(racoon_t, setkey_exec_t) # manage pid file manage_files_pattern(racoon_t, ipsec_runtime_t, ipsec_runtime_t) manage_sock_files_pattern(racoon_t, ipsec_runtime_t, ipsec_runtime_t) files_pid_filetrans(racoon_t, ipsec_runtime_t, file) allow racoon_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) allow racoon_t ipsec_key_file_t:dir list_dir_perms; read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t) corenet_tcp_sendrecv_all_nodes(racoon_t) corenet_udp_sendrecv_all_nodes(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) # allow racoon to set contexts on ipsec policy and SAs domain_ipsec_setcontext_all_domains(racoon_t) files_read_etc_files(racoon_t) fs_dontaudit_getattr_xattr_fs(racoon_t) # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) auth_use_nsswitch(racoon_t) ipsec_setcontext_default_spd(racoon_t) locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) ') ######################################## # # Setkey local policy # allow setkey_t self:capability net_admin; allow setkey_t self:key_socket create_socket_perms; allow setkey_t self:netlink_route_socket create_netlink_socket_perms; allow setkey_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) kernel_request_load_module(setkey_t) # allow setkey utility to set contexts on SA's and policy domain_ipsec_setcontext_all_domains(setkey_t) files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) init_read_script_tmp_files(setkey_t) # allow setkey to set the context for ipsec SAs and policy. corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) ######################################## # # ipsec_supervisor policy # allow ipsec_supervisor_t self:capability { dac_override dac_read_search kill net_admin }; allow ipsec_supervisor_t self:process { signal signull }; allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms; allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms; allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t) manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t) allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto }; allow ipsec_supervisor_t ipsec_t:process { signal signull }; allow ipsec_supervisor_t ipsec_runtime_t:sock_file { rw_sock_file_perms unlink }; manage_dirs_pattern(ipsec_supervisor_t, ipsec_runtime_t, ipsec_runtime_t) manage_files_pattern(ipsec_supervisor_t, ipsec_runtime_t, ipsec_runtime_t) files_pid_filetrans(ipsec_supervisor_t, ipsec_runtime_t, { dir file sock_file }) domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t) kernel_read_network_state(ipsec_supervisor_t) kernel_read_system_state(ipsec_supervisor_t) kernel_rw_net_sysctls(ipsec_supervisor_t) corecmd_exec_bin(ipsec_supervisor_t) corecmd_exec_shell(ipsec_supervisor_t) dev_read_rand(ipsec_supervisor_t) dev_read_urand(ipsec_supervisor_t) files_read_etc_files(ipsec_supervisor_t) logging_send_syslog_msg(ipsec_supervisor_t) miscfiles_read_localization(ipsec_supervisor_t) optional_policy(` modutils_domtrans(ipsec_supervisor_t) ')