571 lines
17 KiB
Text
571 lines
17 KiB
Text
policy_module(ipsec, 1.14.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow racoon to read shadow
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(racoon_read_shadow, false)
|
|
|
|
type ipsec_t;
|
|
type ipsec_exec_t;
|
|
init_daemon_domain(ipsec_t, ipsec_exec_t)
|
|
role system_r types ipsec_t;
|
|
|
|
# type for ipsec configuration file(s) - not for keys
|
|
type ipsec_conf_file_t;
|
|
files_type(ipsec_conf_file_t)
|
|
|
|
type ipsec_initrc_exec_t;
|
|
init_script_file(ipsec_initrc_exec_t)
|
|
|
|
# type for file(s) containing ipsec keys - RSA or preshared
|
|
type ipsec_key_file_t;
|
|
files_type(ipsec_key_file_t)
|
|
|
|
type ipsec_log_t;
|
|
logging_log_file(ipsec_log_t)
|
|
|
|
# Default type for IPSEC SPD entries
|
|
type ipsec_spd_t;
|
|
corenet_spd_type(ipsec_spd_t)
|
|
|
|
type ipsec_tmp_t;
|
|
files_tmp_file(ipsec_tmp_t)
|
|
|
|
# type for runtime files, including pluto.ctl
|
|
type ipsec_var_run_t;
|
|
files_pid_file(ipsec_var_run_t)
|
|
|
|
type ipsec_mgmt_t;
|
|
type ipsec_mgmt_exec_t;
|
|
init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
|
corecmd_shell_entry_type(ipsec_mgmt_t)
|
|
role system_r types ipsec_mgmt_t;
|
|
|
|
type ipsec_mgmt_unit_file_t;
|
|
systemd_unit_file(ipsec_mgmt_unit_file_t)
|
|
|
|
type ipsec_mgmt_lock_t;
|
|
files_lock_file(ipsec_mgmt_lock_t)
|
|
|
|
type ipsec_mgmt_var_run_t;
|
|
files_pid_file(ipsec_mgmt_var_run_t)
|
|
|
|
type racoon_t;
|
|
type racoon_exec_t;
|
|
init_daemon_domain(racoon_t, racoon_exec_t)
|
|
role system_r types racoon_t;
|
|
|
|
type racoon_tmp_t;
|
|
files_tmp_file(racoon_tmp_t)
|
|
|
|
type setkey_t;
|
|
type setkey_exec_t;
|
|
init_system_domain(setkey_t, setkey_exec_t)
|
|
role system_r types setkey_t;
|
|
|
|
# The NetworkManager helper communicates the password via PTY
|
|
type ipsec_mgmt_devpts_t;
|
|
term_pty(ipsec_mgmt_devpts_t)
|
|
files_type(ipsec_mgmt_devpts_t)
|
|
|
|
########################################
|
|
#
|
|
# ipsec Local policy
|
|
#
|
|
|
|
allow ipsec_t self:capability { chown net_admin dac_read_search dac_override setpcap sys_admin sys_nice net_raw setuid setgid };
|
|
dontaudit ipsec_t self:capability sys_tty_config;
|
|
allow ipsec_t self:capability2 bpf;
|
|
allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
|
|
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
|
allow ipsec_t self:udp_socket create_socket_perms;
|
|
allow ipsec_t self:packet_socket create_socket_perms;
|
|
allow ipsec_t self:key_socket create_socket_perms;
|
|
allow ipsec_t self:fifo_file read_fifo_file_perms;
|
|
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
|
|
allow ipsec_t self:netlink_selinux_socket create_socket_perms;
|
|
allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
|
|
allow ipsec_t self:tun_socket create_socket_perms;
|
|
|
|
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
|
|
|
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
|
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
|
|
allow ipsec_t ipsec_conf_file_t:file map;
|
|
|
|
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
|
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
allow ipsec_t ipsec_key_file_t:file map;
|
|
|
|
manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)
|
|
logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")
|
|
|
|
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
|
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
|
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
|
|
allow ipsec_t ipsec_tmp_t:file { execute map };
|
|
|
|
manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
|
|
allow ipsec_t ipsec_var_run_t:file { map };
|
|
|
|
stream_connect_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_mgmt_t)
|
|
|
|
can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
|
can_exec(ipsec_t, ipsec_exec_t)
|
|
|
|
# pluto runs an updown script (by calling popen()!) as this is by default
|
|
# a shell script, we need to find a way to make things work without
|
|
# letting all sorts of stuff possibly be run...
|
|
# so try flipping back into the ipsec_mgmt_t domain
|
|
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
|
allow ipsec_t ipsec_mgmt_t:process2 nnp_transition;
|
|
|
|
allow ipsec_mgmt_t self:tun_socket create_socket_perms;
|
|
allow ipsec_mgmt_t ipsec_t:fd use;
|
|
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
|
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
|
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull };
|
|
|
|
kernel_read_kernel_sysctls(ipsec_t)
|
|
kernel_rw_net_sysctls(ipsec_t)
|
|
kernel_read_fs_sysctls(ipsec_t)
|
|
kernel_list_proc(ipsec_t)
|
|
kernel_read_proc_symlinks(ipsec_t)
|
|
# allow pluto to access /proc/net/ipsec_eroute;
|
|
kernel_read_system_state(ipsec_t)
|
|
kernel_read_network_state(ipsec_t)
|
|
kernel_read_software_raid_state(ipsec_t)
|
|
kernel_request_load_module(ipsec_t)
|
|
kernel_getattr_core_if(ipsec_t)
|
|
kernel_getattr_message_if(ipsec_t)
|
|
|
|
corecmd_exec_shell(ipsec_t)
|
|
corecmd_exec_bin(ipsec_t)
|
|
|
|
# Pluto needs network access
|
|
corenet_tcp_sendrecv_generic_if(ipsec_t)
|
|
corenet_raw_sendrecv_generic_if(ipsec_t)
|
|
corenet_tcp_sendrecv_generic_node(ipsec_t)
|
|
corenet_raw_sendrecv_generic_node(ipsec_t)
|
|
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
|
corenet_tcp_bind_generic_node(ipsec_t)
|
|
corenet_udp_bind_generic_node(ipsec_t)
|
|
corenet_tcp_bind_reserved_port(ipsec_t)
|
|
corenet_tcp_bind_isakmp_port(ipsec_t)
|
|
corenet_udp_bind_isakmp_port(ipsec_t)
|
|
corenet_tcp_bind_ipsecnat_port(ipsec_t)
|
|
corenet_udp_bind_ipsecnat_port(ipsec_t)
|
|
corenet_udp_bind_dhcpc_port(ipsec_t)
|
|
corenet_sendrecv_generic_server_packets(ipsec_t)
|
|
corenet_sendrecv_isakmp_server_packets(ipsec_t)
|
|
corenet_tcp_connect_http_port(ipsec_t)
|
|
corenet_tcp_connect_ipsecnat_port(ipsec_t)
|
|
corenet_tcp_connect_ldap_port(ipsec_t)
|
|
|
|
corenet_rw_tun_tap_dev(ipsec_t)
|
|
|
|
dev_read_sysfs(ipsec_t)
|
|
dev_read_rand(ipsec_t)
|
|
dev_read_tpm(ipsec_t)
|
|
dev_read_urand(ipsec_t)
|
|
|
|
domain_use_interactive_fds(ipsec_t)
|
|
|
|
files_list_tmp(ipsec_t)
|
|
files_read_etc_files(ipsec_t)
|
|
files_read_usr_files(ipsec_t)
|
|
files_dontaudit_search_home(ipsec_t)
|
|
files_dontaudit_write_all_files(ipsec_t)
|
|
|
|
fs_getattr_all_fs(ipsec_t)
|
|
fs_read_nsfs_files(ipsec_mgmt_t)
|
|
fs_search_auto_mountpoints(ipsec_t)
|
|
|
|
selinux_compute_access_vector(ipsec_t)
|
|
|
|
term_use_console(ipsec_t)
|
|
term_dontaudit_use_all_ttys(ipsec_t)
|
|
|
|
auth_use_pam(ipsec_t)
|
|
auth_use_nsswitch(ipsec_t)
|
|
auth_read_home_content(ipsec_t)
|
|
|
|
init_use_fds(ipsec_t)
|
|
init_use_script_ptys(ipsec_t)
|
|
|
|
ipsec_setcontext_default_spd(ipsec_t)
|
|
|
|
logging_send_audit_msgs(ipsec_t)
|
|
logging_send_syslog_msg(ipsec_t)
|
|
|
|
miscfiles_map_generic_certs(ipsec_t)
|
|
|
|
sysnet_domtrans_ifconfig(ipsec_t)
|
|
sysnet_exec_ifconfig(ipsec_t)
|
|
sysnet_nnp_domtrans_ifconfig(ipsec_t)
|
|
sysnet_manage_config(ipsec_t)
|
|
sysnet_etc_filetrans_config(ipsec_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
|
|
userdom_dontaudit_search_user_home_dirs(ipsec_t)
|
|
userdom_read_home_certs(ipsec_t)
|
|
|
|
optional_policy(`
|
|
bind_rw_cache(ipsec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(ipsec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
l2tpd_read_pid_files(ipsec_t)
|
|
l2tpd_rw_pipes(ipsec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ipsec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(ipsec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(ipsec_t)
|
|
dbus_connect_system_bus(ipsec_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(ipsec_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
pkcs_tmpfs_named_filetrans(ipsec_t)
|
|
pkcs_use_opencryptoki(ipsec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ipsec_mgmt Local policy
|
|
#
|
|
|
|
allow ipsec_mgmt_t self:capability { dac_read_search dac_override net_admin net_raw setpcap sys_nice sys_ptrace };
|
|
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
|
|
allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
|
|
allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
|
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
|
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
|
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
|
|
allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
|
|
allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
|
|
allow ipsec_mgmt_t self:packet_socket create_socket_perms;
|
|
|
|
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
|
|
|
manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
|
|
manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
|
|
files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
|
|
|
|
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
|
|
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
|
|
|
|
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file { map manage_file_perms };
|
|
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
|
|
filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
|
|
|
|
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
|
|
allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
|
|
files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })
|
|
|
|
# _realsetup needs to be able to cat /var/run/pluto.pid,
|
|
# run ps on that pid, and delete the file
|
|
read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
|
|
read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
|
|
|
|
# logger, running in ipsec_mgmt_t needs to use sockets
|
|
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
|
|
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
|
|
|
|
allow ipsec_mgmt_t ipsec_t:process { signal };
|
|
|
|
allow ipsec_mgmt_t ipsec_conf_file_t:dir list_dir_perms;
|
|
allow ipsec_mgmt_t ipsec_conf_file_t:file { map read_file_perms };
|
|
|
|
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
allow ipsec_mgmt_t ipsec_key_file_t:file map;
|
|
|
|
# whack needs to connect to pluto
|
|
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
|
|
|
|
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
|
|
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
|
|
|
|
domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
|
|
|
|
kernel_rw_net_sysctls(ipsec_mgmt_t)
|
|
# allow pluto to access /proc/net/ipsec_eroute;
|
|
kernel_read_system_state(ipsec_mgmt_t)
|
|
kernel_read_network_state(ipsec_mgmt_t)
|
|
kernel_read_software_raid_state(ipsec_mgmt_t)
|
|
kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
|
kernel_getattr_core_if(ipsec_mgmt_t)
|
|
kernel_getattr_message_if(ipsec_mgmt_t)
|
|
|
|
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
|
|
kernel_dontaudit_request_load_module(ipsec_mgmt_t)
|
|
|
|
corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
|
|
corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
|
|
corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
|
|
corenet_rw_tun_tap_dev(ipsec_mgmt_t)
|
|
|
|
domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
|
|
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
|
|
|
|
dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
|
|
dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
|
|
|
|
dev_read_sysfs(ipsec_mgmt_t)
|
|
|
|
files_dontaudit_getattr_all_files(ipsec_mgmt_t)
|
|
files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
|
|
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
|
files_getattr_kernel_modules(ipsec_mgmt_t)
|
|
|
|
# the default updown script wants to run route
|
|
# the ipsec wrapper wants to run /usr/bin/logger (should we put
|
|
# it in its own domain?)
|
|
corecmd_exec_bin(ipsec_mgmt_t)
|
|
corecmd_exec_shell(ipsec_mgmt_t)
|
|
|
|
corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
|
|
|
|
dev_read_rand(ipsec_mgmt_t)
|
|
dev_read_urand(ipsec_mgmt_t)
|
|
|
|
domain_use_interactive_fds(ipsec_mgmt_t)
|
|
# denials when ps tries to search /proc. Do not audit these denials.
|
|
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
|
|
# suppress audit messages about unnecessary socket access
|
|
# cjp: this seems excessive
|
|
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
|
|
domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
|
|
|
|
files_read_etc_files(ipsec_mgmt_t)
|
|
files_exec_etc_files(ipsec_mgmt_t)
|
|
files_read_etc_runtime_files(ipsec_mgmt_t)
|
|
files_list_kernel_modules(ipsec_mgmt_t)
|
|
files_read_usr_files(ipsec_mgmt_t)
|
|
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
|
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
|
files_dontaudit_write_all_mountpoints(ipsec_mgmt_t)
|
|
files_list_tmp(ipsec_mgmt_t)
|
|
|
|
fs_getattr_xattr_fs(ipsec_mgmt_t)
|
|
fs_list_tmpfs(ipsec_mgmt_t)
|
|
fs_dontaudit_write_configfs_dirs(ipsec_mgmt_t)
|
|
|
|
term_use_console(ipsec_mgmt_t)
|
|
term_use_all_inherited_terms(ipsec_mgmt_t)
|
|
|
|
auth_dontaudit_read_login_records(ipsec_mgmt_t)
|
|
auth_use_nsswitch(ipsec_mgmt_t)
|
|
|
|
init_read_utmp(ipsec_mgmt_t)
|
|
init_use_script_ptys(ipsec_mgmt_t)
|
|
init_exec_script_files(ipsec_mgmt_t)
|
|
init_use_fds(ipsec_mgmt_t)
|
|
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
|
|
|
|
ipsec_mgmt_systemctl(ipsec_mgmt_t)
|
|
|
|
logging_read_all_logs(ipsec_mgmt_t)
|
|
logging_send_syslog_msg(ipsec_mgmt_t)
|
|
|
|
sysnet_manage_config(ipsec_mgmt_t)
|
|
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
|
|
sysnet_etc_filetrans_config(ipsec_mgmt_t)
|
|
sysnet_exec_ifconfig(ipsec_mgmt_t)
|
|
sysnet_nnp_domtrans_ifconfig(ipsec_mgmt_t)
|
|
|
|
systemd_exec_systemctl(ipsec_mgmt_t)
|
|
|
|
userdom_use_inherited_user_terminals(ipsec_mgmt_t)
|
|
|
|
allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms;
|
|
term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)
|
|
|
|
optional_policy(`
|
|
bind_domtrans(ipsec_mgmt_t)
|
|
bind_read_dnssec_keys(ipsec_mgmt_t)
|
|
bind_read_config(ipsec_mgmt_t)
|
|
bind_read_state(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_exec(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(ipsec_mgmt_t)
|
|
dbus_connect_system_bus(ipsec_mgmt_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(ipsec_mgmt_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
l2tpd_read_pid_files(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
modutils_domtrans_kmod(ipsec_mgmt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_use(ipsec_mgmt_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Racoon local policy
|
|
#
|
|
|
|
allow racoon_t self:capability { net_admin net_bind_service };
|
|
allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
|
|
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
|
allow racoon_t self:netlink_selinux_socket { bind create read };
|
|
allow racoon_t self:udp_socket create_socket_perms;
|
|
allow racoon_t self:key_socket create_socket_perms;
|
|
allow racoon_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
|
|
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
|
|
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
|
|
|
|
can_exec(racoon_t, racoon_exec_t)
|
|
|
|
can_exec(racoon_t, setkey_exec_t)
|
|
|
|
# manage pid file
|
|
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
|
|
files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
|
|
|
|
allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
|
|
read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
|
|
allow racoon_t ipsec_key_file_t:dir list_dir_perms;
|
|
read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
|
|
|
|
kernel_read_system_state(racoon_t)
|
|
kernel_read_network_state(racoon_t)
|
|
kernel_request_load_module(racoon_t)
|
|
|
|
corecmd_exec_shell(racoon_t)
|
|
corecmd_exec_bin(racoon_t)
|
|
|
|
corenet_tcp_sendrecv_generic_if(racoon_t)
|
|
corenet_udp_sendrecv_generic_if(racoon_t)
|
|
corenet_tcp_sendrecv_generic_node(racoon_t)
|
|
corenet_udp_sendrecv_generic_node(racoon_t)
|
|
corenet_tcp_bind_generic_node(racoon_t)
|
|
corenet_udp_bind_generic_node(racoon_t)
|
|
corenet_udp_bind_isakmp_port(racoon_t)
|
|
corenet_udp_bind_ipsecnat_port(racoon_t)
|
|
|
|
dev_read_urand(racoon_t)
|
|
|
|
# allow racoon to set contexts on ipsec policy and SAs
|
|
domain_ipsec_setcontext_all_domains(racoon_t)
|
|
|
|
files_read_etc_files(racoon_t)
|
|
|
|
fs_dontaudit_getattr_xattr_fs(racoon_t)
|
|
|
|
# allow racoon to use avc_has_perm to check context on proposed SA
|
|
selinux_compute_access_vector(racoon_t)
|
|
|
|
auth_use_nsswitch(racoon_t)
|
|
|
|
ipsec_setcontext_default_spd(racoon_t)
|
|
|
|
locallogin_use_fds(racoon_t)
|
|
|
|
logging_send_syslog_msg(racoon_t)
|
|
logging_send_audit_msgs(racoon_t)
|
|
|
|
sysnet_exec_ifconfig(racoon_t)
|
|
|
|
auth_use_pam(racoon_t)
|
|
|
|
auth_can_read_shadow_passwords(racoon_t)
|
|
tunable_policy(`racoon_read_shadow',`
|
|
auth_tunable_read_shadow(racoon_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Setkey local policy
|
|
#
|
|
|
|
allow setkey_t self:capability net_admin;
|
|
allow setkey_t self:key_socket create_socket_perms;
|
|
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
|
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
|
|
|
kernel_request_load_module(setkey_t)
|
|
|
|
# allow setkey utility to set contexts on SA's and policy
|
|
domain_ipsec_setcontext_all_domains(setkey_t)
|
|
|
|
files_read_etc_files(setkey_t)
|
|
|
|
init_dontaudit_use_fds(setkey_t)
|
|
init_read_script_tmp_files(setkey_t)
|
|
|
|
# allow setkey to set the context for ipsec SAs and policy.
|
|
corenet_setcontext_all_spds(setkey_t)
|
|
|
|
locallogin_use_fds(setkey_t)
|
|
|
|
|
|
seutil_read_config(setkey_t)
|
|
|
|
userdom_use_inherited_user_terminals(setkey_t)
|
|
userdom_read_user_tmp_files(setkey_t)
|