Chris PeBenito 0fbfa5
#DESC ipsec - TCP/IP encryption
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Authors: Mark Westerman
Chris PeBenito 0fbfa5
# massively butchered by paul krumviede <>
Chris PeBenito 0fbfa5
# further massaged by Chris Vance <>
Chris PeBenito 0fbfa5
# X-Debian-Packages: freeswan
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Rules for the ipsec_t domain.
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# a domain for things that need access to the PF_KEY socket
Chris PeBenito 0fbfa5
daemon_base_domain(ipsec, `, privlog')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# type for ipsec configuration file(s) - not for keys
Chris PeBenito 0fbfa5
type ipsec_conf_file_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# type for file(s) containing ipsec keys - RSA or preshared
Chris PeBenito 0fbfa5
type ipsec_key_file_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# type for runtime files, including pluto.ctl
Chris PeBenito 0fbfa5
# lots of strange stuff for the ipsec_var_run_t - need to check it
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
Chris PeBenito 0fbfa5
type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
Chris PeBenito 0fbfa5
file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
Chris PeBenito 0fbfa5
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
Chris PeBenito 0fbfa5
file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t modules_object_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t modules_object_t:file getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_t self:capability { net_admin net_bind_service };
Chris PeBenito 0fbfa5
allow ipsec_t self:process signal;
Chris PeBenito 0fbfa5
allow ipsec_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Inherit and use descriptors from init.
Chris PeBenito 0fbfa5
# allow access (for, e.g., klipsdebug) to console
Chris PeBenito 0fbfa5
allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# I do not know where this pesky pipe is...
Chris PeBenito 0fbfa5
allow ipsec_t initrc_t:fifo_file write;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
r_dir_file(ipsec_t, ipsec_conf_file_t)
Chris PeBenito 0fbfa5
r_dir_file(ipsec_t, ipsec_key_file_t)
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
Chris PeBenito 0fbfa5
rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_t self:key_socket { create write read setopt };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for lsof
Chris PeBenito 0fbfa5
allow sysadm_t ipsec_t:key_socket getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# the ipsec wrapper wants to run /usr/bin/logger (should we put
Chris PeBenito 0fbfa5
# it in its own domain?)
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, bin_t)
Chris PeBenito 0fbfa5
# logger, running in ipsec_mgmt_t needs to use sockets
Chris PeBenito a08248
allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito a08248
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# also need to run things like whack and shell scripts
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, ipsec_exec_t)
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, shell_exec_t)
Chris PeBenito 0fbfa5
can_exec(ipsec_t, shell_exec_t)
Chris PeBenito 0fbfa5
can_exec(ipsec_t, bin_t)
Chris PeBenito 0fbfa5
can_exec(ipsec_t, ipsec_mgmt_exec_t)
Chris PeBenito 0fbfa5
# now for a icky part...
Chris PeBenito 0fbfa5
# pluto runs an updown script (by calling popen()!); as this is by default
Chris PeBenito 0fbfa5
# a shell script, we need to find a way to make things work without
Chris PeBenito 0fbfa5
# letting all sorts of stuff possibly be run...
Chris PeBenito 0fbfa5
# so try flipping back into the ipsec_mgmt_t domain
Chris PeBenito 0fbfa5
domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_t:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# the default updown script wants to run route
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, sbin_t)
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sbin_t:lnk_file read;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:capability { net_admin dac_override };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# need access to /proc/sys/net/ipsec/icmp
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sysctl_t:file write;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sysctl_net_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# whack needs to be able to read/write pluto.ctl
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
Chris PeBenito 0fbfa5
# and it wants to connect to a socket...
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow system administrator to use the ipsec script to look
Chris PeBenito 0fbfa5
# at things (e.g., ipsec auto --status)
Chris PeBenito 0fbfa5
# probably should create an ipsec_admin role for this kind of thing
Chris PeBenito 0fbfa5
can_exec(sysadm_t, ipsec_mgmt_exec_t)
Chris PeBenito 0fbfa5
allow sysadm_t ipsec_t:unix_stream_socket connectto;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# _realsetup needs to be able to cat /var/run/,
Chris PeBenito 0fbfa5
# run ps on that pid, and delete the file
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t boot_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t system_map_t:file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# denials when ps tries to search /proc. Do not audit these denials.
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# suppress audit messages about unnecessary socket access
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t domain:key_socket { read write };
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t domain:udp_socket { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# from rbac
Chris PeBenito 0fbfa5
role system_r types { ipsec_t ipsec_mgmt_t };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# from initrc.te
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
########## The following rules were added by ##########
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow pluto and startup scripts to access /dev/urandom
Chris PeBenito 0fbfa5
allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow pluto to access /proc/net/ipsec_eroute;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow pluto to search the root directory (not sure why, but mostly harmless)
Chris PeBenito 0fbfa5
# Are these all really necessary?
Chris PeBenito 0fbfa5
allow ipsec_t var_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_t bin_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_t device_t:dir { getattr search };
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t device_t:dir { getattr search read };
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t devpts_t:dir getattr;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t var_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sbin_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t bin_t:dir search;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Startup scripts
Chris PeBenito 0fbfa5
# use libraries
Chris PeBenito 0fbfa5
uses_shlib({ ipsec_t ipsec_mgmt_t })
Chris PeBenito 0fbfa5
# Read and write /dev/tty
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
# fork
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:process fork;
Chris PeBenito 0fbfa5
# startup script runs /bin/gawk with a pipe
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
# read /etc/mtab Why?
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
Chris PeBenito 0fbfa5
# read link for /bin/sh 
Chris PeBenito 0fbfa5
allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow read/write access to /var/run/pluto.ctl
Chris PeBenito 0fbfa5
allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Pluto needs network access
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito a08248
allow ipsec_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for sleep
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for the start script
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, etc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow access to /etc/localtime
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t etc_t:file { read getattr };
Chris PeBenito 0fbfa5
allow ipsec_t etc_t:file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow access to /dev/null
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow ipsec_t null_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 5493c2
# Allow scripts to use /var/lock/subsys/ipsec
Chris PeBenito 5493c2
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow tncfg to create sockets
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:udp_socket { create ioctl };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#When running ipsec auto --up <conname>
Chris PeBenito 0fbfa5
allow ipsec_t self:process { fork sigchld };
Chris PeBenito 0fbfa5
allow ipsec_t self:fifo_file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# ideally it would not need this.  It wants to write to /root/.rnd
Chris PeBenito 0fbfa5
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
Chris PeBenito 0fbfa5
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t default_t:dir getattr;
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t default_t:file getattr;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:key_socket { create setopt };
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, initrc_exec_t)
Chris PeBenito 0fbfa5
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
Chris PeBenito a08248
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`consoletype.te', `
Chris PeBenito 0fbfa5
can_exec(ipsec_mgmt_t, consoletype_exec_t )
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
Chris PeBenito 0fbfa5
dontaudit ipsec_t ttyfile:chr_file { read write };
Chris PeBenito 0fbfa5
allow ipsec_t self:capability { dac_override dac_read_search };
Chris PeBenito 0fbfa5
allow ipsec_t reserved_port_t:udp_socket name_bind;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
Chris PeBenito 0fbfa5
dontaudit ipsec_mgmt_t device_t:lnk_file read;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
Chris PeBenito 0fbfa5
rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
Chris PeBenito 0fbfa5
rw_dir_create_file(initrc_t, ipsec_var_run_t)
Chris PeBenito 0fbfa5
allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };