From 90e65feca5efd8a16dab5b568d8f77a7ba16bf58 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Mar 17 2010 17:52:07 +0000
Subject: Ipsec patch from Dan Walsh.


---

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 7dbf57e..07eba2b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -35,8 +35,9 @@
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
+/var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-/var/run/racoon.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 7ed91dd..e0f0224 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -39,6 +39,25 @@ interface(`ipsec_stream_connect',`
 
 ########################################
 ## <summary>
+##	Connect to racoon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_stream_connect_racoon',`
+	gen_require(`
+		type racoon_t, ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of an IPSEC key socket.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b4d92fd..93f9524 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec, 1.10.1)
+policy_module(ipsec, 1.10.2)
 
 ########################################
 #
@@ -29,9 +29,15 @@ init_script_file(ipsec_initrc_exec_t)
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
 
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
 # Default type for IPSEC SPD entries
 type ipsec_spd_t;
 
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
@@ -66,7 +72,7 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -85,6 +91,10 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) 
+
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
@@ -98,6 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -155,6 +166,8 @@ logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
 
+sysnet_domtrans_ifconfig(ipsec_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_user_home_dirs(ipsec_t)
 
@@ -171,8 +184,9 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -182,6 +196,13 @@ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) 
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 
@@ -209,7 +230,6 @@ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
@@ -247,8 +267,10 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+files_list_tmp(ipsec_mgmt_t)
 
 fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
@@ -259,6 +281,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
 logging_send_syslog_msg(ipsec_mgmt_t)
 
@@ -323,6 +346,7 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
 
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@@ -380,6 +404,8 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
+kernel_request_load_module(setkey_t)
+
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)