diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 7dbf57e..07eba2b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -35,8 +35,9 @@
 /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
 
+/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 7ed91dd..e0f0224 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -39,6 +39,25 @@ interface(`ipsec_stream_connect',`
 
 ########################################
 ##
+## Connect to racoon using a unix domain stream socket.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_stream_connect_racoon',`
+ gen_require(`
+ type racoon_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+##
 ## Get the attributes of an IPSEC key socket.
 ##
 ##
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b4d92fd..93f9524 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.10.1)
+policy_module(ipsec, 1.10.2)
 
 ########################################
 #
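Review bot: The summary of the new `ipsec_stream_connect_racoon` interface does not say what a caller actually gains, which matters because `ipsec_var_run_t` is a label shared by both racoon and pluto runtime files in ipsec.fc (`/var/racoon(/.*)?` and `/var/run/pluto(/.*)?`); the `stream_connect_pattern` line narrows the peer to `racoon_t`, so callers get connect access to racoon-owned stream sockets under that label and nothing else, and the doc block should state that. A summary line such as `## Connect to a racoon_t unix stream socket under ipsec_var_run_t (presumably racoon's admin socket — confirm); no key-socket or configuration access is granted.` would let policy authors judge the interface before calling it. The `<summary>`/`<param>` markup of the doc block appears stripped in this rendering, so its exact XML cannot be checked here.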
@@ -29,9 +29,15 @@ init_script_file(ipsec_initrc_exec_t)
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
 
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
 # Default type for IPSEC SPD entries
 type ipsec_spd_t;
 
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
@@ -66,7 +72,7 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -85,6 +91,10 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
@@ -98,6 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -155,6 +166,8 @@ logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
 
+sysnet_domtrans_ifconfig(ipsec_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_user_home_dirs(ipsec_t)
 
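Review bot: `setpcap` is added to ipsec_t's self:capability set in the `@@ -66,7 +72,7 @@` hunk with no comment, next to the existing `allow ipsec_t self:process { getcap setcap ... }`; CAP_SETPCAP is what lets a process change its own capability bounding and inheritable sets, so an unexplained grant is exactly what a later audit will question. A why-comment above the line, e.g. `# setpcap: the daemon adjusts its own capability set at startup — confirm against pluto's privilege-dropping code`, is enough. The same addition for ipsec_mgmt_t in the `@@ -171,8 +184,9 @@` hunk has the same gap, and a shell-based management script needing setpcap is less self-evident than a daemon needing it, so that one deserves the comment even more.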
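Review bot: `dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };` in the `@@ -98,6 +108,7 @@` hunk hides a denial instead of naming its cause; the only visible way for ipsec_mgmt_t to hold an ipsec_t-owned stream socket is a descriptor inherited across the `corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)` transition on the line above, i.e. presumably a socket pluto leaves open without close-on-exec. Suppressing read and write on such a leaked socket means a future script that genuinely reads or writes through it will do so silently, so the rule should at least record what it covers: `# pluto appears to leak an open unix stream socket to the shell it spawns; dontaudit rather than allow — confirm and report upstream`. Keeping it as dontaudit (not allow) is the right call; the missing piece is the annotation.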
@@ -171,8 +184,9 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -182,6 +196,13 @@ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 
@@ -209,7 +230,6 @@ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
@@ -247,8 +267,10 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+files_list_tmp(ipsec_mgmt_t)
 
 fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
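Review bot: `ptrace` enters ipsec_mgmt_t's self:process permissions in the first hunk with nothing explaining what triggers it; self-ptrace is harmless in isolation, but ptrace is a permission auditors search for, and an unexplained one tends to get widened to other targets later. Either confirm the script works with the permission removed, or annotate it: `# ptrace (self only): presumably raised by a /proc/self read in the management script or a tool it execs — confirm`. Moving sys_tty_config from allow to dontaudit on the same lines is consistent with the ipsec_t rules earlier in the file.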
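Review bot: In the `@@ -182,6 +196,13 @@` hunk, write access to ipsec_log_t is granted only to ipsec_mgmt_t (`manage_files_pattern` plus `logging_log_filetrans`), while ipsec.fc now labels `/var/log/pluto\.log` with that type; if the daemon in ipsec_t itself writes that file — for example through a stdout/stderr descriptor inherited from the management script when it starts pluto (that transition rule is not in this diff) — the write will be denied on ipsec_log_t. Whether pluto writes the log directly or only the wrapper does is not visible here; if the daemon does, the ipsec_t section needs something like `append_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` next to its ipsec_var_run_t rules. The same hunk also makes ipsec_tmp_t a type both ipsec_t and ipsec_mgmt_t fully manage, which is reasonable for a daemon and its own helper but is worth a one-line comment stating that shared-trust relationship.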
@@ -259,6 +281,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
 logging_send_syslog_msg(ipsec_mgmt_t)
 
@@ -323,6 +346,7 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
 
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@@ -380,6 +404,8 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
+kernel_request_load_module(setkey_t)
+
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
 
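Review bot: `init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)` gives the management domain a transition into initrc_t by executing its own init script, and initrc_t is a far broader domain than ipsec_mgmt_t, so this is a privilege-escalation path that should be documented rather than added silently. The `init_exec_script_files(ipsec_mgmt_t)` context line directly above already lets the script run init scripts in its own domain, so it is worth confirming that the domain change is actually required (for example a restart that must run as initrc_t) and not just a denial being papered over; a comment such as `# the ipsec script re-invokes its init script and must run it as initrc_t — confirm the in-domain exec is insufficient` would record that decision.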
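Review bot: `kernel_request_load_module(racoon_t)` in the `@@ -323,6 +346,7 @@` hunk, and the matching `kernel_request_load_module(setkey_t)` in the last hunk, grant `system module_request`, which only lets the kernel auto-load a module on the domain's behalf rather than letting the domain load modules itself; without a comment the rule reads like a module-loading privilege. A short trigger note on each, e.g. `# module_request: the kernel autoloads IPsec/PF_KEY modules when the socket is opened — confirm`, keeps a reviewer from over-estimating it. Since both domains get the identical rule for presumably the same reason, one comment on the racoon_t line naming setkey_t as well would suffice.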