diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 7dbf57e..07eba2b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -35,8 +35,9 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 7ed91dd..e0f0224 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -39,6 +39,25 @@ interface(`ipsec_stream_connect',`
########################################
##
+## Connect to racoon using a unix domain stream socket.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_stream_connect_racoon',`
+ gen_require(`
+ type racoon_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+##
## Get the attributes of an IPSEC key socket.
##
##
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b4d92fd..93f9524 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.10.1)
+policy_module(ipsec, 1.10.2)
########################################
#
@@ -29,9 +29,15 @@ init_script_file(ipsec_initrc_exec_t)
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
# Default type for IPSEC SPD entries
type ipsec_spd_t;
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
@@ -66,7 +72,7 @@ role system_r types setkey_t;
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -85,6 +91,10 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
@@ -98,6 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
allow ipsec_mgmt_t ipsec_t:process sigchld;
kernel_read_kernel_sysctls(ipsec_t)
@@ -155,6 +166,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
+sysnet_domtrans_ifconfig(ipsec_t)
+
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
@@ -171,8 +184,9 @@ optional_policy(`
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -182,6 +196,13 @@ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -209,7 +230,6 @@ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
@@ -247,8 +267,10 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+files_list_tmp(ipsec_mgmt_t)
fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
@@ -259,6 +281,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -323,6 +346,7 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -380,6 +404,8 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+kernel_request_load_module(setkey_t)
+
# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)