Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
Date: Sun, 11 Oct 2015 10:48:44
Message-Id: 1444552825.84d4e9d4f9c40980dd9f8c7a57c556d807990c26.perfinion@gentoo
1 commit: 84d4e9d4f9c40980dd9f8c7a57c556d807990c26
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Sun Oct 11 08:40:25 2015 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 11 08:40:25 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=84d4e9d4
7
8 system/ipsec: Add policy for StrongSwan
9
10 Adds an ipsec_supervisor_t domain for StrongSwan's starter.
11 Thanks to Matthias Dahl for most of the work regarding this.
12
13 policy/modules/system/ipsec.fc | 17 ++++++++++++
14 policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++---
15 2 files changed, 75 insertions(+), 3 deletions(-)
16
17 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
18 index 0f1e351..d42b08e 100644
19 --- a/policy/modules/system/ipsec.fc
20 +++ b/policy/modules/system/ipsec.fc
21 @@ -10,6 +10,14 @@
22
23 /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
24
25 +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
26 +
27 +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
28 +
29 +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
30 +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
31 +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
32 +
33 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
34
35 /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
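Review bot: `/etc/swanctl/swanctl.conf` is labelled `ipsec_conf_file_t` while everything else under `/etc/swanctl/` gets `ipsec_key_file_t`, yet swanctl.conf can itself carry a `secrets` section with pre-shared keys and EAP passwords. On such setups the secrets end up under the conf type, which is presumably readable by more domains than the key type. Either label the file `ipsec_key_file_t` or add a comment telling admins to keep secrets in separately included files under the key-labelled tree. The dot in this spec is also unescaped, unlike `/etc/strongswan\.conf` earlier in the same hunk; I would write `/etc/swanctl/swanctl\.conf`.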
36 @@ -19,17 +27,25 @@
37 /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
38 /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
39
40 +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
41 /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
42 /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
43 +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
44 +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
45 /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
46 /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
47 +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
48 /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
49 +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
50 /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
51 +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
52 +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
53 /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
54
55 /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
56 /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
57 /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
58 +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
59
60 /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
61
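Review bot: The control and helper programs added here (`stroke`, `lookip`, `scepclient`) receive `ipsec_exec_t`, the same type as the `charon` daemon. Given the existing `domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)` in ipsec.te, running them from `ipsec_mgmt_t` would transition into `ipsec_t` with the capability set this commit widens. If these tools only talk to the daemon over its control socket, a less privileged label is worth considering, for example `ipsec_mgmt_exec_t` as this hunk already uses for `/usr/sbin/swanctl`. At minimum, add a comment above the new entries saying why they share the daemon type.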
62 @@ -39,5 +55,6 @@
63
64 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
65
66 +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
67 /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
68 /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
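Review bot: The `--` file-type specifier on `/var/run/charon\.(.*)?` limits the match to regular files, so a socket named `charon.<something>` would not match and a relabel would presumably fall back to the generic /var/run label. The ipsec.te part of this commit grants `sock_file` access and a `sock_file` filetrans on `ipsec_var_run_t`, which suggests sockets are expected there. Dropping the specifier, `/var/run/charon\.(.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)`, would cover the pid file and the sockets alike.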
69
70 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
71 index 3734bd4..2d8b686 100644
72 --- a/policy/modules/system/ipsec.te
73 +++ b/policy/modules/system/ipsec.te
74 @@ -67,19 +67,25 @@ type setkey_exec_t;
75 init_system_domain(setkey_t, setkey_exec_t)
76 role system_r types setkey_t;
77
78 +type ipsec_supervisor_t;
79 +type ipsec_supervisor_exec_t;
80 +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
81 +role system_r types ipsec_supervisor_t;
82 +
83 ########################################
84 #
85 # ipsec Local policy
86 #
87
88 -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
89 +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
90 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
91 allow ipsec_t self:process { getcap setcap getsched signal setsched };
92 allow ipsec_t self:tcp_socket create_stream_socket_perms;
93 allow ipsec_t self:udp_socket create_socket_perms;
94 allow ipsec_t self:key_socket create_socket_perms;
95 -allow ipsec_t self:fifo_file read_fifo_file_perms;
96 +allow ipsec_t self:fifo_file rw_fifo_file_perms;
97 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
98 +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
99
100 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
101
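Review bot: The capability line for `ipsec_t` gains `chown`, `setgid` and `setuid`, and that grant applies to every program entering `ipsec_t`, including pluto, not only to the StrongSwan daemon this commit targets. Nothing in the hunk records which binary needs them or why, so a later audit cannot tell whether they can be dropped. I would add a comment above the rule, for example `# chown/setgid/setuid: required by charon (presumably to drop privileges after start) - confirm`, and say the same for the new `netlink_route_socket` rule. If only charon needs them, a separate domain for it would keep pluto's set unchanged.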
102 @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
103 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
104
105 kernel_read_kernel_sysctls(ipsec_t)
106 -kernel_read_net_sysctls(ipsec_t)
107 +kernel_rw_net_sysctls(ipsec_t);
108 kernel_list_proc(ipsec_t)
109 kernel_read_proc_symlinks(ipsec_t)
110 # allow pluto to access /proc/net/ipsec_eroute;
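Review bot: Replacing `kernel_read_net_sysctls(ipsec_t)` with the rw variant gives the network-facing IKE daemon write access to the net sysctl tree. That access is system-wide, since those sysctls include forwarding and filtering knobs unrelated to IPsec. The commit does not say which sysctl charon writes, so the grant cannot be checked against need. Please document it in a comment next to the call, for example `# charon adjusts net sysctls for <reason> - confirm`. The same interface is also granted to `ipsec_supervisor_t` in the last hunk, and it is worth checking whether both domains really need write access.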
111 @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
112 allow ipsec_mgmt_t self:key_socket create_socket_perms;
113 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
114
115 +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
116 +
117 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
118 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
119
120 @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
121 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
122
123 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
124 +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
125
126 kernel_rw_net_sysctls(ipsec_mgmt_t)
127 # allow pluto to access /proc/net/ipsec_eroute;
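Review bot: The added `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);` ends with a semicolon, while the neighbouring macro call on the line above has none. The same stray semicolon appears on `init_daemon_domain(...)` in the first ipsec.te hunk, on `kernel_rw_net_sysctls(ipsec_t);`, and on several interface calls in the supervisor block. Dropping it keeps the file consistent: `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t)`.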
128 @@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
129
130 userdom_use_user_terminals(setkey_t)
131
132 +########################################
133 +#
134 +# ipsec_supervisor policy
135 +#
136 +
137 +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
138 +allow ipsec_supervisor_t self:process { signal };
139 +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
140 +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
141 +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
142 +
143 +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
144 +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
145 +
146 +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
147 +
148 +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
149 +allow ipsec_supervisor_t ipsec_t:process { signal };
150 +
151 +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
152 +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
153 +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
154 +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
155 +
156 +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
157 +
158 +kernel_read_network_state(ipsec_supervisor_t)
159 +kernel_read_system_state(ipsec_supervisor_t)
160 +kernel_rw_net_sysctls(ipsec_supervisor_t);
161 +
162 +corecmd_exec_bin(ipsec_supervisor_t);
163 +corecmd_exec_shell(ipsec_supervisor_t)
164 +
165 +dev_read_rand(ipsec_supervisor_t);
166 +dev_read_urand(ipsec_supervisor_t);
167 +
168 +files_read_etc_files(ipsec_supervisor_t);
169 +
170 +logging_send_syslog_msg(ipsec_supervisor_t);
171 +
172 +miscfiles_read_localization(ipsec_supervisor_t);
173 +
174 +optional_policy(`
175 + modutils_domtrans_insmod(ipsec_supervisor_t)
176 +')
177 +
178 ifdef(`distro_gentoo',`
179 ################################################
180 #
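Review bot: `manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` lets the starter create, modify and delete key material, and the ipsec.fc change also puts everything under `/etc/swanctl/` in that type. The same domain gets `dac_override`, `corecmd_exec_shell` and `corecmd_exec_bin`, so a fault in the supervisor could rewrite private keys and certificates. If the starter only needs to load them, `read_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` would be the narrower grant. Otherwise add a comment naming the operation that needs write access. The `ifdef(distro_gentoo)` block that follows continues outside this hunk.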