commit: 84d4e9d4f9c40980dd9f8c7a57c556d807990c26 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Sun Oct 11 08:40:25 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 11 08:40:25 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=84d4e9d4 |
|
system/ipsec: Add policy for StrongSwan |
|
Adds an ipsec_supervisor_t domain for StrongSwan's starter. |
Thanks to Matthias Dahl for most of the work regarding this. |
|
policy/modules/system/ipsec.fc | 17 ++++++++++++ |
policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++--- |
2 files changed, 75 insertions(+), 3 deletions(-) |
|
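--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
 
 /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
+/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -19,17 +27,25 @@
 /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
@@ -39,5 +55,6 @@
 
 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
+/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)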
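Review bot: `/etc/swanctl/(.*)?` in the first hunk labels the whole tree below /etc/swanctl, subdirectories included, as ipsec_key_file_t, and only `/etc/swanctl/swanctl.conf --` is pulled back to ipsec_conf_file_t, so any other configuration dropped there carries the key-material label; the dot in `swanctl.conf` is also unescaped, unlike `strongswan\.conf` in the same hunk, and the file elsewhere writes the recursive form as `(/.*)?` rather than `/(.*)?`. If the intent is that only the credential subdirectories are key material, a general `/etc/swanctl(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)` with narrower ipsec_key_file_t entries for those subdirectories below it, and `/etc/swanctl/swanctl\.conf --`, would express that. In the third hunk `/var/run/charon\.(.*)? --` matches regular files only; if charon's control endpoints under /var/run are sockets, a restorecon will not relabel them and their label then rests solely on the runtime type transitions in ipsec.te.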
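--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 ########################################
 #
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+ modutils_domtrans_insmod(ipsec_supervisor_t)
+')
+
 ifdef(`distro_gentoo',`
 ################################################
 #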
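Review bot: The last hunk's `domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);` and `allow ipsec_supervisor_t ipsec_t:process { signal };` cover only the supervisor-to-charon direction; nothing lets ipsec_t send sigchld back to ipsec_supervisor_t, whereas the existing ipsec_mgmt_t pairing in the second hunk carries `{ rlimitinh sigchld }`, so if starter waits on charon as a child process the exit notification will be denied and `allow ipsec_t ipsec_supervisor_t:process sigchld;` is probably needed (confirm against AVC denials). The trailing semicolons on macro calls in this commit (`init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);`, `kernel_rw_net_sysctls(ipsec_t);`, the new `domtrans_pattern(ipsec_mgmt_t, ...);`, and about half the lines of the new block) differ from every other interface call in the file, such as `kernel_rw_net_sysctls(ipsec_mgmt_t)` two lines below the new domtrans; they should be dropped for consistency, and whether the build accepts the stray `;` left behind after m4 expansion is not visible here. `manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` hands the starter create, write and delete over key material while ipsec_conf_file_t two lines above is read-only; if starter only loads credentials, `read_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` is the least-privilege form. Because ipsec.fc in this same commit labels the whole /etc/swanctl tree ipsec_key_file_t, that manage rule also reaches non-key files placed there.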