[selinux-policy: 2318/3172] IPSEC patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:25:49 UTC 2010 

commit 832c1be4caaecf8659405cee985e556fede92a19
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 24 14:09:10 2009 -0500

    IPSEC patch from Dan Walsh.

 policy/modules/system/ipsec.fc |    3 ++
 policy/modules/system/ipsec.if |   25 +++++++++++++++++++
 policy/modules/system/ipsec.te |   51 +++++++++++++++++++++++++++++++++++----
 3 files changed, 73 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index d65ef1e..7dbf57e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
 /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index a162c77..7ed91dd 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -189,6 +189,31 @@ interface(`ipsec_domtrans_racoon',`
 
 ########################################
 ## <summary>
+##	Execute racoon and allow the specified role the domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_racoon',`
+	gen_require(`
+		type racoon_t;
+	')
+
+	ipsec_domtrans_racoon($1)
+	role $2 types racoon_t;
+')
+
+########################################
+## <summary>
 ##	Execute setkey in the setkey domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 8f18cbc..d65140f 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,11 +1,18 @@
 
-policy_module(ipsec, 1.10.0)
+policy_module(ipsec, 1.10.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t, ipsec_exec_t)
@@ -15,6 +22,9 @@ role system_r types ipsec_t;
 type ipsec_conf_file_t;
 files_type(ipsec_conf_file_t)
 
+type ipsec_initrc_exec_t;
+init_script_file(ipsec_initrc_exec_t)
+
 # type for file(s) containing ipsec keys - RSA or preshared
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
@@ -43,6 +53,9 @@ type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
 role system_r types racoon_t;
 
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
 type setkey_t;
 type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
@@ -53,21 +66,23 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
+allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 
+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t)
 kernel_read_system_state(ipsec_t)
 kernel_read_network_state(ipsec_t)
 kernel_read_software_raid_state(ipsec_t)
+kernel_request_load_module(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
@@ -120,7 +136,9 @@ dev_read_urand(ipsec_t)
 
 domain_use_interactive_fds(ipsec_t)
 
+files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
+files_read_usr_files(ipsec_t)
 
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
@@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, racoon_exec_t)
+
+can_exec(racoon_t, setkey_exec_t)
 
 # manage pid file
 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_sendrecv_all_if(racoon_t)
 corenet_udp_sendrecv_all_if(racoon_t)
@@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t)
 
 files_read_etc_files(racoon_t)
 
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
@@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t)
 
 miscfiles_read_localization(racoon_t)
 
+sysnet_exec_ifconfig(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+	auth_tunable_read_shadow(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy

More information about the scm-commits mailing list