commit: 5522373aa919d8f9ee0e1937e9f031ad35c07c4a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 11 10:37:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5522373a
system/ipsec: Add policy for StrongSwan
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
policy/modules/system/ipsec.fc | 17 ++++++++++++
policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++---
2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
/etc/ipsec\.d(/.*)?
gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan\.conf --
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)?
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)?
gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl -d
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf --
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
/sbin/setkey --
gen_context(system_u:object_r:setkey_exec_t,s0)
/usr/lib/ipsec/_plutoload --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -19,17 +27,25 @@
/usr/lib/ipsec/pluto --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/lib/ipsec/spi --
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/_copyright --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/_plutoload --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/libexec/ipsec/_plutorun --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown --
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/eroute --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/klipsdebug --
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/pluto --
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi --
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter --
gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke --
gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/ipsec --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon --
gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey --
gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/var/lib/racoon(/.*)?
gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -39,5 +55,6 @@
/var/racoon(/.*)?
gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.(.*)? --
gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)?
gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid --
gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3734bd4..2d8b686 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
########################################
#
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap
sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid
setuid setpcap net_admin sys_nice };
dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write
};
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
@@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill
net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink
};
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file
})
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+ modutils_domtrans_insmod(ipsec_supervisor_t)
+')
+
ifdef(`distro_gentoo',`
################################################
#
