From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 12 Oct 2015 09:31:50 -0400 Subject: [refpolicy] [PATCH] system/ipsec: Add policy for StrongSwan In-Reply-To: <1444559876-8098-1-git-send-email-jason@perfinion.com> References: <1444559876-8098-1-git-send-email-jason@perfinion.com> Message-ID: <561BB646.2060801@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/11/2015 6:37 AM, Jason Zaman wrote: > Adds an ipsec_supervisor_t domain for StrongSwan's starter. > Thanks to Matthias Dahl for most of the work on this. Merged, with some rearrangements. > --- > policy/modules/system/ipsec.fc | 17 ++++++++++++ > policy/modules/system/ipsec.te | 60 +++++++++++++++++++++++++++++++++++++++--- > 2 files changed, 74 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc > index 0f1e351..d42b08e 100644 > --- a/policy/modules/system/ipsec.fc > +++ b/policy/modules/system/ipsec.fc > @@ -10,6 +10,14 @@ > > /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) > > +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) > + > +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) > + > +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) > +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0) > +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) > + > /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) > > /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > @@ -19,17 +27,25 @@ > /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0) > +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) > +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) > +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0) > +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > > /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) > /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) > +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > > /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) > > @@ -39,5 +55,6 @@ > > /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) > > +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0) > /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) > /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) > diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te > index d5bcfd8..3a3e6d5 100644 > --- a/policy/modules/system/ipsec.te > +++ b/policy/modules/system/ipsec.te > @@ -67,19 +67,25 @@ type setkey_exec_t; > init_system_domain(setkey_t, setkey_exec_t) > role system_r types setkey_t; > > +type ipsec_supervisor_t; > +type ipsec_supervisor_exec_t; > +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t); > +role system_r types ipsec_supervisor_t; > + > ######################################## > # > # ipsec Local policy > # > > -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; > +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice }; > dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; > allow ipsec_t self:process { getcap setcap getsched signal setsched }; > allow ipsec_t self:tcp_socket create_stream_socket_perms; > allow ipsec_t self:udp_socket create_socket_perms; > allow ipsec_t self:key_socket create_socket_perms; > -allow ipsec_t self:fifo_file read_fifo_file_perms; > +allow ipsec_t self:fifo_file rw_fifo_file_perms; > allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; > +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms; > > allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; > > @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; > allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; > > kernel_read_kernel_sysctls(ipsec_t) > -kernel_read_net_sysctls(ipsec_t) > +kernel_rw_net_sysctls(ipsec_t); > kernel_list_proc(ipsec_t) > kernel_read_proc_symlinks(ipsec_t) > # allow pluto to access /proc/net/ipsec_eroute; > @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; > allow ipsec_mgmt_t self:key_socket create_socket_perms; > allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; > > +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; > + > allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; > files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) > > @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) > allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; > > domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) > +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t); > > kernel_rw_net_sysctls(ipsec_mgmt_t) > # allow pluto to access /proc/net/ipsec_eroute; > @@ -444,3 +453,48 @@ seutil_read_config(setkey_t) > > userdom_use_user_terminals(setkey_t) > > +######################################## > +# > +# ipsec_supervisor policy > +# > + > +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin }; > +allow ipsec_supervisor_t self:process { signal }; > +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; > +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms; > +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms; > + > +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms; > +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t); > + > +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t) > + > +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto }; > +allow ipsec_supervisor_t ipsec_t:process { signal }; > + > +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink }; > +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) > +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) > +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file }) > + > +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t); > + > +kernel_read_network_state(ipsec_supervisor_t) > +kernel_read_system_state(ipsec_supervisor_t) > +kernel_rw_net_sysctls(ipsec_supervisor_t); > + > +corecmd_exec_bin(ipsec_supervisor_t); > +corecmd_exec_shell(ipsec_supervisor_t) > + > +dev_read_rand(ipsec_supervisor_t); > +dev_read_urand(ipsec_supervisor_t); > + > +files_read_etc_files(ipsec_supervisor_t); > + > +logging_send_syslog_msg(ipsec_supervisor_t); > + > +miscfiles_read_localization(ipsec_supervisor_t); > + > +optional_policy(` > + modutils_domtrans_insmod(ipsec_supervisor_t) > +') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com