authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb /policy/modules/system/ipsec.if
parentInitial commit (diff)
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/modules/system/ipsec.if')
-rw-r--r--policy/modules/system/ipsec.if371
1 files changed, 371 insertions, 0 deletions
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
new file mode 100644
index 00000000..0d4c8d35
--- /dev/null
+++ b/policy/modules/system/ipsec.if
@@ -0,0 +1,371 @@
+## <summary>TCP/IP encryption</summary>
+
+########################################
+## <summary>
+## Execute ipsec in the ipsec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans',`
+ gen_require(`
+ type ipsec_t, ipsec_exec_t;
+ ')
+
+ domtrans_pattern($1, ipsec_exec_t, ipsec_t)
+')
+
+########################################
+## <summary>
+## Connect to IPSEC using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_stream_connect',`
+ gen_require(`
+ type ipsec_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+')
+
+########################################
+## <summary>
+## Execute ipsec in the ipsec mgmt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t, ipsec_mgmt_exec_t;
+ ')
+
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+
+########################################
+## <summary>
+## Connect to racoon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_stream_connect_racoon',`
+ gen_require(`
+ type racoon_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of an IPSEC key socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_getattr_key_sockets',`
+ gen_require(`
+ type ipsec_t;
+ ')
+
+ allow $1 ipsec_t:key_socket getattr;
+')
+
+########################################
+## <summary>
+## Execute the IPSEC management program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_exec_mgmt',`
+ gen_require(`
+ type ipsec_exec_t;
+ ')
+
+ can_exec($1, ipsec_exec_t)
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a general signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_signal_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process signal;
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_signull_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process signull;
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_kill_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process sigkill;
+')
+
+######################################
+## <summary>
+## Send and receive messages from
+## ipsec-mgmt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_mgmt_dbus_chat',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ipsec_mgmt_t:dbus send_msg;
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read the IPSEC configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_read_config',`
+ gen_require(`
+ type ipsec_conf_file_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ipsec_conf_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Match the default SPD entry.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_match_default_spd',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
+')
+
+########################################
+## <summary>
+## Set the context of a SPD entry to
+## the default context.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_setcontext_default_spd',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association setcontext;
+')
+
+########################################
+## <summary>
+## write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the IPSEC pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_manage_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute racoon in the racoon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_racoon',`
+ gen_require(`
+ type racoon_t, racoon_exec_t;
+ ')
+
+ domtrans_pattern($1, racoon_exec_t, racoon_t)
+')
+
+########################################
+## <summary>
+## Execute racoon and allow the specified role the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_racoon',`
+ gen_require(`
+ type racoon_t;
+ ')
+
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+')
+
+########################################
+## <summary>
+## Execute setkey in the setkey domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+ type setkey_t, setkey_exec_t;
+ ')
+
+ domtrans_pattern($1, setkey_exec_t, setkey_t)
+')
+
+########################################
+## <summary>
+## Execute setkey and allow the specified role the domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access..
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_setkey',`
+ gen_require(`
+ type setkey_t;
+ ')
+
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+')
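Review bot: `ipsec_exec_mgmt` requires `ipsec_exec_t` and grants `can_exec($1, ipsec_exec_t)`, although its name and summary say it executes the IPSEC management program, and `ipsec_domtrans_mgmt` in the same file uses `ipsec_mgmt_exec_t` for that program. As written, a caller gets to run files labelled `ipsec_exec_t` in its own domain, which is a different executable from the documented one and may leave the management program itself not executable for that caller. If the management binary is the intended target, the body should read `type ipsec_mgmt_exec_t;` and `can_exec($1, ipsec_mgmt_exec_t)`. The file contexts and type declarations are outside this page, so confirm which label the management program carries before changing the grant. A minor documentation point in the same file: the parameter summary of `ipsec_domtrans_mgmt` says "Domain allowed access." where the other domtrans interfaces say "Domain allowed to transition."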