diff options
author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /policy/modules/system/ipsec.if | |
parent | Initial commit (diff) | |
download | hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2 hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip |
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/modules/system/ipsec.if')
-rw-r--r-- | policy/modules/system/ipsec.if | 371 |
1 files changed, 371 insertions, 0 deletions
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if new file mode 100644 index 00000000..0d4c8d35 --- /dev/null +++ b/policy/modules/system/ipsec.if @@ -0,0 +1,371 @@ +## <summary>TCP/IP encryption</summary> + +######################################## +## <summary> +## Execute ipsec in the ipsec domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans',` + gen_require(` + type ipsec_t, ipsec_exec_t; + ') + + domtrans_pattern($1, ipsec_exec_t, ipsec_t) +') + +######################################## +## <summary> +## Connect to IPSEC using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_stream_connect',` + gen_require(` + type ipsec_t, ipsec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) +') + +######################################## +## <summary> +## Execute ipsec in the ipsec mgmt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_domtrans_mgmt',` + gen_require(` + type ipsec_mgmt_t, ipsec_mgmt_exec_t; + ') + + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') + +######################################## +## <summary> +## Connect to racoon using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_stream_connect_racoon',` + gen_require(` + type racoon_t, ipsec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) +') + +######################################## +## <summary> +## Get the attributes of an IPSEC key socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_getattr_key_sockets',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:key_socket getattr; +') + +######################################## +## <summary> +## Execute the IPSEC management program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_exec_mgmt',` + gen_require(` + type ipsec_exec_t; + ') + + can_exec($1, ipsec_exec_t) +') + +######################################## +## <summary> +## Send ipsec mgmt a general signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_signal_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signal; +') + +######################################## +## <summary> +## Send ipsec mgmt a null signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_signull_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signull; +') + +######################################## +## <summary> +## Send ipsec mgmt a kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_kill_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process sigkill; +') + +###################################### +## <summary> +## Send and receive messages from +## ipsec-mgmt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_mgmt_dbus_chat',` + gen_require(` + type ipsec_mgmt_t; + class dbus send_msg; + ') + + allow $1 ipsec_mgmt_t:dbus send_msg; + allow ipsec_mgmt_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read the IPSEC configuration +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_read_config',` + gen_require(` + type ipsec_conf_file_t; + ') + + files_search_etc($1) + allow $1 ipsec_conf_file_t:file read_file_perms; +') + +######################################## +## <summary> +## Match the default SPD entry. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_match_default_spd',` + gen_require(` + type ipsec_spd_t; + ') + + allow $1 ipsec_spd_t:association polmatch; + allow $1 self:association sendto; +') + +######################################## +## <summary> +## Set the context of a SPD entry to +## the default context. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_setcontext_default_spd',` + gen_require(` + type ipsec_spd_t; + ') + + allow $1 ipsec_spd_t:association setcontext; +') + +######################################## +## <summary> +## write the ipsec_var_run_t files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_write_pid',` + gen_require(` + type ipsec_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the IPSEC pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_manage_pid',` + gen_require(` + type ipsec_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') + +######################################## +## <summary> +## Execute racoon in the racoon domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans_racoon',` + gen_require(` + type racoon_t, racoon_exec_t; + ') + + domtrans_pattern($1, racoon_exec_t, racoon_t) +') + +######################################## +## <summary> +## Execute racoon and allow the specified role the domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_run_racoon',` + gen_require(` + type racoon_t; + ') + + ipsec_domtrans_racoon($1) + role $2 types racoon_t; +') + +######################################## +## <summary> +## Execute setkey in the setkey domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans_setkey',` + gen_require(` + type setkey_t, setkey_exec_t; + ') + + domtrans_pattern($1, setkey_exec_t, setkey_t) +') + +######################################## +## <summary> +## Execute setkey and allow the specified role the domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access.. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_run_setkey',` + gen_require(` + type setkey_t; + ') + + ipsec_domtrans_setkey($1) + role $2 types setkey_t; +') |