Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 34858 Details for
Bug 56204
net-snmp policy files
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
type enforcement
ipsec.te (text/plain), 7.46 KB, created by
petre rodan (RETIRED)
on 2004-07-06 02:27:57 UTC
(
hide
)
Description:
type enforcement
Filename:
MIME Type:
Creator:
petre rodan (RETIRED)
Created:
2004-07-06 02:27:57 UTC
Size:
7.46 KB
patch
obsolete
>#DESC ipsec - TCP/IP encryption ># ># Authors: Mark Westerman mark.westerman@westcam.com ># massively butchered by paul krumviede <pwk@acm.org> ># further massaged by Chris Vance <cvance@tislabs.com> ># gentoo-ed by Petre Rodan <petre.rodan@avira.com> ># ># X-Debian-Packages: freeswan ># X-Gentoo-Packages: ipsec-tools ># >######################################## ># ># Rules for the ipsec_t domain. ># ># a domain for things that need access to the PF_KEY socket >daemon_base_domain(ipsec) > ># type for ipsec configuration file(s) - not for keys >type ipsec_conf_file_t, file_type, sysadmfile; > ># type for file(s) containing ipsec keys - RSA or preshared >type ipsec_key_file_t, file_type, sysadmfile; > ># type for runtime files, including pluto.ctl >var_run_domain(ipsec) > >read_locale(ipsec_t) > >type ipsec_mgmt_t, domain, privlog, admin, privmodule; >type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type; >domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) >file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file) > >allow ipsec_mgmt_t modules_object_t:dir search; >allow ipsec_mgmt_t modules_object_t:file getattr; > >allow ipsec_t self:capability { net_admin net_bind_service }; >allow ipsec_t self:process signal; >allow ipsec_t etc_t:lnk_file read; > >domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t) > ># Inherit and use descriptors from init. ># allow access (for, e.g., klipsdebug) to console >allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms; >allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use; > ># I do not know where this pesky pipe is... >#allow ipsec_t initrc_t:fifo_file { write }; > >allow ipsec_t ipsec_conf_file_t:file r_file_perms; >allow ipsec_t ipsec_conf_file_t:dir r_dir_perms; >allow ipsec_t ipsec_key_file_t:file { getattr read ioctl }; >allow ipsec_t ipsec_key_file_t:lnk_file read; >allow ipsec_t ipsec_key_file_t:dir r_dir_perms; >allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl }; >rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t) > >allow ipsec_t self:key_socket { create write read }; >allow ipsec_t self:netlink_socket { read }; > ># for lsof >allow sysadm_t ipsec_t:key_socket getattr; > ># the ipsec wrapper wants to run /usr/bin/logger (should we put ># it in its own domain?) >can_exec(ipsec_mgmt_t, bin_t) ># logger, running in ipsec_mgmt_t needs to use sockets >allow ipsec_mgmt_t ipsec_mgmt_t:unix_dgram_socket { create connect write }; >allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; > ># also need to run things like whack and shell scripts >can_exec(ipsec_mgmt_t, ipsec_exec_t) >can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) >allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; >can_exec(ipsec_mgmt_t, shell_exec_t) >can_exec(ipsec_t, shell_exec_t) >can_exec(ipsec_t, ipsec_mgmt_exec_t) >can_exec(ipsec_mgmt_t, ifconfig_exec_t) > ># now for a icky part... ># pluto runs an updown script (by calling popen()!); as this is by default ># a shell script, we need to find a way to make things work without ># letting all sorts of stuff possibly be run... ># so try flipping back into the ipsec_mgmt_t domain >domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t) >allow ipsec_mgmt_t ipsec_t:fd use; > ># the default updown script wants to run route >can_exec(ipsec_mgmt_t, sbin_t) >allow ipsec_mgmt_t sbin_t:lnk_file read; >allow ipsec_mgmt_t self:capability { net_admin dac_override }; > ># need access to /proc/sys/net/ipsec/icmp >allow ipsec_mgmt_t sysctl_t:file write; >allow ipsec_mgmt_t sysctl_net_t:file { write setattr }; > ># whack needs to be able to read/write pluto.ctl >allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write }; ># and it wants to connect to a socket... >allow ipsec_mgmt_t ipsec_mgmt_t:unix_stream_socket { create connect read write }; >allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write }; > ># allow system administrator to use the ipsec script to look ># at things (e.g., ipsec auto --status) ># probably should create an ipsec_admin role for this kind of thing >can_exec(sysadm_t, ipsec_mgmt_exec_t) >allow sysadm_t ipsec_t:unix_stream_socket connectto; > ># _realsetup needs to be able to cat /var/run/pluto.pid, ># run ps on that pid, and delete the file >allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms; > >allow ipsec_mgmt_t boot_t:dir search; >allow ipsec_mgmt_t system_map_t:file { read getattr }; > ># denials when ps tries to search /proc. Do not audit these denials. >dontaudit ipsec_mgmt_t domain:dir r_dir_perms; > ># suppress audit messages about unnecessary socket access >dontaudit ipsec_mgmt_t domain:key_socket { read write }; >dontaudit ipsec_mgmt_t domain:udp_socket { read write }; > ># from rbac >role system_r types { ipsec_t ipsec_mgmt_t }; > ># from initrc.te >domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t) > > >########## The following rules were added by cvance@tislabs.com ########## > ># allow pluto and startup scripts to access /dev/urandom >allow { ipsec_t ipsec_mgmt_t } random_device_t:chr_file r_file_perms; > ># allow pluto to access /proc/net/ipsec_eroute; >general_proc_read_access(ipsec_t) >general_proc_read_access(ipsec_mgmt_t) > ># allow pluto to search the root directory (not sure why, but mostly harmless) ># Are these all really necessary? >allow ipsec_t var_t:dir { search }; >allow ipsec_t bin_t:dir { search }; >allow ipsec_t device_t:dir { getattr search }; >allow ipsec_mgmt_t device_t:dir { getattr search read }; >dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr; >dontaudit ipsec_mgmt_t devpts_t:dir getattr; >allow ipsec_mgmt_t etc_t:lnk_file read; >allow ipsec_mgmt_t var_t:dir { search }; >allow ipsec_mgmt_t sbin_t:dir { search }; >allow ipsec_mgmt_t bin_t:dir { search }; >allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read }; > ># Startup scripts ># use libraries >uses_shlib({ ipsec_t ipsec_mgmt_t }) ># Read and write /dev/tty >allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms; ># fork >allow ipsec_mgmt_t self:process fork; ># startup script runs /bin/gawk with a pipe >allow ipsec_mgmt_t self:fifo_file rw_file_perms; ># read /etc/mtab Why? >allow ipsec_mgmt_t etc_runtime_t:file { read getattr }; ># read link for /bin/sh >allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read; > ># >allow ipsec_mgmt_t self:process { sigchld signal }; > ># Allow read/write access to /var/run/pluto.ctl >allow ipsec_t ipsec_t:unix_stream_socket {create setopt bind listen accept read write }; > ># Pluto needs network access >can_network(ipsec_t) >allow ipsec_t ipsec_t:unix_dgram_socket { create connect write }; > ># for sleep >allow ipsec_mgmt_t fs_t:filesystem getattr; > ># for the start script >can_exec(ipsec_mgmt_t, etc_t) > ># allow access to /etc/localtime >allow ipsec_mgmt_t etc_t:file { read getattr }; >allow ipsec_t etc_t:file { read getattr }; > ># allow access to /dev/null >allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms; >allow ipsec_t null_device_t:chr_file rw_file_perms; > ># Allow scripts to use /var/locl/subsys/ipsec >allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms; >allow ipsec_mgmt_t var_lock_t:file create_file_perms; > ># allow tncfg to create sockets >allow ipsec_mgmt_t ipsec_mgmt_t:udp_socket { create ioctl }; > >#When running ipsec auto --up <conname> >allow ipsec_t self:process { fork sigchld }; >allow ipsec_t self:fifo_file { read getattr }; > ># ideally it would not need this. It wants to write to /root/.rnd >file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) > >allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl }; >allow ipsec_t initrc_devpts_t:chr_file { getattr read write }; >allow ipsec_mgmt_t self:lnk_file read; > ># sysadm can use ipsec tools >role sysadm_r types ipsec_t; >domain_auto_trans( sysadm_t, ipsec_exec_t, ipsec_t)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=34858">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 56204
:
34857
|
34858
|
34859
