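--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
 dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
 allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
+allow ipsec_mgmt_t self:socket { bind create read write };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
 
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
 
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
 corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
 
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)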
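Review bot: The `allow ipsec_mgmt_t var_run_t:sock_file { write unlink };` added in the second hunk grants write and unlink on every generic-labelled socket file under /run, not only ipsec's own, and the comment `# temporary fix until the rules above work` does not say which rules or which denial it works around. The two transitions directly above it, `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)` and `filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)`, only cover the `file` class, so a socket the domain creates under /run presumably stays labelled var_run_t, which would be why the blanket rule is needed. Extending both to `{ file sock_file }` (e.g. `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file sock_file })`) should label the socket ipsec_mgmt_var_run_t and allow the var_run_t grant to be dropped; if it has to stay, the comment should name the daemon, the denial and a tracking reference so it is not forgotten. The generic `self:socket { bind create read write }` in the first hunk is similarly broad, since `socket` is the fallback class for address families without a dedicated class, and deserves a comment naming the socket family that actually needs it.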