tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/racoon.te
Riley Spahn 1196d2a576 Adding policies for KeyStore MAC. 
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00

32 lines
874 B
Text
Raw Blame History

# IKE key management daemon
type racoon, domain;
type racoon_exec, exec_type, file_type;
init_daemon_domain(racoon)
typeattribute racoon mlstrustedsubject;
net_domain(racoon)
binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms;
allow racoon self:tun_socket create_socket_perms;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
get
sign
verify
};
Reference in a new issue View git blame Copy permalink