97f7c82703
Also add allow rules from our policy. Change-Id: Id480eb7c8cd4e5544a1ec46cb39a55abc653ddb9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
25 lines
865 B
Text
25 lines
865 B
Text
# IKE key management daemon
|
|
type racoon, domain;
|
|
permissive_or_unconfined(racoon)
|
|
type racoon_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(racoon)
|
|
typeattribute racoon mlstrustedsubject;
|
|
|
|
binder_call(racoon, servicemanager)
|
|
binder_call(racoon, keystore)
|
|
|
|
allow racoon tun_device:chr_file r_file_perms;
|
|
allow racoon cgroup:dir { add_name create };
|
|
allow racoon kernel:system module_request;
|
|
allow racoon port:udp_socket name_bind;
|
|
allow racoon node:udp_socket node_bind;
|
|
|
|
allow racoon self:{ key_socket udp_socket } create_socket_perms;
|
|
allow racoon self:tun_socket create;
|
|
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
|
|
|
|
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
|
|
allow racoon system_file:file rx_file_perms;
|
|
allow racoon vpn_data_file:file create_file_perms;
|
|
allow racoon vpn_data_file:dir w_dir_perms;
|