platform_system_sepolicy/racoon.te
Nick Kralevich 2c1094058c racoon.te: Remove allow racoon toolbox_exec:file rx_file_perms;
auditallow says never used.

Change-Id: I789f32bd7d2bbfc583a12bf8a05662e812f09a38
2016-01-14 21:30:32 -08:00

32 lines
893 B
Text

# IKE key management daemon
type racoon, domain, domain_deprecated;
type racoon_exec, exec_type, file_type;
init_daemon_domain(racoon)
typeattribute racoon mlstrustedsubject;
net_domain(racoon)
binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms;
allow racoon self:tun_socket create_socket_perms;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
get
sign
verify
};