Commit bfa785af authored by Nick Kralevich's avatar Nick Kralevich Committed by Gerrit Code Review

Merge "Make racoon permissive or unconfined."

parents 9f5241ea 97f7c827
# IKE key management daemon
type racoon, domain;
permissive_or_unconfined(racoon)
type racoon_exec, exec_type, file_type;
unconfined_domain(racoon)
init_daemon_domain(racoon)
typeattribute racoon mlstrustedsubject;
binder_call(racoon, servicemanager)
binder_call(racoon, keystore)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon port:udp_socket name_bind;
allow racoon node:udp_socket node_bind;
allow racoon self:{ key_socket udp_socket } create_socket_perms;
allow racoon self:tun_socket create;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
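Review bot: `permissive_or_unconfined(racoon)` near the top of the policy leaves the racoon domain unenforced, so the allow rules below it (including `self:capability { net_admin net_bind_service net_raw setuid }` and the UDP `name_bind`/`node_bind` rules) record intent but do not yet restrict a network-facing daemon. The rendered page has lost its +/- markers, so I cannot tell whether `unconfined_domain(racoon)` two lines later is removed or kept; if it is kept, the domain is unconfined however the macro expands, and that line should be dropped. I would add a comment above the macro call saying the state is temporary and what must happen before it goes, e.g. `# TODO: remove once racoon denials are audited and the domain can be enforcing.`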