| # IKE key management daemon |
| type racoon, domain; |
| type racoon_exec, system_file_type, exec_type, file_type; |
| |
| typeattribute racoon mlstrustedsubject; |
| |
| net_domain(racoon) |
| allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK }; |
| |
| binder_use(racoon) |
| |
| allow racoon tun_device:chr_file r_file_perms; |
| allowxperm racoon tun_device:chr_file ioctl TUNSETIFF; |
| allow racoon cgroup:dir { add_name create }; |
| allow racoon cgroup_v2:dir { add_name create }; |
| allow racoon kernel:system module_request; |
| |
| allow racoon self:key_socket create_socket_perms_no_ioctl; |
| allow racoon self:tun_socket create_socket_perms_no_ioctl; |
| allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw }; |
| |
| # XXX: should we give ip-up-vpn its own label (currently racoon domain) |
| allow racoon system_file:file rx_file_perms; |
| not_full_treble(`allow racoon vendor_file:file rx_file_perms;') |
| allow racoon vpn_data_file:file create_file_perms; |
| allow racoon vpn_data_file:dir w_dir_perms; |
| |
| use_keystore(racoon) |
| |
| # Racoon (VPN) has a restricted set of permissions from the default. |
| allow racoon keystore:keystore_key { |
| get |
| sign |
| verify |
| }; |