author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-01-07 09:21:18 -0500 |
committer | William Roberts <w.roberts@sta.samsung.com> | 2013-03-22 17:09:26 -0700 |
commit | 18b5f87ea18baaf7356a1f1729dc2737be3c141e (patch) | |
tree | 94dab2f065e2fe36b7712a2a4a17f63575048a2d /racoon.te | |
parent | dbb82fd8f063fdc5854f9d6359d2be0a570ad0cc (diff) | |
racoon policy.
Initial policy for racoon (IKE key management).
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
Diffstat (limited to 'racoon.te')
-rw-r--r-- | racoon.te | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/racoon.te b/racoon.te
new file mode 100644
index 0000000..9f556e0
--- /dev/null
+++ b/racoon.te
@@ -0,0 +1,25 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon ppp_system_file:file rx_file_perms;
+allow racoon ppp_system_file:dir search;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms; |
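Review bot: `typeattribute racoon mlstrustedsubject;` gives the daemon an MLS override with no comment saying why it is required, and the same is true of the `{ net_admin net_bind_service net_raw setuid }` capability set, so a maintainer later trimming this policy cannot tell which rules are load-bearing. A short justification above the typeattribute line, such as `# mlstrustedsubject: required because <REASON — fill in>`, would record it. The `# XXX` about ip-up-vpn is the more substantive gap: `ppp_system_file:file rx_file_perms` is granted with no domain transition, so that script runs with every permission in this file, including net_admin and the MLS override, and resolving the question (a dedicated domain entered via domain_auto_trans) rather than leaving it open would bound what a modified script could do.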