From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A8463138BED for ; Wed, 14 Oct 2015 18:36:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C6148E080D; Wed, 14 Oct 2015 18:36:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0BF0EE080D for ; Wed, 14 Oct 2015 18:36:27 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 07E11340AA9 for ; Wed, 14 Oct 2015 18:36:27 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B4BB710B1 for ; Wed, 14 Oct 2015 18:36:24 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1444746101.5522373aa919d8f9ee0e1937e9f031ad35c07c4a.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/ipsec.fc policy/modules/system/ipsec.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 5522373aa919d8f9ee0e1937e9f031ad35c07c4a X-VCS-Branch: next Date: Wed, 14 Oct 2015 18:36:24 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4a64ebf3-3f50-4634-9ec2-5880a373cb13 X-Archives-Hash: dceafe130350a1f52f9fd13d8b0910f5 commit: 5522373aa919d8f9ee0e1937e9f031ad35c07c4a Author: Jason Zaman perfinion com> AuthorDate: Sun Oct 11 10:37:56 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Oct 13 14:21:41 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5522373a system/ipsec: Add policy for StrongSwan Adds an ipsec_supervisor_t domain for StrongSwan's starter. Thanks to Matthias Dahl for most of the work on this. policy/modules/system/ipsec.fc | 17 ++++++++++++ policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 75 insertions(+), 3 deletions(-) diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 0f1e351..d42b08e 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -10,6 +10,14 @@ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -19,17 +27,25 @@ /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0) +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -39,5 +55,6 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 3734bd4..2d8b686 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -67,19 +67,25 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; +type ipsec_supervisor_t; +type ipsec_supervisor_exec_t; +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t); +role system_r types ipsec_supervisor_t; + ######################################## # # ipsec Local policy # -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice }; dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; -allow ipsec_t self:fifo_file read_fifo_file_perms; +allow ipsec_t self:fifo_file rw_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) -kernel_read_net_sysctls(ipsec_t) +kernel_rw_net_sysctls(ipsec_t); kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t); kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -444,6 +453,52 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +######################################## +# +# ipsec_supervisor policy +# + +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin }; +allow ipsec_supervisor_t self:process { signal }; +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms; +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms; + +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t); + +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t) + +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto }; +allow ipsec_supervisor_t ipsec_t:process { signal }; + +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink }; +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file }) + +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t); + +kernel_read_network_state(ipsec_supervisor_t) +kernel_read_system_state(ipsec_supervisor_t) +kernel_rw_net_sysctls(ipsec_supervisor_t); + +corecmd_exec_bin(ipsec_supervisor_t); +corecmd_exec_shell(ipsec_supervisor_t) + +dev_read_rand(ipsec_supervisor_t); +dev_read_urand(ipsec_supervisor_t); + +files_read_etc_files(ipsec_supervisor_t); + +logging_send_syslog_msg(ipsec_supervisor_t); + +miscfiles_read_localization(ipsec_supervisor_t); + +optional_policy(` + modutils_domtrans_insmod(ipsec_supervisor_t) +') + ifdef(`distro_gentoo',` ################################################ # From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9F896138BEF for ; Tue, 13 Oct 2015 14:51:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ECBF0E07C7; Tue, 13 Oct 2015 14:51:00 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 713E1E07C7 for ; Tue, 13 Oct 2015 14:50:59 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 28FD8340906 for ; Tue, 13 Oct 2015 14:50:58 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id BE4B51049 for ; Tue, 13 Oct 2015 14:50:55 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1444746101.5522373aa919d8f9ee0e1937e9f031ad35c07c4a.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/ipsec.fc policy/modules/system/ipsec.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 5522373aa919d8f9ee0e1937e9f031ad35c07c4a X-VCS-Branch: master Date: Tue, 13 Oct 2015 14:50:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6f422773-26d7-43d5-b1be-0b6e4628f4f4 X-Archives-Hash: 6e9ef7b85f0e6563caf5d9f937a2b4ce Message-ID: <20151013145055.-6eM-aZGJOm-TdaJkumGbDAhxfiIOsRW41S0Ln8A6BE@z> commit: 5522373aa919d8f9ee0e1937e9f031ad35c07c4a Author: Jason Zaman perfinion com> AuthorDate: Sun Oct 11 10:37:56 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Oct 13 14:21:41 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5522373a system/ipsec: Add policy for StrongSwan Adds an ipsec_supervisor_t domain for StrongSwan's starter. Thanks to Matthias Dahl for most of the work on this. policy/modules/system/ipsec.fc | 17 ++++++++++++ policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 75 insertions(+), 3 deletions(-) diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 0f1e351..d42b08e 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -10,6 +10,14 @@ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + +/etc/strongswan\.d(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + +/etc/swanctl/(.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) /usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -19,17 +27,25 @@ /usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/_copyright -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/ipsec/_updown -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/charon -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/lookip -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/scepclient -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0) +/usr/libexec/ipsec/stroke -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -39,5 +55,6 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.(.*)? -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 3734bd4..2d8b686 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -67,19 +67,25 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; +type ipsec_supervisor_t; +type ipsec_supervisor_exec_t; +init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t); +role system_r types ipsec_supervisor_t; + ######################################## # # ipsec Local policy # -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice }; dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; -allow ipsec_t self:fifo_file read_fifo_file_perms; +allow ipsec_t self:fifo_file rw_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; +allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; @@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) -kernel_read_net_sysctls(ipsec_t) +kernel_rw_net_sysctls(ipsec_t); kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull }; + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t); kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -444,6 +453,52 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +######################################## +# +# ipsec_supervisor policy +# + +allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin }; +allow ipsec_supervisor_t self:process { signal }; +allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; +allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms; +allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms; + +allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t); + +manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t) + +allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto }; +allow ipsec_supervisor_t ipsec_t:process { signal }; + +allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink }; +manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) +manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t) +files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file }) + +domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t); + +kernel_read_network_state(ipsec_supervisor_t) +kernel_read_system_state(ipsec_supervisor_t) +kernel_rw_net_sysctls(ipsec_supervisor_t); + +corecmd_exec_bin(ipsec_supervisor_t); +corecmd_exec_shell(ipsec_supervisor_t) + +dev_read_rand(ipsec_supervisor_t); +dev_read_urand(ipsec_supervisor_t); + +files_read_etc_files(ipsec_supervisor_t); + +logging_send_syslog_msg(ipsec_supervisor_t); + +miscfiles_read_localization(ipsec_supervisor_t); + +optional_policy(` + modutils_domtrans_insmod(ipsec_supervisor_t) +') + ifdef(`distro_gentoo',` ################################################ #