1ipsec_selinux(8)             SELinux Policy ipsec             ipsec_selinux(8)
2
3
4

NAME

6       ipsec_selinux - Security Enhanced Linux Policy for the ipsec processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the ipsec processes via flexible manda‐
10       tory access control.
11
12       The ipsec processes execute with the  ipsec_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ipsec_t
19
20
21

ENTRYPOINTS

23       The ipsec_t SELinux type can be entered via the ipsec_exec_t file type.
24
25       The default entrypoint paths for the ipsec_t domain are the following:
26
27       /usr/libexec/strongimcv/.*,                 /usr/libexec/strongswan/.*,
28       /usr/lib/ipsec/spi,     /usr/lib/ipsec/pluto,    /usr/lib/ipsec/eroute,
29       /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klips‐
30       debug,      /usr/libexec/ipsec/eroute,      /usr/libexec/ipsec/addconn,
31       /usr/libexec/ipsec/klipsdebug
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       ipsec policy is very flexible allowing users to setup their ipsec  pro‐
41       cesses in as secure a method as possible.
42
43       The following process types are defined for ipsec:
44
45       ipsec_t, ipsec_mgmt_t
46
47       Note:  semanage  permissive  -a ipsec_t can be used to make the process
48       type ipsec_t permissive. SELinux does not  deny  access  to  permissive
49       process  types, but the AVC (SELinux denials) messages are still gener‐
50       ated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least access  required.   ipsec
55       policy is extremely flexible and has several booleans that allow you to
56       manipulate the policy and run ipsec with the tightest access possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Disabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux ipsec policy is very flexible allowing  users  to  setup  their
107       ipsec processes in as secure a method as possible.
108
109       The following port types are defined for ipsec:
110
111
112       ipsecnat_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 4500
118                 udp 4500
119

MANAGED FILES

121       The SELinux process type ipsec_t can manage files labeled with the fol‐
122       lowing file types.  The paths listed are the default  paths  for  these
123       file types.  Note the processes UID still need to have DAC permissions.
124
125       cluster_conf_t
126
127            /etc/cluster(/.*)?
128
129       cluster_var_lib_t
130
131            /var/lib/pcsd(/.*)?
132            /var/lib/cluster(/.*)?
133            /var/lib/openais(/.*)?
134            /var/lib/pengine(/.*)?
135            /var/lib/corosync(/.*)?
136            /usr/lib/heartbeat(/.*)?
137            /var/lib/heartbeat(/.*)?
138            /var/lib/pacemaker(/.*)?
139
140       cluster_var_run_t
141
142            /var/run/crm(/.*)?
143            /var/run/cman_.*
144            /var/run/rsctmp(/.*)?
145            /var/run/aisexec.*
146            /var/run/heartbeat(/.*)?
147            /var/run/corosync-qnetd(/.*)?
148            /var/run/corosync-qdevice(/.*)?
149            /var/run/corosync.pid
150            /var/run/cpglockd.pid
151            /var/run/rgmanager.pid
152            /var/run/cluster/rgmanager.sk
153
154       faillog_t
155
156            /var/log/btmp.*
157            /var/log/faillog.*
158            /var/log/tallylog.*
159            /var/run/faillock(/.*)?
160
161       ipsec_conf_file_t
162
163            /etc/racoon(/.*)?
164            /etc/strongimcv(/.*)?
165            /etc/strongswan(/.*)?
166            /etc/ipsec.conf
167            /etc/strongswan/ipsec.conf
168
169       ipsec_key_file_t
170
171            /etc/ipsec.d(/.*)?
172            /etc/racoon/certs(/.*)?
173            /etc/ipsec.secrets.*
174            /etc/strongswan/ipsec.d(/.*)?
175            /etc/strongswan/ipsec.secrets.*
176            /etc/racoon/psk.txt
177
178       ipsec_log_t
179
180            /var/log/pluto.log.*
181
182       ipsec_tmp_t
183
184
185       ipsec_var_run_t
186
187            /var/racoon(/.*)?
188            /var/run/pluto(/.*)?
189            /var/run/charon.*
190            /var/run/racoon.pid
191            /var/run/charon.ctl
192            /var/run/charon.vici
193
194       krb5_host_rcache_t
195
196            /var/cache/krb5rcache(/.*)?
197            /var/tmp/nfs_0
198            /var/tmp/DNS_25
199            /var/tmp/host_0
200            /var/tmp/imap_0
201            /var/tmp/HTTP_23
202            /var/tmp/HTTP_48
203            /var/tmp/ldap_55
204            /var/tmp/ldap_487
205            /var/tmp/ldapmap1_0
206
207       lastlog_t
208
209            /var/log/lastlog.*
210
211       named_cache_t
212
213            /var/named/data(/.*)?
214            /var/lib/softhsm(/.*)?
215            /var/lib/unbound(/.*)?
216            /var/named/slaves(/.*)?
217            /var/named/dynamic(/.*)?
218            /var/named/chroot/var/tmp(/.*)?
219            /var/named/chroot/var/named/data(/.*)?
220            /var/named/chroot/var/named/slaves(/.*)?
221            /var/named/chroot/var/named/dynamic(/.*)?
222
223       net_conf_t
224
225            /etc/hosts[^/]*
226            /etc/yp.conf.*
227            /etc/denyhosts.*
228            /etc/hosts.deny.*
229            /etc/resolv.conf.*
230            /etc/.resolv.conf.*
231            /etc/resolv-secure.conf.*
232            /var/run/cloud-init(/.*)?
233            /var/run/systemd/network(/.*)?
234            /etc/sysconfig/networking(/.*)?
235            /etc/sysconfig/network-scripts(/.*)?
236            /etc/sysconfig/network-scripts/.*resolv.conf
237            /var/run/NetworkManager/resolv.conf.*
238            /etc/ethers
239            /etc/ntp.conf
240            /var/run/systemd/resolve/resolv.conf
241            /var/run/systemd/resolve/stub-resolv.conf
242
243       root_t
244
245            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
246            /
247            /initrd
248
249       security_t
250
251            /selinux
252
253

FILE CONTEXTS

255       SELinux requires files to have an extended attribute to define the file
256       type.
257
258       You can see the context of a file using the -Z option to ls
259
260       Policy governs the access  confined  processes  have  to  these  files.
261       SELinux  ipsec  policy  is  very flexible allowing users to setup their
262       ipsec processes in as secure a method as possible.
263
264       EQUIVALENCE DIRECTORIES
265
266
267       ipsec policy stores data with multiple  different  file  context  types
268       under  the  /var/run/pluto  directory.   If you would like to store the
269       data in a different directory you can use the semanage command to  cre‐
270       ate an equivalence mapping.  If you wanted to store this data under the
271       /srv dirctory you would execute the following command:
272
273       semanage fcontext -a -e /var/run/pluto /srv/pluto
274       restorecon -R -v /srv/pluto
275
276       STANDARD FILE CONTEXT
277
278       SELinux defines the file context types for the ipsec, if you wanted  to
279       store  files  with  these types in a diffent paths, you need to execute
280       the semanage command  to  sepecify  alternate  labeling  and  then  use
281       restorecon to put the labels on disk.
282
283       semanage   fcontext   -a   -t   ipsec_mgmt_devpts_t  '/srv/myipsec_con‐
284       tent(/.*)?'
285       restorecon -R -v /srv/myipsec_content
286
287       Note: SELinux often uses regular expressions  to  specify  labels  that
288       match multiple files.
289
290       The following file types are defined for ipsec:
291
292
293
294       ipsec_conf_file_t
295
296       -  Set  files with the ipsec_conf_file_t type, if you want to treat the
297       files as ipsec conf content.
298
299
300       Paths:
301            /etc/racoon(/.*)?,  /etc/strongimcv(/.*)?,  /etc/strongswan(/.*)?,
302            /etc/ipsec.conf, /etc/strongswan/ipsec.conf
303
304
305       ipsec_exec_t
306
307       -  Set  files  with the ipsec_exec_t type, if you want to transition an
308       executable to the ipsec_t domain.
309
310
311       Paths:
312            /usr/libexec/strongimcv/.*,            /usr/libexec/strongswan/.*,
313            /usr/lib/ipsec/spi,  /usr/lib/ipsec/pluto,  /usr/lib/ipsec/eroute,
314            /usr/libexec/ipsec/spi,                  /usr/libexec/ipsec/pluto,
315            /usr/lib/ipsec/klipsdebug,              /usr/libexec/ipsec/eroute,
316            /usr/libexec/ipsec/addconn, /usr/libexec/ipsec/klipsdebug
317
318
319       ipsec_initrc_exec_t
320
321       - Set files with the ipsec_initrc_exec_t type, if you want  to  transi‐
322       tion an executable to the ipsec_initrc_t domain.
323
324
325       Paths:
326            /etc/rc.d/init.d/ipsec,                   /etc/rc.d/init.d/racoon,
327            /etc/rc.d/init.d/strongswan
328
329
330       ipsec_key_file_t
331
332       - Set files with the ipsec_key_file_t type, if you want  to  treat  the
333       files as ipsec key content.
334
335
336       Paths:
337            /etc/ipsec.d(/.*)?, /etc/racoon/certs(/.*)?, /etc/ipsec.secrets.*,
338            /etc/strongswan/ipsec.d(/.*)?,    /etc/strongswan/ipsec.secrets.*,
339            /etc/racoon/psk.txt
340
341
342       ipsec_log_t
343
344       - Set files with the ipsec_log_t type, if you want to treat the data as
345       ipsec log data, usually stored under the /var/log directory.
346
347
348
349       ipsec_mgmt_devpts_t
350
351       - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
352       files as ipsec mgmt devpts data.
353
354
355
356       ipsec_mgmt_exec_t
357
358       -  Set files with the ipsec_mgmt_exec_t type, if you want to transition
359       an executable to the ipsec_mgmt_t domain.
360
361
362       Paths:
363            /usr/sbin/ipsec,     /usr/sbin/swanctl,      /usr/sbin/strongimcv,
364            /usr/sbin/strongswan,                    /usr/lib/ipsec/_plutorun,
365            /usr/lib/ipsec/_plutoload,           /usr/libexec/ipsec/_plutorun,
366            /usr/libexec/ipsec/_plutoload,   /usr/libexec/nm-openswan-service,
367            /usr/libexec/nm-libreswan-service
368
369
370       ipsec_mgmt_lock_t
371
372       - Set files with the ipsec_mgmt_lock_t type, if you want to  treat  the
373       files as ipsec mgmt lock data, stored under the /var/lock directory
374
375
376       Paths:
377            /var/lock/subsys/ipsec, /var/lock/subsys/strongswan
378
379
380       ipsec_mgmt_unit_file_t
381
382       -  Set files with the ipsec_mgmt_unit_file_t type, if you want to treat
383       the files as ipsec mgmt unit content.
384
385
386       Paths:
387            /usr/lib/systemd/system/ipsec.*,             /usr/lib/systemd/sys‐
388            tem/strongimcv.*,            /usr/lib/systemd/system/strongswan.*,
389            /usr/lib/systemd/system/strongswan-swanctl.*
390
391
392       ipsec_mgmt_var_run_t
393
394       - Set files with the ipsec_mgmt_var_run_t type, if you  want  to  store
395       the ipsec mgmt files under the /run or /var/run directory.
396
397
398       Paths:
399            /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid
400
401
402       ipsec_tmp_t
403
404       -  Set files with the ipsec_tmp_t type, if you want to store ipsec tem‐
405       porary files in the /tmp directories.
406
407
408
409       ipsec_var_run_t
410
411       - Set files with the ipsec_var_run_t type, if you  want  to  store  the
412       ipsec files under the /run or /var/run directory.
413
414
415       Paths:
416            /var/racoon(/.*)?,     /var/run/pluto(/.*)?,    /var/run/charon.*,
417            /var/run/racoon.pid, /var/run/charon.ctl, /var/run/charon.vici
418
419
420       Note: File context can be temporarily modified with the chcon  command.
421       If  you want to permanently change the file context you need to use the
422       semanage fcontext command.  This will modify the SELinux labeling data‐
423       base.  You will need to use restorecon to apply the labels.
424
425

COMMANDS

427       semanage  fcontext  can also be used to manipulate default file context
428       mappings.
429
430       semanage permissive can also be used to manipulate  whether  or  not  a
431       process type is permissive.
432
433       semanage  module can also be used to enable/disable/install/remove pol‐
434       icy modules.
435
436       semanage port can also be used to manipulate the port definitions
437
438       semanage boolean can also be used to manipulate the booleans
439
440
441       system-config-selinux is a GUI tool available to customize SELinux pol‐
442       icy settings.
443
444

AUTHOR

446       This manual page was auto-generated using sepolicy manpage .
447
448

SEE ALSO

450       selinux(8),  ipsec(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
451       icy(8), setsebool(8), ipsec_mgmt_selinux(8), ipsec_mgmt_selinux(8)
452
453
454
455ipsec                              19-05-30                   ipsec_selinux(8)
Impressum