1ipsec_selinux(8) SELinux Policy ipsec ipsec_selinux(8)
2
3
4
6 ipsec_selinux - Security Enhanced Linux Policy for the ipsec processes
7
9 Security-Enhanced Linux secures the ipsec processes via flexible manda‐
10 tory access control.
11
12 The ipsec processes execute with the ipsec_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep ipsec_t
19
20
21
23 The ipsec_t SELinux type can be entered via the ipsec_exec_t file type.
24
25 The default entrypoint paths for the ipsec_t domain are the following:
26
27 /usr/libexec/strongimcv/.*, /usr/libexec/strongswan/.*,
28 /usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute,
29 /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klips‐
30 debug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/addconn,
31 /usr/libexec/ipsec/klipsdebug
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 ipsec policy is very flexible allowing users to setup their ipsec pro‐
41 cesses in as secure a method as possible.
42
43 The following process types are defined for ipsec:
44
45 ipsec_t, ipsec_mgmt_t
46
47 Note: semanage permissive -a ipsec_t can be used to make the process
48 type ipsec_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
52
54 SELinux policy is customizable based on least access required. ipsec
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run ipsec with the tightest access possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Disabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 SELinux defines port types to represent TCP and UDP ports.
98
99 You can see the types associated with a port by using the following
100 command:
101
102 semanage port -l
103
104
105 Policy governs the access confined processes have to these ports.
106 SELinux ipsec policy is very flexible allowing users to setup their
107 ipsec processes in as secure a method as possible.
108
109 The following port types are defined for ipsec:
110
111
112 ipsecnat_port_t
113
114
115
116 Default Defined Ports:
117 tcp 4500
118 udp 4500
119
121 The SELinux process type ipsec_t can manage files labeled with the fol‐
122 lowing file types. The paths listed are the default paths for these
123 file types. Note the processes UID still need to have DAC permissions.
124
125 cluster_conf_t
126
127 /etc/cluster(/.*)?
128
129 cluster_var_lib_t
130
131 /var/lib/pcsd(/.*)?
132 /var/lib/cluster(/.*)?
133 /var/lib/openais(/.*)?
134 /var/lib/pengine(/.*)?
135 /var/lib/corosync(/.*)?
136 /usr/lib/heartbeat(/.*)?
137 /var/lib/heartbeat(/.*)?
138 /var/lib/pacemaker(/.*)?
139
140 cluster_var_run_t
141
142 /var/run/crm(/.*)?
143 /var/run/cman_.*
144 /var/run/rsctmp(/.*)?
145 /var/run/aisexec.*
146 /var/run/heartbeat(/.*)?
147 /var/run/corosync-qnetd(/.*)?
148 /var/run/corosync-qdevice(/.*)?
149 /var/run/corosync.pid
150 /var/run/cpglockd.pid
151 /var/run/rgmanager.pid
152 /var/run/cluster/rgmanager.sk
153
154 faillog_t
155
156 /var/log/btmp.*
157 /var/log/faillog.*
158 /var/log/tallylog.*
159 /var/run/faillock(/.*)?
160
161 ipsec_conf_file_t
162
163 /etc/racoon(/.*)?
164 /etc/strongimcv(/.*)?
165 /etc/strongswan(/.*)?
166 /etc/ipsec.conf
167 /etc/strongswan/ipsec.conf
168
169 ipsec_key_file_t
170
171 /etc/ipsec.d(/.*)?
172 /etc/racoon/certs(/.*)?
173 /etc/ipsec.secrets.*
174 /etc/strongswan/ipsec.d(/.*)?
175 /etc/strongswan/ipsec.secrets.*
176 /etc/racoon/psk.txt
177
178 ipsec_log_t
179
180 /var/log/pluto.log.*
181
182 ipsec_tmp_t
183
184
185 ipsec_var_run_t
186
187 /var/racoon(/.*)?
188 /var/run/pluto(/.*)?
189 /var/run/charon.*
190 /var/run/racoon.pid
191 /var/run/charon.ctl
192 /var/run/charon.dck
193 /var/run/charon.vici
194
195 krb5_host_rcache_t
196
197 /var/cache/krb5rcache(/.*)?
198 /var/tmp/nfs_0
199 /var/tmp/DNS_25
200 /var/tmp/host_0
201 /var/tmp/imap_0
202 /var/tmp/HTTP_23
203 /var/tmp/HTTP_48
204 /var/tmp/ldap_55
205 /var/tmp/ldap_487
206 /var/tmp/ldapmap1_0
207
208 lastlog_t
209
210 /var/log/lastlog.*
211
212 named_cache_t
213
214 /var/named/data(/.*)?
215 /var/lib/softhsm(/.*)?
216 /var/lib/unbound(/.*)?
217 /var/named/slaves(/.*)?
218 /var/named/dynamic(/.*)?
219 /var/named/chroot/var/tmp(/.*)?
220 /var/named/chroot/var/named/data(/.*)?
221 /var/named/chroot/var/named/slaves(/.*)?
222 /var/named/chroot/var/named/dynamic(/.*)?
223
224 net_conf_t
225
226 /etc/hosts[^/]*
227 /etc/yp.conf.*
228 /etc/denyhosts.*
229 /etc/hosts.deny.*
230 /etc/resolv.conf.*
231 /etc/.resolv.conf.*
232 /etc/resolv-secure.conf.*
233 /var/run/cloud-init(/.*)?
234 /var/run/systemd/network(/.*)?
235 /etc/sysconfig/networking(/.*)?
236 /etc/sysconfig/network-scripts(/.*)?
237 /etc/sysconfig/network-scripts/.*resolv.conf
238 /var/run/NetworkManager/resolv.conf.*
239 /etc/ethers
240 /etc/ntp.conf
241 /var/run/systemd/resolve/resolv.conf
242 /var/run/systemd/resolve/stub-resolv.conf
243
244 root_t
245
246 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
247 /
248 /initrd
249
250 security_t
251
252 /selinux
253
254
256 SELinux requires files to have an extended attribute to define the file
257 type.
258
259 You can see the context of a file using the -Z option to ls
260
261 Policy governs the access confined processes have to these files.
262 SELinux ipsec policy is very flexible allowing users to setup their
263 ipsec processes in as secure a method as possible.
264
265 EQUIVALENCE DIRECTORIES
266
267
268 ipsec policy stores data with multiple different file context types
269 under the /var/run/pluto directory. If you would like to store the
270 data in a different directory you can use the semanage command to cre‐
271 ate an equivalence mapping. If you wanted to store this data under the
272 /srv dirctory you would execute the following command:
273
274 semanage fcontext -a -e /var/run/pluto /srv/pluto
275 restorecon -R -v /srv/pluto
276
277 STANDARD FILE CONTEXT
278
279 SELinux defines the file context types for the ipsec, if you wanted to
280 store files with these types in a diffent paths, you need to execute
281 the semanage command to sepecify alternate labeling and then use
282 restorecon to put the labels on disk.
283
284 semanage fcontext -a -t ipsec_mgmt_devpts_t '/srv/myipsec_con‐
285 tent(/.*)?'
286 restorecon -R -v /srv/myipsec_content
287
288 Note: SELinux often uses regular expressions to specify labels that
289 match multiple files.
290
291 The following file types are defined for ipsec:
292
293
294
295 ipsec_conf_file_t
296
297 - Set files with the ipsec_conf_file_t type, if you want to treat the
298 files as ipsec conf content.
299
300
301 Paths:
302 /etc/racoon(/.*)?, /etc/strongimcv(/.*)?, /etc/strongswan(/.*)?,
303 /etc/ipsec.conf, /etc/strongswan/ipsec.conf
304
305
306 ipsec_exec_t
307
308 - Set files with the ipsec_exec_t type, if you want to transition an
309 executable to the ipsec_t domain.
310
311
312 Paths:
313 /usr/libexec/strongimcv/.*, /usr/libexec/strongswan/.*,
314 /usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute,
315 /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto,
316 /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute,
317 /usr/libexec/ipsec/addconn, /usr/libexec/ipsec/klipsdebug
318
319
320 ipsec_initrc_exec_t
321
322 - Set files with the ipsec_initrc_exec_t type, if you want to transi‐
323 tion an executable to the ipsec_initrc_t domain.
324
325
326 Paths:
327 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
328 /etc/rc.d/init.d/strongswan
329
330
331 ipsec_key_file_t
332
333 - Set files with the ipsec_key_file_t type, if you want to treat the
334 files as ipsec key content.
335
336
337 Paths:
338 /etc/ipsec.d(/.*)?, /etc/racoon/certs(/.*)?, /etc/ipsec.secrets.*,
339 /etc/strongswan/ipsec.d(/.*)?, /etc/strongswan/ipsec.secrets.*,
340 /etc/racoon/psk.txt
341
342
343 ipsec_log_t
344
345 - Set files with the ipsec_log_t type, if you want to treat the data as
346 ipsec log data, usually stored under the /var/log directory.
347
348
349
350 ipsec_mgmt_devpts_t
351
352 - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
353 files as ipsec mgmt devpts data.
354
355
356
357 ipsec_mgmt_exec_t
358
359 - Set files with the ipsec_mgmt_exec_t type, if you want to transition
360 an executable to the ipsec_mgmt_t domain.
361
362
363 Paths:
364 /usr/sbin/ipsec, /usr/sbin/swanctl, /usr/sbin/strongimcv,
365 /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun, /usr/sbin/charon-
366 systemd, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun,
367 /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service,
368 /usr/libexec/nm-libreswan-service
369
370
371 ipsec_mgmt_lock_t
372
373 - Set files with the ipsec_mgmt_lock_t type, if you want to treat the
374 files as ipsec mgmt lock data, stored under the /var/lock directory
375
376
377 Paths:
378 /var/lock/subsys/ipsec, /var/lock/subsys/strongswan
379
380
381 ipsec_mgmt_unit_file_t
382
383 - Set files with the ipsec_mgmt_unit_file_t type, if you want to treat
384 the files as ipsec mgmt unit content.
385
386
387 Paths:
388 /usr/lib/systemd/system/ipsec.*, /usr/lib/systemd/sys‐
389 tem/strongimcv.*, /usr/lib/systemd/system/strongswan.*,
390 /usr/lib/systemd/system/strongswan-swanctl.*
391
392
393 ipsec_mgmt_var_run_t
394
395 - Set files with the ipsec_mgmt_var_run_t type, if you want to store
396 the ipsec mgmt files under the /run or /var/run directory.
397
398
399 Paths:
400 /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid
401
402
403 ipsec_tmp_t
404
405 - Set files with the ipsec_tmp_t type, if you want to store ipsec tem‐
406 porary files in the /tmp directories.
407
408
409
410 ipsec_var_run_t
411
412 - Set files with the ipsec_var_run_t type, if you want to store the
413 ipsec files under the /run or /var/run directory.
414
415
416 Paths:
417 /var/racoon(/.*)?, /var/run/pluto(/.*)?, /var/run/charon.*,
418 /var/run/racoon.pid, /var/run/charon.ctl, /var/run/charon.dck,
419 /var/run/charon.vici
420
421
422 Note: File context can be temporarily modified with the chcon command.
423 If you want to permanently change the file context you need to use the
424 semanage fcontext command. This will modify the SELinux labeling data‐
425 base. You will need to use restorecon to apply the labels.
426
427
429 semanage fcontext can also be used to manipulate default file context
430 mappings.
431
432 semanage permissive can also be used to manipulate whether or not a
433 process type is permissive.
434
435 semanage module can also be used to enable/disable/install/remove pol‐
436 icy modules.
437
438 semanage port can also be used to manipulate the port definitions
439
440 semanage boolean can also be used to manipulate the booleans
441
442
443 system-config-selinux is a GUI tool available to customize SELinux pol‐
444 icy settings.
445
446
448 This manual page was auto-generated using sepolicy manpage .
449
450
452 selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1), sepol‐
453 icy(8), setsebool(8), ipsec_mgmt_selinux(8), ipsec_mgmt_selinux(8)
454
455
456
457ipsec 19-12-02 ipsec_selinux(8)