ipsec_mgmt_selinux(8)      SELinux Policy ipsec_mgmt     ipsec_mgmt_selinux(8)

NAME

       ipsec_mgmt_selinux - Security Enhanced Linux Policy for the ipsec_mgmt
       processes


DESCRIPTION

       Security-Enhanced Linux confines the ipsec_mgmt processes via flexible
       mandatory access control.

       The ipsec_mgmt processes execute with the ipsec_mgmt_t SELinux type.
       You can check whether any such processes are running by executing the
       ps command with the -Z option, which prints the security context of
       each process alongside its usual fields.

       For example:

       ps -eZ | grep ipsec_mgmt_t



ENTRYPOINTS

       The ipsec_mgmt_t SELinux type can be entered via the shell_exec_t and
       ipsec_mgmt_exec_t file types. The shells appear in the list below
       because shell_exec_t is an entrypoint for this domain: the ipsec front
       end and the _pluto* helpers are shell scripts, so the interpreter that
       runs them must itself be an allowed entrypoint.

       The default entrypoint paths for the ipsec_mgmt_t domain are the
       following:

       /bin/d?ash, /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
       /bin/tcsh, /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin,
       /usr/bin/bash, /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/nologin,
       /usr/bin/git-shell, /usr/sbin/scponlyc, /usr/libexec/sudo/sesh,
       /usr/bin/cockpit-bridge, /usr/libexec/cockpit-agent,
       /usr/libexec/git-core/git-shell, /usr/sbin/ipsec, /usr/sbin/swanctl,
       /usr/sbin/strongimcv, /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun,
       /usr/sbin/charon-systemd, /usr/lib/ipsec/_plutoload,
       /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload,
       /usr/libexec/nm-openswan-service, /usr/libexec/nm-libreswan-service


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       ipsec_mgmt policy is very flexible, allowing users to set up their
       ipsec_mgmt processes in as secure a manner as possible.

       The following process types are defined for ipsec_mgmt:

       ipsec_mgmt_t

       Note: semanage permissive -a ipsec_mgmt_t can be used to make the
       process type ipsec_mgmt_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated, so the audit log shows exactly what enforcing mode
       would have blocked. Remove the exemption again with semanage permissive
       -d ipsec_mgmt_t once the policy has been fixed.


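       What the note above means in practice is that the audit log, not the
       application, tells you what the domain attempted. The following is an
       added example, not part of this generated page or of the ipsec policy
       itself: a POSIX shell function that summarizes AVC denial records whose
       source domain is ipsec_mgmt_t by permission, object class and target
       type, and reports whether each was blocked (permissive=0) or only
       logged (permissive=1). The audit lines embedded in it are constructed
       in the audit.log record format with invented pids, inodes and target
       types; on a real host feed the function the output of
       ausearch -m AVC -ts recent instead.

```shell
#!/bin/sh
# Added example (not part of the sepolicy-generated page): triage AVC denial
# records for one SELinux domain. AVC_SAMPLE is constructed test input in the
# real audit.log record format; pids, inodes, timestamps and target types are
# invented. The fourth record belongs to sshd_t and must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1590000000.101:301): avc:  denied  { read } for  pid=2201 comm="ipsec" name="ipsec.secrets" dev="dm-0" ino=41 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590000000.102:302): avc:  denied  { write } for  pid=2201 comm="ipsec" name="ipsec_setup.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1590000000.103:303): avc:  denied  { read } for  pid=2201 comm="ipsec" name="ipsec.secrets" dev="dm-0" ino=41 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590000000.104:304): avc:  denied  { name_bind } for  pid=3100 comm="sshd" src=22 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary DOMAIN: read AVC records on stdin, keep those whose source type
# is DOMAIN, and print one sorted line per distinct denial:
#   <count> <permission> <tclass> <target type> <permissive flag>
avc_summary() {
    awk -v dom="$1" '
        /^type=AVC / && / denied / {
            perm = ""; tclass = ""; ttype = ""; stype = ""; pmode = "0"
            # The permission set sits inside braces: { read } or { read write }
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # The type is the third colon-separated field of a context
                if (kv[1] == "scontext")        { split(kv[2], c, ":"); stype = c[3] }
                else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); ttype = c[3] }
                else if (kv[1] == "tclass")     tclass = kv[2]
                else if (kv[1] == "permissive") pmode = kv[2]
            }
            if (stype != dom) next
            count[perm " " tclass " " ttype " " pmode]++
        }
        END { for (k in count) print count[k], k }' | sort
}

# avc_enforced_count DOMAIN: how many of the summarized denials were actually
# blocked (permissive=0) rather than merely logged in permissive mode.
avc_enforced_count() {
    avc_summary "$1" | awk '$NF == "0" { n += $1 } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample. On a real host:
#   ausearch -m AVC -ts recent | avc_summary ipsec_mgmt_t
printf '%s\n' "$AVC_SAMPLE" | avc_summary ipsec_mgmt_t
# prints:
#   1 write file var_run_t 1
#   2 read file etc_t 0
printf '%s\n' "$AVC_SAMPLE" | avc_enforced_count ipsec_mgmt_t   # prints 2
```

       The read denial on a file labeled etc_t is the kind of result to act
       on by relabeling (the secrets file should carry ipsec_key_file_t, see
       MANAGED FILES) rather than by widening the policy; the write denial
       carries permissive=1, which is what the domain logs after semanage
       permissive -a has exempted it from enforcement.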

BOOLEANS

       SELinux policy is customizable based on least access required.
       ipsec_mgmt policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run ipsec_mgmt with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       The -P flag writes the value to the policy store so it survives a
       reboot; without it the change lasts only until the next policy reload.
       getsebool fips_mode shows the current value.



MANAGED FILES

       The SELinux process type ipsec_mgmt_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs the ordinary DAC
       (owner, group and mode) permissions; the SELinux policy only adds
       restrictions on top of them. Of the types below, ipsec_key_file_t
       covers the private keys and pre-shared secrets (ipsec.secrets,
       psk.txt, the swanctl private and rsa directories) and is therefore the
       one whose denials deserve the closest look before any access is
       granted.

       ipsec_key_file_t

            /etc/ipsec.d(/.*)?
            /etc/racoon/certs(/.*)?
            /etc/ipsec.secrets.*
            /etc/strongswan/ipsec.d(/.*)?
            /etc/strongswan/swanctl/rsa(/.*)?
            /etc/strongswan/swanctl/pkcs.*
            /etc/strongswan/swanctl/x509.*
            /etc/strongswan/ipsec.secrets.*
            /etc/strongswan/swanctl/ecdsa(/.*)?
            /etc/strongswan/swanctl/bliss/(/.*)?
            /etc/strongswan/swanctl/pubkey(/.*)?
            /etc/strongswan/swanctl/private(/.*)?
            /etc/racoon/psk.txt

       ipsec_mgmt_lock_t

            /var/lock/subsys/ipsec
            /var/lock/subsys/strongswan

       ipsec_mgmt_var_run_t

            /var/run/pluto/ipsec.info
            /var/run/pluto/ipsec_setup.pid

       ipsec_var_run_t

            /var/racoon(/.*)?
            /var/run/pluto(/.*)?
            /var/run/charon.*
            /var/run/strongswan(/.*)?
            /var/run/racoon.pid
            /var/run/charon.ctl
            /var/run/charon.dck
            /var/run/charon.vici

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux ipsec_mgmt policy is very flexible, allowing users to set up
       their ipsec_mgmt processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for ipsec_mgmt. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label a tree
       under /srv with one of the ipsec_mgmt types:

       semanage fcontext -a -t ipsec_mgmt_devpts_t '/srv/myipsec_mgmt_content(/.*)?'
       restorecon -R -v /srv/myipsec_mgmt_content

       Choose the type by the role the data plays rather than copying the
       placeholder above: ipsec_mgmt_devpts_t is the type for the domain's
       pseudo-terminal (devpts) devices, so key material kept outside
       /etc/ipsec.d belongs in ipsec_key_file_t and runtime state in
       ipsec_mgmt_var_run_t (see MANAGED FILES).

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for ipsec_mgmt:


       ipsec_mgmt_devpts_t

       - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
       files as ipsec mgmt devpts data.


       ipsec_mgmt_exec_t

       - Set files with the ipsec_mgmt_exec_t type, if you want to transition
       an executable to the ipsec_mgmt_t domain.

       Paths:
            /usr/sbin/ipsec, /usr/sbin/swanctl, /usr/sbin/strongimcv,
            /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun,
            /usr/sbin/charon-systemd, /usr/lib/ipsec/_plutoload,
            /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload,
            /usr/libexec/nm-openswan-service, /usr/libexec/nm-libreswan-service


       ipsec_mgmt_lock_t

       - Set files with the ipsec_mgmt_lock_t type, if you want to treat the
       files as ipsec mgmt lock data, stored under the /var/lock directory.

       Paths:
            /var/lock/subsys/ipsec, /var/lock/subsys/strongswan


       ipsec_mgmt_unit_file_t

       - Set files with the ipsec_mgmt_unit_file_t type, if you want to treat
       the files as ipsec mgmt unit content.

       Paths:
            /usr/lib/systemd/system/ipsec.*,
            /usr/lib/systemd/system/strongimcv.*,
            /usr/lib/systemd/system/strongswan.*,
            /usr/lib/systemd/system/strongswan-swanctl.*


       ipsec_mgmt_var_run_t

       - Set files with the ipsec_mgmt_var_run_t type, if you want to store
       the ipsec mgmt files under the /run or /var/run directory.

       Paths:
            /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid


       Note: File context can be temporarily modified with the chcon command;
       a label set that way is lost the next time restorecon or a full
       relabel runs. If you want to permanently change the file context you
       need to use the semanage fcontext command, which modifies the SELinux
       labeling database. You will then need to use restorecon to apply the
       labels to the files on disk.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



ipsec_mgmt                         20-05-05              ipsec_mgmt_selinux(8)