ipsec_mgmt_selinux(8)      SELinux Policy ipsec_mgmt     ipsec_mgmt_selinux(8)



NAME

       ipsec_mgmt_selinux - Security Enhanced Linux Policy for the ipsec_mgmt
       processes


DESCRIPTION

       Security-Enhanced Linux secures the ipsec_mgmt processes via flexible
       mandatory access control.

       The ipsec_mgmt processes execute with the ipsec_mgmt_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep ipsec_mgmt_t


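       The ps -eZ check above greps for the domain name anywhere in the line.
       The following script is an added example (not part of the generated
       manual page and not sepolicy or libselinux code) that parses ps -eZ
       output into its context fields and matches the type field exactly, so
       that a grep for ipsec_mgmt does not also pick up ipsec_mgmt_t and
       similarly named domains by accident. The ps output embedded in it is
       constructed for the example, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ps -eZ` output; these rows are made up for the
# example and were not captured from a real host.
SAMPLE_PS_EZ = """\
LABEL                                           PID TTY          TIME CMD
system_u:system_r:init_t:s0                       1 ?        00:00:03 systemd
system_u:system_r:ipsec_mgmt_t:s0              1187 ?        00:00:00 _plutorun
system_u:system_r:ipsec_t:s0                   1190 ?        00:00:01 pluto
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2203 pts/0 00:00:00 bash
"""


@dataclass
class Proc:
    user: str   # SELinux user, e.g. system_u
    role: str   # SELinux role, e.g. system_r
    type: str   # process type (domain), e.g. ipsec_mgmt_t
    level: str  # MLS/MCS range, e.g. s0 or s0-s0:c0.c1023
    pid: int
    cmd: str


# One ps -eZ row: context, PID, TTY, TIME, then the command (may contain spaces).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")


def parse_context(ctx: str) -> List[str]:
    """Split user:role:type:level. The level itself may contain ':' (MCS
    categories), so only the first three separators are significant."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full SELinux context: {ctx!r}")
    return parts


def parse_ps_ez(text: str) -> List[Proc]:
    """Parse `ps -eZ` output into Proc records, skipping the header line."""
    procs = []
    for line in text.splitlines():
        if not line or line.startswith("LABEL"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # ignore rows that do not look like ps output
        ctx, pid, _tty, _time, cmd = m.groups()
        user, role, typ, level = parse_context(ctx)
        procs.append(Proc(user, role, typ, level, int(pid), cmd))
    return procs


def processes_in_domain(text: str, domain: str) -> List[Proc]:
    """Equivalent of `ps -eZ | grep <domain>`, but matching the type field
    exactly instead of searching for the string anywhere in the row."""
    return [p for p in parse_ps_ez(text) if p.type == domain]


if __name__ == "__main__":
    for p in processes_in_domain(SAMPLE_PS_EZ, "ipsec_mgmt_t"):
        print(f"{p.pid:>6} {p.type:<16} {p.cmd}")
```

       To run it against a live system, replace SAMPLE_PS_EZ with the output of
       subprocess.run(["ps", "-eZ"], capture_output=True, text=True).stdout.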

ENTRYPOINTS

       The ipsec_mgmt_t SELinux type can be entered via the ipsec_mgmt_exec_t,
       shell_exec_t file types.

       The default entrypoint paths for the ipsec_mgmt_t domain are the
       following:

       /usr/sbin/ipsec, /usr/sbin/swanctl, /usr/sbin/strongimcv,
       /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload,
       /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload,
       /usr/libexec/nm-openswan-service, /usr/libexec/nm-libreswan-service,
       /bin/d?ash, /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
       /bin/tcsh, /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin,
       /usr/bin/bash, /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/nologin,
       /usr/bin/git-shell, /usr/sbin/scponlyc, /usr/libexec/sudo/sesh,
       /usr/bin/cockpit-bridge, /usr/libexec/cockpit-agent,
       /usr/libexec/git-core/git-shell


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       ipsec_mgmt policy is very flexible, allowing users to set up their
       ipsec_mgmt processes in as secure a manner as possible.

       The following process types are defined for ipsec_mgmt:

       ipsec_mgmt_t

       Note: semanage permissive -a ipsec_mgmt_t can be used to make the
       process type ipsec_mgmt_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.



BOOLEANS

       SELinux policy is customizable based on least access required.
       ipsec_mgmt policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run ipsec_mgmt with the tightest
       access possible.


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



MANAGED FILES

       The SELinux process type ipsec_mgmt_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       ipsec_key_file_t

            /etc/ipsec.d(/.*)?
            /etc/racoon/certs(/.*)?
            /etc/ipsec.secrets.*
            /var/lib/ipsec/nss(/.*)?
            /etc/strongswan/ipsec.d(/.*)?
            /etc/strongswan/swanctl/rsa(/.*)?
            /etc/strongswan/swanctl/pkcs.*
            /etc/strongswan/swanctl/x509.*
            /etc/strongswan/ipsec.secrets.*
            /etc/strongswan/swanctl/ecdsa(/.*)?
            /etc/strongswan/swanctl/bliss/(/.*)?
            /etc/strongswan/swanctl/pubkey(/.*)?
            /etc/strongswan/swanctl/private(/.*)?
            /etc/racoon/psk.txt

       ipsec_mgmt_lock_t

            /var/lock/subsys/ipsec
            /var/lock/subsys/strongswan

       ipsec_mgmt_var_run_t

            /var/run/pluto/ipsec.info
            /var/run/pluto/ipsec_setup.pid

       ipsec_var_run_t

            /var/racoon(/.*)?
            /var/run/pluto(/.*)?
            /var/run/charon.*
            /var/run/strongswan(/.*)?
            /var/run/racoon.pid
            /var/run/charon.ctl
            /var/run/charon.dck
            /var/run/charon.vici

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux ipsec_mgmt policy is very flexible, allowing users to set up
       their ipsec_mgmt processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for ipsec_mgmt. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t ipsec_mgmt_devpts_t '/srv/myipsec_mgmt_content(/.*)?'
       restorecon -R -v /srv/myipsec_mgmt_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for ipsec_mgmt:


       ipsec_mgmt_devpts_t

       - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
       files as ipsec mgmt devpts data.


       ipsec_mgmt_exec_t

       - Set files with the ipsec_mgmt_exec_t type, if you want to transition
       an executable to the ipsec_mgmt_t domain.


       Paths:
            /usr/sbin/ipsec, /usr/sbin/swanctl, /usr/sbin/strongimcv,
            /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun,
            /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun,
            /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service,
            /usr/libexec/nm-libreswan-service


       ipsec_mgmt_lock_t

       - Set files with the ipsec_mgmt_lock_t type, if you want to treat the
       files as ipsec mgmt lock data, stored under the /var/lock directory.


       Paths:
            /var/lock/subsys/ipsec, /var/lock/subsys/strongswan


       ipsec_mgmt_unit_file_t

       - Set files with the ipsec_mgmt_unit_file_t type, if you want to treat
       the files as ipsec mgmt unit content.


       Paths:
            /usr/lib/systemd/system/ipsec.*,
            /usr/lib/systemd/system/strongimcv.*,
            /usr/lib/systemd/system/strongswan.*,
            /usr/lib/systemd/system/strongswan-swanctl.*


       ipsec_mgmt_var_run_t

       - Set files with the ipsec_mgmt_var_run_t type, if you want to store
       the ipsec mgmt files under the /run or /var/run directory.


       Paths:
            /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


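       The MANAGED FILES list above and the semanage fcontext / restorecon
       procedure both rely on file-context patterns being regular expressions
       that are matched against the whole path. The following script is an
       added example (not part of the generated manual page and not sepolicy or
       libselinux code) that models that lookup on a constructed subset of the
       entries listed on this page: it reports the type policy expects for a
       path, models what a semanage fcontext -a addition does to the lookup, and
       diffs a constructed set of on-disk labels (as ls -Z would show them)
       against policy to show what restorecon would relabel. It assumes, as
       libselinux does for file_contexts, that when several entries match the
       last matching entry wins; on a real system matchpathcon(8) and
       restorecon -n -v give the authoritative answer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the file-context entries listed on this page, as
# (pattern, file type). Order matters: later entries take precedence, which is
# why the specific /var/run/pluto/* entries follow the broad /var/run/pluto one.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    ("/etc/ipsec.d(/.*)?", "ipsec_key_file_t"),
    ("/etc/ipsec.secrets.*", "ipsec_key_file_t"),
    ("/etc/strongswan/swanctl/pkcs.*", "ipsec_key_file_t"),
    ("/etc/strongswan/swanctl/private(/.*)?", "ipsec_key_file_t"),
    ("/var/lock/subsys/ipsec", "ipsec_mgmt_lock_t"),
    ("/var/run/pluto(/.*)?", "ipsec_var_run_t"),
    ("/var/run/pluto/ipsec.info", "ipsec_mgmt_var_run_t"),
    ("/var/run/pluto/ipsec_setup.pid", "ipsec_mgmt_var_run_t"),
    ("/usr/sbin/ipsec", "ipsec_mgmt_exec_t"),
    ("/usr/lib/systemd/system/strongswan.*", "ipsec_mgmt_unit_file_t"),
]


def compile_contexts(entries):
    # file_contexts patterns apply to the whole path, so they are used with
    # fullmatch() below rather than search().
    return [(re.compile(pattern), ftype) for pattern, ftype in entries]


def expected_type(path: str, entries=FILE_CONTEXTS) -> Optional[str]:
    """Return the file type policy assigns to `path`, or None if no entry
    matches. Assumption (modelled on libselinux): the last matching entry wins,
    so specific entries listed after broad ones override them, and local
    entries added with `semanage fcontext -a` override the distribution's."""
    winner = None
    for rx, ftype in compile_contexts(entries):
        if rx.fullmatch(path):
            winner = ftype
    return winner


def with_local_rule(entries, pattern: str, ftype: str):
    """Model `semanage fcontext -a -t <ftype> '<pattern>'`: the rule is
    appended, so it overrides any earlier entry matching the same path."""
    return list(entries) + [(pattern, ftype)]


def relabel_plan(observed: Dict[str, str], entries=FILE_CONTEXTS):
    """Compare on-disk types (as `ls -Z` would show them) with what policy
    expects; the result is the list of changes `restorecon -v` would make.
    Paths that match no entry are left alone, as restorecon leaves them."""
    plan = []
    for path, current in sorted(observed.items()):
        wanted = expected_type(path, entries)
        if wanted is not None and wanted != current:
            plan.append((path, current, wanted))
    return plan


# Constructed on-disk labels, as if read from `ls -Z`; not from a real host.
OBSERVED = {
    "/etc/ipsec.d/private/hostkey.pem": "etc_t",       # moved in with mv, kept its old label
    "/etc/ipsec.secrets": "ipsec_key_file_t",          # correct
    "/var/run/pluto/ipsec.info": "ipsec_var_run_t",    # broad label; policy wants the specific one
    "/var/run/pluto/pluto.pid": "ipsec_var_run_t",     # correct
    "/home/admin/ipsec.secrets": "user_home_t",        # no policy entry: left alone
}

if __name__ == "__main__":
    for path, current, wanted in relabel_plan(OBSERVED):
        print(f"relabel {path}: {current} -> {wanted}")
```

       The hostkey.pem case is the one to remember: a file moved into
       /etc/ipsec.d with mv keeps the label it had, so the ipsec_mgmt_t domain
       cannot read it until restorecon applies the ipsec_key_file_t label that
       the pattern list assigns to the directory tree.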

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



ipsec_mgmt                         21-03-26              ipsec_mgmt_selinux(8)