1ipsec_mgmt_selinux(8)      SELinux Policy ipsec_mgmt     ipsec_mgmt_selinux(8)
2
3
4

NAME

6       ipsec_mgmt_selinux  - Security Enhanced Linux Policy for the ipsec_mgmt
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the ipsec_mgmt processes  via  flexible
11       mandatory access control.
12
13       The  ipsec_mgmt  processes  execute with the ipsec_mgmt_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep ipsec_mgmt_t
20
21
22

ENTRYPOINTS

24       The  ipsec_mgmt_t  SELinux  type  can  be entered via the shell_exec_t,
25       ipsec_mgmt_exec_t file types.
26
27       The default entrypoint paths for the ipsec_mgmt_t domain are  the  fol‐
28       lowing:
29
30       /bin/d?ash,  /bin/ksh.*,  /bin/zsh.*,  /usr/bin/d?ash,  /usr/bin/ksh.*,
31       /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish,  /bin/mksh,  /bin/sash,
32       /bin/tcsh,    /bin/yash,   /bin/bash2,   /usr/bin/esh,   /sbin/nologin,
33       /usr/bin/bash,     /usr/bin/fish,     /usr/bin/mksh,     /usr/bin/sash,
34       /usr/bin/tcsh,     /usr/bin/yash,    /usr/bin/bash2,    /usr/sbin/sesh,
35       /usr/sbin/smrsh, /usr/bin/scponly,  /usr/libexec/sesh,  /usr/sbin/nolo‐
36       gin,  /usr/bin/git-shell,  /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,
37       /usr/bin/cockpit-bridge, /usr/libexec/cockpit-agent,  /usr/libexec/git-
38       core/git-shell,           /usr/sbin/ipsec,           /usr/sbin/swanctl,
39       /usr/sbin/strongimcv,  /usr/sbin/strongswan,  /usr/lib/ipsec/_plutorun,
40       /usr/lib/ipsec/_plutoload,                /usr/libexec/ipsec/_plutorun,
41       /usr/libexec/ipsec/_plutoload,        /usr/libexec/nm-openswan-service,
42       /usr/libexec/nm-libreswan-service
43

PROCESS TYPES

45       SELinux defines process types (domains) for each process running on the
46       system
47
48       You can see the context of a process using the -Z option to ps
49
50       Policy governs the access confined processes have  to  files.   SELinux
51       ipsec_mgmt  policy  is  very  flexible  allowing  users  to setup their
52       ipsec_mgmt processes in as secure a method as possible.
53
54       The following process types are defined for ipsec_mgmt:
55
56       ipsec_mgmt_t
57
58       Note: semanage permissive -a ipsec_mgmt_t  can  be  used  to  make  the
59       process  type  ipsec_mgmt_t permissive. SELinux does not deny access to
60       permissive process types, but the AVC (SELinux  denials)  messages  are
61       still generated.
62
63

BOOLEANS

65       SELinux   policy  is  customizable  based  on  least  access  required.
66       ipsec_mgmt policy is extremely flexible and has several  booleans  that
67       allow you to manipulate the policy and run ipsec_mgmt with the tightest
68       access possible.
69
70
71
72       If you want to allow all domains to execute in fips_mode, you must turn
73       on the fips_mode boolean. Enabled by default.
74
75       setsebool -P fips_mode 1
76
77
78

MANAGED FILES

80       The SELinux process type ipsec_mgmt_t can manage files labeled with the
81       following file types.  The paths listed are the default paths for these
82       file types.  Note the processes UID still need to have DAC permissions.
83
84       ipsec_key_file_t
85
86            /etc/ipsec.d(/.*)?
87            /etc/racoon/certs(/.*)?
88            /etc/ipsec.secrets.*
89            /var/lib/ipsec/nss(/.*)?
90            /etc/strongswan/ipsec.d(/.*)?
91            /etc/strongswan/swanctl/rsa(/.*)?
92            /etc/strongswan/swanctl/pkcs.*
93            /etc/strongswan/swanctl/x509.*
94            /etc/strongswan/ipsec.secrets.*
95            /etc/strongswan/swanctl/ecdsa(/.*)?
96            /etc/strongswan/swanctl/bliss/(/.*)?
97            /etc/strongswan/swanctl/pubkey(/.*)?
98            /etc/strongswan/swanctl/private(/.*)?
99            /etc/racoon/psk.txt
100
101       ipsec_mgmt_lock_t
102
103            /var/lock/subsys/ipsec
104            /var/lock/subsys/strongswan
105
106       ipsec_mgmt_var_run_t
107
108            /var/run/pluto/ipsec.info
109            /var/run/pluto/ipsec_setup.pid
110
111       ipsec_tmp_t
112
113
114       ipsec_var_run_t
115
116            /var/racoon(/.*)?
117            /var/run/pluto(/.*)?
118            /var/run/charon.*
119            /var/run/strongswan(/.*)?
120            /var/run/racoon.pid
121            /var/run/charon.ctl
122            /var/run/charon.dck
123            /var/run/charon.vici
124
125       krb5_host_rcache_t
126
127            /var/tmp/krb5_0.rcache2
128            /var/cache/krb5rcache(/.*)?
129            /var/tmp/nfs_0
130            /var/tmp/DNS_25
131            /var/tmp/host_0
132            /var/tmp/imap_0
133            /var/tmp/HTTP_23
134            /var/tmp/HTTP_48
135            /var/tmp/ldap_55
136            /var/tmp/ldap_487
137            /var/tmp/ldapmap1_0
138
139       systemd_passwd_var_run_t
140
141            /var/run/systemd/ask-password(/.*)?
142            /var/run/systemd/ask-password-block(/.*)?
143
144

FILE CONTEXTS

146       SELinux requires files to have an extended attribute to define the file
147       type.
148
149       You can see the context of a file using the -Z option to ls
150
151       Policy governs the access  confined  processes  have  to  these  files.
152       SELinux  ipsec_mgmt  policy  is  very  flexible allowing users to setup
153       their ipsec_mgmt processes in as secure a method as possible.
154
155       STANDARD FILE CONTEXT
156
157       SELinux defines the file context  types  for  the  ipsec_mgmt,  if  you
158       wanted  to store files with these types in a diffent paths, you need to
159       execute the semanage command to sepecify alternate  labeling  and  then
160       use restorecon to put the labels on disk.
161
162       semanage  fcontext  -a  -t  ipsec_mgmt_devpts_t '/srv/myipsec_mgmt_con‐
163       tent(/.*)?'
164       restorecon -R -v /srv/myipsec_mgmt_content
165
166       Note: SELinux often uses regular expressions  to  specify  labels  that
167       match multiple files.
168
169       The following file types are defined for ipsec_mgmt:
170
171
172
173       ipsec_mgmt_devpts_t
174
175       - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
176       files as ipsec mgmt devpts data.
177
178
179
180       ipsec_mgmt_exec_t
181
182       - Set files with the ipsec_mgmt_exec_t type, if you want to  transition
183       an executable to the ipsec_mgmt_t domain.
184
185
186       Paths:
187            /usr/sbin/ipsec,      /usr/sbin/swanctl,     /usr/sbin/strongimcv,
188            /usr/sbin/strongswan,                    /usr/lib/ipsec/_plutorun,
189            /usr/lib/ipsec/_plutoload,           /usr/libexec/ipsec/_plutorun,
190            /usr/libexec/ipsec/_plutoload,   /usr/libexec/nm-openswan-service,
191            /usr/libexec/nm-libreswan-service
192
193
194       ipsec_mgmt_lock_t
195
196       -  Set  files with the ipsec_mgmt_lock_t type, if you want to treat the
197       files as ipsec mgmt lock data, stored under the /var/lock directory
198
199
200       Paths:
201            /var/lock/subsys/ipsec, /var/lock/subsys/strongswan
202
203
204       ipsec_mgmt_unit_file_t
205
206       - Set files with the ipsec_mgmt_unit_file_t type, if you want to  treat
207       the files as ipsec mgmt unit content.
208
209
210       Paths:
211            /usr/lib/systemd/system/ipsec.*,             /usr/lib/systemd/sys‐
212            tem/strongimcv.*,            /usr/lib/systemd/system/strongswan.*,
213            /usr/lib/systemd/system/strongswan-swanctl.*
214
215
216       ipsec_mgmt_var_run_t
217
218       -  Set  files  with the ipsec_mgmt_var_run_t type, if you want to store
219       the ipsec mgmt files under the /run or /var/run directory.
220
221
222       Paths:
223            /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid
224
225
226       Note: File context can be temporarily modified with the chcon  command.
227       If  you want to permanently change the file context you need to use the
228       semanage fcontext command.  This will modify the SELinux labeling data‐
229       base.  You will need to use restorecon to apply the labels.
230
231

COMMANDS

233       semanage  fcontext  can also be used to manipulate default file context
234       mappings.
235
236       semanage permissive can also be used to manipulate  whether  or  not  a
237       process type is permissive.
238
239       semanage  module can also be used to enable/disable/install/remove pol‐
240       icy modules.
241
242       semanage boolean can also be used to manipulate the booleans
243
244
245       system-config-selinux is a GUI tool available to customize SELinux pol‐
246       icy settings.
247
248

AUTHOR

250       This manual page was auto-generated using sepolicy manpage .
251
252

SEE ALSO

254       selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1), sepol‐
255       icy(8), setsebool(8)
256
257
258
259ipsec_mgmt                         21-06-09              ipsec_mgmt_selinux(8)
Impressum