1ipsec_selinux(8) SELinux Policy ipsec ipsec_selinux(8)
2
3
4
6 ipsec_selinux - Security Enhanced Linux Policy for the ipsec processes
7
9 Security-Enhanced Linux secures the ipsec processes via flexible manda‐
10 tory access control.
11
12 The ipsec processes execute with the ipsec_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep ipsec_t
19
20
21
23 The ipsec_t SELinux type can be entered via the ipsec_exec_t file type.
24
25 The default entrypoint paths for the ipsec_t domain are the following:
26
27 /usr/libexec/strongimcv/.*, /usr/libexec/strongswan/.*,
28 /usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute,
29 /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/sbin/charon-sys‐
30 temd, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute,
31 /usr/libexec/ipsec/addconn, /usr/libexec/ipsec/klipsdebug
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 ipsec policy is very flexible allowing users to setup their ipsec pro‐
41 cesses in as secure a method as possible.
42
43 The following process types are defined for ipsec:
44
45 ipsec_t, ipsec_mgmt_t
46
47 Note: semanage permissive -a ipsec_t can be used to make the process
48 type ipsec_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
52
54 SELinux policy is customizable based on least access required. ipsec
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run ipsec with the tightest access possible.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
67 If you want to allow confined applications to run with kerberos, you
68 must turn on the kerberos_enabled boolean. Enabled by default.
69
70 setsebool -P kerberos_enabled 1
71
72
73
74 If you want to allow system to run with NIS, you must turn on the
75 nis_enabled boolean. Disabled by default.
76
77 setsebool -P nis_enabled 1
78
79
80
82 SELinux defines port types to represent TCP and UDP ports.
83
84 You can see the types associated with a port by using the following
85 command:
86
87 semanage port -l
88
89
90 Policy governs the access confined processes have to these ports.
91 SELinux ipsec policy is very flexible allowing users to setup their
92 ipsec processes in as secure a method as possible.
93
94 The following port types are defined for ipsec:
95
96
97 ipsecnat_port_t
98
99
100
101 Default Defined Ports:
102 tcp 4500
103 udp 4500
104
106 The SELinux process type ipsec_t can manage files labeled with the fol‐
107 lowing file types. The paths listed are the default paths for these
108 file types. Note the processes UID still need to have DAC permissions.
109
110 cluster_conf_t
111
112 /etc/cluster(/.*)?
113
114 cluster_var_lib_t
115
116 /var/lib/pcsd(/.*)?
117 /var/lib/cluster(/.*)?
118 /var/lib/openais(/.*)?
119 /var/lib/pengine(/.*)?
120 /var/lib/corosync(/.*)?
121 /usr/lib/heartbeat(/.*)?
122 /var/lib/heartbeat(/.*)?
123 /var/lib/pacemaker(/.*)?
124
125 cluster_var_run_t
126
127 /var/run/crm(/.*)?
128 /var/run/cman_.*
129 /var/run/rsctmp(/.*)?
130 /var/run/aisexec.*
131 /var/run/heartbeat(/.*)?
132 /var/run/pcsd-ruby.socket
133 /var/run/corosync-qnetd(/.*)?
134 /var/run/corosync-qdevice(/.*)?
135 /var/run/corosync.pid
136 /var/run/cpglockd.pid
137 /var/run/rgmanager.pid
138 /var/run/cluster/rgmanager.sk
139
140 faillog_t
141
142 /var/log/btmp.*
143 /var/log/faillog.*
144 /var/log/tallylog.*
145 /var/run/faillock(/.*)?
146
147 ipsec_conf_file_t
148
149 /etc/racoon(/.*)?
150 /etc/strongimcv(/.*)?
151 /etc/strongswan(/.*)?
152 /etc/ipsec.conf
153 /etc/strongswan/ipsec.conf
154
155 ipsec_key_file_t
156
157 /etc/ipsec.d(/.*)?
158 /etc/racoon/certs(/.*)?
159 /etc/ipsec.secrets.*
160 /var/lib/ipsec/nss(/.*)?
161 /etc/strongswan/ipsec.d(/.*)?
162 /etc/strongswan/swanctl/rsa(/.*)?
163 /etc/strongswan/swanctl/pkcs.*
164 /etc/strongswan/swanctl/x509.*
165 /etc/strongswan/ipsec.secrets.*
166 /etc/strongswan/swanctl/ecdsa(/.*)?
167 /etc/strongswan/swanctl/bliss/(/.*)?
168 /etc/strongswan/swanctl/pubkey(/.*)?
169 /etc/strongswan/swanctl/private(/.*)?
170 /etc/racoon/psk.txt
171
172 ipsec_log_t
173
174 /var/log/pluto.log.*
175
176 ipsec_tmp_t
177
178
179 ipsec_var_run_t
180
181 /var/racoon(/.*)?
182 /var/run/pluto(/.*)?
183 /var/run/charon.*
184 /var/run/strongswan(/.*)?
185 /var/run/racoon.pid
186 /var/run/charon.ctl
187 /var/run/charon.dck
188 /var/run/charon.vici
189
190 krb5_host_rcache_t
191
192 /var/tmp/krb5_0.rcache2
193 /var/cache/krb5rcache(/.*)?
194 /var/tmp/nfs_0
195 /var/tmp/DNS_25
196 /var/tmp/host_0
197 /var/tmp/imap_0
198 /var/tmp/HTTP_23
199 /var/tmp/HTTP_48
200 /var/tmp/ldap_55
201 /var/tmp/ldap_487
202 /var/tmp/ldapmap1_0
203
204 lastlog_t
205
206 /var/log/lastlog.*
207
208 named_cache_t
209
210 /var/named/data(/.*)?
211 /var/lib/softhsm(/.*)?
212 /var/lib/unbound(/.*)?
213 /var/named/slaves(/.*)?
214 /var/named/dynamic(/.*)?
215 /var/named/chroot/var/tmp(/.*)?
216 /var/named/chroot/var/named/data(/.*)?
217 /var/named/chroot/var/named/slaves(/.*)?
218 /var/named/chroot/var/named/dynamic(/.*)?
219
220 pkcs_slotd_lock_t
221
222 /var/lock/opencryptoki(/.*)?
223
224 pkcs_slotd_tmpfs_t
225
226 /dev/shm/var.lib.opencryptoki.*
227
228 pkcs_slotd_var_lib_t
229
230 /var/lib/opencryptoki(/.*)?
231
232 root_t
233
234 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
235 /
236 /initrd
237
238 security_t
239
240 /selinux
241
242
244 SELinux requires files to have an extended attribute to define the file
245 type.
246
247 You can see the context of a file using the -Z option to ls
248
249 Policy governs the access confined processes have to these files.
250 SELinux ipsec policy is very flexible allowing users to setup their
251 ipsec processes in as secure a method as possible.
252
253 EQUIVALENCE DIRECTORIES
254
255
256 ipsec policy stores data with multiple different file context types un‐
257 der the /var/run/pluto directory. If you would like to store the data
258 in a different directory you can use the semanage command to create an
259 equivalence mapping. If you wanted to store this data under the /srv
260 directory you would execute the following command:
261
262 semanage fcontext -a -e /var/run/pluto /srv/pluto
263 restorecon -R -v /srv/pluto
264
265 STANDARD FILE CONTEXT
266
267 SELinux defines the file context types for the ipsec, if you wanted to
268 store files with these types in a diffent paths, you need to execute
269 the semanage command to specify alternate labeling and then use re‐
270 storecon to put the labels on disk.
271
272 semanage fcontext -a -t ipsec_mgmt_devpts_t '/srv/myipsec_con‐
273 tent(/.*)?'
274 restorecon -R -v /srv/myipsec_content
275
276 Note: SELinux often uses regular expressions to specify labels that
277 match multiple files.
278
279 The following file types are defined for ipsec:
280
281
282
283 ipsec_conf_file_t
284
285 - Set files with the ipsec_conf_file_t type, if you want to treat the
286 files as ipsec conf content.
287
288
289 Paths:
290 /etc/racoon(/.*)?, /etc/strongimcv(/.*)?, /etc/strongswan(/.*)?,
291 /etc/ipsec.conf, /etc/strongswan/ipsec.conf
292
293
294 ipsec_exec_t
295
296 - Set files with the ipsec_exec_t type, if you want to transition an
297 executable to the ipsec_t domain.
298
299
300 Paths:
301 /usr/libexec/strongimcv/.*, /usr/libexec/strongswan/.*,
302 /usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute,
303 /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto,
304 /usr/sbin/charon-systemd, /usr/lib/ipsec/klipsdebug,
305 /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/addconn,
306 /usr/libexec/ipsec/klipsdebug
307
308
309 ipsec_initrc_exec_t
310
311 - Set files with the ipsec_initrc_exec_t type, if you want to transi‐
312 tion an executable to the ipsec_initrc_t domain.
313
314
315 Paths:
316 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
317 /etc/rc.d/init.d/strongswan
318
319
320 ipsec_key_file_t
321
322 - Set files with the ipsec_key_file_t type, if you want to treat the
323 files as ipsec key content.
324
325
326 Paths:
327 /etc/ipsec.d(/.*)?, /etc/racoon/certs(/.*)?, /etc/ipsec.secrets.*,
328 /var/lib/ipsec/nss(/.*)?, /etc/strongswan/ipsec.d(/.*)?,
329 /etc/strongswan/swanctl/rsa(/.*)?, /etc/strongswan/swanctl/pkcs.*,
330 /etc/strongswan/swanctl/x509.*, /etc/strongswan/ipsec.secrets.*,
331 /etc/strongswan/swanctl/ecdsa(/.*)?,
332 /etc/strongswan/swanctl/bliss/(/.*)?, /etc/strongswan/swanctl/pub‐
333 key(/.*)?, /etc/strongswan/swanctl/private(/.*)?,
334 /etc/racoon/psk.txt
335
336
337 ipsec_log_t
338
339 - Set files with the ipsec_log_t type, if you want to treat the data as
340 ipsec log data, usually stored under the /var/log directory.
341
342
343
344 ipsec_mgmt_devpts_t
345
346 - Set files with the ipsec_mgmt_devpts_t type, if you want to treat the
347 files as ipsec mgmt devpts data.
348
349
350
351 ipsec_mgmt_exec_t
352
353 - Set files with the ipsec_mgmt_exec_t type, if you want to transition
354 an executable to the ipsec_mgmt_t domain.
355
356
357 Paths:
358 /usr/sbin/ipsec, /usr/sbin/swanctl, /usr/sbin/strongimcv,
359 /usr/sbin/strongswan, /usr/lib/ipsec/_plutorun,
360 /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun,
361 /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service,
362 /usr/libexec/nm-libreswan-service
363
364
365 ipsec_mgmt_lock_t
366
367 - Set files with the ipsec_mgmt_lock_t type, if you want to treat the
368 files as ipsec mgmt lock data, stored under the /var/lock directory
369
370
371 Paths:
372 /var/lock/subsys/ipsec, /var/lock/subsys/strongswan
373
374
375 ipsec_mgmt_unit_file_t
376
377 - Set files with the ipsec_mgmt_unit_file_t type, if you want to treat
378 the files as ipsec mgmt unit content.
379
380
381 Paths:
382 /usr/lib/systemd/system/ipsec.*, /usr/lib/systemd/sys‐
383 tem/strongimcv.*, /usr/lib/systemd/system/strongswan.*,
384 /usr/lib/systemd/system/strongswan-swanctl.*
385
386
387 ipsec_mgmt_var_run_t
388
389 - Set files with the ipsec_mgmt_var_run_t type, if you want to store
390 the ipsec mgmt files under the /run or /var/run directory.
391
392
393 Paths:
394 /var/run/pluto/ipsec.info, /var/run/pluto/ipsec_setup.pid
395
396
397 ipsec_tmp_t
398
399 - Set files with the ipsec_tmp_t type, if you want to store ipsec tem‐
400 porary files in the /tmp directories.
401
402
403
404 ipsec_var_run_t
405
406 - Set files with the ipsec_var_run_t type, if you want to store the
407 ipsec files under the /run or /var/run directory.
408
409
410 Paths:
411 /var/racoon(/.*)?, /var/run/pluto(/.*)?, /var/run/charon.*,
412 /var/run/strongswan(/.*)?, /var/run/racoon.pid,
413 /var/run/charon.ctl, /var/run/charon.dck, /var/run/charon.vici
414
415
416 Note: File context can be temporarily modified with the chcon command.
417 If you want to permanently change the file context you need to use the
418 semanage fcontext command. This will modify the SELinux labeling data‐
419 base. You will need to use restorecon to apply the labels.
420
421
423 semanage fcontext can also be used to manipulate default file context
424 mappings.
425
426 semanage permissive can also be used to manipulate whether or not a
427 process type is permissive.
428
429 semanage module can also be used to enable/disable/install/remove pol‐
430 icy modules.
431
432 semanage port can also be used to manipulate the port definitions
433
434 semanage boolean can also be used to manipulate the booleans
435
436
437 system-config-selinux is a GUI tool available to customize SELinux pol‐
438 icy settings.
439
440
442 This manual page was auto-generated using sepolicy manpage .
443
444
446 selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1), sepol‐
447 icy(8), setsebool(8), ipsec_mgmt_selinux(8), ipsec_mgmt_selinux(8)
448
449
450
451ipsec 22-05-27 ipsec_selinux(8)