racoon policy.
Initial policy for racoon (IKE key management).
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
diff --git a/racoon.te b/racoon.te
new file mode 100644
index 0000000..9f556e0
--- /dev/null
+++ b/racoon.te
@@ -0,0 +1,25 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon ppp_system_file:file rx_file_perms;
+allow racoon ppp_system_file:dir search;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;