commit 97f7c82703e2cbebbb2e250d5223137360c1c3ae
author Stephen Smalley <sds@tycho.nsa.gov> Tue Oct 29 14:42:38 2013 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Tue Feb 11 10:09:10 2014 -0500
tree 92ddb5d1998afb86bcf5045d924ea1f9c03c5627
parent e21871c8b7250f5dfc746298ab170a869e6be94d

Make racoon permissive or unconfined.

Also add allow rules from our policy.

Change-Id: Id480eb7c8cd4e5544a1ec46cb39a55abc653ddb9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

racoon.te

diff --git a/racoon.te b/racoon.te
index 12955f2..596cf7e 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,25 @@
 # IKE key management daemon
 type racoon, domain;
+permissive_or_unconfined(racoon)
 type racoon_exec, exec_type, file_type;
 
-unconfined_domain(racoon)
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;