add ipsec

refpolicy/Changelog

@@ -3,6 +3,7 @@
 	  module page when it is selected in the interface/template index.
 	* Added support for layer summaries.
 	* Added policies:
+		ipsec
 		nscd
 
 20050707 (7 Jul 2005)

refpolicy/policy/modules/kernel/bootloader.if

@@ -1,9 +1,9 @@
 ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute bootloader in the bootloader domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -25,10 +25,10 @@ interface(`bootloader_domtrans',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute bootloader interactively and do
 ##	a domain transition to the bootloader domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -52,9 +52,9 @@ interface(`bootloader_run',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Search the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -69,9 +69,9 @@ interface(`bootloader_search_boot',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Do not audit attempts to search the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -86,10 +86,10 @@ interface(`bootloader_dontaudit_search_boot',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write symbolic links
 ##	in the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -106,9 +106,9 @@ interface(`bootloader_rw_boot_symlinks',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Install a kernel into the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -127,9 +127,9 @@ interface(`bootloader_create_kernel',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Install a system.map into the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -146,9 +146,9 @@ interface(`bootloader_create_kernel_symbol_table',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read system.map in the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -165,9 +165,9 @@ interface(`bootloader_read_kernel_symbol_table',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Delete a kernel from /boot.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -184,9 +184,9 @@ interface(`bootloader_delete_kernel',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Delete a system.map in the /boot directory.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -203,9 +203,9 @@ interface(`bootloader_delete_kernel_symbol_table',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read the bootloader configuration file.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -220,10 +220,10 @@ interface(`bootloader_read_config',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write the bootloader
 ##	configuration file.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -238,10 +238,10 @@ interface(`bootloader_rw_config',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write the bootloader
 ##	temporary data in /tmp.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -257,10 +257,10 @@ interface(`bootloader_rw_tmp_file',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write the bootloader
 ##	temporary data in /tmp.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -278,9 +278,9 @@ interface(`bootloader_create_runtime_file',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	List the contents of the kernel module directories.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -295,9 +295,28 @@ interface(`bootloader_list_kernel_modules',`
 ')
 
 ########################################
-## <desc>
+## <summary>
+##	Get the attributes of kernel module files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`bootloader_getattr_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+		class dir search;
+		class file getattr;
+	')
+
+	allow $1 modules_object_t:dir search;
+	allow $1 modules_object_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Read kernel module files.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -316,9 +335,9 @@ interface(`bootloader_read_kernel_modules',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Write kernel module files.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -338,10 +357,10 @@ interface(`bootloader_write_kernel_modules',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Create, read, write, and delete
 ##	kernel module files.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -379,4 +398,3 @@ interface(`bootloader_create_modules',`
 		type_transition $1 modules_object_t:$3 $2;
 	')
 ')
-

refpolicy/policy/modules/services/nscd.fc

@@ -1,9 +1,9 @@
 
-/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
+/usr/sbin/nscd		--	context_template(system_u:object_r:nscd_exec_t,s0)
 
-/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/db/nscd(/.*)?		context_template(system_u:object_r:nscd_var_run_t,s0)
 
-/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/run/nscd\.pid	--	context_template(system_u:object_r:nscd_var_run_t,s0)
-/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
+/var/run/\.nscd_socket	-s	context_template(system_u:object_r:nscd_var_run_t,s0)
 
-/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/run/nscd(/.*)?		context_template(system_u:object_r:nscd_var_run_t,s0)

refpolicy/policy/modules/system/corecommands.fc

@@ -64,6 +64,8 @@ ifdef(`distro_gentoo', `
 
 /usr/lib(64)?/emacsen-common/.*	context_template(system_u:object_r:bin_t,s0)
 
+/usr/lib(64)?/ipsec/.*	--	context_template(system_u:object_r:sbin_t,s0)
+
 /usr/lib(64)?/misc/sftp-server	-- context_template(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_suse', `
@@ -78,6 +80,8 @@ ifdef(`distro_suse', `
 /usr/libexec(/.*)?		context_template(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
 
+/usr/local/lib(64)?/ipsec/.*	-- context_template(system_u:object_r:sbin_t,s0)
+
 /usr/sbin/sesh		--	context_template(system_u:object_r:shell_exec_t,s0)
 
 /usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)

refpolicy/policy/modules/system/files.fc

@@ -33,6 +33,8 @@
 
 /etc/init\.d/functions	--	context_template(system_u:object_r:etc_t,s0)
 
+/etc/ipsec\.d/examples(/.*)?	context_template(system_u:object_r:etc_t,s0)
+
 /etc/network/ifstate	--	context_template(system_u:object_r:etc_runtime_t,s0)
 
 /etc/ptal/ptal-printd-like -- 	context_template(system_u:object_r:etc_runtime_t,s0)

refpolicy/policy/modules/system/files.if

@@ -415,6 +415,24 @@ interface(`files_unmount_rootfs',`
 	allow $1 root_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_dir',`
+	gen_require(`
+		type default_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 default_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	List contents of directories with the default file type.
@@ -449,6 +467,24 @@ interface(`files_mounton_default',`
 	allow $1 default_t:dir { getattr search mounton };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	files with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_files',`
+	gen_require(`
+		type default_t;
+		class files getattr;
+	')
+
+	dontaudit $1 default_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read files with the default file type.

refpolicy/policy/modules/system/ipsec.fc

@@ -0,0 +1,32 @@
+/etc/ipsec\.secrets		--	context_template(system_u:object_r:ipsec_key_file_t,s0)
+/etc/ipsec\.conf		--	context_template(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/psk\.txt		--	context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/racoon(/.*)?			context_template(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/certs(/.*)?			context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/ipsec\.d(/.*)?			context_template(system_u:object_r:ipsec_key_file_t,s0)
+
+/sbin/setkey			--	context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/lib(64)?/ipsec/_plutoload	-- 	context_template(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/_plutorun	--	context_template(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/eroute	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/klipsdebug	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/pluto	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/spi		--	context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/libexec/ipsec/eroute	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/klipsdebug	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/pluto	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/spi		--	context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/local/lib(64)?/ipsec/eroute --	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/klipsdebug -- context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/pluto --	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/spi	--	context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/sbin/racoon		--	context_template(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/setkey		--	context_template(system_u:object_r:ipsec_exec_t,s0)
+
+/var/run/pluto(/.*)?			context_template(system_u:object_r:ipsec_var_run_t,s0)

refpolicy/policy/modules/system/ipsec.if

@@ -0,0 +1,25 @@
+## <summary>TCP/IP encryption</summary>
+
+########################################
+## <summary>
+##	Execute ipsec in the ipsec domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_domtrans',`
+	gen_require(`
+		type ipsec_t, ipsec_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,ipsec_exec_t,ipsec_t)
+
+	allow $1 ipsec_t:fd use;
+	allow ipsec_t $1:fd use;
+	allow ipsec_t $1:fifo_file rw_file_perms;
+	allow ipsec_t $1:process sigchld;
+')

refpolicy/policy/modules/system/ipsec.te

@@ -0,0 +1,274 @@
+
+policy_module(ipsec,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ipsec_t;
+type ipsec_exec_t;
+init_daemon_domain(ipsec_t,ipsec_exec_t)
+role system_r types ipsec_t;
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t;
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t;
+
+# type for runtime files, including pluto.ctl
+type ipsec_var_run_t;
+files_pid_file(ipsec_var_run_t)
+
+type ipsec_mgmt_t; #, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_exec_t;
+init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+role system_r types ipsec_mgmt_t;
+
+type ipsec_mgmt_var_run_t;
+files_pid_file(ipsec_mgmt_var_run_t)
+
+########################################
+#
+# ipsec Local policy
+#
+
+allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process signal;
+allow ipsec_t self:key_socket { create write read setopt };
+allow ipsec_t self:fifo_file { read getattr };
+
+allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_conf_file_t:file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_key_file_t:file r_file_perms;
+allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+files_create_pid(ipsec_t,ipsec_var_run_t,{ file sock_file })
+
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+kernel_read_kernel_sysctl(ipsec_t)
+kernel_list_proc(ipsec_t)
+kernel_read_proc_symlinks(ipsec_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_t)
+kernel_read_network_state(ipsec_t)
+kernel_read_software_raid_state(ipsec_t)
+kernel_getattr_core(ipsec_t)
+kernel_getattr_message_if(ipsec_t)
+
+corenet_udp_bind_reserved_port(ipsec_t)
+
+dev_read_sysfs(ipsec_t)
+dev_read_rand(ipsec_t)
+dev_read_urand(ipsec_t)
+
+fs_getattr_all_fs(ipsec_t)
+fs_search_auto_mountpoints(ipsec_t)
+
+term_use_console(ipsec_t)
+
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
+domain_use_wide_inherit_fd(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
+init_use_fd(ipsec_t)
+init_use_script_pty(ipsec_t)
+
+libs_use_ld_so(ipsec_t)
+libs_use_shared_libs(ipsec_t)
+
+logging_send_syslog_msg(ipsec_t)
+
+miscfiles_read_localization(ipsec_t)
+
+userdom_dontaudit_use_unpriv_user_fd(ipsec_t)
+userdom_dontaudit_search_sysadm_home_dir(ipsec_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(ipsec_t)
+	term_dontaudit_use_generic_pty(ipsec_t)
+	files_dontaudit_read_root_file(ipsec_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(ipsec_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(ipsec_t)
+')
+
+optional_policy(`selinuxutils.te',`
+	seutil_sigchld_newrole(ipsec_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(ipsec_t)
+')
+
+ifdef(`TODO',`
+allow ipsec_t etc_t:lnk_file read;
+allow ipsec_t initrc_t:fifo_file write;
+dontaudit ipsec_t ttyfile:chr_file { read write };
+# Pluto needs network access
+can_network_server(ipsec_t)
+') dnl end TODO
+
+########################################
+#
+# ipsec_mgmt Local policy
+#
+
+allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
+allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+allow ipsec_mgmt_t self:key_socket { create setopt };
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
+
+allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+files_create_pid(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+
+allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
+# cjp: combo of file_type_auto_trans and rw_dir_create_file
+allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+files_create_etc_config(ipsec_mgmt_t,ipsec_key_file_t)
+
+# whack needs to connect to pluto
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
+allow ipsec_t ipsec_mgmt_t:process sigchld;
+
+kernel_rw_net_sysctl(ipsec_mgmt_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_mgmt_t)
+kernel_read_network_state(ipsec_mgmt_t)
+kernel_read_software_raid_state(ipsec_mgmt_t)
+kernel_read_kernel_sysctl(ipsec_mgmt_t)
+kernel_getattr_core(ipsec_mgmt_t)
+kernel_getattr_message_if(ipsec_mgmt_t)
+
+bootloader_read_kernel_symbol_table(ipsec_mgmt_t)
+bootloader_getattr_kernel_modules(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+
+# the default updown script wants to run route
+corecmd_exec_sbin(ipsec_mgmt_t)
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+corecmd_exec_bin(ipsec_mgmt_t)
+
+domain_use_wide_inherit_fd(ipsec_mgmt_t)
+
+files_read_etc_files(ipsec_mgmt_t)
+files_exec_etc_files(ipsec_mgmt_t)
+files_read_etc_runtime_files(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
+files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+# Allow scripts to use /var/locl/subsys/ipsec
+# cjp: need a lock type
+files_manage_generic_locks(ipsec_mgmt_t)
+
+init_use_script_pty(ipsec_mgmt_t)
+init_exec_script(ipsec_mgmt_t)
+init_use_fd(ipsec_mgmt_t)
+
+libs_use_ld_so(ipsec_mgmt_t)
+libs_use_shared_libs(ipsec_mgmt_t)
+
+miscfiles_read_localization(ipsec_mgmt_t)
+
+seutil_dontaudit_search_config(ipsec_mgmt_t)
+
+sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+
+userdom_use_sysadm_terms(ipsec_mgmt_t)
+
+optional_policy(`consoletype.te',`
+	consoletype_exec(ipsec_mgmt_t)
+')
+
+ifdef(`TODO',`
+# denials when ps tries to search /proc. Do not audit these denials.
+dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
+
+# suppress audit messages about unnecessary socket access
+dontaudit ipsec_mgmt_t domain:key_socket { read write };
+dontaudit ipsec_mgmt_t domain:udp_socket { read write };
+
+# allow pluto to search the root directory (not sure why, but mostly harmless)
+# Are these all really necessary?
+dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+
+# ideally it would not need this.  It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+
+# allow system administrator to use the ipsec script to look
+# at things (e.g., ipsec auto --status)
+# probably should create an ipsec_admin role for this kind of thing
+can_exec(sysadm_t, ipsec_mgmt_exec_t)
+allow sysadm_t ipsec_t:unix_stream_socket connectto;
+# for lsof
+allow sysadm_t ipsec_t:key_socket getattr;
+
+rw_dir_create_file(initrc_t, ipsec_var_run_t)
+allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
+') dnl end TODO