As discussed with Jason, here are the additions to the ipsec policy for supporting strongswan (tested w/ 5.3.2). Any feedback is very welcome... especially since this is my first policy work. :) It has been tested on my newest server for weeks now and works without any problems. I have taken great care to assign permissions only where needed, also checking the source code for the actual reasons. I have introduced an ipsec_supervisor_t domain, which is basically for the "starter" daemon (a supervisor for charon), simply to avoid having to assign even more permissions to ipsec_t and to better segregate the domains from each other. Since I have no SELinux desktop system available, I have exclusively tested this as a server setup, not as a client. Testing in that regard would be very welcome (even though I expect no problems). Also, I have not tested each and every strongswan plugin, so there might still be denials to be worked out if some of the more exotic plugins are used. Thanks for any feedback... Reproducible: Always
Created attachment 406754: file context additions
Created attachment 406756: type enforcement additions
I made a few small changes to this, mostly {create_netlink + write} ==> rw_netlink. I sent it upstream; let's see what comments come back. http://oss.tresys.com/pipermail/refpolicy/2015-October/007760.html
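To make the design in the report above concrete (a separate ipsec_supervisor_t domain for the starter daemon that transitions into ipsec_t for charon) and the permission-set consolidation mentioned in the follow-up (using rw_netlink_socket_perms instead of listing the create and write permissions separately), here is an illustrative refpolicy fragment in the style of ipsec.te. It is an added example written for this page, not the attached patch (attachments 406754/406756 are not reproduced here) and not the text that was merged upstream. The install path of the starter binary and the exact set of allow rules are assumptions; the refpolicy interfaces and permission sets used (init_daemon_domain, domain_auto_trans, files_pid_filetrans, rw_netlink_socket_perms) are existing refpolicy constructs, and ipsec_t, ipsec_exec_t, ipsec_var_run_t and ipsec_conf_file_t are types already declared by the refpolicy ipsec module.

```selinux
########################################
#
# Illustrative ipsec.te additions (example, not the attached patch)
#

# A dedicated domain for the strongswan "starter" supervisor, so that
# the supervisor's permissions are not folded into ipsec_t (charon).
type ipsec_supervisor_t;
type ipsec_supervisor_exec_t;
init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t)

########################################
#
# ipsec_supervisor_t local policy
#

# starter execs charon; charon's binary is already labelled
# ipsec_exec_t, so the exec transitions automatically into ipsec_t.
domain_auto_trans(ipsec_supervisor_t, ipsec_exec_t, ipsec_t)

# Supervisor signals charon (stop/reload) and gets SIGCHLD back when
# charon exits. Assumed permission set; trim to what the AVC log shows.
allow ipsec_supervisor_t ipsec_t:process { signal signull sigkill };
allow ipsec_t ipsec_supervisor_t:process sigchld;

# Netlink access expressed with the rw_netlink_socket_perms set
# ({ create_socket_perms nlmsg_read nlmsg_write }) rather than
# create_netlink_socket_perms plus individually listed write permissions.
# Which netlink classes the supervisor really needs is an assumption here.
allow ipsec_supervisor_t self:netlink_xfrm_socket rw_netlink_socket_perms;
allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;

# Supervisor keeps its pid/control socket under /run and reads the
# shared ipsec configuration; it gets no write access to the config.
files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { file sock_file })
manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t)

########################################
#
# Matching ipsec.fc addition (path is an assumption for this example)
#
# /usr/libexec/ipsec/starter -- gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
```

After loading such a module, `ps -eZ | grep -E 'starter|charon'` should show starter in ipsec_supervisor_t and charon in ipsec_t; anything still landing in the wrong domain usually means the file context for the binary was not applied (run `restorecon -v` on the path) rather than a problem with the transition rule. Remaining denials for less common plugins can be collected with `ausearch -m avc -c charon` and turned into candidate rules with `audit2allow`, which should then be reviewed against the plugin source before being added to the policy.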
In master. Thanks for the help! Will be in the next policy release.
r10 released in ~arch
Stable now.