Diffstat (limited to 'debian/usr.sbin.swanctl')
-rw-r--r-- | debian/usr.sbin.swanctl | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
new file mode 100644
index 000000000..627f5c0b3
--- /dev/null
+++ b/debian/usr.sbin.swanctl
@@ -0,0 +1,32 @@
+#include <tunables/global>
+
+/usr/sbin/swanctl {
+ #include <abstractions/base>
+
+ # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
+ #include <abstractions/ssl_certs>
+
+ # CAP_DAC_OVERRIDE is needed for optional charon.user/charon.group
+ # configuration
+ capability dac_override,
+
+ # Allow reading strongswan.conf configuration files
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ # All reading configuration, certificate, and key files beneath /etc/swanctl/
+ /etc/swanctl/** r,
+
+ # Allow communication with VICI plugin UNIX domain socket
+ /run/charon.vici rw,
+
+ # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
+ # plugins are actually used by swanctl. The following can be removed if
+ # plugin loading is disabled.
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.swanctl>
+}
|
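Review bot: The comment above the `/etc/swanctl/** r,` rule reads `# All reading configuration, certificate, and key files beneath /etc/swanctl/`, which looks like a typo for `# Allow reading configuration, certificate, and key files beneath /etc/swanctl/` and should match the wording of the other rule comments. That comment is also the right place to say explicitly that the glob covers the private keys under /etc/swanctl/ and that, combined with the `capability dac_override,` rule earlier in the profile, swanctl can read them regardless of their file mode, so the capability is worth dropping at sites that do not set charon.user/charon.group. The nameservice and openssl abstractions are documented as a workaround for plugin loading; adding a sentence naming the strongswan.conf setting that turns plugin loading off for swanctl would tell a maintainer when those two includes can be removed.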