File suse_modifications_ipsec.patch of Package selinux-policy.37503

Index: serefpolicy-20140730/policy/modules/system/ipsec.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te	2015-08-10 12:55:56.098645940 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te	2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
 dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
 allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
+allow ipsec_mgmt_t self:socket { bind create read write };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
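Review bot: The new `allow ipsec_mgmt_t self:socket { bind create read write };` grants the generic `socket` object class, which in the reference policy is the catch-all for socket families that have no dedicated class, so the rule is wider than it looks and carries no hint of which family actually triggered the denial. The same goes for the `packet_socket` rule paired with the added `net_raw` capability: together they let the management domain open raw link-layer sockets, which is a notable widening for what was an administrative domain. A one-line comment above each new rule naming the component and family that needs it (e.g. `# needed by <component> for <socket family> — TODO confirm against audit log`) would let a later maintainer narrow or drop them; if the generic-class rule was added from a raw AVC denial, checking whether the kernel reports a more specific class under a newer policy is worthwhile.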
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
 
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
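Review bot: The "temporary fix" rule `allow ipsec_mgmt_t var_run_t:sock_file { write unlink };` lets the domain write to and delete any socket file carrying the generic `var_run_t` label, i.e. any socket placed directly in /run by any service, so it removes isolation well beyond ipsec. The comment says the rules above should cover this, but `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)` and the `filetrans_pattern` line only transition class `file`, so a socket created directly under /run would stay `var_run_t` and never match the private type. If that is the cause, the targeted fix is to extend the transition and grant the private type instead: `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file sock_file })` and `manage_sock_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)`. Either way the comment should reference a tracking bug (`# TODO(<bug id>): remove once sock_file transitions to ipsec_mgmt_var_run_t`) so "temporary" is not permanent.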
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
 
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
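Review bot: `kernel_request_load_module(ipsec_mgmt_t)` is added without saying which module the management domain needs autoloaded, and module-request rights are the kind of grant reviewers revisit later. A short comment naming the trigger (e.g. `# autoload of <module> when <tool> is run — TODO confirm from audit log`) would make the rule auditable and removable once the module is loaded by other means.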
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
 corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
 
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
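Review bot: The four new `corenet_udp_bind_*` rules move listener rights for the ISAKMP, IPsec-NAT and DHCP-client ports into the management domain, and `corenet_udp_bind_dhcpc_port` in particular is unusual for an IPsec control domain. These lines presumably reflect the daemon or one of its plugins running under ipsec_mgmt_t on this platform rather than in its own daemon domain; the hunk itself gives no reason, so please add a comment above the block such as `# <daemon/plugin> binds these ports while running in ipsec_mgmt_t — TODO confirm`. If the daemon does have its own domain, the bind rules likely belong there instead.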
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+#  domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
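Review bot: The hunk replaces two `domain_dontaudit_rw_all_*_sockets` rules with a commented-out copy of one of them, `#  domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)`, which leaves dead policy text with no explanation of whether the rule is pending re-enablement or deliberately retired. Removing the dontaudit rules means these socket accesses will now be audited, which is reasonable given the specific socket grants added earlier in the patch, but the intent should be stated: either delete the commented line or replace it with `# dontaudit rules removed so unexpected socket access is logged; see the self:*_socket rules above`.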