commit:     3e34841ee1b176836216f3b53bf6cd772ef807d7
Author:     Yuli Khodorkovskiy <yuli.khodorkovskiy <AT> crunchydata <DOT> com>
AuthorDate: Thu Jul 26 22:37:06 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e34841e

ipsec: add missing permissions for pluto

When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli <AT> crunchydata.com>

 policy/modules/system/ipsec.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d7a58622..65fb1c08 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
+# allow pluto to build Security Association Database
+corenet_setcontext_all_spds(ipsec_t)
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
 domain_use_interactive_fds(ipsec_t)
+# allow pluto to set contexts on ipsec policy and SAs
+domain_ipsec_setcontext_all_domains(ipsec_t)
 
 files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
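Review bot: `domain_ipsec_setcontext_all_domains(ipsec_t)` is inserted after `domain_use_interactive_fds(ipsec_t)`, which breaks the alphabetical ordering of interface calls that the surrounding block keeps (`ipsec` sorts before `use`); move the new call and its comment above `domain_use_interactive_fds(ipsec_t)`. Both additions use the broad `_all_` variants (all SPDs, all domains) while the commit message justifies them only for libreswan's pluto; the inline comments would be more useful if they said why pluto needs to set contexts across every domain rather than just restating the interface name, so a later reader can judge whether a narrower interface suffices.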
