Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2015-08-12 15:13:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2015-08-05 19:17:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2015-08-12 15:13:36.000000000 +0200 @@ -1,0 +2,6 @@ +Tue Aug 11 08:36:17 UTC 2015 - jseg...@novell.com + +- Updated suse_modifications_ipsec.patch, removed dontaudits for + ipsec_mgmt_t and granted matching permissions + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ suse_modifications_ipsec.patch ++++++ --- /var/tmp/diff_new_pack.I7eJ6A/_old 2015-08-12 15:13:38.000000000 +0200 +++ /var/tmp/diff_new_pack.I7eJ6A/_new 2015-08-12 15:13:38.000000000 +0200 @@ -1,7 +1,7 @@ Index: serefpolicy-20140730/policy/modules/system/ipsec.te =================================================================== ---- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-05 13:56:18.127343378 +0200 -+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-05 15:13:33.360764030 +0200 +--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200 ++++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200 @@ -209,14 +209,18 @@ optional_policy(` # ipsec_mgmt Local policy # 
@@ -17,9 +17,9 @@ allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write; -+allow ipsec_mgmt_t self:packet_socket { setopt create }; -+allow ipsec_mgmt_t self:socket { bind create }; -+allow ipsec_mgmt_t self:netlink_xfrm_socket { bind create }; ++allow ipsec_mgmt_t self:packet_socket { setopt create read write }; ++allow ipsec_mgmt_t self:socket { bind create read write }; ++allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create }; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -51,3 +51,15 @@ dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) +@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t) + domain_use_interactive_fds(ipsec_mgmt_t) + # denials when ps tries to search /proc. Do not audit these denials. + domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) +-# suppress audit messages about unnecessary socket access +-# cjp: this seems excessive +-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) +-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) ++# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) + + files_read_etc_files(ipsec_mgmt_t) + files_exec_etc_files(ipsec_mgmt_t)
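Review bot: The `allow ipsec_mgmt_t self:socket { bind create read write };` rule in the `@@ -17,9 +17,9 @@` hunk has no comment recording which operation needs it. It targets the generic `socket` class, which is the fallback for address families that have no dedicated class, so a later reader cannot tell whether the rule is still required or could be narrowed. The same applies to the widened `packet_socket` and `netlink_xfrm_socket` rules beside it. I would add a line above the three rules such as `# <program run as ipsec_mgmt_t> needs these for <operation>; see AVC denials in <bug reference>`, with the placeholders filled in from the audit log that motivated the change. All three rules are scoped to `self`, so the grant covers only sockets the domain creates itself. The surrounding ipsec.te policy block starts and ends outside this hunk.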
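Review bot: In the `@@ -51,3 +51,15 @@` hunk the new inner hunk leaves `# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)` behind as a commented-out call with no reason given, while the sibling `domain_dontaudit_rw_all_udp_sockets` line is deleted outright. Either delete it as well, or replace it with a real comment such as `# dontaudit for key sockets removed on purpose: denials should stay visible in the audit log`. The changelog says matching permissions were granted, but the removed dontaudits covered udp and key sockets of all domains, whereas the added allow rules are for `self` on `packet_socket`, `socket` and `netlink_xfrm_socket`. The two sets do not obviously correspond, so it is worth confirming that the new rules come from denials actually observed once the dontaudits were lifted.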