From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1536462466.3e34841ee1b176836216f3b53bf6cd772ef807d7.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/ipsec.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 3e34841ee1b176836216f3b53bf6cd772ef807d7
X-VCS-Branch: master
Date: Tue, 11 Sep 2018 09:06:44 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: dce44df4-9098-4604-a3e0-f8b7d101da98
X-Archives-Hash: 7b0036dd905a2aecbd0e82266cb7919c

commit:     3e34841ee1b176836216f3b53bf6cd772ef807d7
Author:     Yuli Khodorkovskiy crunchydata com>
AuthorDate: Thu Jul 26 22:37:06 2018 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Sep 9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e34841e

ipsec: add missing permissions for pluto

When using libreswan, pluto needs permissions for building the Security
Association Database and for setting contexts on IPSec policy and SAs.

Signed-off-by: Yuli Khodorkovskiy crunchydata.com>

 policy/modules/system/ipsec.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d7a58622..65fb1c08 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) +# allow pluto to build Security Association Database +corenet_setcontext_all_spds(ipsec_t) dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) dev_read_urand(ipsec_t) domain_use_interactive_fds(ipsec_t) +# allow pluto to set contexts on ipsec policy and SAs +domain_ipsec_setcontext_all_domains(ipsec_t) files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t)
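Review bot: the comment above `corenet_setcontext_all_spds(ipsec_t)` says "Security Association Database", but the interface name refers to SPDs (the security policy database), and the second new comment already covers "ipsec policy and SAs"; reword the first comment to match the interface it annotates, e.g. `# allow pluto to set contexts on the SPD entries of all nodes`, so the two additions are distinguishable when someone later audits ipsec_t. Both new calls are `*_all_*` interfaces, i.e. setcontext over every node type and every domain rather than a narrower set; since labeled IPsec legitimately requires pluto to label policy and SAs with whatever peer contexts are negotiated, that breadth is expected, but the commit message should say so explicitly so the wide grant reads as intentional rather than as a stopgap for a denial seen in the audit log.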