| 1 |
commit: 3e34841ee1b176836216f3b53bf6cd772ef807d7 |
| 2 |
Author: Yuli Khodorkovskiy <yuli.khodorkovskiy <AT> crunchydata <DOT> com> |
| 3 |
AuthorDate: Thu Jul 26 22:37:06 2018 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Sep 9 03:07:46 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e34841e |
| 7 |
|
| 8 |
ipsec: add missing permissions for pluto |
| 9 |
|
| 10 |
When using libreswan, pluto needs permissions for building the |
| 11 |
Security Association Database and for setting contexts on IPSec |
| 12 |
policy and SAs. |
| 13 |
|
| 14 |
Signed-off-by: Yuli Khodorkovskiy <yuli <AT> crunchydata.com> |
| 15 |
|
| 16 |
policy/modules/system/ipsec.te | 4 ++++ |
| 17 |
1 file changed, 4 insertions(+) |
| 18 |
|
| 19 |
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te |
| 20 |
index d7a58622..65fb1c08 100644 |
| 21 |
--- a/policy/modules/system/ipsec.te |
| 22 |
+++ b/policy/modules/system/ipsec.te |
| 23 |
@@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t) |
| 24 |
corenet_udp_bind_ipsecnat_port(ipsec_t) |
| 25 |
corenet_sendrecv_generic_server_packets(ipsec_t) |
| 26 |
corenet_sendrecv_isakmp_server_packets(ipsec_t) |
| 27 |
+# allow pluto to build Security Association Database |
| 28 |
+corenet_setcontext_all_spds(ipsec_t) |
| 29 |
|
| 30 |
dev_read_sysfs(ipsec_t) |
| 31 |
dev_read_rand(ipsec_t) |
| 32 |
dev_read_urand(ipsec_t) |
| 33 |
|
| 34 |
domain_use_interactive_fds(ipsec_t) |
| 35 |
+# allow pluto to set contexts on ipsec policy and SAs |
| 36 |
+domain_ipsec_setcontext_all_domains(ipsec_t) |
| 37 |
|
| 38 |
files_list_tmp(ipsec_t) |
| 39 |
files_read_etc_files(ipsec_t) |
Archives