RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ipsec: add missing permissions for pluto 

When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
This commit is contained in:
Yuli Khodorkovskiy 2018-07-26 18:37:06 -04:00 committed by Chris PeBenito
parent 9285d9f450
commit 305bd29f65
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policy/modules/system/ipsec.te
View File

@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t)
# allow pluto to build Security Association Database
corenet_setcontext_all_spds(ipsec_t)
dev_read_sysfs(ipsec_t) dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t) dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t) dev_read_urand(ipsec_t)
domain_use_interactive_fds(ipsec_t) domain_use_interactive_fds(ipsec_t)
# allow pluto to set contexts on ipsec policy and SAs
domain_ipsec_setcontext_all_domains(ipsec_t)
files_list_tmp(ipsec_t) files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t) files_read_etc_files(ipsec_t)