fix ordering of interface calls in iptables.
This commit is contained in:
parent
464ffa57fd
commit
e6985f91ab
|
@ -95,6 +95,9 @@ kernel_read_software_raid_state(ipsec_t)
|
|||
kernel_getattr_core_if(ipsec_t)
|
||||
kernel_getattr_message_if(ipsec_t)
|
||||
|
||||
corecmd_exec_shell(ipsec_t)
|
||||
corecmd_exec_bin(ipsec_t)
|
||||
|
||||
# Pluto needs network access
|
||||
corenet_all_recvfrom_unlabeled(ipsec_t)
|
||||
corenet_tcp_sendrecv_all_if(ipsec_t)
|
||||
|
@ -115,24 +118,21 @@ dev_read_sysfs(ipsec_t)
|
|||
dev_read_rand(ipsec_t)
|
||||
dev_read_urand(ipsec_t)
|
||||
|
||||
domain_use_interactive_fds(ipsec_t)
|
||||
|
||||
files_read_etc_files(ipsec_t)
|
||||
|
||||
fs_getattr_all_fs(ipsec_t)
|
||||
fs_search_auto_mountpoints(ipsec_t)
|
||||
|
||||
term_use_console(ipsec_t)
|
||||
term_dontaudit_use_all_user_ttys(ipsec_t)
|
||||
|
||||
corecmd_exec_shell(ipsec_t)
|
||||
corecmd_exec_bin(ipsec_t)
|
||||
|
||||
domain_use_interactive_fds(ipsec_t)
|
||||
|
||||
files_read_etc_files(ipsec_t)
|
||||
auth_use_nsswitch(ipsec_t)
|
||||
|
||||
init_use_fds(ipsec_t)
|
||||
init_use_script_ptys(ipsec_t)
|
||||
|
||||
auth_use_nsswitch(ipsec_t)
|
||||
|
||||
logging_send_syslog_msg(ipsec_t)
|
||||
|
||||
miscfiles_read_localization(ipsec_t)
|
||||
|
@ -209,21 +209,15 @@ kernel_getattr_message_if(ipsec_mgmt_t)
|
|||
files_read_kernel_symbol_table(ipsec_mgmt_t)
|
||||
files_getattr_kernel_modules(ipsec_mgmt_t)
|
||||
|
||||
dev_read_rand(ipsec_mgmt_t)
|
||||
dev_read_urand(ipsec_mgmt_t)
|
||||
|
||||
fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
fs_list_tmpfs(ipsec_mgmt_t)
|
||||
|
||||
term_use_console(ipsec_mgmt_t)
|
||||
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
|
||||
|
||||
# the default updown script wants to run route
|
||||
# the ipsec wrapper wants to run /usr/bin/logger (should we put
|
||||
# it in its own domain?)
|
||||
corecmd_exec_bin(ipsec_mgmt_t)
|
||||
corecmd_exec_shell(ipsec_mgmt_t)
|
||||
|
||||
dev_read_rand(ipsec_mgmt_t)
|
||||
dev_read_urand(ipsec_mgmt_t)
|
||||
|
||||
domain_use_interactive_fds(ipsec_mgmt_t)
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
|
||||
|
@ -238,6 +232,12 @@ files_read_etc_runtime_files(ipsec_mgmt_t)
|
|||
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
|
||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||
|
||||
fs_getattr_xattr_fs(ipsec_mgmt_t)
|
||||
fs_list_tmpfs(ipsec_mgmt_t)
|
||||
|
||||
term_use_console(ipsec_mgmt_t)
|
||||
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
|
||||
|
||||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
|
@ -317,10 +317,10 @@ files_read_etc_files(racoon_t)
|
|||
# allow racoon to use avc_has_perm to check context on proposed SA
|
||||
selinux_compute_access_vector(racoon_t)
|
||||
|
||||
ipsec_setcontext_default_spd(racoon_t)
|
||||
|
||||
auth_use_nsswitch(racoon_t)
|
||||
|
||||
ipsec_setcontext_default_spd(racoon_t)
|
||||
|
||||
locallogin_use_fds(racoon_t)
|
||||
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
|
|