From 5abf92037f4ba49d23f3b1ff52398547478c9975 Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Tue, 4 Jan 2022 16:26:58 +0000
Subject: [PATCH 1/2] obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
Signed-off-by: Jonathan Davies
---
 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 82ecc2d4e..804a01b46 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -100,7 +100,7 @@ define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_wr
 #
 # Permissions for using netlink sockets for operations that modify state.
 #
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+define(`rw_netlink_socket_perms', `{ rw_socket_perms nlmsg_read nlmsg_write }')
 #
 # Permissions for using netlink sockets for operations that observe state.
From 6178cd096b9d96857bf53b3d0ad316ffa186ede0 Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Tue, 11 Jan 2022 15:54:00 +0000
Subject: [PATCH 2/2] policy/*: Replaced rw_netlink_socket_perms with create_netlink_socket_perms.
Signed-off-by: Jonathan Davies
---
 policy/modules/admin/portage.te | 4 ++--
 policy/modules/admin/vpn.te | 2 +-
 policy/modules/services/iodine.te | 2 +-
 policy/modules/services/likewise.te | 4 ++--
 policy/modules/services/zebra.te | 2 +-
 policy/modules/system/ipsec.te | 4 ++--
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 9ddfbfd13..0c7da7add 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
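Review bot: The new define drops `create` from every remaining reference to `rw_netlink_socket_perms` (assuming `rw_socket_perms`, defined earlier in this file and outside the hunk, is the non-creating subset of `create_socket_perms`), so applied on its own this patch turns working policy into AVC denials for any domain that opens its own netlink_route_socket; it is only safe together with the second patch, which leaves a broken bisect point between the two commits. The effective set for the six converted domains is unchanged, since the removed line shows the old `rw_` set already expanded to exactly the `create_` set, but `.if` interfaces and contrib modules are not touched by the second patch, so grep the whole tree for remaining users before merging and consider squashing, or reordering so the callers move first. The header comment should also say what the narrower set is for (presumably a netlink socket received from another domain rather than created by this one), e.g. `# Permissions for using an already-open netlink socket (no create) for operations that modify state.`, so the difference from create_netlink_socket_perms is not silently reverted as another typo.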
@@ -156,7 +156,7 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 dontaudit portage_t self:capability { dac_read_search };
-dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+dontaudit portage_t self:netlink_route_socket create_netlink_socket_perms;
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
@@ -342,7 +342,7 @@ optional_policy(`
 #
 allow portage_sandbox_t self:process ptrace;
-dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perms;
 allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
 logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 69087ccb1..4d82f465e 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -27,7 +27,7 @@ files_tmp_file(vpnc_tmp_t)
 allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid };
 allow vpnc_t self:process { getsched signal };
 allow vpnc_t self:fifo_file rw_fifo_file_perms;
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:netlink_route_socket create_netlink_socket_perms;
 allow vpnc_t self:tcp_socket { accept listen };
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
diff --git a/policy/modules/services/iodine.te b/policy/modules/services/iodine.te
index 39ce5f52e..cb262f6a7 100644
--- a/policy/modules/services/iodine.te
+++ b/policy/modules/services/iodine.te
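Review bot: Both portage hunks now `dontaudit` the full `create_netlink_socket_perms` set on the self netlink_route_socket, and that set includes `nlmsg_write` (per the define shown in the first patch's hunk header), so an attempt by a build or sandbox process to modify routes or interfaces would be dropped from the audit log; portage_t's visible capabilities are only `{ kill setfcap sys_nice }` and portage_sandbox_t's are not in the hunk, so a write attempt would be unexpected and worth seeing rather than hidden. The effective set is unchanged from before the series (the old macro expanded to the same permissions), so this is a pre-existing choice, but while the lines are being rewritten consider narrowing to the read-only subset, e.g. `dontaudit portage_t self:netlink_route_socket { create_socket_perms nlmsg_read };` and the same for the portage_sandbox_t line in the second hunk, if the intent is only to silence interface and address lookups by ebuild scripts; I cannot confirm that intent from the hunk, so check the audit history before narrowing. The vpnc_t hunk on the same line looks right as is: vpnc_t holds net_admin and, as a VPN client, presumably installs routes, so nlmsg_write is needed there.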
@@ -24,7 +24,7 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
-allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iodined_t self:netlink_route_socket create_netlink_socket_perms;
 manage_dirs_pattern(iodined_t, iodined_runtime_t, iodined_runtime_t)
 manage_files_pattern(iodined_t, iodined_runtime_t, iodined_runtime_t)
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 8c4a0016f..c5b0e9fd0 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -99,7 +99,7 @@ corenet_tcp_connect_epmap_port(eventlogd_t)
 allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
 allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow lsassd_t self:netlink_route_socket create_netlink_socket_perms;
 allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
 allow lsassd_t netlogond_var_lib_t:file read_file_perms;
@@ -160,7 +160,7 @@ optional_policy(`
 allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource };
 allow lwiod_t self:process setrlimit;
-allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+allow lwiod_t self:netlink_route_socket create_netlink_socket_perms;
 allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 2e79998b4..23d97bda3 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
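Review bot: The two likewise hunks grant `lsassd_t` and `lwiod_t` `nlmsg_write` on their netlink_route_socket (it is part of `create_netlink_socket_perms`, per the define shown in the first patch's hunk header), yet the capability sets on the preceding context lines, `{ chown dac_override fowner fsetid sys_time }` and `{ chown dac_override fowner fsetid sys_resource }`, contain no net_admin, which suggests these authentication daemons only enumerate interfaces and addresses rather than change routes. The effective permissions are unchanged from before the series, so this is not a regression, but since the lines are being rewritten anyway it is the moment to drop the write half where it is not needed, e.g. `allow lsassd_t self:netlink_route_socket { create_socket_perms nlmsg_read };` and likewise for lwiod_t (or the observe-state set defined right after rw_netlink_socket_perms in obj_perm_sets.spt, whose name is cut off in the first patch). I cannot confirm Likewise's actual netlink usage from the hunk, so verify against audit logs before narrowing. The iodined_t hunk is fine as is: it already holds net_admin and net_raw and drives a tun device, so route modification is expected there.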
@@ -42,7 +42,7 @@ dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms getcap setcap };
 allow zebra_t self:fifo_file rw_fifo_file_perms;
 allow zebra_t self:unix_stream_socket { accept connectto listen };
-allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:netlink_route_socket create_netlink_socket_perms;
 allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 8f8609a7b..be0cccad2 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -88,7 +88,7 @@ allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
-allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket create_netlink_socket_perms;
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -462,7 +462,7 @@ userdom_use_user_terminals(setkey_t)
 allow ipsec_supervisor_t self:capability { dac_override dac_read_search kill net_admin };
 allow ipsec_supervisor_t self:process { signal signull };
 allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
-allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_route_socket create_netlink_socket_perms;
 allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;