Two patches from Paul Moore for ipsec to remove redundant rules and have setkey read the config file.
parent
9e8f65c83e
commit
a26923c32e
|
@ -1,3 +1,5 @@
|
||||||
|
- Two patches from Paul Moore to for ipsec to remove redundant rules and
|
||||||
|
have setkey read the config file.
|
||||||
- Move booleans and tunables to modules when it is only used in a single
|
- Move booleans and tunables to modules when it is only used in a single
|
||||||
module.
|
module.
|
||||||
- Add support for tunables and booleans local to a module.
|
- Add support for tunables and booleans local to a module.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(ipsec,1.2.2)
|
policy_module(ipsec,1.2.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -330,8 +330,6 @@ logging_send_syslog_msg(racoon_t)
|
||||||
|
|
||||||
miscfiles_read_localization(racoon_t)
|
miscfiles_read_localization(racoon_t)
|
||||||
|
|
||||||
seutil_read_config(setkey_t)
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Setkey local policy
|
# Setkey local policy
|
||||||
|
@ -341,6 +339,10 @@ allow setkey_t self:capability net_admin;
|
||||||
allow setkey_t self:key_socket { create read setopt write };
|
allow setkey_t self:key_socket { create read setopt write };
|
||||||
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
|
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
||||||
|
read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||||
|
read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||||
|
|
||||||
# allow setkey to set the context for ipsec SAs and policy.
|
# allow setkey to set the context for ipsec SAs and policy.
|
||||||
allow setkey_t ipsec_spd_t:association setcontext;
|
allow setkey_t ipsec_spd_t:association setcontext;
|
||||||
|
|
||||||
|
@ -349,6 +351,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
|
||||||
|
|
||||||
files_read_etc_files(setkey_t)
|
files_read_etc_files(setkey_t)
|
||||||
|
|
||||||
|
init_dontaudit_use_fds(setkey_t)
|
||||||
|
|
||||||
locallogin_use_fds(setkey_t)
|
locallogin_use_fds(setkey_t)
|
||||||
|
|
||||||
libs_use_ld_so(setkey_t)
|
libs_use_ld_so(setkey_t)
|
||||||
|
|
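Review bot: The three rules added for ipsec_conf_file_t in the `@ -341,6 +339,10 @@` hunk carry no comment saying why setkey needs them, while the neighbouring grant is explained (`# allow setkey to set the context for ipsec SAs and policy.`). A one-line comment above them, `# setkey reads its SA/SPD rules from the ipsec configuration files`, would also make clear that these rules are what replaces the dropped `seutil_read_config(setkey_t)` in the `@ -330,8 +330,6 @@` hunk. The new access is read-only (list on the directory, read on files and symlinks), which is the right scope for a domain that only parses the file; ipsec_conf_file_t appears to be shared with the other domains in this module, so any later widening for setkey should be weighed against that. Note that `init_dontaudit_use_fds(setkey_t)` in the last hunk only suppresses the denial, so a setkey started by init that does inherit its descriptors will fail silently rather than show up in the audit log. The setkey_t policy block begins before the first setkey hunk and continues past the last one.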