File suse_modifications_ipsec.patch of Package selinux-policy
Index: serefpolicy-20140730/policy/modules/system/ipsec.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
 dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
 allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
+allow ipsec_mgmt_t self:socket { bind create read write };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
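Review bot: The added self rules turn ipsec_mgmt_t from a management domain into one that can open raw packet sockets (`net_raw` together with `packet_socket { setopt create read write }`), rewrite the kernel SA/SP database (`netlink_xfrm_socket { nlmsg_write ... }`) and change its own capability set (`process setcap`), yet none of the new lines records which program or operation required them. The generic `self:socket` class is the vaguest grant here, since it matches whatever address family has no dedicated object class, so a comment should name that family and the caller. A one-line comment per group would make later audits possible, e.g. `# <TOOL> needs raw/xfrm sockets for <OPERATION> (from audit2allow, <BUG-ID>)` with the placeholders filled in. The same missing rationale applies to `kernel_request_load_module(ipsec_mgmt_t)` in the @@ -269 hunk and the four `corenet_udp_bind_*` lines in the @@ -290 hunk. If on this build the IKE daemon itself runs in ipsec_mgmt_t rather than in ipsec_t (which this patch does not show), stating that in the section comment would explain why daemon-style permissions land on the management domain.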
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
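Review bot: `allow ipsec_mgmt_t var_run_t:sock_file { write unlink };` grants write and unlink on every socket file that carries the generic var_run_t label, i.e. other services' sockets under /run and not only the one ipsec_mgmt_t creates, and the `# temporary fix until the rules above work` comment gives neither a bug reference nor a description of what fails. The rules above it only transition class `file` (`filetrans_pattern(..., file)` and `files_pid_filetrans(..., file)`), so a socket created directly in a var_run_t directory presumably keeps the generic label and never matches any ipsec_mgmt_var_run_t rule; the hunk does not show the socket path, so that is an inference. The narrower fix is a file context for that socket plus a sock_file transition, e.g. `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, sock_file, "<SOCKET-NAME>")`, with the blanket rule removed. Until then the comment should at least read `# TODO(<BUG-ID>): <socket path> is created with the generic var_run_t label; drop once the sock_file transition lands`, so the widening is tracked rather than forgotten.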
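Review bot: In the @@ -290 hunk, `corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)` is the line most likely to puzzle a later reader, because binding the DHCP client port is not an obvious need of an IPsec management domain; the isakmp and ipsecnat binds are self-explanatory and `corenet_udp_bind_generic_node` is just the node permission those binds require. If the bind is for a DHCP-based virtual-IP assignment feature of the IKE daemon (this patch does not show which), a short comment should say so, e.g. `# <PLUGIN>: requests client addresses over DHCP, binds the dhcpc port`. Without it the next policy audit cannot tell an intentional grant from an audit2allow leftover.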
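Review bot: In the @@ -297 hunk, the added `# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)` is a commented-out call left where the two dontaudit rules were removed, and it tells a reader neither whether it is meant to come back nor why the udp/key socket dontaudits were dropped. Removing them is a reasonable change from a detection standpoint, since read/write attempts by ipsec_mgmt_t on other domains' udp and key sockets now surface in the audit log instead of being silenced, and the existing `self:key_socket create_socket_perms` rule already covers its own key sockets. It would be clearer to say that: replace the commented-out line with `# udp/key socket dontaudits dropped on purpose so stray socket access by ipsec_mgmt_t stays visible in audit.log`, or delete the line outright.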