diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 17231cd..63a2b19 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
-policy_module(domain,1.4.3)
+policy_module(domain,1.4.4)
########################################
#
@@ -145,3 +145,6 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
+
+# receive from all domains over labeled networking
+domain_all_recvfrom_all_domains(unconfined_domain_type)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index dbb2b6e..433abf4 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -114,6 +114,24 @@ interface(`ipsec_manage_pid',`
########################################
##
+## Allow to set an default security context of IPsec Policy.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipsec_setcontext_default_spd',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association setcontext;
+')
+
+########################################
+##
## Execute racoon in the racoon domain.
##
##
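Review bot: The summary line of the new interface, `## Allow to set an default security context of IPsec Policy.`, is ungrammatical and vaguer than the rule it documents; since the body grants only `association setcontext` on `ipsec_spd_t`, `## Allow setting the default security context on IPsec policy (SPD) entries.` describes the grant precisely. The description block also shows bare `##` lines where refpolicy interfaces normally carry the `<summary>` and `<param name="domain">` markup; if those tags are genuinely missing rather than dropped by the rendering, the interface documentation generator will not attach the text to this interface, so that is worth checking in the actual file.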
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 8005483..80f58e6 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.4.2)
+policy_module(ipsec,1.4.3)
########################################
#
@@ -297,8 +297,6 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
-allow racoon_t ipsec_spd_t:association setcontext;
-
kernel_read_network_state(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -315,6 +313,8 @@ files_read_etc_files(racoon_t)
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
+ipsec_setcontext_default_spd(racoon_t)
+
libs_use_ld_so(racoon_t)
libs_use_shared_libs(racoon_t)
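Review bot: The added `ipsec_setcontext_default_spd(racoon_t)` call carries no comment, while the neighbouring rule for racoon explains why `selinux_compute_access_vector` is needed; a reader may otherwise assume the call is part of that avc_has_perm explanation. A one-line comment such as `# allow racoon to set the default context on IPsec policy (SPD) entries` above the call keeps the block readable, and the same holds for the call added for setkey_t later in this file, whose comment describes a broader grant than the interface makes. The rest of racoon_t's rule set lies outside this hunk.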
@@ -338,9 +338,6 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
-# allow setkey to set the context for ipsec SAs and policy.
-allow setkey_t ipsec_spd_t:association setcontext;
-
# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)
@@ -348,6 +345,9 @@ files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+# allow setkey to set the context for ipsec SAs and policy.
+ipsec_setcontext_default_spd(setkey_t)
+
locallogin_use_fds(setkey_t)
libs_use_ld_so(setkey_t)
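Review bot: The comment moved with the call, `# allow setkey to set the context for ipsec SAs and policy.`, now overstates what the line below grants: `ipsec_setcontext_default_spd` only allows `association setcontext` on `ipsec_spd_t`, and the SA side of that permission remains covered by the `domain_ipsec_setcontext_all_domains(setkey_t)` call kept in the previous hunk. Narrowing it to `# allow setkey to set the default context on IPsec policy (SPD) entries` avoids suggesting the interface covers both.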
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index a49911f..695ea51 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -73,6 +73,10 @@ interface(`unconfined_domain_noaudit',`
')
optional_policy(`
+ ipsec_setcontext_default_spd($1)
+ ')
+
+ optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
libs_use_shared_libs($1)
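Review bot: The new `optional_policy` block is the only one in this interface without a comment, and it widens every caller of `unconfined_domain_noaudit` to `association setcontext` on `ipsec_spd_t`; a short line such as `# allow setting the default context on IPsec policy (SPD) entries` above `ipsec_setcontext_default_spd($1)` documents that intent where the surrounding libs block already does for its rule. The enclosing interface `unconfined_domain_noaudit` begins before this hunk and its remaining body continues after it.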
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index f202cde..95a9fc8 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,2.0.0)
+policy_module(unconfined,2.0.1)
########################################
#