diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index bc0fd7f..5b30909 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -95,6 +95,9 @@ kernel_read_software_raid_state(ipsec_t) kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) +corecmd_exec_shell(ipsec_t) +corecmd_exec_bin(ipsec_t) + # Pluto needs network access corenet_all_recvfrom_unlabeled(ipsec_t) corenet_tcp_sendrecv_all_if(ipsec_t) @@ -115,24 +118,21 @@ dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) dev_read_urand(ipsec_t) +domain_use_interactive_fds(ipsec_t) + +files_read_etc_files(ipsec_t) + fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) term_use_console(ipsec_t) term_dontaudit_use_all_user_ttys(ipsec_t) -corecmd_exec_shell(ipsec_t) -corecmd_exec_bin(ipsec_t) - -domain_use_interactive_fds(ipsec_t) - -files_read_etc_files(ipsec_t) +auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) -auth_use_nsswitch(ipsec_t) - logging_send_syslog_msg(ipsec_t) miscfiles_read_localization(ipsec_t) @@ -209,21 +209,15 @@ kernel_getattr_message_if(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -dev_read_rand(ipsec_mgmt_t) -dev_read_urand(ipsec_mgmt_t) - -fs_getattr_xattr_fs(ipsec_mgmt_t) -fs_list_tmpfs(ipsec_mgmt_t) - -term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) - # the default updown script wants to run route # the ipsec wrapper wants to run /usr/bin/logger (should we put # it in its own domain?) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) +dev_read_rand(ipsec_mgmt_t) +dev_read_urand(ipsec_mgmt_t) + domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) @@ -238,6 +232,12 @@ files_read_etc_runtime_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) +fs_getattr_xattr_fs(ipsec_mgmt_t) +fs_list_tmpfs(ipsec_mgmt_t) + +term_use_console(ipsec_mgmt_t) +term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) + init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -317,10 +317,10 @@ files_read_etc_files(racoon_t) # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -ipsec_setcontext_default_spd(racoon_t) - auth_use_nsswitch(racoon_t) +ipsec_setcontext_default_spd(racoon_t) + locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t)