Two patches from Paul Moore to for ipsec to remove redundant rules and have setkey read the config file.
parent
9e8f65c83e
commit
a26923c32e
@ -1,3 +1,5 @@
|
||||
- Two patches from Paul Moore to for ipsec to remove redundant rules and
|
||||
have setkey read the config file.
|
||||
- Move booleans and tunables to modules when it is only used in a single
|
||||
module.
|
||||
- Add support for tunables and booleans local to a module.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ipsec,1.2.2)
|
||||
policy_module(ipsec,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -330,8 +330,6 @@ logging_send_syslog_msg(racoon_t)
|
||||
|
||||
miscfiles_read_localization(racoon_t)
|
||||
|
||||
seutil_read_config(setkey_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setkey local policy
|
||||
@ -341,6 +339,10 @@ allow setkey_t self:capability net_admin;
|
||||
allow setkey_t self:key_socket { create read setopt write };
|
||||
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
||||
read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||
read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||
|
||||
# allow setkey to set the context for ipsec SAs and policy.
|
||||
allow setkey_t ipsec_spd_t:association setcontext;
|
||||
|
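Review bot: The three new rules granting setkey_t access to ipsec_conf_file_t (the `dir list_dir_perms` allow and the two `read_*_pattern` lines right after the netlink_route_socket rule) carry no comment explaining the grant, while the neighbouring `association setcontext` rule does; a line such as `# read the ipsec config (ipsec_conf_file_t) that setkey loads SA/SPD entries from` above the dir allow would keep the block consistent. Because these rules let setkey_t read every file and symlink labelled ipsec_conf_file_t, presumably including any manual-SA key material kept in that config, it is worth confirming in the module's file contexts that the label is confined to the ipsec configuration files and not applied more widely. The setkey local policy block these rules belong to starts before and continues after this hunk.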
||||
@ -349,6 +351,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
|
||||
|
||||
files_read_etc_files(setkey_t)
|
||||
|
||||
init_dontaudit_use_fds(setkey_t)
|
||||
|
||||
locallogin_use_fds(setkey_t)
|
||||
|
||||
libs_use_ld_so(setkey_t)
|
||||
|