Two patches from Paul Moore to for ipsec to remove redundant rules and have setkey read the config file.

Changelog

@@ -1,3 +1,5 @@
+- Two patches from Paul Moore to for ipsec to remove redundant rules and
+  have setkey read the config file.
 - Move booleans and tunables to modules when it is only used in a single
   module.
 - Add support for tunables and booleans local to a module.

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.2.2)
+policy_module(ipsec,1.2.3)
 
 ########################################
 #
@@ -330,8 +330,6 @@ logging_send_syslog_msg(racoon_t)
 
 miscfiles_read_localization(racoon_t)
 
-seutil_read_config(setkey_t)
-
 ########################################
 #
 # Setkey local policy
@@ -341,6 +339,10 @@ allow setkey_t self:capability net_admin;
 allow setkey_t self:key_socket { create read setopt write };
 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 
+allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+
 # allow setkey to set the context for ipsec SAs and policy.
 allow setkey_t ipsec_spd_t:association setcontext;
 
@@ -349,6 +351,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
 
 files_read_etc_files(setkey_t)
 
+init_dontaudit_use_fds(setkey_t)
+
 locallogin_use_fds(setkey_t)
 
 libs_use_ld_so(setkey_t)