From e6985f91ab3de8cec18f27c8e5185a34cd50c455 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 5 Aug 2009 10:04:13 -0400
Subject: [PATCH] fix ordering of interface calls in iptables.

---
 policy/modules/system/ipsec.te | 38 +++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index bc0fd7ff..5b30909b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -95,6 +95,9 @@ kernel_read_software_raid_state(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
@@ -115,24 +118,21 @@ dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
+domain_use_interactive_fds(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
 term_use_console(ipsec_t)
 term_dontaudit_use_all_user_ttys(ipsec_t)
 
-corecmd_exec_shell(ipsec_t)
-corecmd_exec_bin(ipsec_t)
-
-domain_use_interactive_fds(ipsec_t)
-
-files_read_etc_files(ipsec_t)
+auth_use_nsswitch(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
-auth_use_nsswitch(ipsec_t)
-
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
@@ -209,21 +209,15 @@ kernel_getattr_message_if(ipsec_mgmt_t)
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-dev_read_rand(ipsec_mgmt_t)
-dev_read_urand(ipsec_mgmt_t)
-
-fs_getattr_xattr_fs(ipsec_mgmt_t)
-fs_list_tmpfs(ipsec_mgmt_t)
-
-term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-
 # the default updown script wants to run route
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
@@ -238,6 +232,12 @@ files_read_etc_runtime_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
@@ -317,10 +317,10 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
-ipsec_setcontext_default_spd(racoon_t)
-
 auth_use_nsswitch(racoon_t)
 
+ipsec_setcontext_default_spd(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)