From: yuli.khodorkovskiy@crunchydata.com (Yuli Khodorkovskiy) Date: Wed, 25 Jul 2018 10:33:13 -0400 Subject: [refpolicy] [PATCH 1/1] ipsec: add missing permissions for pluto Message-ID: <20180725143313.2387-1-yuli@crunchydata.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When using libreswan, pluto needs permissions for building the Security Association Database and for setting contexts on IPSec policy and SAs. Signed-off-by: Yuli Khodorkovskiy --- policy/modules/system/ipsec.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 867aefc4..e7ac88f2 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -212,6 +212,12 @@ domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) +# allow pluto to build Security Association Database +ipsec_setcontext_default_spd(ipsec_t) + +# allow pluto to set contexts on ipsec policy and SAs +domain_ipsec_setcontext_all_domains(ipsec_t) + allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) -- 2.18.0
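Review bot: The two new rules are for ipsec_t but land in the middle of the ipsec_mgmt_t block, between `read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)` and `allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;`; move them into the ipsec_t local policy section so the per-domain grouping in ipsec.te stays intact. The commit message should also justify the scope of `domain_ipsec_setcontext_all_domains(ipsec_t)`: it grants ipsec_t setcontext on the association class of every domain, and the message only says pluto needs to set contexts on policy and SAs, so state why a grant limited to the IPsec SPD/SA types (as `ipsec_setcontext_default_spd(ipsec_t)` already does) is not sufficient for labeled IPsec with libreswan. Calling the module's own `ipsec_setcontext_default_spd` interface from inside ipsec.te is also unusual for refpolicy style; a direct allow rule in the ipsec_t section is the conventional form.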