From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 28 Jul 2018 09:03:03 -0400
Subject: [refpolicy] [PATCH v3] ipsec: add missing permissions for pluto
In-Reply-To: <20180726223706.85596-1-yuli@crunchydata.com>
References: <20180726223706.85596-1-yuli@crunchydata.com>
Message-ID: <81f52340-7ca8-5f09-eafb-7902590303e9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/26/2018 06:37 PM, Yuli Khodorkovskiy via refpolicy wrote:
> When using libreswan, pluto needs permissions for building the
> Security Association Database and for setting contexts on IPSec
> policy and SAs.
>
> Signed-off-by: Yuli Khodorkovskiy
> ---
> policy/modules/system/ipsec.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 867aefc4..fe113277 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t)
> corenet_udp_bind_ipsecnat_port(ipsec_t)
> corenet_sendrecv_generic_server_packets(ipsec_t)
> corenet_sendrecv_isakmp_server_packets(ipsec_t)
> +# allow pluto to build Security Association Database
> +corenet_setcontext_all_spds(ipsec_t)
>
> dev_read_sysfs(ipsec_t)
> dev_read_rand(ipsec_t)
> dev_read_urand(ipsec_t)
>
> domain_use_interactive_fds(ipsec_t)
> +# allow pluto to set contexts on ipsec policy and SAs
> +domain_ipsec_setcontext_all_domains(ipsec_t)
>
> files_list_tmp(ipsec_t)
> files_read_etc_files(ipsec_t)

Merged.

-- 
Chris PeBenito
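Review bot: both added calls in this hunk grant the widest form of the permission (`corenet_setcontext_all_spds(ipsec_t)` covers every SPD entry, `domain_ipsec_setcontext_all_domains(ipsec_t)` covers the associations of every domain), and the commit message only says "pluto needs permissions", so it should record which libreswan operations were denied and the AVC messages observed, so a later reader can judge whether a narrower interface would have sufficed. The justification for the breadth is reasonable, since pluto is the IKE daemon that negotiates SAs on behalf of whatever local domain's traffic matches a policy, but that reasoning belongs in the message rather than being inferred from the inline comments. Placement follows the file's grouping: the corenet call sits with the other corenet_* rules and the domain call with domain_use_interactive_fds, which is consistent with refpolicy style.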