Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2015-08-05 19:17:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and /work/SRC/openSUSE:Factory/.selinux-policy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2015-07-23 15:22:54.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2015-08-05 19:17:27.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Aug 5 11:31:24 UTC 2015 - jsegitz@novell.com
+
+- Added suse_modifications_ipsec.patch to grant additional privileges
+ to ipsec_mgmt_t
+
+-------------------------------------------------------------------

New:
----
 suse_modifications_ipsec.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.zi143A/_old 2015-08-05 19:17:29.000000000 +0200
+++ /var/tmp/diff_new_pack.zi143A/_new 2015-08-05 19:17:29.000000000 +0200
@@ -99,6 +99,7 @@
 Patch0020: suse_modifications_unprivuser.patch
 Patch0021: dont_use_xmllint_in_make_conf.patch
 Patch0022: suse_modifications_staff.patch
+Patch0023: suse_modifications_ipsec.patch
 # contrib patches
 Patch1000: policy-rawhide-contrib.patch
@@ -367,6 +368,7 @@
 %patch0020 -p1
 %patch0021 -p1
 %patch0022 -p1
+%patch0023 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 # we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
++++++ suse_modifications_ipsec.patch ++++++
Index: serefpolicy-20140730/policy/modules/system/ipsec.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-05 13:56:18.127343378 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-05 15:13:33.360764030 +0200
@@ -209,14 +209,18 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
 dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
 allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create };
+allow ipsec_mgmt_t self:socket { bind create };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { bind create };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
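Review bot: The new `net_raw` capability together with `self:packet_socket { setopt create }` and `self:socket { bind create }` lets ipsec_mgmt_t open raw and packet sockets, and neither the hunk nor the changelog says which management program needs that; since the same domain already has `corecmd_exec_shell`, this widens what a compromised management script can do on the network. The added `netlink_xfrm_socket { bind create }` and `packet_socket { setopt create }` lines carry no read/write permissions, which suggests they were lifted from a partial audit log and are either incomplete or really belong to the daemon domain (ipsec_t) rather than the management domain. I would annotate each new allow with the program and denial behind it, e.g. `# needed by <tool> when <action>; see <bug id>` with the placeholders filled in, and move any daemon-side rules to ipsec_t if that is where the denials originated. The generic `socket` class is, as far as I know, the fallback for address families without a dedicated class, so a comment naming the family would help the next reviewer judge it.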
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
 kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
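Review bot: `allow ipsec_mgmt_t var_run_t:sock_file { write unlink };` grants write and unlink on every socket file that carries the generic var_run_t label under /run, not only the IPsec ones, so the "temporary fix" is much broader than the transition rule it stands in for. The `files_pid_filetrans` and `filetrans_pattern` calls just above it only name the `file` class, so a socket created directly under /run keeps the directory's label; a `sock_file` transition into ipsec_mgmt_var_run_t (the same `files_pid_filetrans` call with `sock_file` as the class) would let this rule be dropped, though I cannot tell from the hunk which socket triggered the denial. At minimum the comment should name the socket and the rule it refers to, e.g. `# temporary: <socket path> is created as var_run_t; replace with a sock_file filetrans into ipsec_mgmt_var_run_t and drop this rule`.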
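Review bot: `corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)` and `corenet_udp_bind_generic_node(ipsec_mgmt_t)` in the last hunk are not obviously part of IPsec management: binding the DHCP client port is unusual for this domain, and if it stems from a denial the program and reason should be recorded next to the line, e.g. `# <tool> binds the dhcpc port for <reason>; see <bug id>`. The isakmp and ipsecnat port binds read as IKE daemon permissions that refpolicy, as far as I recall, grants to ipsec_t, so if the denials came from the daemon process the rules belong there rather than in the management domain; the hunk does not show which process triggered them.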