]> git.ipfire.org Git - people/stevee/selinux-policy.git/commitdiff
projects / people / stevee / selinux-policy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ce3666e)
Make labeled ipsec work in MLS machines
authorDan Walsh <dwalsh@redhat.com>
Fri, 11 Feb 2011 15:53:16 +0000 (10:53 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 11 Feb 2011 15:53:16 +0000 (10:53 -0500)
policy/modules/kernel/domain.te patch | blob | blame | history
policy/modules/services/ssh.te patch | blob | blame | history
policy/modules/system/ipsec.if patch | blob | blame | history

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 778d512efca685d606d2052c3790b5f58109e914..2a6b5e18fe59dd1a957bf3cf423d0d978142b9cc 100644 (file)
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -258,6 +258,10 @@ optional_policy(`
        hal_dontaudit_read_pid_files(domain)
 ')
 
+optional_policy(`
+       ipsec_match_default_spd(domain)
+')
+
 optional_policy(`
        ifdef(`hide_broken_symptoms',`
                afs_rw_udp_sockets(domain)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 7230490577a7acb6a2b5ec9e6040da005e526d3a..9a289e228166204e87469f728cba83cee8386438 100644 (file)
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -120,6 +120,7 @@ userdom_stream_connect(ssh_t)
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
 
 allow ssh_t sshd_t:unix_stream_socket connectto;
+allow ssh_t sshd_t:peer recv;
 
 # ssh client can manage the keys and config
 manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index cba1b300a53bb32ab874f8290f0cc957e496242a..8897e328918d35b888c23c6a46b9e26367ef7d87 100644 (file)
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -147,6 +147,7 @@ interface(`ipsec_match_default_spd',`
 
        allow $1 ipsec_spd_t:association polmatch;
        allow $1 self:association sendto;
+       allow $1 self:peer recv;
 ')
 
 ########################################
The IPFire selinux policy.