From 411b89e9ecb8dda287bd21a45245e6d1b64670dd5b9a05fd40fabf5d951cd3df Mon Sep 17 00:00:00 2001
From: Johannes Segitz <jsegitz@suse.com>
Date: Fri, 16 Dec 2022 07:55:17 +0000
Subject: [PATCH] Accepting request 1043182 from
 home:cahu:branches:security:SELinux

- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
  (bnc#1206445)

OBS-URL: https://build.opensuse.org/request/show/1043182
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=166
---
 fix_ipsec.patch        | 20 ++++++++++++++++++++
 selinux-policy.changes |  6 ++++++
 selinux-policy.spec    |  1 +
 3 files changed, 27 insertions(+)
 create mode 100644 fix_ipsec.patch

diff --git a/fix_ipsec.patch b/fix_ipsec.patch
new file mode 100644
index 0000000..42486de
--- /dev/null
+++ b/fix_ipsec.patch
@@ -0,0 +1,20 @@
+Index: fedora-policy-20221019/policy/modules/system/ipsec.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/system/ipsec.te
++++ fedora-policy-20221019/policy/modules/system/ipsec.te
+@@ -87,6 +87,7 @@ allow ipsec_t self:tcp_socket create_str
+ allow ipsec_t self:udp_socket create_socket_perms;
+ allow ipsec_t self:packet_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
++allow ipsec_t self:alg_socket create_socket_perms;
+ allow ipsec_t self:fifo_file read_fifo_file_perms;
+ allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+ allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+@@ -269,6 +270,7 @@ allow ipsec_mgmt_t self:unix_stream_sock
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
++allow ipsec_mgmt_t self:alg_socket create_socket_perms;
+ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+ allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
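Review bot: The second embedded hunk grants `allow ipsec_mgmt_t self:alg_socket create_socket_perms;` to the management domain as well as `ipsec_t`, while the commit message only says strongswan needs AF_ALG. It is worth confirming against the AVC denials in bnc#1206445 that both domains were actually denied, and keeping only the rule for the domain that was. As far as I know `create_socket_perms` does not include `accept`, which AF_ALG users normally need to obtain the operation socket, so a follow-up denial may appear once the daemon does more than create and bind. A run in enforcing mode that exercises the AF_ALG path would settle this. fix_ipsec.patch also has no header, so a one-line description with the bug reference above `Index:` would keep the rationale next to the rule.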
diff --git a/selinux-policy.changes b/selinux-policy.changes
index fe1e438..3ab948c 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Dec 15 16:11:15 UTC 2022 - Hu <cathy.hu@suse.com>
+
+- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
+  (bnc#1206445)
+
 -------------------------------------------------------------------
 Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy.hu@suse.com>
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f27b5e0..89d670b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -147,6 +147,7 @@ Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
 Patch065:       fix_sendmail.patch
+Patch066:       fix_ipsec.patch
 
 Patch100:       sedoctool.patch