Accepting request 1043182 from home:cahu:branches:security:SELinux

- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445) OBS-URL: https://build.opensuse.org/request/show/1043182 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=166
2022-12-16 07:55:17 +00:00 · 2022-12-16 07:55:17 +00:00 · 411b89e9ec
commit 411b89e9ec
parent 60d1d0d29a
3 changed files with 27 additions and 0 deletions
--- a/fix_ipsec.patch
+++ b/fix_ipsec.patch
@ -0,0 +1,20 @@
+Index: fedora-policy-20221019/policy/modules/system/ipsec.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/system/ipsec.te
+++ fedora-policy-20221019/policy/modules/system/ipsec.te
+@@ -87,6 +87,7 @@ allow ipsec_t self:tcp_socket create_str
+ allow ipsec_t self:udp_socket create_socket_perms;
+ allow ipsec_t self:packet_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
+allow ipsec_t self:alg_socket create_socket_perms;
+ allow ipsec_t self:fifo_file read_fifo_file_perms;
+ allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+ allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+@@ -269,6 +270,7 @@ allow ipsec_mgmt_t self:unix_stream_sock
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+allow ipsec_mgmt_t self:alg_socket create_socket_perms;
+ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+ allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Dec 15 16:11:15 UTC 2022 - Hu <cathy.hu@suse.com>
+
+- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
+  (bnc#1206445)
+
 -------------------------------------------------------------------
 Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy.hu@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -147,6 +147,7 @@ Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
 Patch065:       fix_sendmail.patch
+Patch066:       fix_ipsec.patch

 Patch100:       sedoctool.patch