[selinux-policy: 2211/3172] fix ordering of interface calls in iptables.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:16:19 UTC 2010


commit e6985f91ab3de8cec18f27c8e5185a34cd50c455
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 5 10:04:13 2009 -0400

    fix ordering of interface calls in iptables.

 policy/modules/system/ipsec.te |   38 +++++++++++++++++++-------------------
 1 files changed, 19 insertions(+), 19 deletions(-)
---
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index bc0fd7f..5b30909 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -95,6 +95,9 @@ kernel_read_software_raid_state(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
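Review bot: The commit subject names iptables, but the diffstat and the file header show the only file touched is policy/modules/system/ipsec.te, so the message does not match the change; it should read `fix ordering of interface calls in ipsec.` unless an iptables change was meant to be part of this commit and was left out. Every hunk in this file (this one and the four that follow) only moves existing interface calls into the reference-policy layer order, so no permission is granted or removed for ipsec_t, ipsec_mgmt_t or racoon_t; the moved lines in later hunks match their removed counterparts exactly. The ipsec_t local policy block this hunk sits in begins and ends outside the hunk.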
@@ -115,24 +118,21 @@ dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
+domain_use_interactive_fds(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
 term_use_console(ipsec_t)
 term_dontaudit_use_all_user_ttys(ipsec_t)
 
-corecmd_exec_shell(ipsec_t)
-corecmd_exec_bin(ipsec_t)
-
-domain_use_interactive_fds(ipsec_t)
-
-files_read_etc_files(ipsec_t)
+auth_use_nsswitch(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
-auth_use_nsswitch(ipsec_t)
-
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
@@ -209,21 +209,15 @@ kernel_getattr_message_if(ipsec_mgmt_t)
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-dev_read_rand(ipsec_mgmt_t)
-dev_read_urand(ipsec_mgmt_t)
-
-fs_getattr_xattr_fs(ipsec_mgmt_t)
-fs_list_tmpfs(ipsec_mgmt_t)
-
-term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-
 # the default updown script wants to run route
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
@@ -238,6 +232,12 @@ files_read_etc_runtime_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
@@ -317,10 +317,10 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
-ipsec_setcontext_default_spd(racoon_t)
-
 auth_use_nsswitch(racoon_t)
 
+ipsec_setcontext_default_spd(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)

