remove setuid SELinux capability for racoon.

In the master external/ipsec-tools/{main.c, racoon.rc}, racoon doesn't call setuid, and doesn't have the setuid capability. Bug: 35642293 Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>

remove setuid SELinux capability for racoon.
In the master external/ipsec-tools/{main.c, racoon.rc}, racoon doesn't call setuid, and doesn't have the setuid capability. Bug: 35642293 Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>
1625dba9 · Lucas Duffey · Nick Kralevich · 1c4014ab · 1625dba9
Commit 1625dba9 authored 8 years ago by Lucas Duffey Committed by Nick Kralevich 8 years ago
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+allow racoon self:capability { net_admin net_bind_service net_raw };
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;