Merge changes from topic 'ipsec-svc-pick' into oc-dev

* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM

private/service_contexts

@@ -66,6 +66,7 @@ iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipsec                                     u:object_r:ipsec_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0

public/netd.te

@@ -83,6 +83,9 @@ allow netd netdomain:{
 } { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 ###
 ### Neverallow rules
 ###

public/service.te

@@ -81,6 +81,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;