From a675ca60a4afb4b9a44ad7db264c5008ef04c858 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 24 Jan 2017 17:12:58 -0800
Subject: [PATCH] racoon: Add SIOCSIFNETMASK

XAUTH based VPNs
1. IPSec XAUTH PSK
2. IPSec XAUTH RSA
fail with the following error from racoon

  01-24 16:46:05.583 18712 18712 W ip-up-vpn: type=1400 audit(0.0:390):
  avc: denied { ioctl } for path="socket:[954683]" dev="sockfs" ino=954683
  ioctlcmd=891c scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0
  tclass=udp_socket permissive=0

"setenforce 0" on the device fixed the issue.

Bug: 34690009
Test: Policy compiles
Change-Id: Idc0d156ec32e7a9be3825c380c3cb0359fe4fabe
---
 public/racoon.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/racoon.te b/public/racoon.te
index 3255b9e3c..476981e43 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -5,7 +5,7 @@ type racoon_exec, exec_type, file_type;
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR };
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
 
 binder_use(racoon)
 
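Review bot: The `allowxperm` rule on `self:udp_socket` carries no comment saying which caller needs each whitelisted ioctl, which makes the allowlist hard to audit when it is next extended. The denial quoted in the commit message shows `ioctlcmd=891c` raised by `ip-up-vpn` running in the racoon domain, presumably during interface setup, so a line such as `# ip-up-vpn (racoon domain) sets flags, address and netmask on the VPN interface` above the rule would record the reason. The commit lists only "Policy compiles" as its test, so it is worth confirming on a device in enforcing mode that both XAUTH PSK and XAUTH RSA connections complete with no further `ioctl` denials before treating the set as complete.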
-- 
GitLab