sepolicy: fix denial in netmgrd

avc: denied { nlmsg_read } for comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket permissive=0 Change-Id: I219cfc63a0d1a01afa756893aa0c4a08b66d5f21
author: Jeff Vander Stoep <jeffv@google.com> 2015-08-28 11:04:02 -0700
committer: Jeff Vander Stoep <jeffv@google.com> 2015-08-28 11:09:17 -0700
commit: 6b9566bf406963f3b62a04f8f36a27d1807639c3 (patch)
tree: e8ecd60463859d4fe5b692eb32029131028a02ee /sepolicy
parent: c94406f53f8a540d5944a7f923960e804698318a (diff)
download: bullhead-6b9566bf406963f3b62a04f8f36a27d1807639c3.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index cb17e5d..5349e89 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -28,7 +28,7 @@ allow netmgrd system_file:file rx_file_perms;
 
 allow netmgrd self:netlink_socket create_socket_perms;
 allow netmgrd self:netlink_route_socket nlmsg_write;
-allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_write };
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
 
 # b/17065650
 allow netmgrd self:socket {create ioctl read write};
author	Jeff Vander Stoep <jeffv@google.com>	2015-08-28 11:04:02 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	2015-08-28 11:09:17 -0700
commit	6b9566bf406963f3b62a04f8f36a27d1807639c3 (patch)
tree	e8ecd60463859d4fe5b692eb32029131028a02ee /sepolicy
parent	c94406f53f8a540d5944a7f923960e804698318a (diff)
download	bullhead-6b9566bf406963f3b62a04f8f36a27d1807639c3.tar.gz