From 1625dba935bd80a1dee091928a299b44fde09e60 Mon Sep 17 00:00:00 2001
From: Lucas Duffey <lucas.duffey@invapid.org>
Date: Tue, 21 Feb 2017 19:17:34 -0800
Subject: [PATCH] remove setuid SELinux capability for racoon.

In the master external/ipsec-tools/{main.c, racoon.rc}, racoon doesn't call setuid, and doesn't have the setuid capability.

Bug: 35642293
Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>
---
 public/racoon.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/racoon.te b/public/racoon.te
index 476981e43..d5d5a4ef1 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+allow racoon self:capability { net_admin net_bind_service net_raw };
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
-- 
GitLab
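Review bot: The narrowed capability set on the `+allow racoon self:capability { net_admin net_bind_service net_raw };` line is only safe if every racoon build this policy is paired with has already dropped its setuid call; the commit message grounds that in the master external/ipsec-tools main.c and racoon.rc, so a tree carrying an older ipsec-tools would presumably hit an `avc: denied { setuid }` when racoon drops privileges and the daemon would fail to come up. Worth confirming with a denial-free boot and a VPN connect on a device built from this tree, and if older ipsec-tools sources can still be paired with this policy, the capability removal and the ipsec-tools change should land together. The tightening itself is the right direction: the remaining three capabilities are the network ones racoon's socket and tunnel rules in this hunk already imply.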