From d063d23032ec82613765188434045b15deb3366f Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sat, 15 Oct 2016 14:09:45 -0700
Subject: [PATCH] racoon: allow setting options on tun interface

Fixes failure in VPN connection

avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket

Test: VPN works
Bug: 32011648
Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9
---
 public/racoon.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/racoon.te b/public/racoon.te
index c99740fee..b0fe669e6 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -5,6 +5,7 @@ type racoon_exec, exec_type, file_type;
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR };
 
 binder_use(racoon)
 
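Review bot: The new `allowxperm` rule under `net_domain(racoon)` has no comment saying which caller needs these two interface-configuration ioctls, so a later audit of racoon.te cannot tell why the domain may change interface flags and addresses. I would put `# ip-up-vpn (runs in the racoon domain) configures the tun interface: SIOCSIFFLAGS (0x8914), SIOCSIFADDR (0x8916)` directly above the rule, which ties it to the two denials quoted in the commit message. The set matches exactly the two `ioctlcmd` values from those denials and should stay that narrow; the comment makes it harder to widen the list later without a matching denial. `allowxperm` only narrows an ioctl permission that a base `allow` rule already grants. That rule presumably comes from `net_domain()`, which is not visible in this hunk, so it is worth confirming.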
-- 
GitLab