* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96

- Allow NetworkManager stream connect on openvpn. BZ(1165110)
2014-11-20 11:38:07 +01:00 · 2014-11-20 11:38:07 +01:00 · 48f969d319
commit 48f969d319
parent feb8dbd59b
2 changed files with 43 additions and 9 deletions
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -54988,7 +54988,7 @@ index 86dc29d..98fdac1 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..4e7b106 100644
+index 55f2009..6dc7fb1 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -55326,7 +55326,11 @@ index 55f2009..4e7b106 100644
 ')
 
 optional_policy(`
-@@ -289,6 +350,7 @@ optional_policy(`
+@@ -286,9 +347,11 @@ optional_policy(`
+ 	openvpn_kill(NetworkManager_t)
+ 	openvpn_signal(NetworkManager_t)
+ 	openvpn_signull(NetworkManager_t)
+    openvpn_stream_connect(NetworkManager_t)
 ')
 
 optional_policy(`
@ -55334,7 +55338,7 @@ index 55f2009..4e7b106 100644
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +358,7 @@ optional_policy(`
+@@ -296,7 +359,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -55343,7 +55347,7 @@ index 55f2009..4e7b106 100644
 ')
 
 optional_policy(`
-@@ -307,6 +369,7 @@ optional_policy(`
+@@ -307,6 +370,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
@ -55351,7 +55355,7 @@ index 55f2009..4e7b106 100644
 ')
 
 optional_policy(`
-@@ -320,14 +383,20 @@ optional_policy(`
+@@ -320,14 +384,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -55377,7 +55381,7 @@ index 55f2009..4e7b106 100644
 ')
 
 optional_policy(`
-@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +427,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
 
@ -61896,7 +61900,7 @@ index 300213f..4cdfe09 100644
 /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
 diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..21e6dae 100644
+index 6837e9a..9bac89c 100644
 --- a/openvpn.if
 +++ b/openvpn.if
@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
@ -61925,7 +61929,34 @@ index 6837e9a..21e6dae 100644
 ##	openvpn domain, and allow the
 ##	specified role the openvpn domain.
 ## </summary>
-@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
+@@ -123,6 +142,26 @@ interface(`openvpn_read_config',`
+ 	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+####################################
+## <summary>
+##  Connect to openvpn over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`openvpn_stream_connect',`
+	gen_require(`
+		type openvpn_t, openvpn_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
+ ########################################
+ ## <summary>
+ ##	All of the rules required to
+@@ -147,9 +186,13 @@ interface(`openvpn_admin',`
 		type openvpn_status_t;
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,9 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
+- Allow NetworkManager stream connect on openvpn. BZ(1165110)
+
 * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
 - Allow networkmanager manage also openvpn sock pid files.