* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96

- Allow NetworkManager stream connect on openvpn. BZ(1165110)
Lukas Vrabec 2014-11-20 11:38:07 +01:00
parent feb8dbd59b
commit 48f969d319
2 changed files with 43 additions and 9 deletions


@ -54988,7 +54988,7 @@ index 86dc29d..98fdac1 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..4e7b106 100644
index 55f2009..6dc7fb1 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -55326,7 +55326,11 @@ index 55f2009..4e7b106 100644
')
optional_policy(`
@@ -289,6 +350,7 @@ optional_policy(`
@@ -286,9 +347,11 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
+ openvpn_stream_connect(NetworkManager_t)
')
optional_policy(`
@ -55334,7 +55338,7 @@ index 55f2009..4e7b106 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +358,7 @@ optional_policy(`
@@ -296,7 +359,7 @@ optional_policy(`
')
optional_policy(`
@ -55343,7 +55347,7 @@ index 55f2009..4e7b106 100644
')
optional_policy(`
@@ -307,6 +369,7 @@ optional_policy(`
@@ -307,6 +370,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@ -55351,7 +55355,7 @@ index 55f2009..4e7b106 100644
')
optional_policy(`
@@ -320,14 +383,20 @@ optional_policy(`
@@ -320,14 +384,20 @@ optional_policy(`
')
optional_policy(`
@ -55377,7 +55381,7 @@ index 55f2009..4e7b106 100644
')
optional_policy(`
@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
@@ -357,6 +427,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@ -61896,7 +61900,7 @@ index 300213f..4cdfe09 100644
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
diff --git a/openvpn.if b/openvpn.if
index 6837e9a..21e6dae 100644
index 6837e9a..9bac89c 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
@ -61925,7 +61929,34 @@ index 6837e9a..21e6dae 100644
## openvpn domain, and allow the
## specified role the openvpn domain.
## </summary>
@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
@@ -123,6 +142,26 @@ interface(`openvpn_read_config',`
allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
')
+####################################
+## <summary>
+## Connect to openvpn over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_stream_connect',`
+ gen_require(`
+ type openvpn_t, openvpn_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
########################################
## <summary>
## All of the rules required to
@@ -147,9 +186,13 @@ interface(`openvpn_admin',`
type openvpn_status_t;
')
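Review bot: The summary on the new `openvpn_stream_connect` interface in openvpn.if does not say which sockets it covers, and the rule it wraps is broad: `stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)` lets the caller connect to any process running as openvpn_t through any socket file labeled openvpn_var_run_t. I would make the summary say so, for example `## Connect to openvpn over a unix domain stream socket labeled openvpn_var_run_t in the pid directory.`, so later callers can judge whether the grant fits them. If the socket NetworkManager needs is an OpenVPN control socket (the page does not say; BZ 1165110 should), a dedicated type for that socket would keep the permission from extending to every other socket openvpn creates under its pid directory. The added `openvpn_stream_connect(NetworkManager_t)` call appears to sit inside an `optional_policy` block whose opening line is outside the visible hunk.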


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 95%{?dist}
Release: 96%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -604,6 +604,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.