diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index b5272fb1..ccda6e4c 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -110,7 +110,7 @@ interface(`vpn_signull',`
 ##
 ##
 #
-interface(`vpnc_dbus_chat',`
+interface(`vpn_dbus_chat',`
 gen_require(`
 type vpnc_t;
 class dbus send_msg;
@@ -119,3 +119,21 @@ interface(`vpnc_dbus_chat',`
 allow $1 vpnc_t:dbus send_msg;
 allow vpnc_t $1:dbus send_msg;
 ')
+
+########################################
+##
+## Relabelfrom from vpnc socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 796ad452..0468e74d 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -30,7 +30,7 @@ allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t self:tun_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
 # cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;
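Review bot: The summary of the new `vpn_relabelfrom_tun_socket` interface ("Relabelfrom from vpnc socket.") names neither the object class nor the reason a caller would want it; `Relabel from vpnc tun sockets.` would match the rule `allow $1 vpnc_t:tun_socket relabelfrom;`. The rule lets the caller domain take over tun sockets labelled `vpnc_t`, so the description should say that it is meant for the domain that manages the tunnel, not for general use. It also grants only the relabelfrom half; a caller presumably still needs `relabelto` on its own `tun_socket` class, and saying so in the description would save callers from discovering it through denials.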
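Review bot: The widened rule `allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };` in vpn.te carries no comment saying which operation needs `relabelfrom`, so a later reader cannot tell whether the permission is still required. A one-line comment above it, for example `# needed to attach to an already-created tun device`, would record the intent once it has been confirmed against the AVC denial that prompted the change. If the intent is re-attaching to an existing tun device, the kernel check, as far as I know, also tests `relabelto` against the caller's own label, so it is worth verifying that this rule alone clears the denial rather than widening it further later.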