openvpn needs ipc_lock capability, connects to http ports,
and manages net_conf_t files - from Dan Walsh
parent
47293bd8d6
commit
d3b5907ea4
@ -41,7 +41,7 @@ files_pid_file(openvpn_var_run_t)
|
||||
# openvpn local policy
|
||||
#
|
||||
|
||||
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
||||
allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
||||
allow openvpn_t self:process { signal getsched };
|
||||
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@ -85,6 +85,7 @@ corenet_tcp_bind_generic_node(openvpn_t)
|
||||
corenet_udp_bind_generic_node(openvpn_t)
|
||||
corenet_tcp_bind_openvpn_port(openvpn_t)
|
||||
corenet_udp_bind_openvpn_port(openvpn_t)
|
||||
corenet_tcp_bind_http_port(openvpn_t)
|
||||
corenet_tcp_connect_openvpn_port(openvpn_t)
|
||||
corenet_tcp_connect_http_port(openvpn_t)
|
||||
corenet_tcp_connect_http_cache_port(openvpn_t)
|
||||
@ -100,6 +101,8 @@ dev_read_urand(openvpn_t)
|
||||
files_read_etc_files(openvpn_t)
|
||||
files_read_etc_runtime_files(openvpn_t)
|
||||
|
||||
auth_use_pam(openvpn_t)
|
||||
|
||||
logging_send_syslog_msg(openvpn_t)
|
||||
|
||||
miscfiles_read_localization(openvpn_t)
|
||||
@ -107,7 +110,7 @@ miscfiles_read_certs(openvpn_t)
|
||||
|
||||
sysnet_dns_name_resolve(openvpn_t)
|
||||
sysnet_exec_ifconfig(openvpn_t)
|
||||
sysnet_write_config(openvpn_t)
|
||||
sysnet_manage_config(openvpn_t)
|
||||
sysnet_etc_filetrans_config(openvpn_t)
|
||||
|
||||
userdom_use_user_terminals(openvpn_t)
|
||||
|
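Review bot: The switch from `sysnet_write_config(openvpn_t)` to `sysnet_manage_config(openvpn_t)` in the last hunk widens the grant from writing net_conf_t files to creating, renaming and unlinking them, and together with the existing `sysnet_etc_filetrans_config(openvpn_t)` it lets the domain replace the resolver configuration outright rather than only edit it; the commit message says this is needed but the policy does not record why. A one-line comment above the call, `# openvpn rewrites resolv.conf for pushed DNS options; manage (not just write) is required for the replace-by-rename path`, would keep the next reviewer from narrowing it back. The same applies to `ipc_lock` added in the first hunk, which is presumably for mlock()ing key material out of swap and deserves a `# ipc_lock: mlock private key memory` note. The http and http_cache connect rules in the second hunk are unconditional; if proxy use is optional for this deployment they are a candidate for a tunable_policy block, though nothing on the page shows whether one exists in this tree. The file header for this section is outside the shown range.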