openvpn needs ipc_lock capability, connects to http ports,

and manages net_conf_t files - from Dan Walsh
Jeremy Solt 2010-03-19 13:04:27 -04:00 committed by Chris PeBenito
parent 47293bd8d6
commit d3b5907ea4


@ -41,7 +41,7 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
@ -85,6 +85,7 @@ corenet_tcp_bind_generic_node(openvpn_t)
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
@ -100,6 +101,8 @@ dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
auth_use_pam(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@ -107,7 +110,7 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_write_config(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
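Review bot: The replacement of `sysnet_write_config(openvpn_t)` with `sysnet_manage_config(openvpn_t)` in the last hunk, alongside `sysnet_etc_filetrans_config(openvpn_t)`, widens openvpn_t from writing net_conf_t files to creating, renaming and deleting them, and neither the policy nor the commit message records why the wider permission set is needed. A one-line comment above the call would make the grant auditable later, for example `# manage (not just write) net_conf_t: openvpn replaces resolver config rather than editing it in place -- confirm`. The new `ipc_lock` capability in the first hunk deserves the same treatment, presumably `# ipc_lock: mlock() of key material`, since bare capability lists are the hardest part of a domain to audit after the fact. The rendered hunks show fewer lines than their headers count, so the context lines around both changes are not visible here.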