From db55b65949518f75a3f0eac7a30fc74603a0cf65 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 10 Nov 2015 10:24:32 +0100 Subject: [PATCH] - Merge pull request #48 from lkundrak/contrib-openfortivpn - unbound binds ephemeral ports in its default configuration; allow it to do so on UDP sockets as well as TCP. --- docker-selinux.tgz | Bin 3957 -> 3957 bytes policy-rawhide-contrib.patch | 291 ++++++++++++++++++++++++++++++++--- selinux-policy.spec | 6 +- 3 files changed, 271 insertions(+), 26 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 2e0c333c25610bd21d342fc528d989f99f51f3d9..4bda657c0944cb799b50e2bf16cf414a5844fc1d 100644 GIT binary patch delta 3857 zcmV+s5AN{w9`zmvABzY8kG4UP2XBAhzkh#y_1&w>tLy8ln^(c*Gxn)26&Dc;f>+sw zkuvS4J5>LFS{AQg2jBB5%ObY_@wY7rijw5-cu}#K1W{S0G>!x<@*pm95z(BmfaDwa zJpcZ}uq^;&TxqoiKTiJnK;lY}AdzYq&^!>^`d3n9(Bipdy0Ex{@5_iqS&)B68TsK< zQJwzS!TwoR1W}q6JCX#V2n36APH{Ls& zLq`6pCdpBRfpgfh8JjL_!^dkWgNKHG$q_L zsi~#tkEy9IO1x5izKn2v+FLU{QN;ftQDVziPUP2>EQ2n|vB|znmv4WsE}lqaRqZje zHPEvPnQtRTUW}M!Z$=7Q(T)&vO1VG<_DWf!xW5n1&H=tOzk3Al_*w1D=|AKu#+{Rw zB&KUh61{oiu1DIIOE#FOSx4q4?zzup&YqwRJ{$E2F?$64?EM0f9Ud(@nZA}^4re~P3K9l!+;{FM2A6S`U^(V-fqbna7*+Ua8`R|c_ zN5wXXfT|K8QbFTDj=1sB!FC~CWEr)R(R*wJDZk(hI>@>gA@;(9j}faJO0kxfRY?Rb zaV$kNr76W5#%aWPPgAn4+t!Nc=8`Gx;lHO4Z=?L9^oLWys=j|ABB|5tiqL#Bs#(vP zF!pO)OzT|{y-};B_1|2>-+TDGIie%=%fEhp2|I!GK1!NQ*aujZ_gEFc;bUD@iPC*? z+>nbCcK`Hz%%IpiIf6++?w$*h#UeeNkoo95sB$W#gqyigXo+@)478dMisX!>1$xaO z6$;8CYXV&ivz~vsb)mpZuoSxl=SJbU(Vx|gTl@&>nXlu&Ar{@0KyN|%r(s>3l%PMX zK*jdy(NO}MC{KbNqaANIBN=QvUwL)zKqT2HitcUyc3xi1ArDPn&O$_GDPSsJR_c*{bi>bnpc zKaOCrsF>+?OOn2yeT)Sp``)3v!0ygMnPlc}Ai{BW zf7pLUJx@2?hiYFLa*=g_5qtt4mcbAMPB(d!Dz`59{BcAS0zdyq9We z0$d%@Lb#a=lk-2b>JJ3KZ;laj;-WWd$Ay2)fv(ZySQh%Ln_+dphMhZLg3Ze6StXK2 z3hf#1|7c%YkY{Y;!2PeA57#%H`(M`|=KEh?qNsHqW<>&9=~8LK+u-W_^89krVqLrr zekO4WD+3J(EW(9cD+%GT&RCQ>S3xlJhm{)awgi?ltHbmtmjrR+dcj%@e*5W{pe%ow zsPh@6UWE!8SC^>rXjS*Vb{(U953xg(asnf9_Ez6jBAMw+B9aw(sI0`YT%mXy3RG)Hn=vMyabK^?Cm^dtnZXi#SRHWryH-q;q*nXaOhb`ZkWrXhl;h_TYbO#@k|- z2X_=~!y3K;!kQC7lOVgxizLX2P%gIowxW5RwwDiBv;$1B21xW!eXW5xF)<4xX|y6K z#w~EcXX&V>cLHtDC?!}3*00)yt{Xk9%Y1}xB zW%NW!pg4($hq`a^x3ih!`mbzsCt4cU_a0_vJLu`SVg7_2m)XPMbDhf_+xd) zzsAaNh;@Vvz3lBxzDI(ZvqyrX$Biz4`+LIJ2ieDs|3DA)zVieObISJwh*kRdk@%Ha zSIe8$miB&J)b|(rS^)j9-MN1CP~EXj%c0KH=b>3q<)X;PuAkm(t>g6Q5c>!{>V@zR zSXWOqCjE0$xA$5<=sAB-wF9hCq8+@lH(tTVz>HAxF)&Af7%}04F#btzz1}ck+WXE^ zhx+s+vpjgIYP^&WLDVPMPsABHTfH#8v+^MXpKR-~NGbd0zkBV&ne<(~lA3r4gDCg$ zXC0&JFvAK}oBmosEBwq!s~4@orpkZ!JQgYUQ0x$+zaB=# 
z<1I-BurZFbO_k37;DsESVvb@#??DL@8(tG7nE0*|c}Y#fsT$rH(!#tZC$m^9YUiI? zReVd*)Mdm$V!S9r>J9v4G!7x+CJu_B;}F*Y=6y{|*JCNCpki*YhgSAf$`|v8Jwzs3 zxD}!t0yA`Rk!62nN*+Qf{T>Dx9FH2mm$GO4E!v@RA>o*5s_A@S+E7TXvhs5_iK1vU zP-j7u5`xVgN$SF)$EBLxu%arv&FX69NAZ1@()`XL&?jzDOON4stKC+kToerLD~ooa zOu;;WACXXgXA?!0*vfU8bH1Y@-ddHit~)~TRgz+7gXn)NrRJ2#s**MMuxfR!IYz{} zlIR)V*d#3qFhv-=0ZGgMp**&xRHohNe!Eq&4Yedm^dNF}JYS_xT4RVtL9_0ZBA zn@s6V3uMnx^Ahc;h3Zm|Edxy<4G~>;5j;nftjyYu;+cA;y1H^7JEU*?pleWwBIQ0& z^l;Ep;5mQ96c&8j{$6R4bA7|%#e`}45UU#xc)D^hPntw=h?i9uO$ctS8=BxpiJ4FM ztnlZa>s%>*TNQ$GB^ zwpsbSm1y*58V#vhEbTm{7p6bMnrv8;VEyDvb_RdA>Xh?3GEe(yAl=$rl<^73=Ug}O z<00a1#MvKX*(X2RVQGw8zf-eOzR*1_Vfp6k!sqt5_u2hj@|gTZe8PlFq`ePw5xnf!dpk?WkEb&<#u^aHm=tstS-3 zUqydw*A z!=!b{-62)G4L7gzbfL5=AxUp#4u71)6{A*&;zMY6-0^(W2Hf#apr*?E>lo>)8|;5A zB<*UsbLiH4U9mc*3m>H7bodc2BCLOz_mM0_a~jp_P1FR+L+(Aew@B;A5+8Kq%7#pdtbufg;iWX0_fdq7g8F}a zs!iFdhRRJTK9-8SmhsEJW8wBh|YoJG5zgE#AHSUhy0 ztxZ7P5c4swDI+_Wl*HewH@#!6>W!u48uw7&Qzm+xc~$2+-tu9u_W7zq4jbR9c<@4- z%8rUC5|dmTBr;mmqLQ+=NnZ!+f}wwtt+|@F6GN_g?R4{PeIcjrjW!E*Lsk>76%}Y^ zg#NxJ!utkP-XgR*<2sUd2XunRb5TK^Y2ZxiJ5lvSY9#A!lzGj|m*nu}18mxM79xt} zJ#as1D{14yopvb{!XUiv>Af@}T``P&90%4pH3&Yd7cQm0R~9rE9|x~jb^d>gu8yl* zABSjX@Gys!yVgAJgv)F6O?=fGL3u8ZcAQf$wvIVGIeCaY>_n~3$&VkAD;0H10AtZK z+Mf;>U}*vyE4*xOz@yiZXZgC3NwxzE53U`N_L z_>%WORm11&_!-+6zW;l9eRF@)z5jc8J>UQR66FF@Jr}?0J4o`fy3Xk>wLVw3`ai~C zw^~c}^(BrsgfA-2E><+Z&;TbV@7|3=(f_+)g96s$LN5{hsX@=RpF1Agy7#CXAR^Xi z%Zu~Bo&Eh}98i7LNuhv|lihp-Qez(x%0ar&#!(}V0yO5e1$S4$rY~rY*s*(vea3XE z?Vz+okBF=?8uB~7{yTmqn}f)@cQzJoVgSaE0H)sto-DftPzw*LF2IYN1f*}K*(jSw zfb?nV1;!|ou)Nx(!J2n%0P#Y;FZ?X1ctCIjU_evL_;-9sdOF@0-H+#!P!AcCUJnZp T%w;Zfc})2qcUL$y0C)fZBO8%4 delta 3853 zcmV+o5AyK!9`zmvABzY8(WXF=2XB9`uHV1EzIp|p*O%YE3ND|qPj#udh*%K3$~KIY zX+Pbe`v23ic>Ox~o>y5GvHg#~ZAnm+B!9^3MknSAqnIRKtMgf!Nl+k|Ki^&n44^#T9&CMl8yLJj#E_52uRi z^v4eN&$1$j(zMu-BoIX)Sd?>$!|{P$NL2W~pt&Gy9mQn%hw4fQjY#GfL}5G+nk#J)6r4#ivZjlj@C@o{nT=4`Pzi3>*JED1S@SiB8aG+%ymb+$M$z+o8) 
zXcV712=z~Kwm_&O%Q^=6yexlNjkEGCy(8eJ*qM1a0uys7Hv|Bj|red9)!f%tmFhQ_o|iH1^}{ zl;Iv+56@@mx|8){Hf(=u%Fs4F!;JNryyp}5Phk7N$`q?VLBm_n8V7R3jgJnt3+W=usFjS~Vr<{JLq!{5yj9jRab_47;E38eQ?(qzIuz^c5*ssIij>#9nW?vvw& zT%54`r{`k^#ooygObT-MT#zgl>EVRTN9RG6Qz0eX%!NWrv@>L&)r3$aXCy7qYX+%M zP!?Ge=wg`l%&mV51zv)s*d;hO3dfE9tZv-mM^Mjv9sdon=&l5M3(`Lg>*AyY{b2}gS7gDIyj#UVf5cweGF0rg;EcN4;!DVVDL6_IYfyha`02{hP~FB`7AjTWh0yqM z1dBz*WK9&Nc10s#%v_UPOc5`ZZZiX7mJH)X-E5%PcoOO^qU1-4-rAFW)peAH6)lxd zi;Yx!AE4f#e1O{`Bkn}&ZA$Nfay&ho71qBEPF2M@aGah^MBwlwY{THA$vEH^*9h<8 zl!DYX1_*y<11^;mkQYTt&LE@@ajR`JAHD6HK)`C>0vO{>xk(Kz4bYu6-JFyB{y2Es zf(w2;DCy-M1&tA2r1$4I-X{X8Nx+?51A*ydU;x4>$!M;09TTzM$y6)BfSlJ;`Luwp z$a5V`XscDA{}lzW=RX8ofI-XT8X)2;pDxI*puvB_{!Ta!8|whK8<^+>AI-tB=Hu62 zergUs`HP*GG9EoQNQ)*FKE}?9dMtgH5IQPNtr|9W+*=8Li{df;QFMXsmMGMQ|MWCJ?&0LtA|Cv>PAOL=IjF=M_y-_nsGxCmi7Jm)b?BnZ6_O)?w z{tUqtinmd|Ay}J91G;Q>I8Dh4Fo^?X3)?Jc9(=UaRsi{Rsxf3TGUtZ6VYNJhc0{~v z)jHy^QVEJnw(HqOefazsB?cA%NC)--S`%&Mg3cLwY&ZM92muynykRm-FiLl zjT_)Eoh`SeB3Wt41Af>Hva-vt<}DWZ=`bOINA~_1^LQe?KAzcu>xWC9SFrG>?o=jD z?3YfB!%%0Gx;j#y_fNAI=CHVkqcl)<2%bkem#2glaFVWXzGi>CEp~Zu zN5M9%;Ts^VIT17ovb(%Uf}9BDV#{wUn%8N2`G7?`z!YnML=V;18kiFkvoMlIE0SW& z;-hRF;0=NOUa+m-)xz0-Vv|2k(m>speDCL>?ID9ddY@+>e2tvf=V_B=D z!+MaXnaAs3C6_9%cuDdEjF^A-_Cv@1*2$N)aq%6*Pvq@hoEQsmFnQDunuk%0_phrEz`lVRp8Io{k&lPuOvpJq$kAx!kdx-?+cV zcfFr=g!Xya{YmRSUTfT@!Qk_myHstSTcgS9S_GI<0Vvumu33>aCK7)Q+c+7@{j>dR ztPF=(N6662-rnSUB&a!iBshB9=mNOECyafNecbpD^g!=BPrxvzd{2N_rH>zpUzv5a zylHJ|@5e=bf3dFx&=1?4>sJre9ow`V>P&qeniW+pihS()>AluEPLB?;kI*a} z^;BchKR0!Iul0kT166-Jz#1jm!7F>?6?_cL2qhl_a|DPH6FvyzpY+!24HKrl?>u#= zPfs$-gO{qtOZgB)eS-Z&oRPED3*$R0A42fSwjPU=vVZ=&*FKy{-_3#$?)G8t>x0-FSa!d=1c25Drfe9wPlk#Y~k4l(-cVN^Wc zl4JlI<4D_7>HH5~$dM`LC>Hb{lrXX3HBo|z?<$d()HIx`;hiBZ%xiKoi?yP5{;5^P zwRVnMbBLrV1DRwr9zEXc`PKm54S%VL&R@a(iM4T&$ zp7D)M(xL!Uguxq-wEQ2+V{1xf+Kv7oSZV8A~f@-Ukkabk0Lit$_ExobH zl-{&J_8c`Y(VkkUF7?y2#dc?D+X$t zmCsv=Mt`Q!kgCPf&Qp3}`ZKJ_hBXP+PrhVlfUAE_IjRSho7Lo2?n1OnMRrdH* 
zhQi}Oc_@0_vnrP^DcE|57umjb=++_WEbRJ}egPh+y}8(qnpFecz(fLfs->Z-06Fnh zr1yW)DhO7%uy{co5xbAmqA2^B{D^v!HhrZWVgwY2e=pbJ$W$u7578m>?dpEYIvhVt zT8G>nQnlM~^Eyu#N~;o*^j7BZ$4Oieh$wD-zQN7+oO`tsF-h+FKw2mzCK{u{!$dt$$NOu@sN|SjXMd&D~&!>Od zl+E12cf31y&<{&i6*t)e{HopzupLKrJ4DuPqi&6w81+IM-jBmswEH=Dv#y54Ll@fG z1k?>NAM=_rvV%!U{Jnb9JJzb+SX!=e5A{7|qQ{w6b*|$rANFdWuR7$g@vVvnFSM!b zsE8sl$+bZuqeU$$DSMmrb+9fNI@y1kt9d&yRV4YKg;In$+Qu=#kL38nO@Oo9}zvzGJxXSf$ zh;{}Kb6B}+&ErnEyhh)|SG^IG=kjRBIrU=en8TBkhseWD)aso4_z}5MQMUvz7EPo5 z>3{*2Ca|%>%jO2G*N)}VBIU|2$820)$mnD$-$*0aYY)u(6tywvLFtQGckjlb=>OfYK>_P=p_hpM)S&0u&mE6#-Fwsx5D{y% z<;D5m&i;Nf4yeBBq)@=f$!9TG0%Md(SYGYYV9mQWfOsL_7k(C0JRmp%FrcYr{5!rRJst0h?#FYP%UtG@K@TJh PJf{2)#~a=W0C)fZXqtU1 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3f64d8ef..5c5030cc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9551,7 +9551,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..5336071 100644 +index 1241123..dcaf16b 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9607,11 +9607,12 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) +corenet_tcp_bind_all_ephemeral_ports(named_t) ++corenet_udp_bind_all_ephemeral_ports(named_t) + dev_read_sysfs(named_t) dev_read_rand(named_t) @@ -9620,7 +9621,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` 
@@ -9640,7 +9641,7 @@ index 1241123..5336071 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +205,13 @@ optional_policy(` +@@ -187,7 +206,13 @@ optional_policy(` ') optional_policy(` @@ -9654,7 +9655,7 @@ index 1241123..5336071 100644 kerberos_use(named_t) ') -@@ -215,7 +239,8 @@ optional_policy(` +@@ -215,7 +240,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9664,7 +9665,7 @@ index 1241123..5336071 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9676,7 +9677,7 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9686,7 +9687,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -44261,7 +44262,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..62ca3e4 100644 +index 483c87b..0a54c6d 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; 
@@ -44273,7 +44274,12 @@ index 483c87b..62ca3e4 100644 type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) -@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin }; +@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t) + # Local policy + # + +-allow lircd_t self:capability { chown kill sys_admin }; ++allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin }; allow lircd_t self:process signal; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket { accept listen }; @@ -44281,17 +44287,27 @@ index 483c87b..62ca3e4 100644 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t) +@@ -39,6 +40,7 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file) + + kernel_request_load_module(lircd_t) + ++ + corenet_all_recvfrom_unlabeled(lircd_t) + corenet_all_recvfrom_netlabel(lircd_t) + corenet_tcp_sendrecv_generic_if(lircd_t) +@@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) +term_use_unallocated_ttys(lircd_t) - logging_send_syslog_msg(lircd_t) +-logging_send_syslog_msg(lircd_t) ++auth_read_passwd(lircd_t) -miscfiles_read_localization(lircd_t) -- ++logging_send_syslog_msg(lircd_t) + sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if index e354181..fc614ba 100644 @@ -57389,7 +57405,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..d63018d 100644 +index 55f2009..2646460 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; 
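Review bot: The capability set on the `allow lircd_t self:capability` line grows by `setuid setgid dac_override` with no comment saying which operation needs which, and `dac_override` next to the existing `sys_admin` lets this domain bypass every DAC file-permission check. If the setuid/setgid pair is for lircd dropping to an unprivileged account after startup (presumably its --effective-user option — the trigger is not visible here) and the override is only needed to read something, `dac_read_search` is the narrower grant; the kernel probes dac_override first, so a matching dontaudit may still be wanted to keep the AVC log quiet. Suggested annotation on that line: `# setuid/setgid: drop privileges after startup; dac_override: <name the file/device that needs it> — TODO confirm whether dac_read_search suffices`.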
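Review bot: The second lircd.te hunk adds an empty `+` line right after `kernel_request_load_module(lircd_t)`, leaving two consecutive blank lines before the corenet_* calls; drop it. Moving `logging_send_syslog_msg(lircd_t)` below the new `auth_read_passwd(lircd_t)` keeps the file in refpolicy layer order, which is fine, but the passwd read deserves the same one-line justification as the setuid/setgid change it presumably supports, e.g. `# resolve the account lircd switches to`.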
@@ -57607,10 +57623,10 @@ index 55f2009..d63018d 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) ++ ++term_use_unallocated_ttys(NetworkManager_t) -userdom_write_user_tmp_sockets(NetworkManager_t) -+term_use_unallocated_ttys(NetworkManager_t) -+ +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) @@ -57809,7 +57825,21 @@ index 55f2009..d63018d 100644 ') optional_policy(` -@@ -357,6 +447,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -338,6 +428,13 @@ optional_policy(` + vpn_relabelfrom_tun_socket(NetworkManager_t) + ') + ++optional_policy(` ++ openfortivpn_domtrans(NetworkManager_t) ++ openfortivpn_sigkill(NetworkManager_t) ++ openfortivpn_signal(NetworkManager_t) ++ openfortivpn_signull(NetworkManager_t) ++') ++ + ######################################## + # + # wpa_cli local policy +@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
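Review bot: The new `optional_policy` block granting NetworkManager_t `openfortivpn_domtrans` plus the sigkill/signal/signull interfaces is inserted after the block that calls `vpn_relabelfrom_tun_socket`; the optional_policy blocks in this file appear to be kept in module-name order, so the openfortivpn block belongs before the vpn one (only the adjacent block is visible here, so check the surrounding order). A comment would also help, because the transition target is not the openfortivpn binary itself but NetworkManager's plugin helper: `# nm-fortisslvpn-service is labeled openfortivpn_exec_t (openfortivpn.fc)`. The NetworkManager_t section this hunk belongs to starts outside the hunk.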
@@ -62271,6 +62301,210 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) +diff --git a/openfortivpn.fc b/openfortivpn.fc +new file mode 100644 +index 0000000..2e4dd3f +--- /dev/null ++++ b/openfortivpn.fc +@@ -0,0 +1,4 @@ ++/usr/bin/openfortivpn -- gen_context(system_u:object_r:openfortivpn_exec_t,s0) ++/usr/libexec/nm-fortisslvpn-service -- gen_context(system_u:object_r:openfortivpn_exec_t,s0) ++ ++/var/lib/NetworkManager-fortisslvpn(/.*)? gen_context(system_u:object_r:openfortivpn_var_lib_t,s0) +diff --git a/openfortivpn.if b/openfortivpn.if +new file mode 100644 +index 0000000..7581b52 +--- /dev/null ++++ b/openfortivpn.if +@@ -0,0 +1,113 @@ ++## Fortinet compatible SSL VPN daemons. ++ ++######################################## ++## ++## Transition to openfortivpn. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openfortivpn_domtrans',` ++ gen_require(` ++ type openfortivpn_t, openfortivpn_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t) ++') ++ ++######################################## ++## ++## Allow send a signal to openfortivpn. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_signal',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process signal; ++') ++ ++######################################## ++## ++## Allow send signull to openfortivpn. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_signull',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process signull; ++') ++ ++######################################## ++## ++## Allow send sigkill to openfortivpn. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openfortivpn_sigkill',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process sigkill; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## openfortivpn over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_dbus_chat',` ++ gen_require(` ++ type openfortivpn_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 openfortivpn_t:dbus send_msg; ++ allow openfortivpn_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Read from and write to the openfortivpn devpts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_use_ptys',` ++ gen_require(` ++ type openfortivpn_devpts_t; ++ ') ++ ++ allow $1 openfortivpn_devpts_t:chr_file rw_term_perms; ++') +diff --git a/openfortivpn.te b/openfortivpn.te +new file mode 100644 +index 0000000..0d22f83 +--- /dev/null ++++ b/openfortivpn.te +@@ -0,0 +1,69 @@ ++policy_module(openfortivpn, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openfortivpn_t; ++domain_type(openfortivpn_t); ++role system_r types openfortivpn_t; ++ ++type openfortivpn_exec_t; ++domain_entry_file(openfortivpn_t, openfortivpn_exec_t) ++ ++type openfortivpn_var_lib_t; ++files_type(openfortivpn_var_lib_t) ++ ++type openfortivpn_devpts_t; ++term_pty(openfortivpn_devpts_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++# User certificates are typically not world-readable and are owned by the user ++allow openfortivpn_t self:capability dac_override; ++ ++# Talking to pppd via the PTY ++allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++ ++manage_dirs_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t) ++manage_files_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t) ++ ++can_exec(openfortivpn_t, openfortivpn_exec_t) ++ ++# 
No standard port for SSLVPN ++corenet_all_recvfrom_unlabeled(openfortivpn_t) ++corenet_tcp_connect_all_ports(openfortivpn_t) ++corenet_tcp_sendrecv_all_ports(openfortivpn_t) ++corenet_tcp_sendrecv_generic_if(openfortivpn_t) ++corenet_tcp_sendrecv_generic_node(openfortivpn_t) ++ ++fs_dontaudit_getattr_xattr_fs(openfortivpn_t) ++ ++# PTY to pppd ++term_create_pty(openfortivpn_t, openfortivpn_devpts_t) ++ ++auth_dontaudit_read_passwd(openfortivpn_t) ++auth_use_nsswitch(openfortivpn_t) ++ ++logging_send_syslog_msg(openfortivpn_t) ++ ++userdom_read_home_certs(openfortivpn_t) ++ ++optional_policy(` ++ dbus_system_bus_client(openfortivpn_t) ++ dbus_connect_system_bus(openfortivpn_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(openfortivpn_t) ++ ') ++') ++ ++optional_policy(` ++ ppp_domtrans(openfortivpn_t) ++ ppp_signal(openfortivpn_t) ++ ppp_kill(openfortivpn_t) ++') diff --git a/openhpi.te b/openhpi.te index 8de6191..1a01e99 100644 --- a/openhpi.te @@ -73802,7 +74036,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..6b73bbd 100644 +index d616ca3..8ccefd5 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -73991,14 +74225,14 @@ index d616ca3..6b73bbd 100644 -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) -+# for scripts - +- -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -term_create_pty(pppd_t, pppd_devpts_t) -term_use_generic_ptys(pppd_t) -- ++# for scripts + -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) init_read_utmp(pppd_t) -init_signal_script(pppd_t) 
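Review bot: In openfortivpn.te, `allow openfortivpn_t self:capability dac_override;` is justified by its comment as reading user certificates that are not world-readable, but dac_override also bypasses write-permission checks on every file the domain can otherwise reach; `dac_read_search` covers the read-and-search case and is the narrower grant, so prefer `allow openfortivpn_t self:capability dac_read_search;` and, because the kernel tries dac_override first, pair it with `dontaudit openfortivpn_t self:capability dac_override;`. Two smaller points in the same file: `domain_type(openfortivpn_t);` is the only interface call in the new module written with a trailing semicolon, and `can_exec(openfortivpn_t, openfortivpn_exec_t)` has no comment — presumably nm-fortisslvpn-service (labeled openfortivpn_exec_t in openfortivpn.fc) runs the openfortivpn binary without a domain change, which is worth stating there. `corenet_tcp_connect_all_ports` is very broad for a VPN client but is at least commented.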
@@ -74046,8 +74280,15 @@ index d616ca3..6b73bbd 100644 ') ') -@@ -218,16 +240,19 @@ optional_policy(` +@@ -216,18 +238,26 @@ optional_policy(` + udev_read_db(pppd_t) + ') ++optional_policy(` ++ openfortivpn_dbus_chat(pppd_t) ++ openfortivpn_use_ptys(pppd_t) ++') ++ ######################################## # -# PPTP local policy @@ -74069,7 +74310,7 @@ index d616ca3..6b73bbd 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -74126,7 +74367,7 @@ index d616ca3..6b73bbd 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -74141,7 +74382,7 @@ index d616ca3..6b73bbd 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +322,10 @@ optional_policy(` +@@ -299,6 +327,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d523332..fc59b8b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 157%{?dist} +Release: 158%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
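Review bot: The new block giving pppd_t `openfortivpn_dbus_chat` and `openfortivpn_use_ptys` has no comment; the pty half is grounded by openfortivpn.te, which creates an openfortivpn_devpts_t pty for pppd and transitions to pppd via `ppp_domtrans`, so `# pppd is spawned by openfortivpn and talks to it over the openfortivpn_devpts_t pty` can be stated. What pppd and openfortivpn exchange over D-Bus is not visible in this diff and `openfortivpn_dbus_chat` grants send_msg in both directions, so either note the message flow in a comment or confirm the chat is needed beyond the NetworkManager-side one already present in openfortivpn.te. The pppd_t section this hunk belongs to starts before the hunk.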
@@ -661,6 +661,10 @@ exit 0 %endif %changelog +* Tue Nov 10 2015 Miroslav Grepl 3.13.1-158 +- Merge pull request #48 from lkundrak/contrib-openfortivpn +- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. + * Mon Nov 09 2015 Miroslav Grepl 3.13.1-157 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.