policy_module(openvpn,1.1.1)

########################################
#
# Declarations
#

# main openvpn domain
# openvpn_t is the process domain for the daemon; init_daemon_domain makes
# it an init-started daemon entered through the openvpn_exec_t entrypoint.
type openvpn_t;
type openvpn_exec_t;
init_daemon_domain(openvpn_t, openvpn_exec_t)

# configuration files
# The only rules on this type in this module are read-only (see the local
# policy section), so the daemon cannot modify its own configuration tree.
type openvpn_etc_t;
files_type(openvpn_etc_t)

# log files
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)

# pid files
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)

########################################
#
# openvpn local policy
#

# Capabilities kept by the daemon. net_bind_service and net_admin pair with
# the socket/netlink/ifconfig rules below (presumably port binding and
# tun/route setup); setuid/setgid presumably cover the daemon's own
# privilege drop. sys_tty_config has no obvious companion rule in this
# module -- NOTE(review): confirm it is still required.
allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };

# Local IPC: datagram sockets with sendto, and stream sockets including
# connectto on sockets the domain itself owns.
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };

# Transport sockets: UDP gets the generic create set; TCP is granted the
# server-side (listening) stream socket permissions.
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;

# Read/write netlink route socket -- presumably for routing-table changes,
# alongside sysnet_exec_ifconfig further down.
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;

# Configuration tree is read-only for the daemon: list directories, read
# files, follow symlinks. No write, create or relabel permission on
# openvpn_etc_t is granted anywhere in this module.
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)

# Log files: full management of openvpn_var_log_t files, plus a type
# transition so files the daemon creates in the log directory are labeled
# openvpn_var_log_t instead of the generic log type.
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)

# PID file: same shape as the log rules, with the transition in the pid
# directory.
allow openvpn_t openvpn_var_run_t:file manage_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)

# Read-only access to kernel and network sysctls and to network/system
# state (proc-style information).
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)

# Execute bin, sbin and shell programs. No domain transition is declared in
# this module, so anything executed this way runs in openvpn_t with every
# permission granted here -- presumably this is what allows the daemon's
# helper scripts to run. Since openvpn_etc_t is read-only to the daemon,
# the daemon cannot alter the scripts it executes from there.
corecmd_exec_bin(openvpn_t)
corecmd_exec_sbin(openvpn_t)
corecmd_exec_shell(openvpn_t)

# Network access: send/receive on all interfaces, generic nodes and all
# ports (TCP and UDP). Binding is broad on nodes but restricted to the
# openvpn port; the openvpn server packet label is permitted as well.
# The all-ports send/receive rules are what allow peer connections on an
# arbitrary remote port; the bind rules keep the listening side narrow.
corenet_non_ipsec_sendrecv(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
corenet_udp_sendrecv_generic_node(openvpn_t)
corenet_tcp_sendrecv_all_ports(openvpn_t)
corenet_udp_sendrecv_all_ports(openvpn_t)
corenet_tcp_bind_all_nodes(openvpn_t)
corenet_udp_bind_all_nodes(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)

# Read/write the tun/tap device, search sysfs, and read the random devices.
corenet_rw_tun_tap_dev(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)

# Generic system files: /etc (static and runtime), inherited init file
# descriptors, dynamic loader and shared libraries.
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
init_use_fds(openvpn_t)
libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)

# Syslog, locale data and DNS resolution.
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)

# ifconfig is executed in the openvpn_t domain (no transition) for
# interface setup.
sysnet_exec_ifconfig(openvpn_t)

# Targeted-policy builds only: the daemon must be able to use generic ptys
# when the "auth-user-pass" config option is used, because it then prompts
# on a terminal.
ifdef(`targeted_policy',`
	term_use_generic_ptys(openvpn_t)
')

# Only when the daemontools module is loaded: allow openvpn to run as a
# daemontools-supervised service.
optional_policy(`
	daemontools_service_domain(openvpn_t,openvpn_exec_t)
')