1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
96 lines
2.6 KiB
Plaintext
96 lines
2.6 KiB
Plaintext
|
|
policy_module(openvpn,1.2.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
# main openvpn domain
|
|
type openvpn_t;
|
|
type openvpn_exec_t;
|
|
init_daemon_domain(openvpn_t, openvpn_exec_t)
|
|
|
|
# configuration files
|
|
type openvpn_etc_t;
|
|
files_type(openvpn_etc_t)
|
|
|
|
# log files
|
|
type openvpn_var_log_t;
|
|
logging_log_file(openvpn_var_log_t)
|
|
|
|
# pid files
|
|
type openvpn_var_run_t;
|
|
files_pid_file(openvpn_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# openvpn local policy
|
|
#
|
|
|
|
allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
|
|
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow openvpn_t self:udp_socket create_socket_perms;
|
|
allow openvpn_t self:tcp_socket server_stream_socket_perms;
|
|
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
|
|
read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
|
|
read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
|
|
|
|
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
|
|
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
|
|
|
|
allow openvpn_t openvpn_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(openvpn_t)
|
|
kernel_read_net_sysctls(openvpn_t)
|
|
kernel_read_network_state(openvpn_t)
|
|
kernel_read_system_state(openvpn_t)
|
|
|
|
corecmd_exec_bin(openvpn_t)
|
|
corecmd_exec_shell(openvpn_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(openvpn_t)
|
|
corenet_all_recvfrom_netlabel(openvpn_t)
|
|
corenet_tcp_sendrecv_all_if(openvpn_t)
|
|
corenet_udp_sendrecv_all_if(openvpn_t)
|
|
corenet_tcp_sendrecv_generic_node(openvpn_t)
|
|
corenet_udp_sendrecv_generic_node(openvpn_t)
|
|
corenet_tcp_sendrecv_all_ports(openvpn_t)
|
|
corenet_udp_sendrecv_all_ports(openvpn_t)
|
|
corenet_tcp_bind_all_nodes(openvpn_t)
|
|
corenet_udp_bind_all_nodes(openvpn_t)
|
|
corenet_tcp_bind_openvpn_port(openvpn_t)
|
|
corenet_udp_bind_openvpn_port(openvpn_t)
|
|
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
|
corenet_rw_tun_tap_dev(openvpn_t)
|
|
|
|
dev_search_sysfs(openvpn_t)
|
|
dev_read_rand(openvpn_t)
|
|
dev_read_urand(openvpn_t)
|
|
|
|
files_read_etc_files(openvpn_t)
|
|
files_read_etc_runtime_files(openvpn_t)
|
|
|
|
libs_use_ld_so(openvpn_t)
|
|
libs_use_shared_libs(openvpn_t)
|
|
|
|
logging_send_syslog_msg(openvpn_t)
|
|
|
|
miscfiles_read_localization(openvpn_t)
|
|
|
|
sysnet_dns_name_resolve(openvpn_t)
|
|
sysnet_exec_ifconfig(openvpn_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
# Need to interact with terminals if config option "auth-user-pass" is used
|
|
term_use_generic_ptys(openvpn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(openvpn_t,openvpn_exec_t)
|
|
')
|