18f2a72d7f
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
152 lines
4.3 KiB
Plaintext
152 lines
4.3 KiB
Plaintext
policy_module(openvpn, 1.10.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow openvpn to read home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(openvpn_enable_homedirs, false)
|
|
|
|
# main openvpn domain
|
|
type openvpn_t;
|
|
type openvpn_exec_t;
|
|
init_daemon_domain(openvpn_t, openvpn_exec_t)
|
|
|
|
# configuration files
|
|
type openvpn_etc_t;
|
|
files_config_file(openvpn_etc_t)
|
|
|
|
type openvpn_etc_rw_t;
|
|
files_config_file(openvpn_etc_rw_t)
|
|
|
|
type openvpn_tmp_t;
|
|
files_tmp_file(openvpn_tmp_t)
|
|
|
|
type openvpn_initrc_exec_t;
|
|
init_script_file(openvpn_initrc_exec_t)
|
|
|
|
# log files
|
|
type openvpn_var_log_t;
|
|
logging_log_file(openvpn_var_log_t)
|
|
|
|
# pid files
|
|
type openvpn_var_run_t;
|
|
files_pid_file(openvpn_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# openvpn local policy
|
|
#
|
|
|
|
allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
|
allow openvpn_t self:process { signal getsched };
|
|
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
|
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow openvpn_t self:udp_socket create_socket_perms;
|
|
allow openvpn_t self:tcp_socket server_stream_socket_perms;
|
|
allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
|
|
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
can_exec(openvpn_t, openvpn_etc_t)
|
|
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
|
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
|
|
|
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
|
|
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
|
|
|
|
manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
|
|
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
|
|
|
|
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
|
|
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
|
|
|
|
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
|
|
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
|
|
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
|
|
|
|
kernel_read_kernel_sysctls(openvpn_t)
|
|
kernel_read_net_sysctls(openvpn_t)
|
|
kernel_read_network_state(openvpn_t)
|
|
kernel_read_system_state(openvpn_t)
|
|
kernel_request_load_module(openvpn_t)
|
|
|
|
corecmd_exec_bin(openvpn_t)
|
|
corecmd_exec_shell(openvpn_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(openvpn_t)
|
|
corenet_all_recvfrom_netlabel(openvpn_t)
|
|
corenet_tcp_sendrecv_generic_if(openvpn_t)
|
|
corenet_udp_sendrecv_generic_if(openvpn_t)
|
|
corenet_tcp_sendrecv_generic_node(openvpn_t)
|
|
corenet_udp_sendrecv_generic_node(openvpn_t)
|
|
corenet_tcp_sendrecv_all_ports(openvpn_t)
|
|
corenet_udp_sendrecv_all_ports(openvpn_t)
|
|
corenet_tcp_bind_generic_node(openvpn_t)
|
|
corenet_udp_bind_generic_node(openvpn_t)
|
|
corenet_tcp_bind_openvpn_port(openvpn_t)
|
|
corenet_udp_bind_openvpn_port(openvpn_t)
|
|
corenet_tcp_bind_http_port(openvpn_t)
|
|
corenet_tcp_connect_openvpn_port(openvpn_t)
|
|
corenet_tcp_connect_http_port(openvpn_t)
|
|
corenet_tcp_connect_http_cache_port(openvpn_t)
|
|
corenet_rw_tun_tap_dev(openvpn_t)
|
|
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
|
corenet_sendrecv_openvpn_client_packets(openvpn_t)
|
|
corenet_sendrecv_http_client_packets(openvpn_t)
|
|
|
|
dev_search_sysfs(openvpn_t)
|
|
dev_read_rand(openvpn_t)
|
|
dev_read_urand(openvpn_t)
|
|
|
|
files_read_etc_files(openvpn_t)
|
|
files_read_etc_runtime_files(openvpn_t)
|
|
|
|
auth_use_pam(openvpn_t)
|
|
|
|
logging_send_syslog_msg(openvpn_t)
|
|
|
|
miscfiles_read_localization(openvpn_t)
|
|
miscfiles_read_all_certs(openvpn_t)
|
|
|
|
sysnet_dns_name_resolve(openvpn_t)
|
|
sysnet_exec_ifconfig(openvpn_t)
|
|
sysnet_manage_config(openvpn_t)
|
|
sysnet_etc_filetrans_config(openvpn_t)
|
|
|
|
userdom_use_user_terminals(openvpn_t)
|
|
userdom_read_home_certs(openvpn_t)
|
|
userdom_attach_admin_tun_iface(openvpn_t)
|
|
|
|
tunable_policy(`openvpn_enable_homedirs',`
|
|
userdom_search_user_home_dirs(openvpn_t)
|
|
')
|
|
|
|
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(openvpn_t)
|
|
')
|
|
|
|
tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(openvpn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(openvpn_t)
|
|
dbus_connect_system_bus(openvpn_t)
|
|
|
|
networkmanager_dbus_chat(openvpn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_attach_tun_iface(openvpn_t)
|
|
')
|