rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
9dc3cd1635
selinux-policy/policy/modules/admin/vpn.te
Paul Moore 9dc3cd1635 refpol: Policy for the new TUN driver access controls 
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00

118 lines
3.1 KiB
Plaintext
Raw Blame History

policy_module(vpn, 1.11.0)
########################################
#
# Declarations
#
type vpnc_t;
type vpnc_exec_t;
application_domain(vpnc_t, vpnc_exec_t)
role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
type vpnc_var_run_t;
files_pid_file(vpnc_var_run_t)
########################################
#
# Local policy
#
allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
allow vpnc_t self:tun_socket create;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
kernel_read_all_sysctls(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_generic_if(vpnc_t)
corenet_udp_sendrecv_generic_if(vpnc_t)
corenet_raw_sendrecv_generic_if(vpnc_t)
corenet_tcp_sendrecv_generic_node(vpnc_t)
corenet_udp_sendrecv_generic_node(vpnc_t)
corenet_raw_sendrecv_generic_node(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_udp_bind_generic_node(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
corenet_udp_bind_ipsecnat_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
corenet_sendrecv_generic_server_packets(vpnc_t)
corenet_rw_tun_tap_dev(vpnc_t)
dev_read_rand(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
domain_use_interactive_fds(vpnc_t)
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
term_use_all_user_ptys(vpnc_t)
term_use_all_user_ttys(vpnc_t)
corecmd_exec_all_executables(vpnc_t)
files_exec_etc_files(vpnc_t)
files_read_etc_runtime_files(vpnc_t)
files_read_etc_files(vpnc_t)
files_dontaudit_search_home(vpnc_t)
auth_use_nsswitch(vpnc_t)
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)
locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)
miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_user_home_content(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)
optional_policy(`
networkmanager_dbus_chat(vpnc_t)
')
')
Reference in New Issue View Git Blame Copy Permalink