selinux-policy/policy/modules/services/openvpn.te
Paul Moore 9dc3cd1635 refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00

128 lines
3.5 KiB
Plaintext

policy_module(openvpn, 1.8.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow openvpn to read home directories
## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs, false)
# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
init_daemon_domain(openvpn_t, openvpn_exec_t)
# configuration files
type openvpn_etc_t;
files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
# log files
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
# pid files
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)
########################################
#
# openvpn local policy
#
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:tun_socket create;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
corenet_all_recvfrom_unlabeled(openvpn_t)
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
corenet_udp_sendrecv_generic_node(openvpn_t)
corenet_tcp_sendrecv_all_ports(openvpn_t)
corenet_udp_sendrecv_all_ports(openvpn_t)
corenet_tcp_bind_generic_node(openvpn_t)
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_sendrecv_openvpn_client_packets(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_write_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_user_home_content_files(openvpn_t)
')
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
networkmanager_dbus_chat(openvpn_t)
')