selinux-policy/policy/modules/services/openvpn.te
2006-10-18 19:25:27 +00:00

98 lines
2.6 KiB
Plaintext

policy_module(openvpn,1.1.0)
########################################
#
# Declarations
#
# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
init_daemon_domain(openvpn_t, openvpn_exec_t)
# configuration files
type openvpn_etc_t;
files_type(openvpn_etc_t)
# log files
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
# pid files
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)
########################################
#
# openvpn local policy
#
allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
allow openvpn_t openvpn_var_log_t:file create_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
allow openvpn_t openvpn_var_run_t:file create_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_sbin(openvpn_t)
corecmd_exec_shell(openvpn_t)
corenet_non_ipsec_sendrecv(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
corenet_udp_sendrecv_generic_node(openvpn_t)
corenet_tcp_sendrecv_all_ports(openvpn_t)
corenet_udp_sendrecv_all_ports(openvpn_t)
corenet_tcp_bind_all_nodes(openvpn_t)
corenet_udp_bind_all_nodes(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
init_use_fds(openvpn_t)
libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
ifdef(`targeted_policy',`
# Need to interact with terminals if config option "auth-user-pass" is used
term_use_generic_ptys(openvpn_t)
')
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')