selinux-policy/strict/domains/program/unused/openvpn.te
2005-09-12 21:40:56 +00:00

40 lines
1.4 KiB
Plaintext

#DESC OpenVPN - Firewall-friendly SSL-based VPN
#
# Author: Colin Walters <walters@verbum.org>
#
########################################
#
daemon_domain(openvpn)
etcdir_domain(openvpn)
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
allow openvpn_t devpts_t:dir { search getattr };
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
allow openvpn_t proc_t:file { getattr read };
allow openvpn_t self:unix_dgram_socket create_socket_perms;
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
allow openvpn_t self:unix_dgram_socket sendto;
allow openvpn_t self:unix_stream_socket connectto;
allow openvpn_t self:capability { net_admin setgid setuid };
r_dir_file(openvpn_t, sysctl_net_t)
can_network_server(openvpn_t)
allow openvpn_t openvpn_port_t:udp_socket name_bind;
# OpenVPN executes a lot of helper programs and scripts
allow openvpn_t { bin_t sbin_t }:dir { search getattr };
allow openvpn_t bin_t:lnk_file { getattr read };
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
# Do not transition to ifconfig_t, since then it needs
# permission to access openvpn_t:udp_socket, which seems
# worse.
can_exec(openvpn_t, ifconfig_exec_t)
# The Fedora init script iterates over /etc/openvpn/*.conf, and
# starts a daemon for each file.
r_dir_file(initrc_t, openvpn_etc_t)