OK, I found "semodule -DB"
(
http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc....)
Also thanks for allowing me to skip "semodule -r"
So I can continue ...
21/ #============= amzsns_t ==============
# audit2allow output gathered after "semodule -DB" (dontaudit rules disabled),
# so it also surfaces denials the base policy deliberately keeps silent.
# read/write on the domain's own sockets is plain data transfer; it adds no
# reach beyond the create/connect rules the module already has.
allow amzsns_t self:netlink_route_socket { write read };
allow amzsns_t self:tcp_socket { write read };
allow amzsns_t self:udp_socket { write read };
#============= openvpn_t ==============
# What the child inherits across the openvpn_t -> amzsns_t exec: pending
# signal state (siginh), resource limits (rlimitinh) and whether AT_SECURE is
# suppressed (noatsecure; with AT_SECURE set the dynamic loader ignores LD_*
# style variables).  Denying these does not stop the transition, the kernel
# just applies the safer defaults.  Such denials are typically covered by a
# dontaudit in the base policy, which is presumably why they only became
# visible with -DB; a dontaudit rather than an allow is the usual answer -
# verify the helper still works that way.
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };
and below is my working result.
The problem is: what does it do? (I will do some research, but if you
have any idea how to simplify it, or any warning, do not hesitate to
comment.)
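# amzsns: a confined domain for the helper that OpenVPN launches.
#
# Types defined here:
#   amzsns_t      - the process domain
#   amzsns_exec_t - the entry-point executable (give it a file context and
#                   run restorecon so the openvpn_t -> amzsns_t transition fires)
#   amzsns_lib_t  - read-only library/data files used by the domain
#
# The raw "allow" rules below are the minimal permission sets observed with
# audit2allow.  Where refpolicy has an interface that covers a rule it is
# named in a comment; the interface form is the maintainable one, but an
# interface usually grants a little more than the exact set listed here, so
# re-check with audit2allow after swapping one in.
policy_module(amzsns, 1.0.0)

require {
	type openvpn_t;
	type openvpn_tmp_t;
	type shell_exec_t;
	type unlabeled_t;
	type etc_t;
	type openvpn_etc_t;
	type openvpn_etc_rw_t;
	type proc_t;
	type usr_t;
	# bin_t is used by a rule below but was not required; an undeclared
	# type is a build error for the module.
	type bin_t;
	type java_exec_t;
	type tmp_t;
	type locale_t;
	type net_conf_t;
	type proc_net_t;
	type ephemeral_port_t;
	type http_port_t;
	type random_device_t;
	type urandom_device_t;
	type cert_t;
}

########################################
#
# Declarations
#
type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;

# amzsns_t is a domain whose entry point is amzsns_exec_t.
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;
# NOTE(review): amzsns_lib_t carries no file attribute; refpolicy convention
# is files_type(amzsns_lib_t) so generic file-handling domains (relabeling,
# backup) treat it as a file label - confirm against your refpolicy version.

########################################
#
# openvpn_t -> amzsns_t transition
#
# When openvpn_t executes a file labelled amzsns_exec_t the new process runs
# as amzsns_t.
domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

# openvpn_t executes a file that carries no SELinux label at all.  An
# unlabeled file is almost always a labelling problem (a file created or
# copied without a file context, or a filesystem mounted without labels),
# not a missing permission: the fix is a file_contexts entry plus restorecon,
# after which this rule should be unnecessary.  Kept because it is part of
# the working set; re-test without it once labels are fixed.
allow openvpn_t unlabeled_t:file { execute getattr };

# siginh / rlimitinh / noatsecure only control what the new amzsns_t process
# inherits across the exec: pending signal state, resource limits, and
# whether AT_SECURE is suppressed (with AT_SECURE set the dynamic loader
# ignores LD_* style variables).  Denying them does not block the transition;
# the kernel just applies the safer defaults.  The base policy typically
# covers these with a dontaudit, which is presumably why the denial only
# appeared once dontaudit rules were disabled (semodule -DB).  Prefer a
# dontaudit here if the helper still works; keep the allow only if it really
# needs the parent's environment and limits.
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };

# The helper writes into OpenVPN's temporary files.
allow amzsns_t openvpn_tmp_t:file write;

# Runs a shell; the interface brings in shell_exec_t itself.
corecmd_exec_shell(amzsns_t)

########################################
#
# File access
#
# /etc (files_read_etc_files(amzsns_t) is the interface form).
allow amzsns_t etc_t:file { read open getattr };
allow amzsns_t etc_t:lnk_file read;
# OpenVPN's config directory: lookup only, no file reads.
allow amzsns_t openvpn_etc_t:dir { search getattr };
# Read/write on OpenVPN's writable config (its ipp.txt).  This lets the
# helper alter OpenVPN state; once the file is moved to its own type, drop
# this rule.
allow amzsns_t openvpn_etc_rw_t:file { read write };
# /proc (kernel_read_system_state(amzsns_t) is the interface form).
allow amzsns_t proc_t:file { read open getattr };
# /usr data files (files_read_usr_files(amzsns_t)).
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };
# The domain executes its own entry point again without a domain change
# (execute_no_trans = run it in the current domain); expected if the script
# re-invokes itself or goes through a wrapper - confirm against the helper.
allow amzsns_t amzsns_exec_t:file execute_no_trans;
# Ordinary system utilities run inside amzsns_t (corecmd_exec_bin(amzsns_t)).
allow amzsns_t bin_t:file { read open execute getattr execute_no_trans };
# The domain's private library/data files.
allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read getattr open };
# Pipes the process creates for itself (shell pipelines, spawned commands);
# "self" restricts this to its own fifos.
allow amzsns_t self:fifo_file { read ioctl write getattr };
# execmem = map memory that is both writable and executable.  This defeats
# W^X for the domain and is the largest weakening in this module; it is
# typically required by a JIT such as the JVM's.  Keep it only because the
# program does not run without it.
allow amzsns_t self:process execmem;

########################################
#
# Network access
#
# /etc/resolv.conf and friends (sysnet_read_config), /proc/net
# (kernel_read_network_state).
allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
# Outbound TCP client.  listen and accept are granted too, although the set
# contains no bind; if the program never accepts inbound connections, drop
# "listen accept" to keep it a pure client.
allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt read write };
allow amzsns_t self:udp_socket { create connect getattr read write };
# Route lookups over netlink (nlmsg_read = query only, no route changes).
allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
# Destinations: the ephemeral port range and the http_port_t ports
# (corenet_tcp_connect_http_port(amzsns_t) for the latter).
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t http_port_t:tcp_socket name_connect;

########################################
#
# Scratch files, locale, certificates, randomness
#
# Generic /tmp: creates and removes entries in the shared tmp directory.  A
# private tmp type (files_tmp_file + files_tmp_filetrans) would keep its
# scratch files out of reach of other confined domains.
allow amzsns_t tmp_t:dir { write add_name create read remove_name };
allow amzsns_t tmp_t:file { create read write open unlink };
# Locale data (miscfiles_read_localization(amzsns_t)).
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t locale_t:file { getattr read open };
# Certificate store, read only (presumably for TLS on the outbound connections).
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };
# /dev/random and /dev/urandom (dev_read_rand, dev_read_urand).
allow amzsns_t random_device_t:chr_file { getattr read open };
allow amzsns_t urandom_device_t:chr_file { getattr read open };
# Runs the java binary inside amzsns_t instead of transitioning to a java
# domain (execute_no_trans), so the JVM is bound by every rule above.
allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans };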