[selinux-policy: 1364/3172] add openvpn from petre rodan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:03:22 UTC 2010 

commit 2ba3de96909f86c2ff03f2faf736697543821789
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 14 20:07:01 2006 +0000

    add openvpn from petre rodan

 refpolicy/Changelog                          |    1 +
 refpolicy/policy/modules/services/openvpn.fc |   15 +++++
 refpolicy/policy/modules/services/openvpn.if |   23 +++++++
 refpolicy/policy/modules/services/openvpn.te |   85 ++++++++++++++++++++++++++
 refpolicy/policy/modules/system/init.te      |   16 +++--
 5 files changed, 134 insertions(+), 6 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index c5beb7e..ba84180 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -49,6 +49,7 @@
 	mplayer
 	nagios
 	nessus
+	openvpn (Petre Rodan)
 	perdition
 	postgrey
 	pxe
diff --git a/refpolicy/policy/modules/services/openvpn.fc b/refpolicy/policy/modules/services/openvpn.fc
new file mode 100644
index 0000000..046d5d7
--- /dev/null
+++ b/refpolicy/policy/modules/services/openvpn.fc
@@ -0,0 +1,15 @@
+#
+# /etc
+#
+/etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+#
+# /var
+#
+/var/log/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/run/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/openvpn.if b/refpolicy/policy/modules/services/openvpn.if
new file mode 100644
index 0000000..78bbc4b
--- /dev/null
+++ b/refpolicy/policy/modules/services/openvpn.if
@@ -0,0 +1,23 @@
+## <summary>full-featured SSL VPN solution</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	OpenVPN configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_read_config',`
+	gen_require(`
+		type openvpn_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 openvpn_etc_t:dir r_dir_perms;
+	allow $1 openvpn_etc_t:file r_file_perms;
+	allow $1 openvpn_etc_t:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te
new file mode 100644
index 0000000..7b064b3
--- /dev/null
+++ b/refpolicy/policy/modules/services/openvpn.te
@@ -0,0 +1,85 @@
+
+policy_module(openvpn,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main openvpn domain
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+
+# configuration files
+type openvpn_etc_t;
+files_type(openvpn_etc_t)
+
+# log files
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+# pid files
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# openvpn local policy
+#
+
+allow openvpn_t self:capability { net_admin setgid setuid };
+allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvpn_t self:udp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket create_socket_perms;
+
+allow openvpn_t openvpn_etc_t:dir r_dir_perms;
+allow openvpn_t openvpn_etc_t:file r_file_perms;
+allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
+
+allow openvpn_t openvpn_var_log_t:file create_file_perms;
+logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
+
+allow openvpn_t openvpn_var_run_t:file create_file_perms;
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_sbin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_non_ipsec_sendrecv(openvpn_t)
+corenet_tcp_sendrecv_all_if(openvpn_t)
+corenet_udp_sendrecv_all_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_sendrecv_all_ports(openvpn_t)
+corenet_udp_sendrecv_all_ports(openvpn_t)
+corenet_tcp_bind_all_nodes(openvpn_t)
+corenet_udp_bind_all_nodes(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+
+dev_read_rand(openvpn_t)
+dev_read_urand(openvpn_t)
+
+files_read_etc_files(openvpn_t)
+files_read_etc_runtime_files(openvpn_t)
+
+libs_use_ld_so(openvpn_t)
+libs_use_shared_libs(openvpn_t)
+
+logging_send_syslog_msg(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+
+sysnet_exec_ifconfig(openvpn_t)
+
+optional_policy(`
+	daemontools_service_domain(openvpn_t,openvpn_exec_t)
+')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index f640e63..49c5ec4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.7)
+policy_module(init,1.3.8)
 
 gen_require(`
 	class passwd rootok;
@@ -644,11 +644,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	raid_manage_mdadm_pid(initrc_t)
-')
-
-optional_policy(`
-	rpc_read_exports(initrc_t)
+	openvpn_read_config(initrc_t)
 ')
 
 optional_policy(`
@@ -665,6 +661,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_manage_mdadm_pid(initrc_t)
+')
+
+optional_policy(`
 	corecmd_shell_entry_type(initrc_t)
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
@@ -674,6 +674,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rpc_read_exports(initrc_t)
+')
+
+optional_policy(`
 	# bash tries to access a block device in the initrd
 	kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)

More information about the scm-commits mailing list