[selinux-policy: 2557/3172] openvpn needs ipc_lock capability, connects to http ports, and manages net_conf_t files - from Dan W
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:47:17 UTC 2010
commit d3b5907ea47ab21d88cdf6ff3ceeaa0e6b86fbe4
Author: Jeremy Solt <jsolt at tresys.com>
Date: Fri Mar 19 13:04:27 2010 -0400
openvpn needs ipc_lock capability, connects to http ports,
and manages net_conf_t files - from Dan Walsh
policy/modules/services/openvpn.te | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8d1f370..190a684 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -41,7 +41,7 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
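Review bot: The rewritten `+allow openvpn_t self:capability { ... }` rule adds `ipc_lock` with no comment saying which feature needs it, and the commit message only says OpenVPN "needs" it. ipc_lock is the capability the kernel checks for mlock()/mlockall(); if this is for OpenVPN's `--mlock` option (keeping key material out of swap) a one-line comment above the rule, `# ipc_lock: mlockall() for --mlock, keeps keys out of swap`, would let a later reviewer confirm it is still required rather than trimming it. Since the capability is granted unconditionally rather than under a tunable, recording the justification here matters.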
@@ -85,6 +85,7 @@ corenet_tcp_bind_generic_node(openvpn_t)
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
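Review bot: The added `+corenet_tcp_bind_http_port(openvpn_t)` lets openvpn_t listen on the http_port_t ports, which is a different and broader permission than the "connects to http ports" the commit message describes; outbound `corenet_tcp_connect_http_port(openvpn_t)` is already present two lines below and is unchanged. If the intent is a server configured with a TCP listener on a web port, the message should say "binds to http ports" and the line deserves a comment such as `# server mode: TCP listener on http ports`; if only outbound access was meant, the line should be dropped. Granting bind unconditionally also means an openvpn_t process may occupy the web port on a host that runs a web server too, so a tunable may be the better fit, though that is a design choice beyond this hunk.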
@@ -100,6 +101,8 @@ dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
+auth_use_pam(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
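Review bot: `+auth_use_pam(openvpn_t)` is not mentioned in the commit subject or description, which list only ipc_lock, the http port and net_conf_t, so a reader of the log would not learn that this domain gained PAM access. auth_use_pam is a broad interface that brings in whatever the PAM stack needs, so the description should name it and the line should carry a comment naming the OpenVPN feature that drives it — presumably the `auth-user-pass-verify` / openvpn-auth-pam plugin path, but that should be confirmed with the reporter. Without that note the permission is hard to revisit when the feature is no longer used.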
@@ -107,7 +110,7 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
-sysnet_write_config(openvpn_t)
+sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
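Review bot: Replacing `sysnet_write_config(openvpn_t)` with `+sysnet_manage_config(openvpn_t)` widens the domain from writing net_conf_t files to creating, deleting and renaming them, and together with the existing `sysnet_etc_filetrans_config(openvpn_t)` on the next line it can replace the resolver configuration outright rather than edit it in place; the commit message only says "manages net_conf_t files" without saying why write was insufficient. A comment above the pair, `# up/down scripts replace net_conf_t files rather than write in place`, or whichever reason applies, would document the rationale. Given this domain also holds dac_override and net_admin (first hunk), manage over net_conf_t amounts to full control of the host's resolver settings, which is worth stating in the description.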