[selinux-policy: 2557/3172] openvpn needs ipc_lock capability, connects to http ports, and manages net_conf_t files - from Dan W

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:47:17 UTC 2010


commit d3b5907ea47ab21d88cdf6ff3ceeaa0e6b86fbe4
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Fri Mar 19 13:04:27 2010 -0400

    openvpn needs ipc_lock capability, connects to http ports,
    and manages net_conf_t files - from Dan Walsh

 policy/modules/services/openvpn.te |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8d1f370..190a684 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -41,7 +41,7 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 allow openvpn_t self:fifo_file rw_fifo_file_perms;
 
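Review bot: The new ipc_lock capability on the allow line carries no comment saying why openvpn needs it, and the commit message only asserts the need. ipc_lock permits locking memory (mlock/mlockall) and, unlike the other capabilities on this line, nothing in the hunk hints at the feature that triggers it; presumably it is openvpn's option to lock its memory so key material is not swapped, but that should be confirmed. A one-line comment above the allow line would let later auditors tell a deliberate grant from a denial that was blindly whitelisted, e.g. `# ipc_lock: openvpn can mlock() its memory to keep keys out of swap`.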
@@ -85,6 +85,7 @@ corenet_tcp_bind_generic_node(openvpn_t)
 corenet_udp_bind_generic_node(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
 corenet_tcp_connect_http_cache_port(openvpn_t)
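Review bot: The added line grants corenet_tcp_bind_http_port, i.e. listening on the http port, whereas the commit message says openvpn "connects to http ports", and connecting is already covered by the unchanged corenet_tcp_connect_http_port line two below it. Binding a well-known port is a broader grant than connecting to it and is what the net_bind_service capability on the earlier allow line enables, so either the message or the chosen interface appears to be wrong. If the bind is intentional (openvpn can presumably be configured to listen on the https/http port and hand non-VPN traffic to a web server), a comment such as `# openvpn may be configured to listen on the http port` next to the new line would record that; otherwise the line should be dropped since the connect rule already satisfies the stated need.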
@@ -100,6 +101,8 @@ dev_read_urand(openvpn_t)
 files_read_etc_files(openvpn_t)
 files_read_etc_runtime_files(openvpn_t)
 
+auth_use_pam(openvpn_t)
+
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
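Review bot: The added auth_use_pam(openvpn_t) call is not mentioned in the commit message or the subject line, yet it is the widest grant in this commit: the PAM interface typically brings in access to the authentication stack and its helper domains, well beyond the capability, port and net_conf_t changes the message lists. Since openvpn only needs PAM when user/password authentication through its PAM plugin is configured, a comment stating that condition would make the grant auditable, e.g. `# pam access for openvpn's user/password authentication plugin`, and the commit message should list it alongside the other changes.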
@@ -107,7 +110,7 @@ miscfiles_read_certs(openvpn_t)
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
-sysnet_write_config(openvpn_t)
+sysnet_manage_config(openvpn_t)
 sysnet_etc_filetrans_config(openvpn_t)
 
 userdom_use_user_terminals(openvpn_t)
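Review bot: Replacing sysnet_write_config with sysnet_manage_config widens openvpn's access on net_conf_t from writing existing files to creating, renaming and deleting them, and the hunk gives no hint which operation forced the change. If the driver is an up/down script rewriting a file such as resolv.conf by create-and-rename, note it on the line, e.g. `# openvpn scripts recreate net_conf_t files rather than rewriting them in place`; the unchanged sysnet_etc_filetrans_config line below remains necessary so that files openvpn creates in /etc are labeled net_conf_t rather than the directory default.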

