[selinux-policy] * Thu Nov 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-96 - Allow NetworkManager stream connect

Lukas Vrabec lvrabec at fedoraproject.org
Thu Nov 20 10:38:30 UTC 2014


commit 48f969d319d6f17263fd46a58c471f4cca888750
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Nov 20 11:38:07 2014 +0100

    * Thu Nov 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-96
    - Allow NetworkManager stream connect on openvpn. BZ(1165110)

 policy-rawhide-contrib.patch |   47 ++++++++++++++++++++++++++++++++++-------
 selinux-policy.spec          |    5 +++-
 2 files changed, 43 insertions(+), 9 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b12d4b0..a40dcab 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -54988,7 +54988,7 @@ index 86dc29d..98fdac1 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..4e7b106 100644
+index 55f2009..6dc7fb1 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -55326,7 +55326,11 @@ index 55f2009..4e7b106 100644
  ')
  
  optional_policy(`
-@@ -289,6 +350,7 @@ optional_policy(`
+@@ -286,9 +347,11 @@ optional_policy(`
+ 	openvpn_kill(NetworkManager_t)
+ 	openvpn_signal(NetworkManager_t)
+ 	openvpn_signull(NetworkManager_t)
++    openvpn_stream_connect(NetworkManager_t)
  ')
  
  optional_policy(`
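Review bot: The added `openvpn_stream_connect(NetworkManager_t)` line is indented with four spaces, while the three `openvpn_*` calls directly above it use a tab, so it should be re-indented with a single leading tab to match the block. NetworkManager_t can already kill and signal openvpn in this block, and the new line also lets it connect to the daemon's unix stream socket. A short comment above the call would keep the reason for the extra allow rule traceable, for example `# NetworkManager talks to openvpn over its unix socket, BZ(1165110)`. The `optional_policy` block this sits in opens outside the hunk.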
@@ -55334,7 +55338,7 @@ index 55f2009..4e7b106 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +358,7 @@ optional_policy(`
+@@ -296,7 +359,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55343,7 +55347,7 @@ index 55f2009..4e7b106 100644
  ')
  
  optional_policy(`
-@@ -307,6 +369,7 @@ optional_policy(`
+@@ -307,6 +370,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -55351,7 +55355,7 @@ index 55f2009..4e7b106 100644
  ')
  
  optional_policy(`
-@@ -320,14 +383,20 @@ optional_policy(`
+@@ -320,14 +384,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55377,7 +55381,7 @@ index 55f2009..4e7b106 100644
  ')
  
  optional_policy(`
-@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +427,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -61896,7 +61900,7 @@ index 300213f..4cdfe09 100644
  /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
  
 diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..21e6dae 100644
+index 6837e9a..9bac89c 100644
 --- a/openvpn.if
 +++ b/openvpn.if
 @@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
@@ -61925,7 +61929,34 @@ index 6837e9a..21e6dae 100644
  ##	openvpn domain, and allow the
  ##	specified role the openvpn domain.
  ## </summary>
-@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
+@@ -123,6 +142,26 @@ interface(`openvpn_read_config',`
+ 	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
+ ')
+ 
++####################################
++## <summary>
++##  Connect to openvpn over
++##	a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`openvpn_stream_connect',`
++	gen_require(`
++		type openvpn_t, openvpn_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to
+@@ -147,9 +186,13 @@ interface(`openvpn_admin',`
  		type openvpn_status_t;
  	')
  
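Review bot: The summary of the new `openvpn_stream_connect` interface does not say which sockets a caller gains, and the grant is wider than a single socket. As `stream_connect_pattern` is defined in the reference policy, `stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)` gives the caller write access to every sock_file labelled openvpn_var_run_t and connectto on openvpn_t's unix stream sockets. The summary should state that scope, for example `##	Connect to openvpn over a unix domain stream socket whose sock_file is labelled openvpn_var_run_t.` What listens on that socket is not visible in this hunk; if it is a control channel for the daemon, the summary should say so, so that future callers are reviewed with that in mind. As a style point, the banner is 36 `#` characters and the doc lines mix two-space and tab indentation, whereas the neighbouring interface uses a 40-character banner and tabs.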
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 690ebbb..8b69712 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Nov 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-96
+- Allow NetworkManager stream connect on openvpn. BZ(1165110)
+
 * Wed Nov 19 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-95
 - Allow networkmanager manage also openvpn sock pid files.
 

