[people/stevee/selinux-policy.git] / policy / modules / admin / vpn.te

policy_module(vpn, 1.13.1)

########################################
#
# Declarations
#

type vpnc_t;
type vpnc_exec_t;
application_domain(vpnc_t, vpnc_exec_t)
role system_r types vpnc_t;

type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)

type vpnc_var_run_t;
files_pid_file(vpnc_var_run_t)

########################################
#
# Local policy
#

allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;

manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })

manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})

kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
kernel_read_all_sysctls(vpnc_t)
kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)

corenet_all_recvfrom_unlabeled(vpnc_t)
corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_generic_if(vpnc_t)
corenet_udp_sendrecv_generic_if(vpnc_t)
corenet_raw_sendrecv_generic_if(vpnc_t)
corenet_tcp_sendrecv_generic_node(vpnc_t)
corenet_udp_sendrecv_generic_node(vpnc_t)
corenet_raw_sendrecv_generic_node(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_udp_bind_generic_node(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
corenet_udp_bind_ipsecnat_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
corenet_sendrecv_generic_server_packets(vpnc_t)
corenet_rw_tun_tap_dev(vpnc_t)

dev_read_rand(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)

domain_use_interactive_fds(vpnc_t)

fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)

term_use_all_ptys(vpnc_t)
term_use_all_ttys(vpnc_t)

corecmd_exec_all_executables(vpnc_t)

files_exec_etc_files(vpnc_t)
files_read_etc_runtime_files(vpnc_t)
files_read_etc_files(vpnc_t)
files_dontaudit_search_home(vpnc_t)

auth_use_nsswitch(vpnc_t)

libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)

locallogin_use_fds(vpnc_t)

logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)

miscfiles_read_localization(vpnc_t)

seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)

sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)

userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_user_home_content(vpnc_t)
userdom_read_home_certs(vpnc_t)

optional_policy(`
	dbus_system_bus_client(vpnc_t)

	optional_policy(`
		networkmanager_dbus_chat(vpnc_t)
	')
')

optional_policy(`
	networkmanager_attach_tun_iface(vpnc_t)
')
Commit	Line	Data
ab4f8205	1	policy_module(vpn, 1.13.1)
a1fcff33 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type vpnc_t;
a1fcff33	9	type vpnc_exec_t;
f5085676	10	application_domain(vpnc_t, vpnc_exec_t)
46c69cb2	11	role system_r types vpnc_t;
a1fcff33 CP	12
	13	type vpnc_tmp_t;
	14	files_tmp_file(vpnc_tmp_t)
	15
	16	type vpnc_var_run_t;
	17	files_pid_file(vpnc_var_run_t)
	18
	19	########################################
	20	#
	21	# Local policy
	22	#
	23
12c61f36	24	allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
74993c4d	25	allow vpnc_t self:process { getsched signal };
12c61f36 CP	26	allow vpnc_t self:fifo_file rw_fifo_file_perms;
12c61f36 CP	27	allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
a1fcff33 CP	28	allow vpnc_t self:tcp_socket create_stream_socket_perms;
	29	allow vpnc_t self:udp_socket create_socket_perms;
	30	allow vpnc_t self:rawip_socket create_socket_perms;
	31	allow vpnc_t self:unix_dgram_socket create_socket_perms;
	32	allow vpnc_t self:unix_stream_socket create_socket_perms;
b5d89d03	33	allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
a1fcff33 CP	34	# cjp: this needs to be fixed
	35	allow vpnc_t self:socket create_socket_perms;
	36
f5085676 CP	37	manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
f5085676 CP	38	manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
103fe280	39	files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
a1fcff33	40
f5085676 CP	41	manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
	42	manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
	43	files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
a1fcff33 CP	44
	45	kernel_read_system_state(vpnc_t)
	46	kernel_read_network_state(vpnc_t)
74993c4d	47	kernel_read_all_sysctls(vpnc_t)
fdc0d0f7	48	kernel_request_load_module(vpnc_t)
445522dc	49	kernel_rw_net_sysctls(vpnc_t)
a1fcff33	50
19006686 CP	51	corenet_all_recvfrom_unlabeled(vpnc_t)
19006686 CP	52	corenet_all_recvfrom_netlabel(vpnc_t)
668b3093 CP	53	corenet_tcp_sendrecv_generic_if(vpnc_t)
	54	corenet_udp_sendrecv_generic_if(vpnc_t)
	55	corenet_raw_sendrecv_generic_if(vpnc_t)
c1262146 CP	56	corenet_tcp_sendrecv_generic_node(vpnc_t)
	57	corenet_udp_sendrecv_generic_node(vpnc_t)
	58	corenet_raw_sendrecv_generic_node(vpnc_t)
a1fcff33 CP	59	corenet_tcp_sendrecv_all_ports(vpnc_t)
a1fcff33 CP	60	corenet_udp_sendrecv_all_ports(vpnc_t)
c1262146	61	corenet_udp_bind_generic_node(vpnc_t)
a1fcff33 CP	62	corenet_udp_bind_generic_port(vpnc_t)
a1fcff33 CP	63	corenet_udp_bind_isakmp_port(vpnc_t)
f5085676	64	corenet_udp_bind_ipsecnat_port(vpnc_t)
a1fcff33	65	corenet_tcp_connect_all_ports(vpnc_t)
9d0c9b3e CP	66	corenet_sendrecv_all_client_packets(vpnc_t)
	67	corenet_sendrecv_isakmp_server_packets(vpnc_t)
	68	corenet_sendrecv_generic_server_packets(vpnc_t)
5b6ddb98	69	corenet_rw_tun_tap_dev(vpnc_t)
a1fcff33 CP	70
	71	dev_read_rand(vpnc_t)
	72	dev_read_urand(vpnc_t)
	73	dev_read_sysfs(vpnc_t)
	74
f5085676 CP	75	domain_use_interactive_fds(vpnc_t)
f5085676 CP	76
a1fcff33	77	fs_getattr_xattr_fs(vpnc_t)
46c69cb2	78	fs_getattr_tmpfs(vpnc_t)
a1fcff33	79
c3c753f7 CP	80	term_use_all_ptys(vpnc_t)
c3c753f7 CP	81	term_use_all_ttys(vpnc_t)
a1fcff33	82
fb63d0b5	83	corecmd_exec_all_executables(vpnc_t)
a1fcff33 CP	84
	85	files_exec_etc_files(vpnc_t)
	86	files_read_etc_runtime_files(vpnc_t)
	87	files_read_etc_files(vpnc_t)
	88	files_dontaudit_search_home(vpnc_t)
	89
09e21686 CP	90	auth_use_nsswitch(vpnc_t)
09e21686 CP	91
a1fcff33 CP	92	libs_exec_ld_so(vpnc_t)
a1fcff33 CP	93	libs_exec_lib_files(vpnc_t)
a1fcff33	94
1c1ac67f	95	locallogin_use_fds(vpnc_t)
0f27d98d	96
a77e6524	97	logging_send_syslog_msg(vpnc_t)
f5085676	98	logging_dontaudit_search_logs(vpnc_t)
a77e6524	99
a1fcff33 CP	100	miscfiles_read_localization(vpnc_t)
	101
	102	seutil_dontaudit_search_config(vpnc_t)
6b19be33	103	seutil_use_newrole_fds(vpnc_t)
a1fcff33	104
103fe280	105	sysnet_etc_filetrans_config(vpnc_t)
a1fcff33 CP	106	sysnet_manage_config(vpnc_t)
a1fcff33 CP	107
15722ec9	108	userdom_use_all_users_fds(vpnc_t)
296273a7	109	userdom_dontaudit_search_user_home_content(vpnc_t)
3eaa9939	110	userdom_read_home_certs(vpnc_t)
a1fcff33	111
bb7170f6	112	optional_policy(`
296273a7	113	dbus_system_bus_client(vpnc_t)
bd973e3e	114
bb7170f6	115	optional_policy(`
0f27d98d CP	116	networkmanager_dbus_chat(vpnc_t)
0f27d98d CP	117	')
a77e6524	118	')
fdc0d0f7 JS	119
	120	optional_policy(`
	121	networkmanager_attach_tun_iface(vpnc_t)
	122	')