projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 2ba3de96 | 1 | |
| 17ec8c1f | 2 | policy_module(openvpn, 1.7.0) |
| 2ba3de96 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| 72f82c47 CP |
9 | ## <desc> |
| 10 | ## <p> | |
| 11 | ## Allow openvpn to read home directories | |
| 12 | ## </p> | |
| 13 | ## </desc> | |
| 0bfccda4 | 14 | gen_tunable(openvpn_enable_homedirs, false) |
| 72f82c47 | 15 | |
| 2ba3de96 CP |
16 | # main openvpn domain |
| 17 | type openvpn_t; | |
| 18 | type openvpn_exec_t; | |
| 19 | init_daemon_domain(openvpn_t, openvpn_exec_t) | |
| 20 | ||
| 21 | # configuration files | |
| 22 | type openvpn_etc_t; | |
| 967fd1ba CP |
23 | files_config_file(openvpn_etc_t) |
| 24 | ||
| 25 | type openvpn_initrc_exec_t; | |
| 26 | init_script_file(openvpn_initrc_exec_t) | |
| 2ba3de96 CP |
27 | |
| 28 | # log files | |
| 29 | type openvpn_var_log_t; | |
| 30 | logging_log_file(openvpn_var_log_t) | |
| 31 | ||
| 32 | # pid files | |
| 33 | type openvpn_var_run_t; | |
| 34 | files_pid_file(openvpn_var_run_t) | |
| 35 | ||
| 36 | ######################################## | |
| 37 | # | |
| 38 | # openvpn local policy | |
| 39 | # | |
| 40 | ||
| 967fd1ba | 41 | allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; |
| 72f82c47 CP |
42 | allow openvpn_t self:process { signal getsched }; |
| 43 | ||
| 2ba3de96 CP |
44 | allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; |
| 45 | allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; | |
| 46 | allow openvpn_t self:udp_socket create_socket_perms; | |
| 6b19be33 | 47 | allow openvpn_t self:tcp_socket server_stream_socket_perms; |
| a5e2133b | 48 | allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; |
| 2ba3de96 | 49 | |
| c0868a7a | 50 | allow openvpn_t openvpn_etc_t:dir list_dir_perms; |
| 967fd1ba | 51 | can_exec(openvpn_t, openvpn_etc_t) |
| 0bfccda4 CP |
52 | read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) |
| 53 | read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) | |
| 2ba3de96 | 54 | |
| c0868a7a | 55 | allow openvpn_t openvpn_var_log_t:file manage_file_perms; |
| 0bfccda4 | 56 | logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) |
| 2ba3de96 | 57 | |
| 72f82c47 CP |
58 | manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) |
| 59 | files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) | |
| 2ba3de96 | 60 | |
| 123a990b | 61 | kernel_read_kernel_sysctls(openvpn_t) |
| 2ba3de96 CP |
62 | kernel_read_net_sysctls(openvpn_t) |
| 63 | kernel_read_network_state(openvpn_t) | |
| 64 | kernel_read_system_state(openvpn_t) | |
| 65 | ||
| 66 | corecmd_exec_bin(openvpn_t) | |
| 2ba3de96 CP |
67 | corecmd_exec_shell(openvpn_t) |
| 68 | ||
| 19006686 CP |
69 | corenet_all_recvfrom_unlabeled(openvpn_t) |
| 70 | corenet_all_recvfrom_netlabel(openvpn_t) | |
| 2ba3de96 CP |
71 | corenet_tcp_sendrecv_all_if(openvpn_t) |
| 72 | corenet_udp_sendrecv_all_if(openvpn_t) | |
| 73 | corenet_tcp_sendrecv_generic_node(openvpn_t) | |
| 74 | corenet_udp_sendrecv_generic_node(openvpn_t) | |
| 75 | corenet_tcp_sendrecv_all_ports(openvpn_t) | |
| 76 | corenet_udp_sendrecv_all_ports(openvpn_t) | |
| 77 | corenet_tcp_bind_all_nodes(openvpn_t) | |
| 78 | corenet_udp_bind_all_nodes(openvpn_t) | |
| 79 | corenet_tcp_bind_openvpn_port(openvpn_t) | |
| 80 | corenet_udp_bind_openvpn_port(openvpn_t) | |
| 72f82c47 | 81 | corenet_tcp_connect_openvpn_port(openvpn_t) |
| 967fd1ba CP |
82 | corenet_tcp_connect_http_port(openvpn_t) |
| 83 | corenet_rw_tun_tap_dev(openvpn_t) | |
| 84 | corenet_sendrecv_openvpn_server_packets(openvpn_t) | |
| 85 | corenet_sendrecv_openvpn_client_packets(openvpn_t) | |
| 86 | corenet_sendrecv_http_client_packets(openvpn_t) | |
| 2ba3de96 | 87 | |
| 46551033 | 88 | dev_search_sysfs(openvpn_t) |
| 2ba3de96 CP |
89 | dev_read_rand(openvpn_t) |
| 90 | dev_read_urand(openvpn_t) | |
| 91 | ||
| 92 | files_read_etc_files(openvpn_t) | |
| 93 | files_read_etc_runtime_files(openvpn_t) | |
| 94 | ||
| 2ba3de96 CP |
95 | logging_send_syslog_msg(openvpn_t) |
| 96 | ||
| 97 | miscfiles_read_localization(openvpn_t) | |
| 72f82c47 | 98 | miscfiles_read_certs(openvpn_t) |
| 2ba3de96 | 99 | |
| 46551033 | 100 | sysnet_dns_name_resolve(openvpn_t) |
| 2ba3de96 CP |
101 | sysnet_exec_ifconfig(openvpn_t) |
| 102 | ||
| 296273a7 CP |
103 | userdom_use_user_terminals(openvpn_t) |
| 104 | ||
| 72f82c47 | 105 | tunable_policy(`openvpn_enable_homedirs',` |
| 296273a7 | 106 | userdom_read_user_home_content_files(openvpn_t) |
| 72f82c47 CP |
107 | ') |
| 108 | ||
| 2ba3de96 | 109 | optional_policy(` |
| 0bfccda4 | 110 | daemontools_service_domain(openvpn_t, openvpn_exec_t) |
| 2ba3de96 | 111 | ') |
| 72f82c47 CP |
112 | |
| 113 | optional_policy(` | |
| 296273a7 | 114 | dbus_system_bus_client(openvpn_t) |
| 72f82c47 | 115 | dbus_connect_system_bus(openvpn_t) |
| 72f82c47 CP |
116 | |
| 117 | networkmanager_dbus_chat(openvpn_t) | |
| 118 | ') |