-policy_module(vpn,1.3.0)
+policy_module(vpn, 1.13.0)
########################################
#
#
type vpnc_t;
-domain_type(vpnc_t)
-
type vpnc_exec_t;
-domain_entry_file(vpnc_t,vpnc_exec_t)
+application_domain(vpnc_t, vpnc_exec_t)
role system_r types vpnc_t;
type vpnc_tmp_t;
# Local policy
#
-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
-allow vpnc_t self:process getsched;
-allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:process { getsched signal };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
-manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
-manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
-files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctls(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
-corenet_non_ipsec_sendrecv(vpnc_t)
-corenet_tcp_sendrecv_all_if(vpnc_t)
-corenet_udp_sendrecv_all_if(vpnc_t)
-corenet_raw_sendrecv_all_if(vpnc_t)
-corenet_tcp_sendrecv_all_nodes(vpnc_t)
-corenet_udp_sendrecv_all_nodes(vpnc_t)
-corenet_raw_sendrecv_all_nodes(vpnc_t)
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
+corenet_tcp_sendrecv_generic_if(vpnc_t)
+corenet_udp_sendrecv_generic_if(vpnc_t)
+corenet_raw_sendrecv_generic_if(vpnc_t)
+corenet_tcp_sendrecv_generic_node(vpnc_t)
+corenet_udp_sendrecv_generic_node(vpnc_t)
+corenet_raw_sendrecv_generic_node(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
-corenet_udp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_generic_node(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
+domain_use_interactive_fds(vpnc_t)
+
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
-term_use_all_user_ptys(vpnc_t)
-term_use_all_user_ttys(vpnc_t)
+term_use_all_ptys(vpnc_t)
+term_use_all_ttys(vpnc_t)
corecmd_exec_all_executables(vpnc_t)
files_read_etc_files(vpnc_t)
files_dontaudit_search_home(vpnc_t)
+auth_use_nsswitch(vpnc_t)
+
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)
-libs_use_ld_so(vpnc_t)
-libs_use_shared_libs(vpnc_t)
locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
-sysnet_exec_ifconfig(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home_content(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
optional_policy(`
- dbus_system_bus_client_template(vpnc,vpnc_t)
- dbus_send_system_bus(vpnc_t)
+ dbus_system_bus_client(vpnc_t)
+
optional_policy(`
networkmanager_dbus_chat(vpnc_t)
')
')
optional_policy(`
- nis_use_ypbind(vpnc_t)
-')
-
-optional_policy(`
- nscd_socket_use(vpnc_t)
+ networkmanager_attach_tun_iface(vpnc_t)
')