add l2tpd daemon policy
authorDan Walsh <dwalsh@redhat.com>
Tue, 5 Jul 2011 20:21:21 +0000 (16:21 -0400)
committerDan Walsh <dwalsh@redhat.com>
Tue, 5 Jul 2011 20:21:21 +0000 (16:21 -0400)
policy/modules/services/l2tpd.fc [new file with mode: 0644]
policy/modules/services/l2tpd.if [new file with mode: 0644]
policy/modules/services/l2tpd.te [new file with mode: 0644]

diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
new file mode 100644 (file)
index 0000000..5e6d472
--- /dev/null
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/xl2tpd      --      gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+
+/usr/sbin/xl2tpd               --      gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+/var/run/xl2tpd(/.*)?                  gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+
+/var/run/xl2tpd\.pid                   gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+
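Review bot: The `/var/run/xl2tpd\.pid` entry carries no file-type field, while the two executable entries above it are restricted with `--`; since a PID file is a regular file and the preceding `/var/run/xl2tpd(/.*)?` pattern already covers the directory tree, the entry would read more consistently as `/var/run/xl2tpd\.pid  --  gen_context(system_u:object_r:l2tpd_var_run_t,s0)`. This is a style point only: without the qualifier the context is still applied to whatever object matches the path.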
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644 (file)
index 0000000..5783d58
--- /dev/null
@@ -0,0 +1,115 @@
+
+## <summary>policy for l2tpd</summary>
+
+########################################
+## <summary>
+##     Transition to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`l2tpd_domtrans',`
+       gen_require(`
+               type l2tpd_t, l2tpd_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+
+########################################
+## <summary>
+##     Execute l2tpd server in the l2tpd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`l2tpd_initrc_domtrans',`
+       gen_require(`
+               type l2tpd_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+##     Read l2tpd PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`l2tpd_read_pid_files',`
+       gen_require(`
+               type l2tpd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Read and write l2tpd unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`l2tpd_rw_pipes',`
+       gen_require(`
+               type l2tpd_t;
+       ')
+
+       allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an l2tpd environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`l2tpd_admin',`
+       gen_require(`
+               type l2tpd_t;
+       type l2tpd_initrc_exec_t;
+       type l2tpd_var_run_t;
+       ')
+
+       allow $1 l2tpd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, l2tpd_t)
+
+       l2tpd_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 l2tpd_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_search_pids($1)
+       admin_pattern($1, l2tpd_var_run_t)
+')
+
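Review bot: The summary for `l2tpd_initrc_domtrans` says "Execute l2tpd server in the l2tpd domain", but the body calls `init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)`, which transitions through the init script file rather than into l2tpd_t; the server transition is `l2tpd_domtrans` above it. Suggest `##     Execute l2tpd init scripts in the init script domain.` so a caller choosing between the two interfaces is not misled. Separately, the gen_require block of `l2tpd_admin` indents its three type lines inconsistently (the second and third sit one tab shallower than the first); the usual form is a single `type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;` line, matching the gen_require in `l2tpd_domtrans`.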
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644 (file)
index 0000000..b9637a3
--- /dev/null
@@ -0,0 +1,46 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type l2tpd_t;
+type l2tpd_exec_t;
+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
+
+permissive l2tpd_t;
+
+type l2tpd_initrc_exec_t;
+init_script_file(l2tpd_initrc_exec_t)
+
+type l2tpd_var_run_t;
+files_pid_file(l2tpd_var_run_t)
+
+########################################
+#
+# l2tpd local policy
+#
+allow l2tpd_t self:capability { kill };
+allow l2tpd_t self:process { fork signal };
+
+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file })
+
+corenet_udp_bind_generic_node(l2tpd_t)
+corenet_udp_bind_generic_port(l2tpd_t)
+
+domain_use_interactive_fds(l2tpd_t)
+
+files_read_etc_files(l2tpd_t)
+
+logging_send_syslog_msg(l2tpd_t)
+
+miscfiles_read_localization(l2tpd_t)
+
+sysnet_dns_name_resolve(l2tpd_t)
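Review bot: `permissive l2tpd_t;` in the declarations section means every rule below is audited but not enforced, so the daemon is not actually confined until that line is removed, and nothing in the file says whether this is intentional or temporary. A comment such as `# TODO: permissive while the daemon's access pattern is being characterized; drop before enforcing` would make that state explicit for whoever revisits the module. A smaller point: `corenet_udp_bind_generic_port(l2tpd_t)` lets the daemon bind any port in the generic set, which is wider than a single dedicated L2TP port type would be if this tree declares one (I cannot tell from the hunk). Finally, the "l2tpd local policy" header comment runs straight into the first `allow` line with no separating blank line, unlike the Declarations header above it.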