On Thu, 2004-12-09 at 17:35 -0500, Colin Walters wrote:
>
> There is an openvpn.te; it's just not shipped in
> selinux-policy-targeted-sources. The spec file does:
>
> for i in apache.te dhcpd.te ldconfig.te mailman.te mysqld.te mta.te named.te nscd.te ntpd.te portmap.te postgresql.te snmpd.te squid.te syslogd.te ypbind.te; do
> mv domains/program/unused/$i domains/program/
>
> If you just add openvpn.te to that it should work. BTW, I wrote
> openvpn.te very quickly while I was experimenting with VPN software a
> while ago; it's only been lightly tested :)
>

Doesn't drop in cleanly with the targeted policy. It also wants the ifconfig, which wants proc_net_t and run_init_t stuff that isn't in the targeted policy. I've wrapped the call to ifconfig_exec_t in an if ('ifconfig.te....') call so that it builds properly with the targeted policy. It builds, and labels the files, so that's a start! Next question is if it actually works :)

--
David Hollis <dhollis@xxxxxxxxxxxxxx>
#DESC OpenVPN - Firewall-friendly SSL-based VPN
#
# Author: Colin Walters <walters@xxxxxxxxxx>
#
########################################
#
# Declares openvpn_t / openvpn_exec_t and openvpn_etc_t
daemon_domain(openvpn)
etcdir_domain(openvpn)
type openvpn_port_t, port_type;

# Configuration, certificates and keys under /etc
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
allow openvpn_t devpts_t:dir { search getattr };
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
allow openvpn_t proc_t:file { getattr read };
allow openvpn_t self:unix_dgram_socket create_socket_perms;
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
allow openvpn_t self:unix_dgram_socket sendto;
allow openvpn_t self:unix_stream_socket connectto;
allow openvpn_t self:capability net_admin;

# Network configuration and the listening UDP port
r_dir_file(openvpn_t, sysctl_net_t)
can_network(openvpn_t)
allow openvpn_t openvpn_port_t:udp_socket name_bind;

# OpenVPN executes a lot of helper programs and scripts
allow openvpn_t { bin_t sbin_t }:dir { search getattr };
allow openvpn_t bin_t:lnk_file { getattr read };
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })

# Do not transition to ifconfig_t, since then it needs
# permission to access openvpn_t:udp_socket, which seems
# worse.
ifdef(`ifconfig.te', `can_exec(openvpn_t, ifconfig_exec_t)')

# The Fedora init script iterates over /etc/openvpn/*.conf, and
# starts a daemon for each file.
r_dir_file(initrc_t, openvpn_etc_t)
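As an added example (not part of the thread or of the Fedora policy sources), here is a small checker for the problem described above: it reads an old-style .te module, resolves ifdef(`file.te', ...) the way the policy build does, and reports every referenced type that neither the module nor the policy tree declares. The sample module is a trimmed excerpt of the posted openvpn.te; the set of targeted-policy types and the daemon_domain/etcdir_domain expansions are assumptions constructed for the demonstration.

```python
import re

# Constructed excerpt of the openvpn.te posted above (not the full file).
OPENVPN_TE = """
daemon_domain(openvpn)
etcdir_domain(openvpn)
type openvpn_port_t, port_type;
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
r_dir_file(openvpn_t, sysctl_net_t)
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
# Do not transition to ifconfig_t
ifdef(`ifconfig.te', `can_exec(openvpn_t, ifconfig_exec_t)')
r_dir_file(initrc_t, openvpn_etc_t)
"""

# Constructed stand-in for what the targeted policy tree declares;
# ifconfig_exec_t is deliberately absent, as on the poster's system.
TARGETED_TYPES = {"etc_t", "etc_runtime_t", "tun_tap_device_t", "sysctl_net_t",
                  "bin_t", "sbin_t", "shell_exec_t", "initrc_t"}

# Assumption: these are the types the two domain macros declare.
MACRO_DECLARES = {"daemon_domain": ("{}_t", "{}_exec_t"),
                  "etcdir_domain": ("{}_etc_t",)}

def preprocess(te, present_files):
    """Drop comments and resolve ifdef(`file.te', `body') like the build does."""
    te = re.sub(r"#.*", "", te)
    def resolve(m):
        return m.group(2) if m.group(1) in present_files else ""
    return re.sub(r"ifdef\(`([^']+)',\s*`([^']*)'\)", resolve, te, flags=re.S)

def declared_types(te):
    """Types declared by 'type X' statements and by known domain macros."""
    decl = set(re.findall(r"^\s*type\s+(\w+)", te, flags=re.M))
    for macro, name in re.findall(r"(\w+)\(\s*(\w+)\s*\)", te):
        for pattern in MACRO_DECLARES.get(macro, ()):
            decl.add(pattern.format(name))
    return decl

def undefined_types(te, policy_types, present_files=frozenset()):
    """Referenced *_t types that neither the module nor the policy tree defines."""
    te = preprocess(te, present_files)
    referenced = set(re.findall(r"\b\w+_t\b", te))
    return sorted(referenced - declared_types(te) - policy_types)

if __name__ == "__main__":
    print("targeted, no ifconfig.te:", undefined_types(OPENVPN_TE, TARGETED_TYPES))
    print("with ifconfig.te present:",
          undefined_types(OPENVPN_TE, TARGETED_TYPES, {"ifconfig.te"}))
```

With ifconfig.te absent the ifdef body drops out and nothing is undefined, which is why the wrapped module builds against the targeted policy; with it present the checker reports ifconfig_exec_t unless the tree declares it.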