Re: OpenVPN launching scripts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



OK, I found "semodule -DB"
(http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc.html)
Also thanks for allowing me to skip "semodule -r"

So I can continue ...
21/ #============= amzsns_t ==============
allow amzsns_t self:netlink_route_socket { write read };
allow amzsns_t self:tcp_socket { write read };
allow amzsns_t self:udp_socket { write read };

#============= openvpn_t ==============
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };


and below is my working result.
Problem is: what does it do ?? (I will do some research, but if you
have some idea to simplify or some warning, do not hesitate to
comment)

policy_module( amzsns, 1.0.0)

require {
        type openvpn_t;
        type openvpn_tmp_t;
        type shell_exec_t;
        type unlabeled_t;
        type etc_t;
        type openvpn_etc_t;
        type openvpn_etc_rw_t;
        type proc_t;
        type usr_t;
        type java_exec_t;
        type tmp_t;
        type locale_t;
        type net_conf_t;
        type proc_net_t;
        type ephemeral_port_t;
        type http_port_t;
        type random_device_t;
        type urandom_device_t;
        type cert_t;
}

type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;

domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

allow openvpn_t unlabeled_t:file { execute getattr }; # Execute
unlabeled files ? But why ?

allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };  #
Necessary for transition

allow amzsns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amzsns_t)

# Read some files:
allow amzsns_t etc_t:file  { read open getattr };
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t openvpn_etc_rw_t:file { read write };  # This is
openVPN ipp.txt (I will move it)
allow amzsns_t proc_t:file { read open getattr };
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };

allow amzsns_t amzsns_exec_t:file execute_no_trans; # ?

allow amzsns_t bin_t:file { read open execute getattr execute_no_trans }; # ???

allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read  getattr open };

allow amzsns_t self:fifo_file { read ioctl write getattr };  # ??
allow amzsns_t self:process execmem;

# Network access:
allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
allow amzsns_t self:tcp_socket { create listen getattr connect accept
shutdown getopt setopt read write };
allow amzsns_t self:udp_socket { create connect getattr read write };
allow amzsns_t self:netlink_route_socket { create bind getattr
nlmsg_read read write };
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t http_port_t:tcp_socket name_connect;

allow amzsns_t tmp_t:dir { write add_name create read remove_name } ;
allow amzsns_t tmp_t:file { create read write open unlink };
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t locale_t:file { getattr read open };
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };

allow amzsns_t random_device_t:chr_file { getattr read open  };
allow amzsns_t urandom_device_t:chr_file { getattr read open };

allow amzsns_t java_exec_t:file { read open execute getattr
execute_no_trans };  # ???
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux