Chris PeBenito 0fbfa5
#DESC OpenVPN - Firewall-friendly SSL-based VPN
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author: Colin Walters <walters@verbum.org>
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
########################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
daemon_domain(openvpn)
Chris PeBenito 0fbfa5
etcdir_domain(openvpn)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type openvpn_port_t, port_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
Chris PeBenito 0fbfa5
allow openvpn_t devpts_t:dir { search getattr };
Chris PeBenito 0fbfa5
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow openvpn_t proc_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow openvpn_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow openvpn_t self:unix_dgram_socket sendto;
Chris PeBenito 0fbfa5
allow openvpn_t self:unix_stream_socket connectto;
Chris PeBenito 0fbfa5
allow openvpn_t self:capability { net_admin setgid setuid };
Chris PeBenito 0fbfa5
r_dir_file(openvpn_t, sysctl_net_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_network_server(openvpn_t)
Chris PeBenito 0fbfa5
allow openvpn_t openvpn_port_t:udp_socket name_bind;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# OpenVPN executes a lot of helper programs and scripts
Chris PeBenito 0fbfa5
allow openvpn_t { bin_t sbin_t }:dir { search getattr };
Chris PeBenito 0fbfa5
allow openvpn_t bin_t:lnk_file { getattr read };
Chris PeBenito 0fbfa5
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
Chris PeBenito 0fbfa5
# Do not transition to ifconfig_t, since then it needs
Chris PeBenito 0fbfa5
# permission to access openvpn_t:udp_socket, which seems
Chris PeBenito 0fbfa5
# worse.
Chris PeBenito 0fbfa5
can_exec(openvpn_t, ifconfig_exec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# The Fedora init script iterates over /etc/openvpn/*.conf, and
Chris PeBenito 0fbfa5
# starts a daemon for each file.
Chris PeBenito 0fbfa5
r_dir_file(initrc_t, openvpn_etc_t)