#DESC OpenVPN - Firewall-friendly SSL-based VPN
#
# Author: Colin Walters <walters@verbum.org>
#
########################################
#

# Daemon domain openvpn_t and its configuration directory type
# (openvpn_etc_t, provided by etcdir_domain).
daemon_domain(openvpn)
etcdir_domain(openvpn)

# Port type for the VPN listening port; see the udp name_bind rule below.
type openvpn_port_t, port_type;

# Read-only access to system configuration and runtime config files.
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;

# Entropy source: read-only on the random devices.
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
allow openvpn_t devpts_t:dir { search getattr };
# Read/write on the tun/tap device node that carries tunnel traffic.
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
allow openvpn_t proc_t:file { getattr read };

# Unix-domain sockets within the domain itself (create, send, connect).
allow openvpn_t self:unix_dgram_socket create_socket_perms;
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
allow openvpn_t self:unix_dgram_socket sendto;
allow openvpn_t self:unix_stream_socket connectto;
# net_admin is the broad one (interface/route setup); setuid/setgid let the
# daemon drop privileges after setup. No other capability is granted.
allow openvpn_t self:capability { net_admin setgid setuid };
# Read-only access to the net sysctls.
r_dir_file(openvpn_t, sysctl_net_t)

can_network_server(openvpn_t)
# Binding openvpn_port_t is granted for UDP only. NOTE(review): a TCP-mode
# server would additionally need tcp_socket name_bind on openvpn_port_t --
# confirm whether can_network_server already covers that before relying on
# this rule alone.
allow openvpn_t openvpn_port_t:udp_socket name_bind;

# OpenVPN executes a lot of helper programs and scripts
# NOTE(review): can_exec runs them in openvpn_t without a domain transition,
# so helper scripts inherit net_admin and the tun device access granted
# above; keep them root-owned and not writable by other users.
allow openvpn_t { bin_t sbin_t }:dir { search getattr };
allow openvpn_t bin_t:lnk_file { getattr read };
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
# Do not transition to ifconfig_t, since then it needs
# permission to access openvpn_t:udp_socket, which seems
# worse.
can_exec(openvpn_t, ifconfig_exec_t)

# The Fedora init script iterates over /etc/openvpn/*.conf, and
# starts a daemon for each file.
# Read-only: initrc_t never writes the openvpn configuration.
r_dir_file(initrc_t, openvpn_etc_t)