#DESC vpnc

#

# Author:  Dan Walsh <dwalsh@redhat.com>

#

#################################

#

# Rules for the vpnc_t domain, et al.

#

# vpnc_t is the domain for the vpnc program.

# vpnc_exec_t is the type of the vpnc executable.

#

daemon_domain(vpnc)

allow vpnc_t { random_device_t urandom_device_t }:chr_file read;

# Use the network.

can_network(vpnc_t)

can_ypbind(vpnc_t)

allow vpnc_t self:socket create_socket_perms;

# Use capabilities.

allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };

allow vpnc_t devpts_t:dir search;

allow vpnc_t etc_t:file { getattr read };

allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };

allow vpnc_t self:rawip_socket create_socket_perms;

allow vpnc_t self:unix_dgram_socket create_socket_perms;

allow vpnc_t self:unix_stream_socket create_socket_perms;

allow vpnc_t admin_tty_type:chr_file rw_file_perms;

allow vpnc_t port_t:udp_socket name_bind;

allow vpnc_t etc_runtime_t:file { getattr read };

allow vpnc_t proc_t:file { getattr read };

dontaudit vpnc_t selinux_config_t:dir search;

can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })

allow vpnc_t sysctl_net_t:dir search;

allow vpnc_t sbin_t:dir search;

allow vpnc_t bin_t:dir search;

allow vpnc_t bin_t:lnk_file read;

r_dir_file(vpnc_t, proc_net_t)