#DESC vpnc
#
# Author:  Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the vpnc_t domain, et al.
#
# vpnc_t is the domain for the vpnc program.
# vpnc_exec_t is the type of the vpnc executable.
#
application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
# Use the network.
can_network(vpnc_t)
# name_connect is granted against the port_type attribute, i.e. every labeled
# TCP port, not only isakmp_port_t; the gateway port is presumably not fixed.
# NOTE(review): broad by necessity? Narrow to specific port types if the
# deployment's gateway port is known.
allow vpnc_t port_type:tcp_socket name_connect;
allow vpnc_t isakmp_port_t:udp_socket name_bind;
can_ypbind(vpnc_t)
allow vpnc_t self:socket create_socket_perms;
# Use capabilities.
# Capabilities granted to vpnc_t. Presumed purposes (TODO confirm each is
# still required): net_admin for tun/route configuration (see the
# tun_tap_device_t and netlink_route_socket rules), net_raw for the
# rawip_socket rule, net_bind_service for binding the privileged isakmp
# port (see isakmp_port_t name_bind), ipc_lock for locking memory.
allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
allow vpnc_t devpts_t:dir search;
allow vpnc_t etc_t:file { getattr read };
allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
# Read/write on the controlling tty, user ttys and admin ttys — presumably so
# vpnc can prompt for credentials interactively; verify against the program.
allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
allow vpnc_t port_t:udp_socket name_bind;
allow vpnc_t etc_runtime_t:file { getattr read };
allow vpnc_t proc_t:file { getattr read };
dontaudit vpnc_t selinux_config_t:dir search;
# Executes bin_t/sbin_t programs, ifconfig and a shell in the vpnc_t domain
# itself (can_exec, no domain transition), so helper scripts run with every
# capability listed above. NOTE(review): presumably the vpnc connect script;
# confirm a dedicated helper domain is not available for it.
can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
allow vpnc_t sysctl_net_t:dir search;
# Write access to net sysctls (sysctl_net_writer is also passed to
# application_domain above). TODO confirm which sysctls vpnc actually sets.
allow vpnc_t sysctl_net_t:file write;
allow vpnc_t sbin_t:dir search;
allow vpnc_t bin_t:dir search;
allow vpnc_t bin_t:lnk_file read;
allow vpnc_t self:dir search;
r_dir_file(vpnc_t, proc_t)
r_dir_file(vpnc_t, proc_net_t)
tmp_domain(vpnc)
allow vpnc_t self:fifo_file { getattr ioctl read write };
allow vpnc_t self:file { getattr read };
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
# Files vpnc_t creates in etc_t directories are labeled net_conf_t rather than
# etc_t — presumably for rewriting resolver configuration; confirm.
file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
# Executes files labeled etc_t without a domain transition (execute_no_trans);
# anything executed this way keeps vpnc_t's capabilities. NOTE(review):
# presumably scripts kept under /etc — verify they are not writable by
# unprivileged domains, and consider a dedicated exec type for them.
allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
dontaudit vpnc_t home_root_t:dir search;
dontaudit vpnc_t user_home_dir_type:dir search;
var_run_domain(vpnc)
allow vpnc_t userdomain:fd use;
r_dir_file(vpnc_t, sysfs_t)
allow vpnc_t self:process { fork sigchld };
read_locale(vpnc_t)
read_sysctl(vpnc_t)
allow vpnc_t fs_t:filesystem getattr;