Blob Blame History Raw

policy_module(openvpn,1.3.0)

########################################
#
# Declarations
#

# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
init_daemon_domain(openvpn_t, openvpn_exec_t)

# configuration files
type openvpn_etc_t;
files_type(openvpn_etc_t)

# log files
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)

# pid files
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)

########################################
#
# openvpn local policy
#

allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;

allow openvpn_t openvpn_etc_t:dir list_dir_perms;
read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)

allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)

allow openvpn_t openvpn_var_run_t:file manage_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)

kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)

corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)

corenet_all_recvfrom_unlabeled(openvpn_t)
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
corenet_udp_sendrecv_generic_node(openvpn_t)
corenet_tcp_sendrecv_all_ports(openvpn_t)
corenet_udp_sendrecv_all_ports(openvpn_t)
corenet_tcp_bind_all_nodes(openvpn_t)
corenet_udp_bind_all_nodes(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)

dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)

files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)

libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)

logging_send_syslog_msg(openvpn_t)

miscfiles_read_localization(openvpn_t)

sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)

ifdef(`targeted_policy',`
	# Need to interact with terminals if config option "auth-user-pass" is used
	term_use_generic_ptys(openvpn_t)
')

optional_policy(`
	daemontools_service_domain(openvpn_t,openvpn_exec_t)
')