From 2ba3de96909f86c2ff03f2faf736697543821789 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Apr 14 2006 20:07:01 +0000 Subject: add openvpn from petre rodan --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index c5beb7e..ba84180 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -49,6 +49,7 @@ mplayer nagios nessus + openvpn (Petre Rodan) perdition postgrey pxe diff --git a/refpolicy/policy/modules/services/openvpn.fc b/refpolicy/policy/modules/services/openvpn.fc new file mode 100644 index 0000000..046d5d7 --- /dev/null +++ b/refpolicy/policy/modules/services/openvpn.fc @@ -0,0 +1,15 @@ +# +# /etc +# +/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) + +# +# /usr +# +/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) + +# +# /var +# +/var/log/openvpn.* -- gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/run/openvpn.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/openvpn.if b/refpolicy/policy/modules/services/openvpn.if new file mode 100644 index 0000000..78bbc4b --- /dev/null +++ b/refpolicy/policy/modules/services/openvpn.if @@ -0,0 +1,23 @@ +## full-featured SSL VPN solution + +######################################## +## +## Allow the specified domain to read +## OpenVPN configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`openvpn_read_config',` + gen_require(` + type openvpn_etc_t; + ') + + files_search_etc($1) + allow $1 openvpn_etc_t:dir r_dir_perms; + allow $1 openvpn_etc_t:file r_file_perms; + allow $1 openvpn_etc_t:lnk_file { getattr read }; +') diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te new file mode 100644 index 0000000..7b064b3 --- /dev/null +++ b/refpolicy/policy/modules/services/openvpn.te @@ -0,0 +1,85 @@ + +policy_module(openvpn,1.0.0) + +######################################## +# +# Declarations +# + +# main openvpn domain +type openvpn_t; +type openvpn_exec_t; +init_daemon_domain(openvpn_t, openvpn_exec_t) + +# configuration files +type openvpn_etc_t; +files_type(openvpn_etc_t) + +# log files +type openvpn_var_log_t; +logging_log_file(openvpn_var_log_t) + +# pid files +type openvpn_var_run_t; +files_pid_file(openvpn_var_run_t) + +######################################## +# +# openvpn local policy +# + +allow openvpn_t self:capability { net_admin setgid setuid }; +allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; +allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvpn_t self:udp_socket create_socket_perms; +allow openvpn_t self:tcp_socket create_socket_perms; + +allow openvpn_t openvpn_etc_t:dir r_dir_perms; +allow openvpn_t openvpn_etc_t:file r_file_perms; +allow openvpn_t openvpn_etc_t:lnk_file { getattr read }; + +allow openvpn_t openvpn_var_log_t:file create_file_perms; +logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) + +allow openvpn_t openvpn_var_run_t:file create_file_perms; +files_pid_filetrans(openvpn_t, openvpn_var_run_t, file) + +kernel_read_net_sysctls(openvpn_t) +kernel_read_network_state(openvpn_t) +kernel_read_system_state(openvpn_t) + +corecmd_exec_bin(openvpn_t) +corecmd_exec_sbin(openvpn_t) +corecmd_exec_shell(openvpn_t) + +corenet_non_ipsec_sendrecv(openvpn_t) +corenet_tcp_sendrecv_all_if(openvpn_t) +corenet_udp_sendrecv_all_if(openvpn_t) +corenet_tcp_sendrecv_generic_node(openvpn_t) +corenet_udp_sendrecv_generic_node(openvpn_t) +corenet_tcp_sendrecv_all_ports(openvpn_t) +corenet_udp_sendrecv_all_ports(openvpn_t) +corenet_tcp_bind_all_nodes(openvpn_t) +corenet_udp_bind_all_nodes(openvpn_t) +corenet_tcp_bind_openvpn_port(openvpn_t) +corenet_udp_bind_openvpn_port(openvpn_t) +corenet_rw_tun_tap_dev(openvpn_t) + +dev_read_rand(openvpn_t) +dev_read_urand(openvpn_t) + +files_read_etc_files(openvpn_t) +files_read_etc_runtime_files(openvpn_t) + +libs_use_ld_so(openvpn_t) +libs_use_shared_libs(openvpn_t) + +logging_send_syslog_msg(openvpn_t) + +miscfiles_read_localization(openvpn_t) + +sysnet_exec_ifconfig(openvpn_t) + +optional_policy(` + daemontools_service_domain(openvpn_t,openvpn_exec_t) +') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index f640e63..49c5ec4 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.7) +policy_module(init,1.3.8) gen_require(` class passwd rootok; @@ -644,11 +644,7 @@ optional_policy(` ') optional_policy(` - raid_manage_mdadm_pid(initrc_t) -') - -optional_policy(` - rpc_read_exports(initrc_t) + openvpn_read_config(initrc_t) ') optional_policy(` @@ -665,6 +661,10 @@ optional_policy(` ') optional_policy(` + raid_manage_mdadm_pid(initrc_t) +') + +optional_policy(` corecmd_shell_entry_type(initrc_t) fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) @@ -674,6 +674,10 @@ optional_policy(` ') optional_policy(` + rpc_read_exports(initrc_t) +') + +optional_policy(` # bash tries to access a block device in the initrd kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)