From d3b5907ea47ab21d88cdf6ff3ceeaa0e6b86fbe4 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Mar 22 2010 12:36:47 +0000
Subject: openvpn needs ipc_lock capability, connects to http ports, and manages net_conf_t files - from Dan Walsh
---
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8d1f370..190a684 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -41,7 +41,7 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 allow openvpn_t self:fifo_file rw_fifo_file_perms;
@@ -85,6 +85,7 @@ corenet_tcp_bind_generic_node(openvpn_t)
 corenet_udp_bind_generic_node(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
 corenet_tcp_connect_http_cache_port(openvpn_t)
@@ -100,6 +101,8 @@ dev_read_urand(openvpn_t)
 files_read_etc_files(openvpn_t)
 files_read_etc_runtime_files(openvpn_t)
+auth_use_pam(openvpn_t)
+
 logging_send_syslog_msg(openvpn_t)
 miscfiles_read_localization(openvpn_t)
@@ -107,7 +110,7 @@ miscfiles_read_certs(openvpn_t)
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
-sysnet_write_config(openvpn_t)
+sysnet_manage_config(openvpn_t)
 sysnet_etc_filetrans_config(openvpn_t)
 userdom_use_user_terminals(openvpn_t)
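Review bot: The new `ipc_lock` capability on the `allow openvpn_t self:capability` line is granted with no comment saying what needs it; CAP_IPC_LOCK lets the domain mlock() memory past RLIMIT_MEMLOCK, so the reason belongs in the policy file, not only in the commit subject. Presumably this is for OpenVPN's `--mlock` option (mlockall() to keep key material out of swap); a comment above the rule such as `# ipc_lock: mlockall() for --mlock, keeps keys out of swap` would make the grant reviewable later. If `--mlock` is rarely configured the capability could instead sit behind a tunable, though keeping it in the base allow is consistent with the other capabilities on that line.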
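Review bot: The added `corenet_tcp_bind_http_port(openvpn_t)` is a bind, not a connect, so it lets openvpn_t listen on every port labelled http_port_t (80 and 443 among others — verify the exact set in corenetwork) rather than the "connects to http ports" the subject line describes; `corenet_tcp_connect_http_port` is already present two lines below as context. Listening on a web port is a wider grant than reaching one, and nothing in the hunk shows every OpenVPN deployment needs it; presumably it is for servers configured with `port 443` to pass restrictive firewalls. I would record that in a comment, `# listen on 443/tcp (http_port_t) for firewall traversal`, or gate the bind behind a tunable so a default install cannot squat on a web port, and correct the subject line to "binds to" if that is the intent.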
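Review bot: `auth_use_pam(openvpn_t)` is added unconditionally and without a comment, yet PAM is only exercised when the openvpn-auth-pam plugin is configured; certificate-only servers gain the whole interface for nothing. In refpolicy that interface is broad — beyond reading the PAM stack it includes, as far as I recall, the chkpwd transition, faillog and /var/run/pam access and audit messaging; confirm against system/authlogin.if before relying on this. A comment such as `# for the openvpn-auth-pam plugin (PAM user/password auth)` is the minimum, and wrapping the call in a tunable_policy block keyed to PAM use would keep the default domain tighter.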
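Review bot: `sysnet_manage_config(openvpn_t)` replaces `sysnet_write_config` with nothing in the file saying why create/unlink/rename over net_conf_t is now required; the subject's "manages net_conf_t files" is the only explanation. Presumably this is for the update-resolv-conf / resolvconf `--up` scripts that rewrite /etc/resolv.conf through a temporary file and rename, which the write-only interface cannot satisfy; confirm against the denials that motivated the change. A one-line comment above the call, `# --up scripts replace /etc/resolv.conf (create + rename), not just write it`, would keep the widening reviewable; the adjacent `sysnet_etc_filetrans_config` already labels the file created that way.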