From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 08 Oct 2008 21:14:33 -0400
Subject: [refpolicy] services_openvpn.patch
In-Reply-To: <1223496429.2165.122.camel@gorn.columbia.tresys.com>
References: <48DA9F75.6040201@redhat.com>
<1223496429.2165.122.camel@gorn.columbia.tresys.com>
Message-ID: <48ED5AF9.4060105@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> Additional files in /var/log/openvpn need correct labeling
>>
>> needs setgid and sys_chroot
>>
>> can exec script files in the config directory
>>
>> connect to httpd port
>>
>> Need to interact with terminals if config option "auth-user-pass" is used
>
> Merged except for the terminals change, since sysadm is redundant and
> the unconfined part is missing too.
>
Why is sysadm_use_terms redundant?
########################################
## <summary>
##	allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
	allow $1 unconfined_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
	dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
')