From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 08 Oct 2008 21:14:33 -0400
Subject: [refpolicy] services_openvpn.patch
In-Reply-To: <1223496429.2165.122.camel@gorn.columbia.tresys.com>
References: <48DA9F75.6040201@redhat.com> <1223496429.2165.122.camel@gorn.columbia.tresys.com>
Message-ID: <48ED5AF9.4060105@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> Additional files in /var/log/openvpn need correct labeling
>>
>> needs setgid and sys_chroot
>>
>> can exec script files in the config directory
>>
>> connect to httpd port
>>
>> Need to interact with terminals if config option "auth-user-pass" is used
>
> Merged except for the terminals change, since sysadm is redundant and
> the unconfined part is missing too.
>
Why is sysadm_use_terms redundant?

########################################
## <summary>
##	allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
	allow $1 unconfined_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
	dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
')