From: paul.moore@hp.com (Paul Moore)
Date: Tue, 25 Aug 2009 17:12:26 -0400
Subject: [refpolicy] [RFC PATCH v1 0/2] Policy support for the new TUN hooks
Message-ID: <20090825210647.6250.56266.stgit@flek.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

These patches are my first attempt at drafting policy for the new TUN hooks; any comments or feedback you have would be great.

It is worth noting that permission to create/attach to TUN/TAP devices was not granted to every domain that has r/w access to the /dev/net/tun device, as the operations are very different; r/w access to /dev/net/tun does not mean the domain needs the ability to create/attach TUN/TAP devices.

I've done some basic testing, but I'm not having a lot of luck running the current refpolicy on Fedora/Rawhide (unfortunately refpolicy and the current Rawhide policy diverge quite a bit in a few important areas touched by these patches). If anyone has any tips I'd love to hear them.

---

Paul Moore (2):
      refpol: Policy for the new TUN driver access controls
      refpol: Add the "tun_socket" object class flask definitions

 policy/flask/access_vectors         |    2 ++
 policy/flask/security_classes       |    2 ++
 policy/modules/admin/vpn.te         |    1 +
 policy/modules/apps/qemu.if         |    3 +++
 policy/modules/apps/uml.te          |    3 +++
 policy/modules/services/openvpn.te  |    1 +
 policy/modules/services/virt.if     |   19 +++++++++++++++++++
 policy/modules/services/virt.te     |    1 +
 policy/modules/system/userdomain.if |   23 +++++++++++++++++++++++
 policy/modules/system/userdomain.te |    2 ++
 policy/modules/system/xen.te        |    1 +
 11 files changed, 58 insertions(+), 0 deletions(-)