From: bigon@debian.org (Laurent Bigonville)
Date: Sat, 8 Sep 2012 14:22:24 +0200
Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon
In-Reply-To: <1346794648-27101-6-git-send-email-bigon@debian.org>
References: <1346794648-27101-6-git-send-email-bigon@debian.org>
Message-ID: <1347106944-4861-1-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Russell Coker
---
iodine.fc | 1 +
iodine.if | 1 +
iodine.te | 29 +++++++++++++++++++++++++++++
3 files changed, 31 insertions(+)
create mode 100644 iodine.fc
create mode 100644 iodine.if
create mode 100644 iodine.te
diff --git a/iodine.fc b/iodine.fc
new file mode 100644
index 0000000..71c964d
--- /dev/null
+++ b/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)
diff --git a/iodine.if b/iodine.if
new file mode 100644
index 0000000..4bec253
--- /dev/null
+++ b/iodine.if
@@ -0,0 +1 @@
+## policy for the iodine IP over DNS tunneling daemon
diff --git a/iodine.te b/iodine.te
new file mode 100644
index 0000000..c383ad4
--- /dev/null
+++ b/iodine.te
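Review bot: The file context `/usr/sbin/iodine.* --` in the iodine.fc hunk is wider than the two binaries this policy is written for: every regular file under /usr/sbin whose name starts with `iodine` becomes iodine_exec_t and therefore an entry point into iodine_t through init_daemon_domain. If the package ships helper scripts under the same prefix (Debian's iodine-client-start, for instance, if it lives there), they would be started in a domain that grants no interpreter execution and would fail rather than run. Pinning the pattern to the daemon and client, `/usr/sbin/iodined? -- gen_context(system_u:object_r:iodine_exec_t, s0)`, avoids that; if the broad match is deliberate, a comment saying which files it is meant to catch would help the next reader.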
@@ -0,0 +1,29 @@
+policy_module(iodine,1.0.0)
+
+type iodine_t;
+type iodine_exec_t;
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:tun_socket create;
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:unix_dgram_socket { create connect };
+
+kernel_read_network_state(iodine_t)
+kernel_read_system_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+
+corecmd_exec_shell(iodine_t)
+
+files_read_etc_files(iodine_t)
+
+logging_send_syslog_msg(iodine_t)
+
+sysnet_domtrans_ifconfig(iodine_t)
--
1.7.10.4
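Review bot: The network access for iodine_t stops at binding: next to corenet_udp_bind_dns_port and corenet_udp_bind_generic_node there is no corenet_all_recvfrom_unlabeled/netlabel and no corenet_udp_sendrecv_generic_if/generic_node/all_ports, which the other network daemons in refpolicy carry for the netif, node and peer checks on the packets iodined receives on port 53 and on the client's replies from arbitrary ports, so I would expect denials as soon as traffic flows unless the target build has those checks disabled. The additions below go next to the existing bind rules and should be confirmed against an audit log from a real client/server run. The capability line together with corecmd_exec_shell is also a wide grant for a daemon that faces the Internet — a shell under iodine_t inherits net_admin, net_raw and sys_chroot — so the reasons should be written down, e.g. `# iodine runs ifconfig/route through system(), which spawns /bin/sh` above corecmd_exec_shell and `# net_admin: TUNSETIFF on the tun device; sys_chroot: iodine chroots after setup` above the capability line. Those explanations are my reading of the iodine source and of the visible sysnet_domtrans_ifconfig rule, not something this hunk shows, so check them before committing them as policy comments.
```selinux
corenet_all_recvfrom_unlabeled(iodine_t)
corenet_all_recvfrom_netlabel(iodine_t)
corenet_udp_sendrecv_generic_if(iodine_t)
corenet_udp_sendrecv_generic_node(iodine_t)
corenet_udp_sendrecv_all_ports(iodine_t)
corenet_udp_bind_dns_port(iodine_t)
# … unchanged: remaining corenet rules …
```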