From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 09 Oct 2012 14:28:44 +0200
Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon
In-Reply-To: <1347106944-4861-1-git-send-email-bigon@debian.org>
References: <1346794648-27101-6-git-send-email-bigon@debian.org> <1347106944-4861-1-git-send-email-bigon@debian.org>
Message-ID: <1349785724.30521.12.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-09-08 at 14:22 +0200, Laurent Bigonville wrote:
> From: Russell Coker > > --- > iodine.fc | 1 + > iodine.if | 1 + > iodine.te | 29 +++++++++++++++++++++++++++++ > 3 files changed, 31 insertions(+) > create mode 100644 iodine.fc > create mode 100644 iodine.if > create mode 100644 iodine.te > > diff --git a/iodine.fc b/iodine.fc > new file mode 100644 > index 0000000..71c964d > --- /dev/null > +++ b/iodine.fc > @@ -0,0 +1 @@ > +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0) > diff --git a/iodine.if b/iodine.if > new file mode 100644 > index 0000000..4bec253 > --- /dev/null > +++ b/iodine.if > @@ -0,0 +1 @@ > +## policy for the iodine IP over DNS tunneling daemon > diff --git a/iodine.te b/iodine.te > new file mode 100644 > index 0000000..c383ad4 > --- /dev/null > +++ b/iodine.te
> @@ -0,0 +1,29 @@ > +policy_module(iodine,1.0.0) > + > +type iodine_t; > +type iodine_exec_t; > +init_daemon_domain(iodine_t, iodine_exec_t) > + > +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot }; > +allow iodine_t self:rawip_socket { write read create }; > +allow iodine_t self:tun_socket create; > +allow iodine_t self:udp_socket connected_socket_perms; > +allow iodine_t self:unix_dgram_socket { create connect }; > + > +kernel_read_network_state(iodine_t) > +kernel_read_system_state(iodine_t) > +kernel_request_load_module(iodine_t) > +kernel_search_network_sysctl(iodine_t) > + > +corenet_raw_receive_generic_node(iodine_t) > +corenet_rw_tun_tap_dev(iodine_t) > +corenet_udp_bind_dns_port(iodine_t) > +corenet_udp_bind_generic_node(iodine_t) > + > +corecmd_exec_shell(iodine_t) > + > +files_read_etc_files(iodine_t) > + > +logging_send_syslog_msg(iodine_t) > + > +sysnet_domtrans_ifconfig(iodine_t)

Merged with changes, thanks
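Review bot: the file context in the iodine.fc hunk, `/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)`, is wider than it needs to be: `iodine.*` matches every regular file under /usr/sbin whose name begins with `iodine`, not only the `iodine` client and `iodined` server, and anything else that matches would be labelled iodine_exec_t and, through the `init_daemon_domain(iodine_t, iodine_exec_t)` in the .te hunk, run with iodine_t's capabilities. If only the two binaries are intended, tighten the pattern to `/usr/sbin/iodined?`; if other files are meant to match, name them in the commit message.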
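Review bot: the iodine.if hunk is a bare `## policy for the iodine IP over DNS tunneling daemon` line with no interface and no `<summary>` markup; refpolicy interface files open with `## <summary>...</summary>` so the documentation tooling can extract the module description, so wrap the text accordingly. Declaring no interfaces at all also means no other module can, for example, transition into iodine_t or read its files, which is fine for a first cut but worth stating in the commit message.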
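Review bot: in the iodine.te hunk a single domain carries both the client and the server (the .fc pattern labels both), so the rules are the union of what each side needs and the capability line `allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };` grants the server's `net_bind_service` and `sys_chroot` and the raw-socket and tun set-up rights to the client as well; a short comment per rule saying which binary needs it (or a split into two domains) would make that reviewable. Two smaller points on the same hunk: `allow iodine_t self:udp_socket connected_socket_perms;` does not include `connect`, so if the client side connects its UDP socket to the relay it will be denied and `create_socket_perms` is the set wanted; and `allow iodine_t self:unix_dgram_socket { create connect };` looks redundant next to `logging_send_syslog_msg(iodine_t)`, which already covers the domain's own syslog socket, so check and drop it. Style-wise, refpolicy writes `policy_module(iodine, 1.0.0)` with a space, uses `create_socket_perms` rather than `{ write read create }` for `rawip_socket`, and separates declarations from local policy with the usual banner comments.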