From: dominick.grift@gmail.com (grift)
Date: Tue, 27 Nov 2012 14:35:21 +0100
Subject: [refpolicy] [PATCH 4/7] Support openvpn status file
In-Reply-To: <1353612118-9745-5-git-send-email-sven.vermeulen@siphos.be>
References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> <1353612118-9745-5-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1354023321.1888.13.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> OpenVPN uses a status file that it constantly writes to (rather than append, as
> used for the other log files). As this is less of a log file and more of a state
> file, create a separate type and allow openvpn_t manage rights on it.
>
> Signed-off-by: Sven Vermeulen
> ---
> openvpn.fc | 1 +
> openvpn.if | 4 ++--
> openvpn.te | 6 ++++++
> 3 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/openvpn.fc b/openvpn.fc
> index 9f86d3d..db5adfe 100644
> --- a/openvpn.fc
> +++ b/openvpn.fc
> @@ -5,6 +5,7 @@
>
> /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
>
> +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
> /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
>
> /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
> diff --git a/openvpn.if b/openvpn.if
> index c11f537..03f4e60 100644
> --- a/openvpn.if
> +++ b/openvpn.if
> @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
> #
> interface(`openvpn_admin',`
> gen_require(`
> - type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
> type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
> ')
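Review bot: The new file_contexts entry covers only the literal path `/var/log/openvpn-status.log`, while the status file location is whatever the OpenVPN configuration's `--status` option names, so a status file placed anywhere else (another name in /var/log, or a file under /var/run/openvpn) silently falls back to the neighbouring `openvpn.*` / `openvpn(/.*)?` entries and is labeled openvpn_var_log_t or openvpn_var_run_t rather than the new type. Nothing in the hunk tells a maintainer this; a one-line comment above the entry would, e.g. `# --status file: only this exact path is labeled openvpn_status_t; other --status paths fall under the entries below`. As far as I recall, this entry wins over the overlapping `/var/log/openvpn.*` line only because setfiles prefers the entry with the longer literal stem, which is worth stating in the same comment so nobody "simplifies" the two lines into one later.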
>
> @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
> admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
>
> logging_list_logs($1)
> - admin_pattern($1, openvpn_var_log_t)
> + admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
>
> files_list_pids($1)
> admin_pattern($1, openvpn_var_run_t)
> diff --git a/openvpn.te b/openvpn.te
> index 58607b0..9643979 100644
> --- a/openvpn.te
> +++ b/openvpn.te
> @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
> type openvpn_initrc_exec_t;
> init_script_file(openvpn_initrc_exec_t)
>
> +type openvpn_status_t;
> +logging_log_file(openvpn_status_t)
> +
> type openvpn_var_log_t;
> logging_log_file(openvpn_var_log_t)
>
> @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
> allow openvpn_t openvpn_etc_t:file read_file_perms;
> allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
>
> +allow openvpn_t openvpn_status_t:file manage_file_perms;
> +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> +
> manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
> filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
>
Not sure if this is worth it and where other modules store this file but i merged it with some minor clean up, thanks
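Review bot: `logging_log_file(openvpn_status_t)` in the first openvpn.te hunk gives the status file the `logfile` attribute, so every domain granted logging_read_all_logs() or logging_manage_all_logs() (log shippers, backup tools, and the like) gets the same access to it as to the real logs, which undercuts the commit's own reasoning that this is a state file rather than a log. The file is presumably the `--status` output, which I recall lists connected clients with their real and tunnel addresses; if so it is more sensitive than the daemon's log and deserves a label that is not swept up by the log-wide interfaces, e.g. `files_type(openvpn_status_t)` in place of the logging_log_file() call, keeping the logging_log_filetrans() in the second hunk so the file is still created with the right type under /var/log. The openvpn_admin() interface names openvpn_status_t explicitly, so administrators keep their access either way. A short comment above the type, `# --status output: rewritten in place, deliberately not a logfile`, would record the intent for the next reader.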