From: dominick.grift@gmail.com (grift) Date: Tue, 27 Nov 2012 14:36:56 +0100 Subject: [refpolicy] [PATCH 4/7] Support openvpn status file In-Reply-To: <1354023321.1888.13.camel@localhost> References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> <1353612118-9745-5-git-send-email-sven.vermeulen@siphos.be> <1354023321.1888.13.camel@localhost> Message-ID: <1354023416.1888.14.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2012-11-27 at 14:35 +0100, grift wrote: > On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote: > > OpenVPN uses a status file that it constantly writes to (rather than append, as > > used for the other log files). As this is less of a log file and more of a state > > file, create a separate type and allow openvpn_t manage rights on it. > > > > Signed-off-by: Sven Vermeulen > > --- > > openvpn.fc | 1 + > > openvpn.if | 4 ++-- > > openvpn.te | 6 ++++++ > > 3 files changed, 9 insertions(+), 2 deletions(-) > > > > diff --git a/openvpn.fc b/openvpn.fc > > index 9f86d3d..db5adfe 100644 > > --- a/openvpn.fc > > +++ b/openvpn.fc > > @@ -5,6 +5,7 @@ > > > > /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) > > > > +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0) > > /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) > > > > /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) > > diff --git a/openvpn.if b/openvpn.if > > index c11f537..03f4e60 100644 > > --- a/openvpn.if > > +++ b/openvpn.if > > @@ -142,7 +142,7 @@ interface(`openvpn_read_config',` > > # > > interface(`openvpn_admin',` > > gen_require(` > > - type openvpn_t, openvpn_etc_t, openvpn_var_log_t; > > + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t; > > type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t; > > ') 
> > > > @@ -158,7 +158,7 @@ interface(`openvpn_admin',` > > admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t }) > > > > logging_list_logs($1) > > - admin_pattern($1, openvpn_var_log_t) > > + admin_pattern($1, { openvpn_status_t openvpn_var_log_t }) > > > > files_list_pids($1) > > admin_pattern($1, openvpn_var_run_t) > > diff --git a/openvpn.te b/openvpn.te > > index 58607b0..9643979 100644 > > --- a/openvpn.te > > +++ b/openvpn.te > > @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t) > > type openvpn_initrc_exec_t; > > init_script_file(openvpn_initrc_exec_t) > > > > +type openvpn_status_t; > > +logging_log_file(openvpn_status_t) > > + > > type openvpn_var_log_t; > > logging_log_file(openvpn_var_log_t) > > > > @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms; > > allow openvpn_t openvpn_etc_t:file read_file_perms; > > allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; > > > > +allow openvpn_t openvpn_status_t:file manage_file_perms; > > +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") > > + > > manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) > > filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) > > > > Not sure if this is worth it and where other modules store this file but > i merged it with some minor clean up, thanks > I meant "other distributions"
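Review bot: in the openvpn.fc hunk, the new `/var/log/openvpn-status\.log` entry only covers OpenVPN's default location; the status file path is set by the `status` directive in the OpenVPN configuration, so a deployment pointing it elsewhere under /var/log will still fall under the existing `/var/log/openvpn.*` pattern and get openvpn_var_log_t rather than openvpn_status_t. Worth a short note in the commit message (or a comment above the entry) that non-default paths need a local file context entry, since the longer literal prefix is what makes this entry win over `/var/log/openvpn.*` here.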
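Review bot: in the second openvpn.if hunk, `admin_pattern($1, { openvpn_status_t openvpn_var_log_t })` makes openvpn_admin the only interface through which a domain other than openvpn_t can reach the status file. Since the commit message describes this as state that is rewritten constantly, a monitoring or status-display domain would reasonably need read access without full admin rights; consider adding a read interface for openvpn_status_t alongside openvpn_read_config, or state in the commit message that this is deliberately left out.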
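Review bot: in the first openvpn.te hunk, `logging_log_file(openvpn_status_t)` contradicts the commit message, which argues the file is "less of a log file and more of a state file". Declaring it with logging_log_file gives it the log-file attribute, so every domain granted blanket read or manage access to logs through the logging interfaces also gets the status file. If the intent is really to separate it from the logs, a plain file type declaration would match the stated rationale; if the log attribute is wanted because the file lives under /var/log, the commit message should say so rather than describe it as state.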
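Review bot: in the second openvpn.te hunk, `allow openvpn_t openvpn_status_t:file manage_file_perms;` grants unlink, link and rename in addition to the create/read/write the commit message describes ("constantly writes to"). That is the usual refpolicy pattern for a type the domain owns, so it is acceptable, but the rationale in the message should mention that the file is replaced rather than only truncated and rewritten if that is why manage rather than create plus rw is needed. The `logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")` name transition likewise only fires for that exact filename, so a status file named differently via the `status` directive is created with whatever label the existing rules give files under /var/log; that limitation is worth stating next to the rule.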