http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
Additional files in /var/log/openvpn need correct labeling
needs setgid and sys_chroot
can exec script files in the config directory
connect to httpd port
Need to interact with terminals if config option "auth-user-pass" is used
On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>
> Add initrc script support
>
> allow admin to start/stop service
>
> Admin needs admin_pattern on all file types
>
> Additional files in /var/log/openvpn need correct labeling
>
> needs setgid and sys_chroot
>
> can exec script files in the config directory
>
> connect to httpd port
>
> Need to interact with terminals if config option "auth-user-pass" is used
Merged except for the terminals change, since sysadm is redundant and
the unconfined part is missing too.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> Additional files in /var/log/openvpn need correct labeling
>>
>> needs setgid and sys_chroot
>>
>> can exec script files in the config directory
>>
>> connect to httpd port
>>
>> Need to interact with terminals if config option "auth-user-pass" is used
>
> Merged except for the terminals change, since sysadm is redundant and
> the unconfined part is missing too.
>
Why is sysadm_use_terms redundant?
########################################
## <summary>
##	allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
	allow $1 unconfined_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_use_terms',`
	gen_require(`
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
	')

	dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
	dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
')