
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 27 Nov 2012 19:15:51
Message-Id: 1354043258.d5a9014c1445bcb70c51bfe159cf6282288f18c7.SwifT@gentoo
1 commit: d5a9014c1445bcb70c51bfe159cf6282288f18c7
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Nov 22 19:21:55 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Nov 27 19:07:38 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d5a9014c
7
8 Support openvpn status file
9
10 OpenVPN rewrites its status file in place (truncating and rewriting it rather than
11 appending to it, as it does with its other log files). Since this is more of a state
12 file than a log file, create a separate type for it and grant openvpn_t manage rights on it.
13
14 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
15
16 ---
17 policy/modules/contrib/openvpn.fc | 1 +
18 policy/modules/contrib/openvpn.if | 4 ++--
19 policy/modules/contrib/openvpn.te | 6 ++++++
20 3 files changed, 9 insertions(+), 2 deletions(-)
21
22 diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
23 index 8817db4..987b85c 100644
24 --- a/policy/modules/contrib/openvpn.fc
25 +++ b/policy/modules/contrib/openvpn.fc
26 @@ -5,6 +5,7 @@
27
28 /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
29
30 +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
31 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
32
33 /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
34
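Review bot: The added `/var/log/openvpn-status\.log` context labels only that literal path, and the named transition added in openvpn.te uses the same fixed name, so a `status` directive pointing at any other file under /var/log (a second instance, or a name like openvpn-status-server.log) falls through to the `/var/log/openvpn.*` entry and is labelled openvpn_var_log_t. Given the commit's own rationale that the status file is truncated and rewritten rather than appended, such a file would presumably hit the log-file rules instead; whether openvpn_var_log_t is append-only for openvpn_t is not visible in this diff. Either widen the pattern, e.g. `/var/log/openvpn-status.*\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)`, or add a comment above the entry such as `# status files must be named openvpn-status.log to get openvpn_status_t; other names fall through to openvpn_var_log_t` so administrators know the constraint.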
35 diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
36 index 1960f3a..0bf23e7 100644
37 --- a/policy/modules/contrib/openvpn.if
38 +++ b/policy/modules/contrib/openvpn.if
39 @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
40 #
41 interface(`openvpn_admin',`
42 gen_require(`
43 - type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
44 + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
45 type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
46 ')
47
48 @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
49 admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
50
51 logging_list_logs($1)
52 - admin_pattern($1, openvpn_var_log_t)
53 + admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
54
55 files_list_pids($1)
56 admin_pattern($1, openvpn_var_run_t)
57
58 diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
59 index 7f71224..151ad36 100644
60 --- a/policy/modules/contrib/openvpn.te
61 +++ b/policy/modules/contrib/openvpn.te
62 @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
63 type openvpn_initrc_exec_t;
64 init_script_file(openvpn_initrc_exec_t)
65
66 +type openvpn_status_t;
67 +logging_log_file(openvpn_status_t)
68 +
69 type openvpn_var_log_t;
70 logging_log_file(openvpn_var_log_t)
71
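Review bot: openvpn_status_t is declared with logging_log_file() on the added lines, which gives it the same logfile attribute as openvpn_var_log_t even though the commit message's reason for a separate type is that this is state rather than a log. Any domain granted blanket access to log files through the logging interfaces would then presumably reach the status file, which in stock OpenVPN lists connected clients and their addresses; if that exposure is not intended, declaring it with files_type(openvpn_status_t) would keep it out of the logfile class, and if it is intended, the choice deserves a comment. In either case the declaration should carry a comment such as `# status file, truncated and rewritten by openvpn_t rather than appended to` so the next reader knows why it is not simply openvpn_var_log_t.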
72 @@ -58,6 +61,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
73 allow openvpn_t openvpn_etc_t:file read_file_perms;
74 allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
75
76 +allow openvpn_t openvpn_status_t:file manage_file_perms;
77 +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
78 +
79 manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
80 filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)