commit: d5a9014c1445bcb70c51bfe159cf6282288f18c7 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Nov 22 19:21:55 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Nov 27 19:07:38 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d5a9014c |
|
Support openvpn status file |
|
OpenVPN uses a status file that it constantly overwrites (rather than appends to, as |
it does for its other log files). As this is less of a log file and more of a state |
file, create a separate type and allow openvpn_t manage rights on it. |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/openvpn.fc | 1 + |
policy/modules/contrib/openvpn.if | 4 ++-- |
policy/modules/contrib/openvpn.te | 6 ++++++ |
3 files changed, 9 insertions(+), 2 deletions(-) |
|
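--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -5,6 +5,7 @@
 
 /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
 
+/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
 /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)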
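Review bot: The added file context binds openvpn_status_t only to the literal path /var/log/openvpn-status.log, and the matching `"openvpn-status.log"` name in the logging_log_filetrans call added to openvpn.te is equally fixed, so a status file configured under any other name still matches the existing `/var/log/openvpn.*` entry and is labelled openvpn_var_log_t, where the in-place rewrites this commit is meant to allow would presumably still be denied. Since OpenVPN's status file path is administrator-configurable, a comment on the new entry would make the expected name explicit, e.g. `# --status file is rewritten in place; relabel to openvpn_status_t if another name is configured`. The precedence between the two /var/log entries is presumably settled by the build's file-context sorting rather than by their order here, which is outside this hunk.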
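--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
 #
 interface(`openvpn_admin',`
 gen_require(`
-type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
 type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
 ')
 
@@ -158,7 +158,7 @@ interface(`openvpn_admin',`
 admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
 
 logging_list_logs($1)
-admin_pattern($1, openvpn_var_log_t)
+admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
 
 files_list_pids($1)
 admin_pattern($1, openvpn_var_run_t)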
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te |
59 |
index 7f71224..151ad36 100644 |
60 |
--- a/policy/modules/contrib/openvpn.te |
61 |
+++ b/policy/modules/contrib/openvpn.te |
62 |
@@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t) |
63 |
type openvpn_initrc_exec_t; |
64 |
init_script_file(openvpn_initrc_exec_t) |
65 |
|
66 |
+type openvpn_status_t; |
67 |
+logging_log_file(openvpn_status_t) |
68 |
+ |
69 |
type openvpn_var_log_t; |
70 |
logging_log_file(openvpn_var_log_t) |
71 |
|
72 |
@@ -58,6 +61,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms; |
73 |
allow openvpn_t openvpn_etc_t:file read_file_perms; |
74 |
allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; |
75 |
|
76 |
+allow openvpn_t openvpn_status_t:file manage_file_perms; |
77 |
+logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") |
78 |
+ |
79 |
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) |
80 |
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) |