From b5d89d03256b3451126639f3b69d39b9d8d7b998 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Mon, 28 Jun 2010 13:06:51 -0400
Subject: [PATCH] vpn patch from Dan Walsh fixed gen_require in vpn_relabelfrom_tun_socket interface (wrong type) removed userdom_read_home_certs (not in refpolicy)
---
 policy/modules/admin/vpn.if | 20 +++++++++++++++++++-
 policy/modules/admin/vpn.te | 2 +-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index b5272fb11..ccda6e4c4 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -110,7 +110,7 @@ interface(`vpn_signull',`
 ##
 ##
 #
-interface(`vpnc_dbus_chat',`
+interface(`vpn_dbus_chat',`
 gen_require(`
 type vpnc_t;
 class dbus send_msg;
@@ -119,3 +119,21 @@ interface(`vpnc_dbus_chat',`
 allow $1 vpnc_t:dbus send_msg;
 allow vpnc_t $1:dbus send_msg;
 ')
+
+########################################
+##
+## Relabelfrom from vpnc socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 796ad4521..0468e74df 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -30,7 +30,7 @@ allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t self:tun_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
 # cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;
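Review bot: The summary of the new `vpn_relabelfrom_tun_socket` interface, `Relabelfrom from vpnc socket.`, repeats "from" and does not name the object class the rule covers. The rule is `allow $1 vpnc_t:tun_socket relabelfrom;`, so a clearer summary would be `## Relabel from vpnc tun sockets.`. Because relabeling moves a socket out of the vpnc_t label, the comment block is also the place to say which kind of domain is expected to call this interface. The patch shows no caller, so that cannot be judged from here.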
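Review bot: The changed `allow vpnc_t self:tun_socket` rule in vpn.te adds `relabelfrom` but not `relabelto`. As far as I know, the kernel's TUN attach hook checks both when a domain attaches to an existing TUN device: `relabelfrom` against the socket's current label and `relabelto` against the attaching domain's own label. If so, vpnc_t would likely still hit a `relabelto` denial, which should be confirmed against audit logs before widening the rule. The rule would then read `allow vpnc_t self:tun_socket { create_socket_perms relabelfrom relabelto };`. Callers of `vpn_relabelfrom_tun_socket` in vpn.if are in the same position, since that interface grants only the from-side.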