RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tor: Added interfaces and types for obfs4proxy support. 

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
This commit is contained in:
Jonathan Davies 2021-12-01 00:09:00 +00:00
parent a329633889
commit dbd08aa705
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/services/tor.fc
View File

@ -8,6 +8,7 @@
/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor/data/pt_state(/.*)? gen_context(system_u:object_r:tor_pt_state_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)

22
policy/modules/services/tor.if
View File

@ -59,3 +59,25 @@ interface(`tor_admin',`
files_list_runtime($1)
admin_pattern($1, tor_runtime_t)
')
########################################
## <summary>
## Read and write Tor pluggable transport state var files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tor_rw_pt_state_var_files',`
gen_require(`
type tor_var_lib_t;
type tor_pt_state_var_lib_t;
')
files_search_var_lib($1)
allow $1 tor_var_lib_t:dir search_dir_perms;
allow $1 tor_pt_state_var_lib_t:dir search_dir_perms;
rw_files_pattern($1, tor_var_lib_t, tor_pt_state_var_lib_t)
')

13
policy/modules/services/tor.te
View File

@ -33,6 +33,9 @@ init_unit_file(tor_unit_t)
type tor_var_lib_t;
files_type(tor_var_lib_t)
type tor_pt_state_var_lib_t;
files_type(tor_pt_state_var_lib_t)
type tor_var_log_t;
logging_log_file(tor_var_log_t)
@ -59,6 +62,11 @@ allow tor_t tor_var_lib_t:file map;
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
allow tor_t tor_pt_state_var_lib_t:file append_file_perms;
manage_dirs_pattern(tor_t, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)
manage_files_pattern(tor_t, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)
filetrans_pattern(tor_t, tor_var_lib_t, tor_pt_state_var_lib_t, dir, "pt_state")
allow tor_t tor_var_log_t:dir setattr_dir_perms;
append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
@ -119,6 +127,11 @@ tunable_policy(`tor_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(tor_t)
')
optional_policy(`
obfs4proxy_domtrans(tor_t)
obfs4proxy_signal(tor_t)
')
optional_policy(`
seutil_sigchld_newrole(tor_t)
')