obfs4proxy: Added policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
This commit is contained in:
Jonathan Davies
parent
9788933467
commit
a329633889
|
|
@ -0,0 +1 @@
|
|||
/usr/bin/obfs4proxy -- gen_context(system_u:object_r:obfs4proxy_exec_t,s0)
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
## <summary>obfs4proxy.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run obfs4proxy.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`obfs4proxy_domtrans',`
|
||||
gen_require(`
|
||||
type obfs4proxy_t, obfs4proxy_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, obfs4proxy_exec_t, obfs4proxy_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Send terminated signals to obfs4proxy.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`obfs4proxy_signal',`
|
||||
gen_require(`
|
||||
type obfs4proxy_t;
|
||||
')
|
||||
|
||||
allow $1 obfs4proxy_t:process signal;
|
||||
')
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
policy_module(obfs4proxy, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine whether obfs4proxy can bind
|
||||
## tcp sockets to all unreserved ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(obfs4proxy_bind_all_unreserved_ports, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine whether obfs4proxy can bind
|
||||
## tcp sockets to all http ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(obfs4proxy_bind_http_ports, false)
|
||||
|
||||
type obfs4proxy_t;
|
||||
type obfs4proxy_exec_t;
|
||||
init_daemon_domain(obfs4proxy_t, obfs4proxy_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow obfs4proxy_t self:process signal;
|
||||
allow obfs4proxy_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
corenet_tcp_bind_generic_node(obfs4proxy_t)
|
||||
corenet_tcp_connect_all_unreserved_ports(obfs4proxy_t)
|
||||
|
||||
files_search_var_lib(obfs4proxy_t)
|
||||
fs_getattr_all_dirs(obfs4proxy_t)
|
||||
tor_rw_pt_state_var_files(obfs4proxy_t)
|
||||
|
||||
tunable_policy(`obfs4proxy_bind_all_unreserved_ports',`
|
||||
corenet_sendrecv_all_server_packets(obfs4proxy_t)
|
||||
corenet_tcp_bind_all_unreserved_ports(obfs4proxy_t)
|
||||
')
|
||||
|
||||
tunable_policy(`obfs4proxy_bind_http_ports',`
|
||||
corenet_tcp_bind_http_port(obfs4proxy_t)
|
||||
')
|
||||
Loading…
Reference in New Issue