diff --git a/policy/modules/services/obfs4proxy.fc b/policy/modules/services/obfs4proxy.fc new file mode 100644 index 000000000..716715db3 --- /dev/null +++ b/policy/modules/services/obfs4proxy.fc @@ -0,0 +1 @@ +/usr/bin/obfs4proxy -- gen_context(system_u:object_r:obfs4proxy_exec_t,s0) diff --git a/policy/modules/services/obfs4proxy.if b/policy/modules/services/obfs4proxy.if new file mode 100644 index 000000000..7b3229fe4 --- /dev/null +++ b/policy/modules/services/obfs4proxy.if @@ -0,0 +1,38 @@ +## obfs4proxy. + +######################################## +## +## Execute a domain transition to run obfs4proxy. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`obfs4proxy_domtrans',` + gen_require(` + type obfs4proxy_t, obfs4proxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, obfs4proxy_exec_t, obfs4proxy_t) +') + +###################################### +## +## Send terminated signals to obfs4proxy. +## +## +## +## Domain allowed access. +## +## +# +interface(`obfs4proxy_signal',` + gen_require(` + type obfs4proxy_t; + ') + + allow $1 obfs4proxy_t:process signal; +') diff --git a/policy/modules/services/obfs4proxy.te b/policy/modules/services/obfs4proxy.te new file mode 100644 index 000000000..450e6872c --- /dev/null +++ b/policy/modules/services/obfs4proxy.te @@ -0,0 +1,50 @@ +policy_module(obfs4proxy, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether obfs4proxy can bind +## tcp sockets to all unreserved ports. +##

+##
+gen_tunable(obfs4proxy_bind_all_unreserved_ports, false) + +## +##

+## Determine whether obfs4proxy can bind +## tcp sockets to all http ports. +##

+##
+gen_tunable(obfs4proxy_bind_http_ports, false) + +type obfs4proxy_t; +type obfs4proxy_exec_t; +init_daemon_domain(obfs4proxy_t, obfs4proxy_exec_t) + +######################################## +# +# Local policy +# + +allow obfs4proxy_t self:process signal; +allow obfs4proxy_t self:tcp_socket create_stream_socket_perms; + +corenet_tcp_bind_generic_node(obfs4proxy_t) +corenet_tcp_connect_all_unreserved_ports(obfs4proxy_t) + +files_search_var_lib(obfs4proxy_t) +fs_getattr_all_dirs(obfs4proxy_t) +tor_rw_pt_state_var_files(obfs4proxy_t) + +tunable_policy(`obfs4proxy_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(obfs4proxy_t) + corenet_tcp_bind_all_unreserved_ports(obfs4proxy_t) +') + +tunable_policy(`obfs4proxy_bind_http_ports',` + corenet_tcp_bind_http_port(obfs4proxy_t) +')