obfs4proxy: Added policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
parent
9788933467
commit
a329633889
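--- a/policy/modules/services/obfs4proxy.fc
+++ b/policy/modules/services/obfs4proxy.fc
@@ -0,0 +1 @@
+/usr/bin/obfs4proxy -- gen_context(system_u:object_r:obfs4proxy_exec_t,s0)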
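--- a/policy/modules/services/obfs4proxy.if
+++ b/policy/modules/services/obfs4proxy.if
@@ -0,0 +1,38 @@
+## <summary>obfs4proxy.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run obfs4proxy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`obfs4proxy_domtrans',`
+gen_require(`
+type obfs4proxy_t, obfs4proxy_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, obfs4proxy_exec_t, obfs4proxy_t)
+')
+
+######################################
+## <summary>
+## Send terminated signals to obfs4proxy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`obfs4proxy_signal',`
+gen_require(`
+type obfs4proxy_t;
+')
+
+allow $1 obfs4proxy_t:process signal;
+')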
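Review bot: The summary of `obfs4proxy_signal` reads "Send terminated signals to obfs4proxy", but the rule it documents is `allow $1 obfs4proxy_t:process signal;`, which grants the generic `signal` permission and is not limited to termination. A policy author choosing an interface from the generated documentation would underestimate what the caller is being granted. I would reword the summary line to `## Send generic signals to obfs4proxy.` so the description matches the permission.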
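--- a/policy/modules/services/obfs4proxy.te
+++ b/policy/modules/services/obfs4proxy.te
@@ -0,0 +1,50 @@
+policy_module(obfs4proxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether obfs4proxy can bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(obfs4proxy_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Determine whether obfs4proxy can bind
+## tcp sockets to all http ports.
+## </p>
+## </desc>
+gen_tunable(obfs4proxy_bind_http_ports, false)
+
+type obfs4proxy_t;
+type obfs4proxy_exec_t;
+init_daemon_domain(obfs4proxy_t, obfs4proxy_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow obfs4proxy_t self:process signal;
+allow obfs4proxy_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_bind_generic_node(obfs4proxy_t)
+corenet_tcp_connect_all_unreserved_ports(obfs4proxy_t)
+
+files_search_var_lib(obfs4proxy_t)
+fs_getattr_all_dirs(obfs4proxy_t)
+tor_rw_pt_state_var_files(obfs4proxy_t)
+
+tunable_policy(`obfs4proxy_bind_all_unreserved_ports',`
+corenet_sendrecv_all_server_packets(obfs4proxy_t)
+corenet_tcp_bind_all_unreserved_ports(obfs4proxy_t)
+')
+
+tunable_policy(`obfs4proxy_bind_http_ports',`
+corenet_tcp_bind_http_port(obfs4proxy_t)
+')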
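Review bot: `init_daemon_domain(obfs4proxy_t, obfs4proxy_exec_t)` only sets up the transition from init, so an obfs4proxy started by tor as a pluggable transport enters obfs4proxy_t only if tor's policy calls `obfs4proxy_domtrans`. No such call is part of this commit; without it the process presumably either stays in the caller's domain or is denied execution, and none of the rules here confine it. It is worth confirming that the caller exists and stating the launch model above the declaration, for example `# Started by tor as a pluggable transport; tor's policy must call obfs4proxy_domtrans().` Separately, the `obfs4proxy_bind_http_ports` block grants only `corenet_tcp_bind_http_port`, while the unreserved-ports block also grants `corenet_sendrecv_all_server_packets`. If labeled packets are in use, the http case probably needs the matching `corenet_sendrecv_http_server_packets(obfs4proxy_t)`.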