From: dominick.grift@gmail.com (grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 4/7] Support openvpn status file
Date: Tue, 27 Nov 2012 14:35:21 +0100
Message-ID: <1354023321.1888.13.camel@localhost>
In-Reply-To: <1353612118-9745-5-git-send-email-sven.vermeulen@siphos.be>
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> OpenVPN uses a status file that it constantly writes to (rather than append, as
> used for the other log files). As this is less of a log file and more of a state
> file, create a separate type and allow openvpn_t manage rights on it.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> openvpn.fc | 1 +
> openvpn.if | 4 ++--
> openvpn.te | 6 ++++++
> 3 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/openvpn.fc b/openvpn.fc
> index 9f86d3d..db5adfe 100644
> --- a/openvpn.fc
> +++ b/openvpn.fc
> @@ -5,6 +5,7 @@
>
> /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
>
> +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
> /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
>
> /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
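Review bot: the new `/var/log/openvpn-status\.log` entry overlaps with the existing `/var/log/openvpn.*` pattern on the next line; file context resolution prefers the entry with the longer literal stem, so the status file does end up as openvpn_status_t rather than openvpn_var_log_t, but that reliance on specificity ordering deserves a line in the commit message, and existing installs will need a restorecon of /var/log before the new label appears. The entry also only covers this one filename; an OpenVPN instance whose `status` option points somewhere else in /var/log keeps openvpn_var_log_t, and one that points outside /var/log gets whatever label that directory gives it.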
> diff --git a/openvpn.if b/openvpn.if
> index c11f537..03f4e60 100644
> --- a/openvpn.if
> +++ b/openvpn.if
> @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
> #
> interface(`openvpn_admin',`
> gen_require(`
> - type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
> type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
> ')
>
> @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
> admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
>
> logging_list_logs($1)
> - admin_pattern($1, openvpn_var_log_t)
> + admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
>
> files_list_pids($1)
> admin_pattern($1, openvpn_var_run_t)
> diff --git a/openvpn.te b/openvpn.te
> index 58607b0..9643979 100644
> --- a/openvpn.te
> +++ b/openvpn.te
> @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
> type openvpn_initrc_exec_t;
> init_script_file(openvpn_initrc_exec_t)
>
> +type openvpn_status_t;
> +logging_log_file(openvpn_status_t)
> +
> type openvpn_var_log_t;
> logging_log_file(openvpn_var_log_t)
>
> @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
> allow openvpn_t openvpn_etc_t:file read_file_perms;
> allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
>
> +allow openvpn_t openvpn_status_t:file manage_file_perms;
> +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> +
> manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
> filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
>
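Review bot: `allow openvpn_t openvpn_status_t:file manage_file_perms;` grants unlink, rename and link in addition to create and write on a file the message describes as being rewritten in place; if OpenVPN only truncates and rewrites it, `create_file_perms` together with `rw_file_perms` would be the tighter set, and if manage really is needed a comment saying why would help the next reader. Also note that the literal "openvpn-status.log" in `logging_log_filetrans` must stay in sync with the openvpn.fc entry (it does here), and that the name transition only fires for that exact name under var_log_t, so a status file configured under a different name is created as openvpn_var_log_t and then needs a relabel.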
Not sure if this is worth it and where other modules store this file, but I merged it with some minor cleanup, thanks.