From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] services_openvpn.patch
Date: Wed, 08 Oct 2008 21:14:33 -0400 [thread overview]
Message-ID: <48ED5AF9.4060105@redhat.com> (raw)
In-Reply-To: <1223496429.2165.122.camel@gorn.columbia.tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> Addition files in /var/log/openvpn need correcl labeling
>>
>> needs setgid and sys_chroot
>>
>> can exec scrpt files in the config directory
>>
>> connect to httpd port
>>
>> Need to interact with terminals if config option "auth-user-pass" is used
>
> Merged except for the terminals change, since sysadm is redundant and
> the unconfined part is missing too.
>
Why is sysadm_use_terms redundant?
########################################
## <summary>
## allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_use_terms',`
gen_require(`
type unconfined_devpts_t;
type unconfined_tty_device_t;
')
allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
allow $1 unconfined_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Do not audit attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_use_terms',`
gen_require(`
type unconfined_devpts_t;
type unconfined_tty_device_t;
')
dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjtWvkACgkQrlYvE4MpobMPEACfarVYWetXtxVUVN6BG5tmWaz7
rLwAoKG0n4FWqS4tQpjwXM4EDDK4smrb
=jTeF
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2008-10-09 1:14 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-24 20:13 [refpolicy] services_openvpn.patch Daniel J Walsh
2008-10-08 20:07 ` Christopher J. PeBenito
2008-10-09 1:14 ` Daniel J Walsh [this message]
-- strict thread matches above, loose matches on Subject: below --
2008-11-20 15:43 Daniel J Walsh
2009-03-05 16:51 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
2009-08-31 18:07 Daniel J Walsh
2009-09-01 8:31 ` Paul Howarth
2009-09-01 12:26 ` Daniel J Walsh
2009-09-01 13:32 ` Paul Howarth
2009-09-01 14:01 ` Daniel J Walsh
2009-09-02 13:24 ` Christopher J. PeBenito
2009-11-12 21:48 Daniel J Walsh
2010-02-23 20:31 Daniel J Walsh
2010-08-26 22:05 Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48ED5AF9.4060105@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.