* [refpolicy] services_openvpn.patch
@ 2009-11-12 21:48 Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:48 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
openvpn uses pam stack.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2010-08-26 22:05 Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:05 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_openvpn.patch
openvpn uses tmp files
tmpfs on var/run
Request kernel load tum module
reads certs in homedir
uses tun iface
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx25SwACgkQrlYvE4MpobOfQgCff+LHTySLT+OVp1wcHUceJO7s
BhAAoKSCoGuJ695Zd2kVXFOQKjHENLEo
=2xDQ
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2010-02-23 20:31 Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:31 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_openvpn.patch
Needs ipc_lock
Connects to http ports
Manage net_conf_t files.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2009-08-31 18:07 Daniel J Walsh
2009-09-01 8:31 ` Paul Howarth
2009-09-02 13:24 ` Christopher J. PeBenito
0 siblings, 2 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-08-31 18:07 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
Openvpn connects to cache ports and stores files in nfs and cifs directories.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2009-08-31 18:07 Daniel J Walsh
@ 2009-09-01 8:31 ` Paul Howarth
2009-09-01 12:26 ` Daniel J Walsh
2009-09-02 13:24 ` Christopher J. PeBenito
1 sibling, 1 reply; 15+ messages in thread
From: Paul Howarth @ 2009-09-01 8:31 UTC (permalink / raw)
To: refpolicy
On 31/08/09 19:07, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
>
> Openvpn connects to cache ports and stores files in nfs and cifs directories.
Under what circumstances does openvpn connect to http or http_cache ports?
Paul.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2009-09-01 8:31 ` Paul Howarth
@ 2009-09-01 12:26 ` Daniel J Walsh
2009-09-01 13:32 ` Paul Howarth
0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-09-01 12:26 UTC (permalink / raw)
To: refpolicy
On 09/01/2009 04:31 AM, Paul Howarth wrote:
> On 31/08/09 19:07, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
>>
>>
>> Openvpn connects to cache ports and stores files in nfs and cifs
>> directories.
>
> Under what circumstances does openvpn connect to http or http_cache ports?
>
> Paul.
I think they are using it to connect through firewalls.
Google openvpn and 80 gives you 174000 messages talking about running openvpn through port 80.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2009-09-01 12:26 ` Daniel J Walsh
@ 2009-09-01 13:32 ` Paul Howarth
2009-09-01 14:01 ` Daniel J Walsh
0 siblings, 1 reply; 15+ messages in thread
From: Paul Howarth @ 2009-09-01 13:32 UTC (permalink / raw)
To: refpolicy
On 01/09/09 13:26, Daniel J Walsh wrote:
> On 09/01/2009 04:31 AM, Paul Howarth wrote:
>> On 31/08/09 19:07, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
>>>
>>>
>>> Openvpn connects to cache ports and stores files in nfs and cifs
>>> directories.
>>
>> Under what circumstances does openvpn connect to http or http_cache ports?
>>
>> Paul.
>
> I think they are using it to connect through firewalls.
>
> Google openvpn and 80 gives you 174000 messages talking about running openvpn through port 80.
Ah right, so it'll use http_cache_t to do this with a proxy too.
Understood.
Paul.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2009-09-01 13:32 ` Paul Howarth
@ 2009-09-01 14:01 ` Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-09-01 14:01 UTC (permalink / raw)
To: refpolicy
On 09/01/2009 09:32 AM, Paul Howarth wrote:
> On 01/09/09 13:26, Daniel J Walsh wrote:
>> On 09/01/2009 04:31 AM, Paul Howarth wrote:
>>> On 31/08/09 19:07, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
>>>>
>>>>
>>>>
>>>> Openvpn connects to cache ports and stores files in nfs and cifs
>>>> directories.
>>>
>>> Under what circumstances does openvpn connect to http or http_cache
>>> ports?
>>>
>>> Paul.
>>
>> I think they are using it to connect through firewalls.
>>
>> Google openvpn and 80 gives you 174000 messages talking about running
>> openvpn through port 80.
>
> Ah right, so it'll use http_cache_t to do this with a proxy too.
>
> Understood.
>
> Paul.
Not that I have ever set one up. I allow the Rawhide/Fedora users/testers to train me how people setup these apps.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2009-08-31 18:07 Daniel J Walsh
2009-09-01 8:31 ` Paul Howarth
@ 2009-09-02 13:24 ` Christopher J. PeBenito
1 sibling, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-09-02 13:24 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-08-31 at 14:07 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_openvpn.patch
>
> Openvpn connects to cache ports and stores files in nfs and cifs
> directories.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2009-03-05 16:51 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:51 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_openvpn.patch
openvpn want to write /etc/openvpn/ipp.txt
networkmanager needs lots of signal interfaces to communicate with it.
Write /etc/resolv.conf and friends.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmwAvUACgkQrlYvE4MpobNDQwCfX1pagK3IQPgs3TtF3LOiTMW8
zZUAoKsqY0qDIHJw5eERw0E2sLjXX908
=T3f0
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2008-11-20 15:43 Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-11-20 15:43 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_openvpn.patch
openvpn needs to write to /etc/openvpn/ipp.txt
Add kill and signull interfaces to be called by network manager.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkklhY8ACgkQrlYvE4MpobNTqACgrCqwjD3MMqM4enV+KO9Z5cxa
UiYAoND7/CvYrpA26S3GM2Bn1EcE0seU
=sJ7S
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
@ 2008-09-24 20:13 Daniel J Walsh
2008-10-08 20:07 ` Christopher J. PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:13 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
Addition files in /var/log/openvpn need correcl labeling
needs setgid and sys_chroot
can exec scrpt files in the config directory
connect to httpd port
Need to interact with terminals if config option "auth-user-pass" is used
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjan3UACgkQrlYvE4MpobPvgQCgvUa+2msek9gwAat5q0ciXzdC
V3AAnA5MDBh/Y4RUawqAP0FCejWWiBUA
=Rrq9
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2008-09-24 20:13 Daniel J Walsh
@ 2008-10-08 20:07 ` Christopher J. PeBenito
2008-10-09 1:14 ` Daniel J Walsh
0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-10-08 20:07 UTC (permalink / raw)
To: refpolicy
On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>
> Add initrc script support
>
> allow admin to start/stop service
>
> Admin needs admin_pattern on all file types
>
> Addition files in /var/log/openvpn need correcl labeling
>
> needs setgid and sys_chroot
>
> can exec scrpt files in the config directory
>
> connect to httpd port
>
> Need to interact with terminals if config option "auth-user-pass" is used
Merged except for the terminals change, since sysadm is redundant and
the unconfined part is missing too.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] services_openvpn.patch
2008-10-08 20:07 ` Christopher J. PeBenito
@ 2008-10-09 1:14 ` Daniel J Walsh
0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-10-09 1:14 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:13 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_openvpn.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> Addition files in /var/log/openvpn need correcl labeling
>>
>> needs setgid and sys_chroot
>>
>> can exec scrpt files in the config directory
>>
>> connect to httpd port
>>
>> Need to interact with terminals if config option "auth-user-pass" is used
>
> Merged except for the terminals change, since sysadm is redundant and
> the unconfined part is missing too.
>
Why is sysadm_use_terms redundant?
########################################
## <summary>
## allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_use_terms',`
gen_require(`
type unconfined_devpts_t;
type unconfined_tty_device_t;
')
allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
allow $1 unconfined_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Do not audit attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_use_terms',`
gen_require(`
type unconfined_devpts_t;
type unconfined_tty_device_t;
')
dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjtWvkACgkQrlYvE4MpobMPEACfarVYWetXtxVUVN6BG5tmWaz7
rLwAoKG0n4FWqS4tQpjwXM4EDDK4smrb
=jTeF
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2010-08-26 22:05 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-11-12 21:48 [refpolicy] services_openvpn.patch Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2010-08-26 22:05 Daniel J Walsh
2010-02-23 20:31 Daniel J Walsh
2009-08-31 18:07 Daniel J Walsh
2009-09-01 8:31 ` Paul Howarth
2009-09-01 12:26 ` Daniel J Walsh
2009-09-01 13:32 ` Paul Howarth
2009-09-01 14:01 ` Daniel J Walsh
2009-09-02 13:24 ` Christopher J. PeBenito
2009-03-05 16:51 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
2008-11-20 15:43 Daniel J Walsh
2008-09-24 20:13 Daniel J Walsh
2008-10-08 20:07 ` Christopher J. PeBenito
2008-10-09 1:14 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.