From 48f969d319d6f17263fd46a58c471f4cca888750 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 20 2014 10:38:07 +0000 Subject: * Thu Nov 20 2014 Lukas Vrabec 3.13.1-96 - Allow NetworkManager stream connect on openvpn. BZ(1165110) --- diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b12d4b0..a40dcab 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -54988,7 +54988,7 @@ index 86dc29d..98fdac1 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..4e7b106 100644 +index 55f2009..6dc7fb1 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -55326,7 +55326,11 @@ index 55f2009..4e7b106 100644 ') optional_policy(` -@@ -289,6 +350,7 @@ optional_policy(` +@@ -286,9 +347,11 @@ optional_policy(` + openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) ++ openvpn_stream_connect(NetworkManager_t) ') optional_policy(` @@ -55334,7 +55338,7 @@ index 55f2009..4e7b106 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +358,7 @@ optional_policy(` +@@ -296,7 +359,7 @@ optional_policy(` ') optional_policy(` @@ -55343,7 +55347,7 @@ index 55f2009..4e7b106 100644 ') optional_policy(` -@@ -307,6 +369,7 @@ optional_policy(` +@@ -307,6 +370,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -55351,7 +55355,7 @@ index 55f2009..4e7b106 100644 ') optional_policy(` -@@ -320,14 +383,20 @@ optional_policy(` +@@ -320,14 +384,20 @@ optional_policy(` ') optional_policy(` @@ -55377,7 +55381,7 @@ index 55f2009..4e7b106 100644 ') optional_policy(` -@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +427,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -61896,7 +61900,7 @@ index 300213f..4cdfe09 100644 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) diff --git a/openvpn.if b/openvpn.if -index 6837e9a..21e6dae 100644 +index 6837e9a..9bac89c 100644 --- a/openvpn.if +++ b/openvpn.if @@ -23,6 +23,25 @@ interface(`openvpn_domtrans',` @@ -61925,7 +61929,34 @@ index 6837e9a..21e6dae 100644 ## openvpn domain, and allow the ## specified role the openvpn domain. ## -@@ -147,9 +166,13 @@ interface(`openvpn_admin',` +@@ -123,6 +142,26 @@ interface(`openvpn_read_config',` + allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; + ') + ++#################################### ++## ++## Connect to openvpn over ++## a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvpn_stream_connect',` ++ gen_require(` ++ type openvpn_t, openvpn_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -147,9 +186,13 @@ interface(`openvpn_admin',` type openvpn_status_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 690ebbb..8b69712 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 95%{?dist} +Release: 96%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Nov 20 2014 Lukas Vrabec 3.13.1-96 +- Allow NetworkManager stream connect on openvpn. BZ(1165110) + * Wed Nov 19 2014 Lukas Vrabec 3.13.1-95 - Allow networkmanager manage also openvpn sock pid files.