86 lines
2.1 KiB
Text
86 lines
2.1 KiB
Text
|
policy_module(openfortivpn, 1.0.0)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Determine whether openfortivpn can
|
||
|
## connect to the TCP network.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(openfortivpn_can_network_connect, true)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
|
||
|
type openfortivpn_t;
|
||
|
role system_r types openfortivpn_t;
|
||
|
type openfortivpn_exec_t;
|
||
|
init_daemon_domain(openfortivpn_t, openfortivpn_exec_t)
|
||
|
|
||
|
type openfortivpn_var_lib_t;
|
||
|
files_type(openfortivpn_var_lib_t)
|
||
|
|
||
|
type openfortivpn_devpts_t;
|
||
|
term_pty(openfortivpn_devpts_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Local policy
|
||
|
#
|
||
|
|
||
|
# User certificates are typically not world-readable and are owned by the user
|
||
|
allow openfortivpn_t self:capability { dac_read_search };
|
||
|
|
||
|
# Talking to pppd via the PTY
|
||
|
allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||
|
|
||
|
manage_dirs_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
|
||
|
manage_files_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
|
||
|
|
||
|
kernel_read_network_state(openfortivpn_t)
|
||
|
|
||
|
can_exec(openfortivpn_t, openfortivpn_exec_t)
|
||
|
|
||
|
corecmd_exec_shell(openfortivpn_t)
|
||
|
|
||
|
# No standard port for SSLVPN
|
||
|
corenet_all_recvfrom_unlabeled(openfortivpn_t)
|
||
|
corenet_sendrecv_all_client_packets(openfortivpn_t)
|
||
|
corenet_tcp_sendrecv_generic_if(openfortivpn_t)
|
||
|
corenet_tcp_sendrecv_generic_node(openfortivpn_t)
|
||
|
|
||
|
fs_dontaudit_getattr_xattr_fs(openfortivpn_t)
|
||
|
|
||
|
# PTY to pppd
|
||
|
term_create_pty(openfortivpn_t, openfortivpn_devpts_t)
|
||
|
|
||
|
auth_dontaudit_read_passwd(openfortivpn_t)
|
||
|
auth_use_nsswitch(openfortivpn_t)
|
||
|
|
||
|
logging_send_syslog_msg(openfortivpn_t)
|
||
|
|
||
|
sysnet_manage_config(openfortivpn_t)
|
||
|
|
||
|
userdom_read_home_certs(openfortivpn_t)
|
||
|
|
||
|
tunable_policy(`openfortivpn_can_network_connect',`
|
||
|
corenet_tcp_connect_all_ports(openfortivpn_t)
|
||
|
corenet_tcp_sendrecv_all_ports(openfortivpn_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(openfortivpn_t)
|
||
|
dbus_connect_system_bus(openfortivpn_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
networkmanager_dbus_chat(openfortivpn_t)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ppp_domtrans(openfortivpn_t)
|
||
|
ppp_signal(openfortivpn_t)
|
||
|
ppp_kill(openfortivpn_t)
|
||
|
')
|