Update dbusd policy and netowrkmanager to allow confined users to con…

…nect to vpn over NetworkManager
fedora-selinux · Jul 9, 2019 · 9e9bb01 · 9e9bb01
1 parent 7d3bcf4
commit 9e9bb01
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/dbus.te b/dbus.te
@@ -295,7 +295,7 @@ dontaudit session_bus_type self:process setrlimit;
 allow session_bus_type self:file { getattr read write };
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
 allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_stream_socket { connectto create_stream_socket_perms };
 allow session_bus_type self:unix_dgram_socket create_socket_perms;
 allow session_bus_type self:tcp_socket create_stream_socket_perms;
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
@@ -312,6 +312,8 @@ userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir soc
 
 kernel_read_kernel_sysctls(session_bus_type)
 
+can_exec(session_bus_type, dbusd_exec_t)
+
 corecmd_list_bin(session_bus_type)
 corecmd_read_bin_symlinks(session_bus_type)
 corecmd_read_bin_files(session_bus_type)
@@ -355,6 +357,7 @@ term_use_all_inherited_terms(session_bus_type)
 userdom_dontaudit_search_admin_dir(session_bus_type)
 userdom_manage_user_home_content_dirs(session_bus_type)
 userdom_manage_user_home_content_files(session_bus_type)
+userdom_write_user_tmp_sockets(session_bus_type)
 userdom_manage_tmpfs_files(session_bus_type, file)
 userdom_tmpfs_filetrans(session_bus_type, file)
 

diff --git a/openvpn.if b/openvpn.if
@@ -162,6 +162,25 @@ interface(`openvpn_stream_connect',`
 	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
 ')
 
+########################################
+## <summary>
+##	Search openvpn lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_search_lib',`
+	gen_require(`
+		type openvpn_var_lib_t;
+	')
+
+	allow $1 openvpn_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to sopenvpn_image devices.
@@ -177,7 +196,7 @@ interface(`openvpn_noatsecure',`
 		type openvpn_t;
 	')
 
-    allow $1 openvpn_t:process noatsecure;
+    allow $1 openvpn_t:process { rlimitinh siginh noatsecure };
 ')
 
 ########################################

diff --git a/openvpn.te b/openvpn.te
@@ -89,6 +89,7 @@ manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
 files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 
 manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+manage_dirs_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
 files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
 
 allow openvpn_t openvpn_tmp_t:file manage_file_perms;