From 9e9bb01a0b4a6e716368c4c73639363daae12fe7 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Tue, 9 Jul 2019 20:55:04 +0200
Subject: [PATCH] Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager

---
 dbus.te | 5 ++++-
 openvpn.if | 21 ++++++++++++++++++++-
 openvpn.te | 1 +
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/dbus.te b/dbus.te
index 2c287c9415..995f07d425 100644
--- a/dbus.te
+++ b/dbus.te
@@ -295,7 +295,7 @@ dontaudit session_bus_type self:process setrlimit;
 allow session_bus_type self:file { getattr read write };
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
 allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_stream_socket { connectto create_stream_socket_perms };
 allow session_bus_type self:unix_dgram_socket create_socket_perms;
 allow session_bus_type self:tcp_socket create_stream_socket_perms;
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
@@ -312,6 +312,8 @@ userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir soc
 kernel_read_kernel_sysctls(session_bus_type)
+can_exec(session_bus_type, dbusd_exec_t)
+
 corecmd_list_bin(session_bus_type)
 corecmd_read_bin_symlinks(session_bus_type)
 corecmd_read_bin_files(session_bus_type)
@@ -355,6 +357,7 @@ term_use_all_inherited_terms(session_bus_type)
 userdom_dontaudit_search_admin_dir(session_bus_type)
 userdom_manage_user_home_content_dirs(session_bus_type)
 userdom_manage_user_home_content_files(session_bus_type)
+userdom_write_user_tmp_sockets(session_bus_type)
 userdom_manage_tmpfs_files(session_bus_type, file)
 userdom_tmpfs_filetrans(session_bus_type, file)
diff --git a/openvpn.if b/openvpn.if
index 8d6e33b005..87fbcae79f 100644
--- a/openvpn.if
+++ b/openvpn.if
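Review bot: The three new dbus.te grants — `connectto` on the session bus's own unix_stream_socket in the first hunk, `can_exec(session_bus_type, dbusd_exec_t)` in the second and `userdom_write_user_tmp_sockets(session_bus_type)` in the third — carry no comment saying which denial or code path each one resolves, and the commit message only names the end goal of confined users reaching a VPN through NetworkManager. `can_exec` in particular lets every session_bus_type domain execute dbusd_exec_t in its own domain with no transition, which reads wider than the stated use case; if a specific helper is what needs it, a narrower rule or at least a rationale would help the next reader. Suggest a comment above that line such as `# session bus executes dbusd_exec_t without a domain transition; resolves <AVC denial placeholder>` and equivalent one-liners on the other two additions. The session_bus_type rule block each hunk sits in starts and ends outside the hunk.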
@@ -162,6 +162,25 @@ interface(`openvpn_stream_connect',`
 stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
 ')
+########################################
+##
+## Search openvpn lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_search_lib',`
+ gen_require(`
+ type openvpn_var_lib_t;
+ ')
+
+ allow $1 openvpn_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
 ########################################
 ##
 ## Read and write to sopenvpn_image devices.
@@ -177,7 +196,7 @@ interface(`openvpn_noatsecure',`
 type openvpn_t;
 ')
- allow $1 openvpn_t:process noatsecure;
+ allow $1 openvpn_t:process { rlimitinh siginh noatsecure };
 ')
 ########################################
diff --git a/openvpn.te b/openvpn.te
index 732b66c49c..83648ab237 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -89,6 +89,7 @@ manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
 files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+manage_dirs_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
 files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
 allow openvpn_t openvpn_tmp_t:file manage_file_perms;
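Review bot: In the second openvpn.if hunk, `openvpn_noatsecure` now grants `{ rlimitinh siginh noatsecure }`, but the interface name and its summary block (above the hunk, outside what is shown) still describe only noatsecure, so a caller reading the .if will not see that a transition into openvpn_t now also inherits the caller's resource limits and signal state. Either update the summary to something like `## Allow the domain to transition to openvpn_t without clearing AT_SECURE, and to keep its resource limits and signal state across the transition.`, or add a sibling interface whose name reflects the wider grant and leave openvpn_noatsecure as it was for existing callers. The interface's opening line and gen_require block begin before the hunk.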