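diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
--- ./contrib/selinux/cjdns.te.selinux 2015-11-02 17:59:41.000000000 -0500
+++ ./contrib/selinux/cjdns.te 2015-11-03 00:10:49.098890187 -0500
@@ -7,8 +7,8 @@ require {
 type port_t;
 type unreserved_port_t;
 type tmp_t;
- type kernel_t;
 type passwd_file_t;
+ type net_conf_t;
 }
 
 type cjdns_t;
@@ -18,23 +18,23 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
 #============= cjdns_t ==============
 # Let master process run further restricted subprocess
 allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
 allow cjdns_t self:process { signal getcap setrlimit setcap };
-allow cjdns_t kernel_t:system module_request;
 # translate username to uid
 allow cjdns_t passwd_file_t:file { read getattr open };
 
+# translate host names
+allow cjdns_t net_conf_t:file { read getattr open };
 # allow network access
 allow cjdns_t node_t:udp_socket node_bind;
 allow cjdns_t port_t:udp_socket name_bind;
 allow cjdns_t unreserved_port_t:udp_socket name_bind;
-allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write nlmsg_write };
 allow cjdns_t self:packet_socket { bind create ioctl read write };
 allow cjdns_t self:tun_socket create;
-allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write };
+allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write connect };
 allow cjdns_t tun_tap_device_t:chr_file { read write open ioctl };
 
-
 # management API
 allow cjdns_t self:unix_stream_socket connectto;
 allow cjdns_t tmp_t:sock_file { write create unlink };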
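Review bot: The `nlmsg_write` added to the `netlink_route_socket` rule is the one widening in this hunk left without a comment; unlike `nlmsg_read` it permits sending route and link modification messages, and together with the `net_admin` capability kept on the line above it is the authority to alter the host's routing table, so someone auditing the policy cannot tell from the file that it is meant only for the daemon's own TUN interface. The `net_conf_t` rule right above gets `# translate host names`; the netlink line and the `udp_socket` `connect` addition deserve the same, e.g. `# configure address/routes on the TUN interface (nlmsg_write)` plus a one-line note naming the operation that needs `connect` — presumably connected UDP sockets towards peers, which cannot be confirmed from this page. Dropping `sys_module` and the `kernel_t:system module_request` rule is a clean tightening and needs nothing further.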