authorToni Uhlig <matzeton@googlemail.com>2019-04-09 16:11:38 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-04-09 16:11:38 +0200
commitf62bbc82579868aa1c494b0082136ed7c3c583f7 (patch)
treefd749d5ae391efdc7d87b3d88db07b41f2116358
parent1c04661dc9b11c6506e96a21e79b3587b4038a28 (diff)
updated selinux policy file and added compile script
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--selinux/compile.sh10
-rw-r--r--selinux/ptunnel-ng.te60
-rw-r--r--selinux/ptunnel.te22
3 files changed, 70 insertions, 22 deletions
diff --git a/selinux/compile.sh b/selinux/compile.sh
new file mode 100644
index 0000000..f70ab1b
--- /dev/null
+++ b/selinux/compile.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -x
+set -e
+
+OUTDIR="$(dirname $0)"
+checkmodule -M -m -o ${OUTDIR}/ptunnel-ng.mod ${OUTDIR}/ptunnel-ng.te
+semodule_package -o ${OUTDIR}/ptunnel-ng.pp -m ${OUTDIR}/ptunnel-ng.mod
+
+exit 0
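Review bot: `$0` and `${OUTDIR}` are expanded unquoted in the `dirname` call and in both tool invocations, so a checkout path containing whitespace is split into several arguments and the build silently points at the wrong files; write `OUTDIR="$(dirname -- "$0")"` and quote the expansions, e.g. `checkmodule -M -m -o "${OUTDIR}/ptunnel-ng.mod" "${OUTDIR}/ptunnel-ng.te"`. With `set -e` in effect the trailing `exit 0` is redundant, because any failing command already ends the script with a non-zero status. A one-line header comment such as `# Build the loadable SELinux module ptunnel-ng.pp from ptunnel-ng.te (needs checkmodule and semodule_package); load it separately with semodule -i` would tell readers what the output is and that this script does not install it.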
diff --git a/selinux/ptunnel-ng.te b/selinux/ptunnel-ng.te
new file mode 100644
index 0000000..79412d2
--- /dev/null
+++ b/selinux/ptunnel-ng.te
@@ -0,0 +1,60 @@
+
+module ptunnel-ng 1.0;
+
+require {
+ type local_login_t;
+ type file_context_t;
+ type unconfined_t;
+ type lvm_t;
+ type bin_t;
+ type gpmctl_t;
+ type tracefs_t;
+ type dpkg_script_t;
+ type xconsole_device_t;
+ type modules_object_t;
+ type initrc_var_run_t;
+ type var_run_t;
+ type debugfs_t;
+ type udev_var_run_t;
+ type bootloader_t;
+ type tmp_t;
+ type fsadm_run_t;
+ class file { create execmod execute execute_no_trans getattr link open read rename setattr unlink write };
+ class capability sys_module;
+ class dir { add_name getattr remove_name search write };
+ class fifo_file getattr;
+ class sock_file getattr;
+ class system module_load;
+}
+
+#============= bootloader_t ==============
+allow bootloader_t debugfs_t:dir search;
+allow bootloader_t file_context_t:dir search;
+allow bootloader_t file_context_t:file { getattr open read };
+allow bootloader_t fsadm_run_t:dir { add_name getattr remove_name write };
+allow bootloader_t fsadm_run_t:file { create getattr link open read rename setattr unlink write };
+allow bootloader_t gpmctl_t:sock_file getattr;
+allow bootloader_t modules_object_t:system module_load;
+allow bootloader_t self:capability sys_module;
+allow bootloader_t tmp_t:file { execute execute_no_trans getattr open read };
+allow bootloader_t tracefs_t:dir search;
+allow bootloader_t udev_var_run_t:file { getattr open read };
+allow bootloader_t xconsole_device_t:fifo_file getattr;
+
+#============= dpkg_script_t ==============
+
+#!!!! This avc can be allowed using the boolean 'allow_execmod'
+allow dpkg_script_t bin_t:file execmod;
+
+#============= local_login_t ==============
+allow local_login_t initrc_var_run_t:file unlink;
+allow local_login_t var_run_t:dir { add_name remove_name write };
+allow local_login_t var_run_t:file { getattr open read rename unlink };
+
+#============= lvm_t ==============
+allow lvm_t initrc_var_run_t:dir { add_name getattr write };
+
+#============= unconfined_t ==============
+
+#!!!! This avc can be allowed using the boolean 'allow_execmod'
+allow unconfined_t bin_t:file execmod;
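Review bot: None of the allow rules in ptunnel-ng.te concern ptunnel-ng: no ptunnel domain or type is declared in the new file (the deleted ptunnel.te had `type ptunnel_t;`), and every rule instead widens unrelated system domains — bootloader_t, dpkg_script_t, local_login_t, lvm_t and unconfined_t. Several of those grants are security-relevant on their own: `allow bootloader_t tmp_t:file { execute execute_no_trans getattr open read };` lets the bootloader domain execute files labelled tmp_t, and `allow bootloader_t self:capability sys_module;` together with `allow bootloader_t modules_object_t:system module_load;` lets it load kernel modules. The `#!!!!` comment lines look like audit2allow output, which suggests the file was generated from a denial log rather than written to confine this daemon; the two execmod rules (`allow dpkg_script_t bin_t:file execmod;` and `allow unconfined_t bin_t:file execmod;`) should be replaced by the `allow_execmod` boolean the comment itself names, and each remaining rule either dropped or justified with a comment naming the denial it fixes. At minimum a header comment such as `# WARNING: rules below were generated from AVC denials and affect system domains, not ptunnel-ng itself; review each one before semodule -i` would stop someone loading this as a ptunnel-ng confinement policy.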
diff --git a/selinux/ptunnel.te b/selinux/ptunnel.te
deleted file mode 100644
index 995c765..0000000
--- a/selinux/ptunnel.te
+++ /dev/null
@@ -1,22 +0,0 @@
-policy_module(ptunnel, 1.7)
-
-require {
- type initrc_t;
- type unconfined_t;
- type unlabeled_t;
- class tcp_socket { read write create connect };
- class association recvfrom;
- class rawip_socket { write read };
-}
-
-type ptunnel_t;
-domain_dyntrans_type(initrc_t)
-
-allow ptunnel_t self:tcp_socket { read write create connect };
-allow ptunnel_t unconfined_t:rawip_socket { write read };
-allow ptunnel_t unlabeled_t:association recvfrom;
-corenet_tcp_sendrecv_generic_if(ptunnel_t)
-corenet_tcp_sendrecv_ssh_port(ptunnel_t)
-corenet_raw_receive_generic_node(ptunnel_t)
-corenet_tcp_connect_ssh_port(ptunnel_t)
-corenet_tcp_sendrecv_lo_node(ptunnel_t)