commit:     a196620b5a540acc33ced5f9541974489bd30605
Author:     David Sommerseth <davids <AT> openvpn <DOT> net>
AuthorDate: Fri Jan 27 08:50:22 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:07 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a196620b

openvpn: Allow netlink genl

OpenVPN 2.6 can use an OpenVPN specific kernel module to handle the VPN
data channel.  The communication between userspace and kernel space happens
over a generic netlink interface.

Without this access, the following denials can be found in the logs

  [...] denied  { create } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { setopt } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { bind } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { getattr } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket

Signed-off-by: David Sommerseth <davids <AT> openvpn.net>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/openvpn.te | 1 +
 1 file changed, 1 insertion(+)
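The commit message derives the new rule from four AVC denials in the audit log. The script below is an added example, not part of the refpolicy commit or of OpenVPN, showing the same derivation done mechanically: it parses AVC "denied" lines, groups the denied permissions by (scontext, tcontext, tclass), maps contexts to their type field, and prints a refpolicy-style allow rule, using `self` when source and target type match, the way the committed line does. The sample log lines are constructed for this example (the pid, timestamps, the `avc:` prefix and the extra `openvpn_etc_t:file` denial are made up); the function name `avc_to_allow` is this example's own.

```shell
#!/bin/sh
# Constructed sample AVC records, modelled on the denials quoted in the commit
# message. Timestamps, pid and the last (file read) denial are made up so the
# grouping of more than one (scontext, tcontext, tclass) key is visible.
SAMPLE_AVC='type=AVC msg=audit(1674809422.101:311): avc:  denied  { create } for  pid=4242 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1674809422.102:312): avc:  denied  { setopt } for  pid=4242 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1674809422.103:313): avc:  denied  { bind } for  pid=4242 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1674809422.104:314): avc:  denied  { getattr } for  pid=4242 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1674809422.105:315): avc:  denied  { read } for  pid=4242 comm="openvpn" name="server.conf" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC lines on stdin, print one "allow" rule per
# (scontext, tcontext, tclass) triple with the union of denied permissions.
avc_to_allow() {
    # Pass 1: one line per denied permission: "<scontext> <tcontext> <tclass> <perm>".
    awk '
    /denied +[{]/ {
        # Permissions sit between the braces, e.g. "{ create }" or "{ read write }".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        } else next
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) if (p[j] != "") print s, t, c, p[j]
    }' | LC_ALL=C sort -u | awk '
    # Pass 2: input is sorted, so equal keys are adjacent; collect perms per key.
    function type(ctx,  a) { split(ctx, a, ":"); return a[3] }   # user:role:type:level -> type
    function emit() {
        printf "allow %s %s:%s { %s };\n", st, (st == tt ? "self" : tt), cls, perms
    }
    {
        key = $1 "\t" $2 "\t" $3
        if (key != prev) {
            if (prev != "") emit()
            prev = key; st = type($1); tt = type($2); cls = $3; perms = ""
        }
        perms = perms (perms == "" ? "" : " ") $4
    }
    END { if (prev != "") emit() }'
}

# Stand-alone run: print the rules derived from the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

The result for the netlink denials is `allow openvpn_t self:netlink_generic_socket { bind create getattr setopt };`, which is the literal set of denied permissions; the committed rule widens that to `create_socket_perms` so the socket can also be read, written and queried once the daemon actually exchanges messages with the module. Generated rules are a starting point for review, not something to paste into policy unread: check each one against what the program legitimately needs (here, the commit message's description of the data-channel kernel module) before granting it.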

diff --git a/policy/modules/services/openvpn.te 
b/policy/modules/services/openvpn.te
index be3642ec6..e97730fbd 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -62,6 +62,7 @@ allow openvpn_t self:unix_stream_socket { accept connectto 
listen };
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow openvpn_t self:netlink_route_socket nlmsg_write;
+allow openvpn_t self:netlink_generic_socket create_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 allow openvpn_t openvpn_etc_t:file read_file_perms;
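Review bot: the added `allow openvpn_t self:netlink_generic_socket create_socket_perms;` carries no comment saying why it is needed, while the commit message ties it specifically to the OpenVPN 2.6 kernel data-channel module talking over generic netlink; a one-line comment above it (for example `# OpenVPN 2.6 data channel kernel module: generic netlink`) would keep that context in the policy file, where a later cleanup of "unexplained" self rules would otherwise see only the bare rule. The permission set itself looks right: `create_socket_perms` covers the four denied permissions quoted in the log (create, setopt, bind, getattr) and the read/write/getopt access the daemon will need once it exchanges messages, and `netlink_generic_socket` has no separate nlmsg_* permissions, so nothing beyond this line is required for the netlink side.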
