diff options
Diffstat (limited to 'policy/modules/services/l2tp.if')
| -rw-r--r-- | policy/modules/services/l2tp.if | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/policy/modules/services/l2tp.if b/policy/modules/services/l2tp.if new file mode 100644 index 00000000..24d3c444 --- /dev/null +++ b/policy/modules/services/l2tp.if @@ -0,0 +1,99 @@ +## <summary>Layer 2 Tunneling Protocol.</summary> + +######################################## +## <summary> +## Send to l2tpd with a unix +## domain dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`l2tpd_dgram_send',` + gen_require(` + type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; + ') + + files_search_pids($1) + files_search_tmp($1) + dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) +') + +######################################## +## <summary> +## Read and write l2tpd sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`l2tpd_rw_socket',` + gen_require(` + type l2tpd_t; + ') + + allow $1 l2tpd_t:socket rw_socket_perms; +') + +##################################### +## <summary> +## Connect to l2tpd with a unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`l2tpd_stream_connect',` + gen_require(` + type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t; + ') + + files_search_pids($1) + files_search_tmp($1) + stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an l2tp environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`l2tp_admin',` + gen_require(` + type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; + type l2tp_conf_t, l2tpd_tmp_t; + ') + + allow $1 l2tpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, l2tpd_t) + + init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, l2tp_conf_t) + + files_search_pids($1) + admin_pattern($1, l2tpd_var_run_t) + + files_search_tmp($1) + admin_pattern($1, l2tpd_tmp_t) +') |