[PATCH v5 42/42] selinux: Add Type Enforcement rule compilation

Jukka Rissanen jukka.rissanen at linux.intel.com
Mon Nov 12 04:07:58 PST 2012


The SELinux rules are needed for VPN. They allow the various VPN
clients to send notifications to connman-vpnd via the net.connman.Task
D-Bus interface when the connman processes are run under systemd
and the system is in enforcing mode.
---
 Makefile.am         | 10 ++++++++++
 README              | 11 +++++++++++
 configure.ac        |  5 +++++
 vpn/connman-task.te | 16 ++++++++++++++++
 4 files changed, 42 insertions(+)
 create mode 100644 vpn/connman-task.te

diff --git a/Makefile.am b/Makefile.am
index b22213e..21d820e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -377,6 +377,16 @@ else
 endif
 endif
 
+if SELINUX
+if VPN
+EXTRA_DIST += connman-task.pp
+CLEANFILES += connman-task.pp
+endif
+
+connman-task.pp: vpn/connman-task.te
+	make -f /usr/share/selinux/devel/Makefile
+endif
+
 include/connman/version.h: include/version.h
 	$(AM_V_at)$(MKDIR_P) include/connman
 	$(AM_V_GEN)$(LN_S) $(abs_top_builddir)/$< $@
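Review bot: The recipe `make -f /usr/share/selinux/devel/Makefile` calls bare `make` instead of `$(MAKE)`, so recursive make flags and the jobserver are dropped, and the policy devel path is hard-coded with no configure-time check, so a host without the selinux-policy development files only fails here at build time; `$(MAKE) -f /usr/share/selinux/devel/Makefile` is the minimum fix, with the path ideally substituted by configure. The refpolicy devel Makefile builds the `.te` files it finds in the working directory, so with the source in `vpn/` it is not clear from this hunk how `connman-task.pp` is produced from `vpn/connman-task.te` — presumably the rule is meant to run in `vpn/` or copy the file first, which should be made explicit. `EXTRA_DIST += connman-task.pp` ships a built binary policy module in the tarball, while nothing in this hunk adds `vpn/connman-task.te` itself to `EXTRA_DIST`, so a distribution built without SELinux would not carry the source; distributing the `.te` file unconditionally and leaving the `.pp` as a build product is the safer split.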
diff --git a/README b/README
index 4ae17a9..52a2e4d 100644
--- a/README
+++ b/README
@@ -191,6 +191,17 @@ For a working system, certain configuration options need to be enabled:
 		configured by other means, the command line client can be
 		disabled and the dependency on readline is removed.
 
+	--enable-selinux
+
+		Enable support for compiling SElinux type enforcement rules
+
+		The TE rules are needed if host environment is in enforcing
+		mode. Without this option, the VPN client process cannot
+		send notification to connman-vpnd via net.connman.Task
+		interface. The compiled connman-task.pp module needs to
+		also installed using this command
+			# semodule -i connman-task.pp
+		in order to enable the dbus access.
 
 wpa_supplicant configuration
 ============================
diff --git a/configure.ac b/configure.ac
index 51df9d6..87580c4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -343,6 +343,11 @@ if (test "${enable_polkit}" != "no"); then
 fi
 AM_CONDITIONAL(POLKIT, test "${enable_polkit}" != "no")
 
+AC_ARG_ENABLE(selinux, AC_HELP_STRING([--enable-selinux],
+				[enable selinux support]),
+			[enable_selinux=${enableval}], [enable_selinux="no"])
+AM_CONDITIONAL(SELINUX, test "${enable_selinux}" != "no")
+
 AC_ARG_ENABLE(loopback, AC_HELP_STRING([--disable-loopback],
 				[disable loopback support]),
 					[enable_loopback=${enableval}])
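Review bot: `--enable-selinux` only sets the `SELINUX` conditional and never verifies that the SELinux policy build tooling is present, so a misconfigured host is diagnosed late inside the Makefile rule rather than by configure. When `test "${enable_selinux}" != "no"`, an `AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [], [AC_MSG_ERROR([SELinux policy development files not found])])` (or a configurable path variable) would fail early with a clear message. The help text `[enable selinux support]` overstates what the option does — it only compiles the connman-task policy module — so `[enable SELinux policy module build]` would be more accurate.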
diff --git a/vpn/connman-task.te b/vpn/connman-task.te
new file mode 100644
index 0000000..dd77710
--- /dev/null
+++ b/vpn/connman-task.te
@@ -0,0 +1,16 @@
+# SElinux policy file for allowing various vpn clients
+# to access net.connman.Task dbus interface
+
+module connman-task 1.0;
+
+require {
+	type openvpn_t;
+	type openconnect_t;
+	type vpnc_t;
+	type initrc_t;
+	class dbus send_msg;
+}
+
+allow openvpn_t initrc_t:dbus send_msg;
+allow openconnect_t initrc_t:dbus send_msg;
+allow vpnc_t initrc_t:dbus send_msg;
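Review bot: The three `allow ... initrc_t:dbus send_msg;` rules grant the VPN client domains permission to send D-Bus messages to every process running in `initrc_t`, not only connman-vpnd, and a TE rule cannot be narrowed to the `net.connman.Task` interface; the header comment should state this scope, e.g. `# connman-vpnd has no dedicated domain and runs as initrc_t under systemd, so this grants dbus send_msg towards all initrc_t processes; interface-level limits must come from the D-Bus busconfig policy`. If the notification is a method call that connman-vpnd answers, the reply is checked in the opposite direction and would also need `allow initrc_t openvpn_t:dbus send_msg;` (and the same for `openconnect_t` and `vpnc_t`), which this module does not include — worth confirming against the AVC denials seen in enforcing mode before relying on the module.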
-- 
1.7.11.4



