author | Jukka Rissanen <jukka.rissanen@linux.intel.com> | 2012-11-12 14:07:58 +0200 |
committer | Patrik Flykt <patrik.flykt@linux.intel.com> | 2012-11-23 12:58:52 +0200 |
commit | acedf9d49b9a326771aeec755179e3ede3872cdd (patch) | |
tree | b4eff171ca55eb9a4cb1d9fdfd9f6638848e051c | |
parent | 9b45848a88af4ae202bce346062a7c8db9bc6a66 (diff) | |
selinux: Add Type Enforcement rule compilation
The SELinux rules are needed for VPN. They allow various VPN
clients to send notifications to connman-vpnd via the net.connman.Task
D-Bus interface when the connman processes are run under systemd
and the system is in enforcing mode.
-rw-r--r-- | Makefile.am | 10 | ||||
-rw-r--r-- | README | 11 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | vpn/connman-task.te | 16 |
4 files changed, 42 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index b22213ee..21d820e7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -377,6 +377,16 @@ else
 endif
 endif
+if SELINUX
+if VPN
+EXTRA_DIST += connman-task.pp
+CLEANFILES += connman-task.pp
+endif
+
+connman-task.pp: vpn/connman-task.te
+ make -f /usr/share/selinux/devel/Makefile
+endif
+
 include/connman/version.h: include/version.h
 $(AM_V_at)$(MKDIR_P) include/connman
 $(AM_V_GEN)$(LN_S) $(abs_top_builddir)/$< $@
@@ -191,6 +191,17 @@ For a working system, certain configuration options need to be enabled:
 configured by other means, the command line client can be disabled
 and the dependency on readline is removed.
+ --enable-selinux
+
+ Enable support for compiling SElinux type enforcement rules
+
+ The TE rules are needed if host environment is in enforcing
+ mode. Without this option, the VPN client process cannot
+ send notification to connman-vpnd via net.connman.Task
+ interface. The compiled connman-task.pp module needs to
+ also installed using this command
+ # semodule -i connman-task.pp
+ in order to enable the dbus access.
 wpa_supplicant configuration
 ============================
diff --git a/configure.ac b/configure.ac
index 51df9d60..87580c45 100644
--- a/configure.ac
+++ b/configure.ac
@@ -343,6 +343,11 @@ if (test "${enable_polkit}" != "no"); then
 fi
 AM_CONDITIONAL(POLKIT, test "${enable_polkit}" != "no")
+AC_ARG_ENABLE(selinux, AC_HELP_STRING([--enable-selinux],
+ [enable selinux support]),
+ [enable_selinux=${enableval}], [enable_selinux="no"])
+AM_CONDITIONAL(SELINUX, test "${enable_selinux}" != "no")
+
 AC_ARG_ENABLE(loopback, AC_HELP_STRING([--disable-loopback],
 [disable loopback support]), [enable_loopback=${enableval}])
diff --git a/vpn/connman-task.te b/vpn/connman-task.te
new file mode 100644
index 00000000..dd777107
--- /dev/null
+++ b/vpn/connman-task.te
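Review bot: The `connman-task.pp` recipe in the Makefile.am hunk invokes a bare `make -f /usr/share/selinux/devel/Makefile`; inside an automake rule this should be `$(MAKE) -f /usr/share/selinux/devel/Makefile` so the sub-make inherits the jobserver and the flags the user passed. The SELinux devel Makefile appears to build from the `.te` files in the current directory, and this rule runs from the top-level build directory rather than `vpn/`, so it is worth verifying that it actually finds `vpn/connman-task.te` (especially in a VPATH build) instead of silently producing nothing. `EXTRA_DIST += connman-task.pp` ships the compiled policy module in the release tarball while the source `vpn/connman-task.te` is not added to EXTRA_DIST, so the distributed artifact carries no source alongside it; add `EXTRA_DIST += vpn/connman-task.te`. The hard-coded absolute path is never checked at configure time — the configure.ac hunk in this commit only defines the SELINUX conditional — so `--enable-selinux` on a host without the policy development package fails with an opaque error from make rather than from configure; a `test -f` check in configure.ac (AC_CHECK_FILE refuses to run when cross-compiling) would report this up front.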
@@ -0,0 +1,16 @@
+# SElinux policy file for allowing various vpn clients
+# to access net.connman.Task dbus interface
+
+module connman-task 1.0;
+
+require {
+ type openvpn_t;
+ type openconnect_t;
+ type vpnc_t;
+ type initrc_t;
+ class dbus send_msg;
+}
+
+allow openvpn_t initrc_t:dbus send_msg;
+allow openconnect_t initrc_t:dbus send_msg;
+allow vpnc_t initrc_t:dbus send_msg;
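Review bot: The three `allow ... initrc_t:dbus send_msg;` rules grant the VPN client domains the right to send D-Bus messages to every process running as `initrc_t`, not only to connman-vpnd, because the `dbus send_msg` permission is checked per source/target domain and cannot be narrowed to the net.connman.Task interface that the header comment names. The header comment should say so, e.g. `# NOTE: dbus send_msg is domain-to-domain; this lets the VPN client domains message any initrc_t process, not only connman-vpnd.`; limiting access to that interface belongs in the D-Bus busconfig policy or a dedicated connman domain, which this commit does not add. Method replies travel from initrc_t back to the client domain, so if the base policy does not already permit `initrc_t` to send to these domains the reply will be denied in enforcing mode — worth confirming on a target system before relying on this module. The unconditional `require` block makes `semodule -i` fail on any system where one of `openvpn_t`, `openconnect_t` or `vpnc_t` is not defined; wrapping each client's require/allow pair in an `optional { ... }` block should let the module load with whichever of those types exist.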