-rw-r--r--Makefile.am10
-rw-r--r--README11
-rw-r--r--configure.ac5
-rw-r--r--vpn/connman-task.te16
4 files changed, 42 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index b22213ee..21d820e7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -377,6 +377,16 @@ else
endif
endif
+if SELINUX
+if VPN
+EXTRA_DIST += connman-task.pp
+CLEANFILES += connman-task.pp
+endif
+
+connman-task.pp: vpn/connman-task.te
+ make -f /usr/share/selinux/devel/Makefile
+endif
+
include/connman/version.h: include/version.h
$(AM_V_at)$(MKDIR_P) include/connman
$(AM_V_GEN)$(LN_S) $(abs_top_builddir)/$< $@
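Review bot: The recipe line `make -f /usr/share/selinux/devel/Makefile` invokes a literal `make` instead of `$(MAKE)`, so the jobserver, `-n` and any user-selected make binary are not propagated into the sub-make; every other recursive invocation automake generates uses `$(MAKE)`, so this should read `$(MAKE) -f /usr/share/selinux/devel/Makefile`. The refpolicy devel Makefile is also a hard-coded absolute path that nothing validates: the `--enable-selinux` option added in the configure.ac hunk of this same commit only sets the SELINUX conditional, so a host without the SELinux development files fails late at make time with a bare "No such file" rather than at configure time (an `AC_CHECK_FILE` on that path, or a configurable variable for it, would make this explicit). One more thing to confirm: the sub-make runs in the top-level build directory while the only prerequisite is `vpn/connman-task.te`, and the refpolicy Makefile normally collects `.te` files from its working directory, so it is worth verifying this rule actually produces `connman-task.pp` in-tree and in an out-of-tree (VPATH) build.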
diff --git a/README b/README
index 4ae17a9c..52a2e4d5 100644
--- a/README
+++ b/README
@@ -191,6 +191,17 @@ For a working system, certain configuration options need to be enabled:
configured by other means, the command line client can be
disabled and the dependency on readline is removed.
+ --enable-selinux
+
+ Enable support for compiling SElinux type enforcement rules
+
+ The TE rules are needed if host environment is in enforcing
+ mode. Without this option, the VPN client process cannot
+ send notification to connman-vpnd via net.connman.Task
+ interface. The compiled connman-task.pp module needs to
+ also installed using this command
+ # semodule -i connman-task.pp
+ in order to enable the dbus access.
wpa_supplicant configuration
============================
diff --git a/configure.ac b/configure.ac
index 51df9d60..87580c45 100644
--- a/configure.ac
+++ b/configure.ac
@@ -343,6 +343,11 @@ if (test "${enable_polkit}" != "no"); then
fi
AM_CONDITIONAL(POLKIT, test "${enable_polkit}" != "no")
+AC_ARG_ENABLE(selinux, AC_HELP_STRING([--enable-selinux],
+ [enable selinux support]),
+ [enable_selinux=${enableval}], [enable_selinux="no"])
+AM_CONDITIONAL(SELINUX, test "${enable_selinux}" != "no")
+
AC_ARG_ENABLE(loopback, AC_HELP_STRING([--disable-loopback],
[disable loopback support]),
[enable_loopback=${enableval}])
diff --git a/vpn/connman-task.te b/vpn/connman-task.te
new file mode 100644
index 00000000..dd777107
--- /dev/null
+++ b/vpn/connman-task.te
@@ -0,0 +1,16 @@
+# SElinux policy file for allowing various vpn clients
+# to access net.connman.Task dbus interface
+
+module connman-task 1.0;
+
+require {
+ type openvpn_t;
+ type openconnect_t;
+ type vpnc_t;
+ type initrc_t;
+ class dbus send_msg;
+}
+
+allow openvpn_t initrc_t:dbus send_msg;
+allow openconnect_t initrc_t:dbus send_msg;
+allow vpnc_t initrc_t:dbus send_msg;
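Review bot: The three `allow <client>_t initrc_t:dbus send_msg;` rules grant each VPN client domain the ability to send any D-Bus message to any process running in initrc_t, not just to the net.connman.Task interface named in the header comment; the SELinux dbus send_msg permission is scoped by peer domain only, and interface/method restriction comes solely from the D-Bus policy configuration. The header comment should state that scope so the next maintainer does not assume a tighter grant, e.g. `# Note: send_msg is per peer domain, so these rules permit any dbus message from the vpn client domains to initrc_t (presumably connman-vpnd when started from an init script); interface-level restriction is enforced by the dbus policy, not by this module.` Separately, the single `require { ... }` block makes the whole module fail to load if any one of openvpn_t, openconnect_t or vpnc_t is not defined in the host policy (for example when only one VPN client is packaged); wrapping each client's require/allow pair in its own `optional { ... }` block would let the module load on such hosts, though that should be checked against the policy version the target distributions ship.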