[refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon

Laurent Bigonville bigon at debian.org
Sat Sep 8 07:22:24 CDT 2012


From: Russell Coker <russell at coker.com.au>

---
 iodine.fc |    1 +
 iodine.if |    1 +
 iodine.te |   29 +++++++++++++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 iodine.fc
 create mode 100644 iodine.if
 create mode 100644 iodine.te

diff --git a/iodine.fc b/iodine.fc
new file mode 100644
index 0000000..71c964d
--- /dev/null
+++ b/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.*	-- gen_context(system_u:object_r:iodine_exec_t, s0)
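Review bot: The pattern `/usr/sbin/iodine.*` labels every file under /usr/sbin whose name starts with iodine, so any future `iodine-something` helper would silently run as iodine_t; if only the client and server binaries are meant, a tighter pattern such as `/usr/sbin/iodined?` bounds the domain entry points to what the policy was written for. This is the only entry in the file, so the daemon's configuration and runtime files (if it has any) stay unlabeled and fall back to generic types.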
diff --git a/iodine.if b/iodine.if
new file mode 100644
index 0000000..4bec253
--- /dev/null
+++ b/iodine.if
@@ -0,0 +1 @@
+## <summary>policy for the iodine IP over DNS tunneling daemon</summary>
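Review bot: The interface file contains only the summary, so no other module can interact with iodine_t and there is no `iodine_admin` interface, which refpolicy conventionally provides for daemons so that an administrative domain can manage the service; without it the domain can only be reached through the `init_daemon_domain` transition declared in iodine.te. If the upstream tree expects an admin interface for new daemon modules, add one here rather than leaving the file as a bare summary.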
diff --git a/iodine.te b/iodine.te
new file mode 100644
index 0000000..c383ad4
--- /dev/null
+++ b/iodine.te
@@ -0,0 +1,29 @@
+policy_module(iodine,1.0.0)
+
+type iodine_t;
+type iodine_exec_t;
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:tun_socket create;
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:unix_dgram_socket { create connect };
+
+kernel_read_network_state(iodine_t)
+kernel_read_system_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+
+corecmd_exec_shell(iodine_t)
+
+files_read_etc_files(iodine_t)
+
+logging_send_syslog_msg(iodine_t)
+
+sysnet_domtrans_ifconfig(iodine_t)
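Review bot: The module lacks the refpolicy section banners that every .te file carries, so a reader cannot tell where declarations end and local policy begins; add the standard commented `Declarations` banner before `type iodine_t;` and a `Local policy` banner before the first `allow` line. Refpolicy style also puts a space after the comma in `policy_module(iodine, 1.0.0)` and sorts permission sets, i.e. `{ create read write }` and `{ connect create }`. The `self:unix_dgram_socket` rule may be redundant with what `logging_send_syslog_msg` already grants in the target tree; worth checking against the logging interface before keeping both. `corecmd_exec_shell(iodine_t)` is broader than the `sysnet_domtrans_ifconfig` transition it appears to support; if the shell is only used to launch the interface-configuration commands, confirm it is actually required rather than granting shell execution to the whole daemon domain.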
-- 
1.7.10.4


