  • # 464xlat daemon
    type clatd, domain;
    
    permissive_or_unconfined(clatd)
    
    type clatd_exec, exec_type, file_type;
    
    net_domain(clatd)
    
    
    # Access objects inherited from netd.
    allow clatd netd:fd use;
    allow clatd netd:fifo_file { read write };
    allow clatd netd:netlink_kobject_uevent_socket { read write };
    allow clatd netd:netlink_nflog_socket { read write };
    allow clatd netd:netlink_route_socket { read write };
    allow clatd netd:udp_socket { read write };
    allow clatd netd:unix_stream_socket { read write };
    
    allow clatd self:capability { net_admin setuid setgid };
    
    # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
    allow clatd self:capability dac_override;
    
    allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
    allow clatd self:tun_socket create_socket_perms;
    allow clatd tun_device:chr_file rw_file_perms;
    allow clatd proc_net:file rw_file_perms;;