Commit 2a36dff6 authored by Nick Kralevich's avatar Nick Kralevich Committed by Gerrit Code Review

Merge "Address SELinux denials with clatd."

parents a88af855 a770ee5b
...@@ -3,5 +3,23 @@ type clatd, domain; ...@@ -3,5 +3,23 @@ type clatd, domain;
permissive_or_unconfined(clatd) permissive_or_unconfined(clatd)
type clatd_exec, exec_type, file_type; type clatd_exec, exec_type, file_type;
init_daemon_domain(clatd)
net_domain(clatd) net_domain(clatd)
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd self:capability { net_admin setuid setgid };
# TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
allow clatd self:capability dac_override;
allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
allow clatd self:tun_socket create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;
allow clatd proc_net:file rw_file_perms;;
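Review bot: The seven `allow clatd netd:...` rules under "Access objects inherited from netd" grant read/write on descriptors that netd leaves open across exec, including its netlink route, nflog and uevent sockets, and nothing in this section shows that clatd needs to use them. If clatd only touches some of them (not visible from this hunk), keep `allow clatd netd:fd use;` and the classes it really reads or writes, and turn the rest into `dontaudit` rules such as `dontaudit clatd netd:netlink_route_socket { read write };`. The leak itself is better closed in netd by marking those descriptors close-on-exec. Separately, the last rule ends in a doubled semicolon and should read `allow clatd proc_net:file rw_file_perms;`. It is also worth confirming that write access to `proc_net` is required rather than `r_file_perms`.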