selinux-policy/suse_additions_sslh.patch


Index: serefpolicy-contrib-20140730/sslh.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+
+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+
+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+
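Review bot: The `sslh.service` entry near the top of the hunk leaves the `.` unescaped; file-context paths are regular expressions, so as written it matches any single character in that position, and the refpolicy convention is `/usr/lib/systemd/system/sslh\.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)`. The commented-out `rcsslh` line carries no explanation; if it was dropped because `rcsslh` is a symlink to the init script on SUSE, a one-line comment saying so would keep the next maintainer from re-enabling it and labelling a symlink as sslh_exec_t.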
Index: serefpolicy-contrib-20140730/sslh.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.if
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
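Review bot: The `<param>` summary of `sslh_getattr_exec` says "Domain allowed to transition." but the interface grants only `file getattr` on sslh_exec_t, so the generated interface documentation misstates what the caller receives; change it to `## Domain allowed access.` as the other three interfaces do. `sslh_write_config` also omits the `list_dirs_pattern` call that `sslh_read_config` carries, so a caller given only write access could not list a directory labelled sslh_conf_t — presumably the two were meant to match, worth confirming. Nothing here exposes sslh_initrc_exec_t or sslh_unit_file_t to other modules, so an `sslh_admin` interface following the usual refpolicy pattern would be the natural addition if administrators are expected to manage the service from a confined role.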
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+
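Review bot: `corenet_tcp_bind_all_ports`, `corenet_tcp_connect_all_ports` and `corenet_udp_bind_all_ports` are the broadest grants in the module, yet sslh normally listens on one configured port and forwards to a handful of backend ports, so unconditionally allowing any port means a compromised sslh_t can bind or reach anything on the host. I would keep the ports it actually needs unconditional (e.g. `corenet_tcp_bind_http_port(sslh_t)` and `corenet_tcp_connect_ssh_port(sslh_t)`) and put the all-ports rules behind a tunable for sites with non-standard port layouts; the UDP bind rule looks speculative unless sslh in this snapshot listens on UDP, and if the generic_if UDP rules exist for name resolution, `sysnet_dns_name_resolve(sslh_t)` is the usual way to express that. Separately, `allow sslh_t nscd_var_run_t:file read;` reaches into another module's type directly rather than through an nscd interface, and since `nscd_shm_use` already requires nscd_var_run_t it may be redundant — check before keeping it. The trailing commented `sshd_t` lines look like leftovers from whatever module this was copied from and should be removed or replaced by a comment stating what still needs auditing.
```m4
# … unchanged: policy_module and type declarations …

## <desc>
## <p>
## Allow sslh to bind and connect to any TCP port
## (needed only for non-standard listen/backend port layouts).
## </p>
## </desc>
gen_tunable(sslh_use_all_ports, false)

# … unchanged: self:capability / self:*_socket / self:process rules …

corenet_tcp_bind_generic_node(sslh_t)
corenet_tcp_bind_http_port(sslh_t)
corenet_tcp_connect_ssh_port(sslh_t)
corenet_tcp_connect_http_port(sslh_t)

tunable_policy(`sslh_use_all_ports',`
	corenet_tcp_bind_all_ports(sslh_t)
	corenet_tcp_connect_all_ports(sslh_t)
')

sysnet_dns_name_resolve(sslh_t)

# … unchanged: config read and nscd rules …
```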