File suse_additions_sslh.patch of Package selinux-policy.37503
Index: serefpolicy-contrib-20140730/sslh.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+
+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+
+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+
Index: serefpolicy-contrib-20140730/sslh.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.if
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+
