chore(package): add Debian and RedHat package files (#173)

---------

Signed-off-by: Randy Li <ayaka@soulik.info>
This commit is contained in:
Randy Li
2025-08-23 00:03:21 +08:00
committed by GitHub
parent f5aac38969
commit 2a37a2fc92
14 changed files with 344 additions and 0 deletions

60
selinux/phantun.te Normal file

@@ -0,0 +1,60 @@
policy_module(phantun, 1.0)
gen_require(`
type wireguard_t;
type wireguard_exec_t;
class capability net_admin;
class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
class tcp_socket { name_bind listen accept connect };
class udp_socket { name_bind };
class file { getattr open read write create unlink execute };
class process { transition };
')
# Define custom types
type phantun_server_exec_t;
type phantun_client_exec_t;
type phantun_server_port_t;
type phantun_client_port_t;
type phantun_var_run_t;
# Allow the wrapper scripts to execute the phantun client and server binaries
allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
# Allow the wrapper scripts to write to the PID file
allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
allow wireguard_t self:process transition;
####################################
# Server
#
# Allow wireguard_t to execute the server binary
allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
# Allow the server to create and manage tun devices
allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
# Allow the server to bind to the custom TCP port and listen for incoming connections
allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
# Allow the server to use net_admin capability
allow phantun_server_exec_t self:capability net_admin;
####################################
# Client
#
# Allow wireguard_t to execute the client binary
allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
# Allow the client to create and manage tun devices
allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
# Allow the client to bind to the custom UDP port
#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
# Allow the client to use net_admin capability
allow phantun_client_exec_t self:capability net_admin;
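Review bot: Every rule in the Server and Client sections (the `tun_socket`, `tcp_socket` and `capability net_admin` lines) names `phantun_server_exec_t` or `phantun_client_exec_t` as the subject, but these are executable file types rather than process domains, so the rules never apply to the running binaries; the same problem affects the rules whose source is `wireguard_exec_t`, and `allow wireguard_t self:process transition;` is a no-op because no `type_transition` into a phantun domain exists. As written, a phantun process started by the wrapper scripts would presumably stay in `wireguard_t` and be denied the tun and net_admin operations it needs, or force those grants onto `wireguard_t` itself. The fix is to declare `phantun_server_t`/`phantun_client_t` domains via `application_domain()`, transition into them with `domtrans_pattern()`, and move the tun/port/capability rules onto the domains as sketched below; the port and pid-file types should also get `corenet_port()` and `files_pid_file()` so they carry the attributes that `semanage port` and file-context labelling expect. Note also that the client's `udp_socket name_bind` rule is commented out, leaving `phantun_client_port_t` and the `udp_socket` require unused. The hunk header counts 60 lines while 45 are visible here, so any trailing content is outside this review.
```selinux
# … unchanged: policy_module and gen_require …
# Process domains for the running binaries; the *_exec_t types are entry points only
type phantun_server_t;
type phantun_server_exec_t;
application_domain(phantun_server_t, phantun_server_exec_t)
type phantun_client_t;
type phantun_client_exec_t;
application_domain(phantun_client_t, phantun_client_exec_t)
type phantun_server_port_t;
corenet_port(phantun_server_port_t)
type phantun_client_port_t;
corenet_port(phantun_client_port_t)
type phantun_var_run_t;
files_pid_file(phantun_var_run_t)
# Wrapper scripts run as wireguard_t (per the hunk's own comments); transition on exec
domtrans_pattern(wireguard_t, phantun_server_exec_t, phantun_server_t)
domtrans_pattern(wireguard_t, phantun_client_exec_t, phantun_client_t)
allow wireguard_t phantun_var_run_t:file { getattr open read write create unlink };
# Server: rules target the process domain, not the executable file type
allow phantun_server_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
allow phantun_server_t phantun_server_port_t:tcp_socket { name_bind listen accept };
allow phantun_server_t self:capability net_admin;
# Client: same change; the udp name_bind rule stays commented out as in the original
allow phantun_client_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
allow phantun_client_t self:capability net_admin;
```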