endif
endif
+if SELINUX
+if VPN
+EXTRA_DIST += connman-task.pp
+CLEANFILES += connman-task.pp
+endif
+
+connman-task.pp: vpn/connman-task.te
+ make -f /usr/share/selinux/devel/Makefile
+endif
+
include/connman/version.h: include/version.h
$(AM_V_at)$(MKDIR_P) include/connman
$(AM_V_GEN)$(LN_S) $(abs_top_builddir)/$< $@
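Review bot: In the `if VPN` block, `EXTRA_DIST += connman-task.pp` puts the compiled policy module into the release tarball, while the source `vpn/connman-task.te` is not added to EXTRA_DIST anywhere in this hunk. A binary `.pp` is compiled against the build host's policy and cannot be audited before it is loaded with `semodule -i`, so I would distribute the source instead with `EXTRA_DIST += vpn/connman-task.te` and keep only the `CLEANFILES` entry for the `.pp`. The recipe should call `$(MAKE) -f ...` rather than plain `make`, so that jobserver and flag settings propagate. The recipe also runs in the top build directory while its prerequisite lives in `vpn/`; the devel Makefile appears to compile `.te` files from the current directory, so please confirm that this rule actually produces `connman-task.pp` where the target expects it.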
configured by other means, the command line client can be
disabled and the dependency on readline is removed.
+ --enable-selinux
+
+ Enable support for compiling SElinux type enforcement rules
+
+ The TE rules are needed if host environment is in enforcing
+ mode. Without this option, the VPN client process cannot
+ send notification to connman-vpnd via net.connman.Task
+ interface. The compiled connman-task.pp module needs to
+ also installed using this command
+ # semodule -i connman-task.pp
+ in order to enable the dbus access.
wpa_supplicant configuration
============================
fi
AM_CONDITIONAL(POLKIT, test "${enable_polkit}" != "no")
+AC_ARG_ENABLE(selinux, AC_HELP_STRING([--enable-selinux],
+ [enable selinux support]),
+ [enable_selinux=${enableval}], [enable_selinux="no"])
+AM_CONDITIONAL(SELINUX, test "${enable_selinux}" != "no")
+
AC_ARG_ENABLE(loopback, AC_HELP_STRING([--disable-loopback],
[disable loopback support]),
[enable_loopback=${enableval}])
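Review bot: `--enable-selinux` only sets the SELINUX conditional; configure never checks that the policy build tooling the Makefile rule depends on (`/usr/share/selinux/devel/Makefile`) is present, so missing SELinux policy development files surface as a late `make` failure. A guard after the AC_ARG_ENABLE that runs `test -f /usr/share/selinux/devel/Makefile` when `enable_selinux` is not `no`, and calls `AC_MSG_ERROR` otherwise, would fail early and make the requirement explicit. The help string `[enable selinux support]` also overstates what the option does, since it only compiles the type enforcement module for VPN clients; something like `[build SELinux policy module for VPN clients]` would be more accurate.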
--- /dev/null
+# SElinux policy file for allowing various vpn clients
+# to access net.connman.Task dbus interface
+
+module connman-task 1.0;
+
+require {
+ type openvpn_t;
+ type openconnect_t;
+ type vpnc_t;
+ type initrc_t;
+ class dbus send_msg;
+}
+
+allow openvpn_t initrc_t:dbus send_msg;
+allow openconnect_t initrc_t:dbus send_msg;
+allow vpnc_t initrc_t:dbus send_msg;
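Review bot: The three `allow ... initrc_t:dbus send_msg;` rules let openvpn_t, openconnect_t and vpnc_t send D-Bus messages to every process labelled initrc_t, not only to connman-vpnd. initrc_t is the catch-all domain for services started from init scripts without a policy of their own, so on an enforcing host this widens what a compromised VPN client can reach over the system bus well beyond the net.connman.Task interface named in the header comment. Least privilege would be to give connman-vpnd its own domain and allow `send_msg` to that type only. If that is out of scope for this commit, the limitation should at least be recorded above the rules, e.g. `# NOTE: initrc_t is shared by all unconfined init-script services; narrow to a dedicated connman-vpnd type when one exists`. It is also worth confirming whether replies from connman-vpnd need the reverse `send_msg` permission, which this module does not grant.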