From 2dcac3720ac4ff6faae3cb87dc36fe038c343b4a Mon Sep 17 00:00:00 2001
From: Sam Hadow
Date: Thu, 5 Feb 2026 10:06:20 +0100
Subject: [PATCH] vpn policy

---
 local_vpn.te | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 local_vpn.te

diff --git a/local_vpn.te b/local_vpn.te
new file mode 100644
index 0000000..c015b35
--- /dev/null
+++ b/local_vpn.te
@@ -0,0 +1,32 @@
+module local_openvpn 1.0;
+
+require {
+ type lib_t;
+ type NetworkManager_runtime_t;
+ type openvpn_t;
+ type NetworkManager_t;
+ type systemd_machined_t;
+ type selinux_config_t;
+ type xdg_data_t;
+ class file { execute_no_trans getattr open read };
+ class unix_stream_socket connectto;
+ class dir { add_name search };
+ class process { getcap setcap };
+ class sock_file create;
+ class lnk_file read;
+}
+
+#============= NetworkManager_t ==============
+allow NetworkManager_t lib_t:file execute_no_trans;
+allow NetworkManager_t openvpn_t:unix_stream_socket connectto;
+allow NetworkManager_t systemd_machined_t:unix_stream_socket connectto;
+
+#============= openvpn_t ==============
+allow openvpn_t NetworkManager_runtime_t:dir add_name;
+allow openvpn_t NetworkManager_runtime_t:sock_file create;
+allow openvpn_t lib_t:file execute_no_trans;
+allow openvpn_t self:process { getcap setcap };
+allow openvpn_t selinux_config_t:lnk_file read;
+allow openvpn_t systemd_machined_t:unix_stream_socket connectto;
+allow openvpn_t xdg_data_t:dir search;
+allow openvpn_t xdg_data_t:file { getattr open read };
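Review bot: The two `execute_no_trans` rules on `lib_t` (`allow NetworkManager_t lib_t:file execute_no_trans;` and `allow openvpn_t lib_t:file execute_no_trans;`) let both domains execute any file carrying the generic library label, which spans the whole library tree, inside their own domain; an audit2allow rule of this shape usually traces back to a single mislabelled helper (a plugin or script installed under the library directories), and the narrower fix is to give that one file an executable file-context label via `semanage fcontext` and `restorecon` rather than a blanket allow. The `xdg_data_t` dir and file rules likewise hand openvpn_t read access to everything under user XDG data directories; if the trigger is one configuration or credential file, labelling that file with a type openvpn_t can already read keeps the grant scoped to it. Each allow line should carry the AVC denial that motivated it as a comment (e.g. `# AVC: <denial text from the audit log>`), otherwise the module cannot be re-audited and pruned once the underlying labelling issue is fixed, and rules the distribution policy may already grant (checkable with `sesearch -A -s openvpn_t -t openvpn_t -c process`) can be dropped. Minor: the module is declared as `local_openvpn` while the file is `local_vpn.te`; keeping the two names aligned avoids confusion when the module is built and installed.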