avc { module_request, relabelfrom }: openvpn->tun

Mr Dash Four mr.dash.four at googlemail.com
Wed Aug 18 09:21:17 UTC 2010


>>>>> kernel_request_load_module(openvpn_t)
>>>>>           
>>> create module that allows openvpn_t to request the kernel to load a module:
>>>
>>> mkdir ~/myopenvpn; cd ~/myopenvpn;
>>> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
>>> echo "gen_require(\`" >> myopenvpn.te;
>>> echo "type openvpn_t;" >> myopenvpn.te;
>>> echo "')" >> myopenvpn.te;
>>> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
>>> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
>>> sudo semodule -i myopenvpn.pp
>>>       

I see that this change has been adopted with the -47 version of the 
policy (FC13) - that was pretty quick!

There was a suggestion for a change to tor.te a while ago as well (see 
the "tor: dac_override, dac_read_search, name_bind and net_bind_service" 
thread) - the new version of tor (2.x) provides DNS resolution as part 
of the service it runs, so it needs to bind to udp/53, and the statement:

corenet_udp_bind_dns_port(tor_t)

does the trick when it is included in tor.te. Currently I do this with 
patching, but it would be nice to have it as part of the policy in a 
similar way to how it was done with openvpn.
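
The tor change requested above, written the same way as the quoted openvpn module, as an added example that is not from the list post or from the Fedora policy: a POSIX shell script that generates the .te file for any domain and list of interface calls, builds and loads it with the refpolicy devel Makefile, and checks the resulting allow rule with sesearch (assumes selinux-policy-devel and setools are installed; the directory and function names are my own).

```shell
#!/bin/sh
# Build a small local SELinux policy module that grants extra interface
# calls to an existing domain (example code, not part of the list post).
set -eu

# write_te_module DIR NAME DOMAIN INTERFACE...
# Writes DIR/NAME.te: a gen_require block for DOMAIN followed by one
# interface call per argument. Prints the path of the generated file.
write_te_module() {
    dir=$1; name=$2; domain=$3
    shift 3
    mkdir -p "$dir"
    te="$dir/$name.te"
    {
        printf 'policy_module(%s, 1.0.0)\n\n' "$name"
        # m4 quoting: opening backtick, closing single quote.
        printf 'gen_require(`\n'
        printf '\ttype %s;\n' "$domain"
        printf "')\n\n"
        for iface in "$@"; do
            printf '%s(%s)\n' "$iface" "$domain"
        done
    } > "$te"
    printf '%s\n' "$te"
}

# build_and_install DIR NAME
# Compiles NAME.pp with the refpolicy devel Makefile and loads it. Needs
# selinux-policy-devel and root (or sudo) for semodule.
build_and_install() {
    dir=$1; name=$2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$dir/$name.pp"
}

# verify_rule SOURCE TARGET CLASS PERM
# Confirms the loaded policy now carries the expected allow rule (sesearch
# is from setools). Returns non-zero if the rule is missing.
verify_rule() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q "allow $1 $2"
}

# The tor case from the post: run with --install to actually build and load.
if [ "${1:-}" = "--install" ]; then
    write_te_module /tmp/mytor mytor tor_t corenet_udp_bind_dns_port
    build_and_install /tmp/mytor mytor
    verify_rule tor_t dns_port_t udp_socket name_bind && echo "rule present"
fi
```

Without --install the script only defines the functions, so the .te generation can be checked on a machine that has no policy toolchain.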
