The way the Samba policy module does things is to define a specific
directory for scripts:
samba.fc:
...
/var/lib/samba/scripts(/.*)?
gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
...
This way you keep the scripts separate from ordinary system binaries,
they automatically get the correct type when installed from rpm, and you
don't need to create a new file context every time you add a script.
OK, but my initial question still stands - both openvpn_t and
openvpn_sudo_t need to have access to this directory at least. So, if I
define a new script type I have to alter openvpn.te and make the
directory where the scripts are located (and their new domain!)
available/accessible to openvpn_t. I have to do the same with
openvpn_sudo_t as well.
One other possible solution would be to leave the directory where this
scripts are as openvpn_etc_t, name the scripts with this new domain and
then alter the new module to have (read-only) access to openvpn_etc_t
and full access to this new domain for the scripts - in this way I am
not altering openvpn.te (which is part of the main policy), but I am
creating a potential security hole by granting this new domain
(openvpn_sudo_t) access to openvpn_etc_t which includes other (mainly
configuration) files, which belong to openvpn...not as straight-forward
is it? Or have I missed something?