Mr Dash Four wrote:
> A possible solution would be to create domains for your scripts and
> allow openvpn to domain transition to the script domain when it runs the
> scripts.
> That way openvpn domain does not need access to run sudo but instead
> the script domains need it.
>
That is precisely what I have done - I created a separate domain
(openvpn_sudo_t) and added the necessary permissions to it, though my
SELinux knowledge is insufficient so I do not know how to 'transition'
openvpn_t to openvpn_sudo_t and vice versa?

I've been following this thread with interest - I'm probably going to
have to set up something similar before long. I'm no expert
myself, but I think it works something like this:

You create two types, domain type openvpn_sudo_t and file type
openvpn_sudo_exec_t. You make your script openvpn_sudo_exec_t, and use

    # domain_auto_trans(source domain, entry-point file type, target domain)
    domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
    domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

in your policy module to tell openvpn_t to transition to openvpn_sudo_t
when it runs a script of type openvpn_sudo_exec_t.

The new module has the proper .te and .fc created and has the right
permissions (I did a 'dry' run and everything runs OK), though where it
gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
SELinux that it can 'transition' to and from this new domain when it
needs to run those scripts?
>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>> scripts - it executes successfully in that directory - no problem.
>>
>
> Are you sure it's not one of the scripts run by init instead?
>
Well spotted - that is exactly what happens, though the SELinux domain
on the newly created file is openvpn_etc_rw_t (I think), so I think
openvpn manages OK.
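
The transition discussed in this thread, written out as a reference-policy module. This is an added example, not policy posted by anyone in the thread; the module name, version and the script path in the .fc comment are assumptions, and the sudo-related rules already written for openvpn_sudo_t are not reproduced.

```selinux
# openvpn_sudo.te (added example; module name and version are assumptions)
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	type openvpn_t;
	role system_r;
')

# Domain the scripts run in, and the file type that is its entry point.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# The daemon runs with role system_r, so that role must be allowed to
# hold the new domain or the transition is refused on the role check.
role system_r types openvpn_sudo_t;

# Arguments: source domain, entry-point file type, target domain.
# This emits the type_transition rule and the allow rules it depends on.
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# No reverse transition is needed: only the child created by exec changes
# domain, the openvpn process itself stays in openvpn_t throughout.

# The scripts are shell scripts, so the new domain has to be able to run
# the interpreter and the ordinary binaries the scripts call.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# The permissions already written for openvpn_sudo_t (sudo and whatever
# the scripts touch) go here.

# openvpn_sudo.fc (separate file; the path is a placeholder assumption):
#   /path/to/openvpn/scripts(/.*)?  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

# Build, load, relabel, then confirm the rule is in the loaded policy:
#   make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp
#   semodule -i openvpn_sudo.pp
#   restorecon -Rv /path/to/openvpn/scripts
#   sesearch -T -s openvpn_t -t openvpn_sudo_exec_t
```

If sesearch prints a type_transition line from openvpn_t to openvpn_sudo_t, the 'link' between the two domains is in place; `ls -Z` on the scripts confirms they carry the entry-point type.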