> You create two types, domain type openvpn_sudo_t and file type
> openvpn_sudo_exec_t. You make your script openvpn_sudo_exec_t, and use
>
> domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
> domain_auto_trans(openvpn_sudo_exec_t, openvpn_t, openvpn_sudo_t)
>
Probably better to use domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t).
Also make sure to declare openvpn_sudo_t a domain type (domain_type(openvpn_sudo_t)).
I am assuming that the scripts, which are to be executed by openvpn,
should be labelled openvpn_sudo_exec_t, right? If so, how is the file
permission going to be set (both scripts are located in /var/lib/openvpn
which has openvpn_etc_t type, uid:gid is set to root:_openvpn)?
The domtrans example only applies to scripts run by openvpn.
For scripts run by init you'd use init_daemon_domain(openvpn_script_t,
openvpn_script_exec_t).
Note the different types, since it does not need sudo (runs as root).
Same question -
would I label the scripts executed by /etc/init.d/openvpn
openvpn_script_exec_t? As those are also in the same /var/lib/openvpn
directory, how is this file/SELinux access going to be sorted?
I also take it these new types (openvpn_sudo_exec_t,
openvpn_script_exec_t) and the above statements need to be included in
the new openvpn_sudo module, not openvpn, right?
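The following is an added example that puts the two transitions discussed in this thread into one refpolicy-style module; it is not code from any participant. The script file names in the .fc part, the module name and version, and the corecmd_exec_shell lines (assuming the hooks are shell scripts) are assumptions.

```m4
# --- openvpn_sudo.te (added example, module name assumed) ---
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	type openvpn_t;
	type openvpn_etc_t;
')

########################################
# Domain for hook scripts that openvpn itself runs and that need sudo.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
files_type(openvpn_sudo_exec_t)
# openvpn_t runs in system_r, so the target domain must be allowed there
role system_r types openvpn_sudo_t;

# openvpn_t executing an openvpn_sudo_exec_t file lands in openvpn_sudo_t
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

########################################
# Domain for scripts run from /etc/init.d/openvpn (root, no sudo).
# init_daemon_domain() declares the domain, entry point and system_r role.
type openvpn_script_t;
type openvpn_script_exec_t;
init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)

########################################
# Both kinds of script sit in /var/lib/openvpn (openvpn_etc_t), so the
# new domains need to search that directory; the exec access itself is
# granted by the entry-point rules above.
search_dirs_pattern(openvpn_sudo_t, openvpn_etc_t, openvpn_etc_t)
search_dirs_pattern(openvpn_script_t, openvpn_etc_t, openvpn_etc_t)

# Assumption: the hooks are shell scripts, so each domain must run the shell.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_shell(openvpn_script_t)

# --- openvpn_sudo.fc (script names are placeholders) ---
# /var/lib/openvpn/sudo-hook\.sh -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
# /var/lib/openvpn/init-hook\.sh -- gen_context(system_u:object_r:openvpn_script_exec_t,s0)
```

Because the file contexts come from this module, the labels survive a relabel of /var/lib/openvpn even though the directory itself keeps openvpn_etc_t; the discretionary root:_openvpn permissions still apply on top of the type enforcement rules.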