A possible solution would be to create domains for your scripts and
allow openvpn to domain-transition to the script domain when it runs the scripts.
That way the openvpn domain does not need access to run sudo; instead the script domains
need it.
That is precisely what I have done - I created a separate domain
(openvpn_sudo_t) and added the necessary permissions to it, though my
SELinux knowledge is insufficient so I do not know how to 'transition'
openvpn_t to openvpn_sudo_t and vice versa?
The new module has the proper .te and .fc created and has the right
permissions (I did a 'dry' run and everything runs OK), though where it
gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
SELinux that it can 'transition' to and from this new domain when it
needs to run those scripts.
> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
> scripts - it executes successfully in that directory - no problem.
>
Are you sure it's not one of the scripts run by init instead?
Well spotted - that is exactly what happens, though the SELinux domain
on the newly created file is openvpn_etc_rw_t (I think), so I think
openvpn manages OK.
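For the transition question earlier in the thread, this is a minimal refpolicy-style module showing how openvpn_t is allowed to transition into a script domain. It is an added illustration, not a module from anyone in the thread; it assumes the Fedora/RHEL refpolicy macros, that openvpn_t is the existing openvpn domain, and that the scripts live under /etc/openvpn/scripts (the path and the openvpn_sudo_exec_t type name are assumptions).

```selinux
# openvpn_sudo.te - added example, not from the thread.
# Assumes refpolicy macros and an existing openvpn_t domain.
policy_module(openvpn_sudo, 1.0)

gen_require(`
    type openvpn_t;
')

# The script domain and the file type that serves as its entrypoint:
# only files labelled openvpn_sudo_exec_t may start a process in openvpn_sudo_t.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
application_domain(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# The transition itself: when a process in openvpn_t executes a file of type
# openvpn_sudo_exec_t, the new process starts in openvpn_sudo_t. This macro
# expands to the execute/transition/entrypoint allow rules plus the
# type_transition. No "back" rule is needed: the openvpn process stays in
# openvpn_t, only the child changes domain, and it exits when the script ends.
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The scripts are interpreted, so the script domain must be able to run the
# shell and ordinary binaries. The sudo-related allow rules that the writer
# already has for openvpn_sudo_t belong in this same module.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# openvpn_sudo.fc (separate file in the same module; path is an assumption):
# /etc/openvpn/scripts/.*  --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp && semodule -i openvpn_sudo.pp`, then `restorecon -Rv /etc/openvpn/scripts` to apply the labels. `sesearch -T -s openvpn_t -t openvpn_sudo_exec_t` should then list the process type_transition, and a script started by openvpn will show up in `ps -eZ` as openvpn_sudo_t.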