Mr Dash Four wrote:
> It's not difficult to make new types accessible to openvpn_t - hey, I
> just discovered some new macros! This looks as if it ought to be close:
>
> openvpn_sudo.fc
> /var/lib/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>
> openvpn_sudo.te
> # Create types for script files and domain
> type openvpn_sudo_exec_t;
> type openvpn_sudo_t;
> files_type(openvpn_sudo_exec_t);
> domain_type(openvpn_sudo_t);
>
> # Allow openvpn_t to access and run the scripts
> exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>
I haven't looked at this, but there is another macro I have been using
called can_exec(...) - it is one of the first lines in openvpn.te
> # perhaps we also need one or both of these
> allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
> exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>
I think can_exec does all of this, not sure as I am not at the testing
machine, but will check this out at first opportunity.
> # Get openvpn_t to transition the scripts to the new domain
> domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>
Is this transition in both directions? In other words, once the
transition from openvpn_t -> openvpn_sudo_t has been made and the
scripts have done their job, would the old (openvpn_t) domain be
restored then?
I would expect that the openvpn daemon running in openvpn_t would fork a
new process for the script. The kernel would transition the new script
process to openvpn_sudo_t, leaving the openvpn daemon in openvpn_t.
When the script ends, its process ends. Nothing should need to be
restored.
> You put your scripts in /var/lib/openvpn/scripts. If the scripts are
> installed from rpm and openvpn_sudo policy is already loaded, they will
> automatically get the correct context. Otherwise you use
>
> restorecon -r /var/lib/openvpn/scripts
>
> once the policy is loaded.
>
> Assuming this works (I haven't tested it) to get your scripts accessible
> and running in the right context, you would then work out whatever
> access the scripts need to run, and add that to openvpn_sudo.te too.
>
I will test this during the weekend because if this works it will solve
a lot of my problems I am currently having with openvpn.
> See /usr/share/selinux/devel/include/support for the domain transition
> and file permission macros.
>
I will look at these - thanks for posting this out!
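As an added example (not code from anyone in this thread), the module sketched above written out as a complete openvpn_sudo.te / openvpn_sudo.fc pair, together with the build step and two checks. It assumes the reference-policy devel headers live under /usr/share/selinux/devel, that the scripts are shell scripts (hence corecmd_exec_shell), and that openvpn_t and openvpn_etc_t exist in the base policy; the output directory is whatever you pass in. Two things the sketch in the thread leaves out are included because the transition will not happen without them: domain_entry_file, which makes openvpn_sudo_exec_t a legal entry point for openvpn_sudo_t, and permission for the new domain to run the shell interpreter. domtrans_pattern already grants openvpn_t read/execute on the script type, so a separate exec_files_pattern for openvpn_t is not needed. The transition is one way on exec: the forked child lands in openvpn_sudo_t, the daemon stays in openvpn_t.

```shell
#!/bin/sh
# Added example, not from the thread. Writes, builds and checks a small
# SELinux policy module that runs OpenVPN hook scripts in their own domain.
# Assumptions: refpolicy devel Makefile at /usr/share/selinux/devel/Makefile,
# scripts under /var/lib/openvpn/scripts are shell scripts, base policy
# provides openvpn_t and openvpn_etc_t.
set -eu

# write_module DIR: materialise openvpn_sudo.te and openvpn_sudo.fc in DIR
write_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/openvpn_sudo.te" <<'EOF'
policy_module(openvpn_sudo, 1.0)

# Types from the base policy that this module refers to
gen_require(`
    type openvpn_t;
    type openvpn_etc_t;
')

# A type for the script files and a domain for the running scripts
type openvpn_sudo_exec_t;
type openvpn_sudo_t;
files_type(openvpn_sudo_exec_t)
domain_type(openvpn_sudo_t)

# The script files are the only way into the new domain
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# openvpn_t may read/execute the scripts; the kernel moves the exec'd child
# into openvpn_sudo_t (one way: the daemon itself stays in openvpn_t)
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Shell scripts need to execute the interpreter from the new domain
corecmd_exec_shell(openvpn_sudo_t)

# Minimal access for the scripts; extend with whatever they actually need
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
EOF
    cat > "$dir/openvpn_sudo.fc" <<'EOF'
/var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
EOF
}

# check_module DIR: static sanity check that every statement the transition
# depends on is present in the generated files (runs without SELinux tools)
check_module() {
    dir="$1"
    te="$dir/openvpn_sudo.te"
    for stmt in 'policy_module(openvpn_sudo' \
                'domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)' \
                'domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)' \
                'corecmd_exec_shell(openvpn_sudo_t)'; do
        grep -Fq "$stmt" "$te" || { echo "missing: $stmt" >&2; return 1; }
    done
    grep -Fq 'openvpn_sudo_exec_t' "$dir/openvpn_sudo.fc" || return 1
    return 0
}

# build_module DIR: compile to openvpn_sudo.pp with the refpolicy Makefile.
# Returns 2 when the devel headers are not installed.
build_module() {
    dir="$1"
    mk=/usr/share/selinux/devel/Makefile
    [ -f "$mk" ] || { echo "refpolicy devel headers not installed" >&2; return 2; }
    ( cd "$dir" && make -f "$mk" openvpn_sudo.pp )
    # afterwards, as root:  semodule -i "$dir/openvpn_sudo.pp" &&
    #                       restorecon -R /var/lib/openvpn/scripts
}

# verify_transition: once loaded, confirm the kernel will switch domains on
# exec of a script.  Returns 2 when setools' sesearch is unavailable.
verify_transition() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process | grep -q openvpn_sudo_t
}

# usage:  write_module ./openvpn_sudo && check_module ./openvpn_sudo &&
#         build_module ./openvpn_sudo
```

After loading, `ps -eZ | grep openvpn` while a hook script is running should show the daemon still in openvpn_t and the script's process in openvpn_sudo_t, which answers the "both directions" question empirically: nothing is restored because the daemon never left its domain.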