On Sat, Sep 11, 2010 at 06:28:42PM +0100, Mr Dash Four wrote:
>>It's not significant; the _u field does not enforce any restrictions in Fedora.
>>So if that is your reason to use -setcon you can skip it.
>
>OK, 2 AVCs will be gone then.
>
>>>There is one other thing though - openvpn_t is trying to execute
>>>sudo_exec_t. I wonder if sudo_exec_t does have these privileges and
>>>I just need to transition to this domain (if at all)?
>>
>>The issue that openvpn_t needs access is a problem, because if openvpn_t can run sudo
>>it can run commands as root.
>>
>>Therefore we must make sure it's not openvpn_t that runs sudo but the script
>>domains.
>>If we define domains for the script to be run in, then it is the script domain that
>>needs access to sudo and not the openvpn_t domain.
>
>2 questions - is it possible to drop/use sudo_exec_t and if so does
>this domain have the necessary privileges to run what I want - I am
>not sure. Having looked at sudo.te I can't make much sense of it.

The sudo policy currently only supports that sudo is run by users, not by scripts.
But we could hack around that: we could run sudo in the caller's domain, but that would
mean that the caller domain needs the privileges to run sudo.

>>>I am not afraid of testing, though I am not convinced that running
>>>openvpn as root (even in the openvpn_t domain) is a good idea
>>>either!
>>
>>Question is, does the security risk justify the work that needs to be done.
>
>Well, the alternative, as I pointed out, is to leave openvpn running
>as root under openvpn_t. Do you think that's better?

I think in your scenario it may not make that much of a difference. Your scenario being
that you have openvpn run scripts that need root.
You have selinux to confine root (openvpn).
If you use an unprivileged user you need to either allow openvpn to run sudo, which
basically pretty much negates the dropping-root measure,
or you have to confine your scripts so that from an selinux perspective it's no longer
openvpn that needs to run sudo but your script domains.
The benefit of that would be that your scripts cannot mess with openvpn and its files.
The downside is that you need to write/maintain a few custom modules.
Being that you are not so familiar with selinux and that it's hard for me to guide you by
e-mail, it might be tempting to just run openvpn as root. It's protected by selinux
so it's not that bad.

>>Basically you say I want openvpn to drop privileges and once it dropped privileges
>>you later need it to gain privileges again to run the scripts.
>
>That's because whoever wrote the code for openvpn was a
>short-sighted idiot!!!

Well, I doubt it; remember that those are options, just as running scripts from openvpn is
an option.

>For openvpn to run properly it needs to execute external programs
>(like /sbin/ip) in order to alter the routing table and to also
>modify various ethernet devices on the host system - a set of
>privileges which Linux, as an OS, can only grant to root and nobody
>else.
>So there are two possible ways of running openvpn: 1) run it with
>root privileges and avoid all the headaches I described in my last
>couple of posts, though running the risk that some clever head out
>there might use openvpn vulnerabilities to take control over your
>machine as it would be much easier to do that when openvpn is run as
>root;

Just because someone gains root through openvpn does not mean that he automatically has
control over your system.
That's where selinux comes in. Even though the attacker is root, the attacker is still
confined to the openvpn_t selinux domain.
Basically the attacker is stuck with just the openvpn privileges. So he could mess with
openvpn and some other stuff but not the whole system.

>or 2) drop openvpn privileges and escalate them only when
>necessary to run the scripts which execute /sbin/ip to alter the
>above parameters.

Possible but relatively much work, especially if you're not familiar with selinux.
Also the benefit is not that great imho.

>Out of the above 2 ways I know which one's safer! If there is a 3rd
>way I would be glad to hear it.

I think that's basically it.

>>>As far as sudo goes - if there are alternative ways which give me
>>>proper security and allow me to execute /sbin/ip safely, I will
>>>gladly accept those - no question!
>>
>>Where are the scripts located? (Make sure they are in the location where they will be
>>in the future.)
>
>All of them are located in /var/lib/openvpn - this directory and all
>its files have the system_u:object_r:openvpn_etc_t:s0 SELinux context
>(owner is root, group is _openvpn).

openvpn does not install /var/lib/openvpn. Plus the type openvpn_etc_t is not suitable for
stateful data (openvpn can read it but not write it).
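The script-domain approach discussed in this thread, as an added example that is not part of the thread or of the Fedora policy: a minimal custom module that runs the openvpn scripts in their own domain and lets that domain transition into ifconfig_t to run /sbin/ip, so neither openvpn_t nor the script domain ever needs sudo. The names openvpn_script_t and openvpn_script_exec_t and the /var/lib/openvpn/*.sh path are assumptions; the interfaces used are standard reference-policy ones.

```selinux
# openvpn_script.te - added example, not the thread's or the Fedora policy's own code.
# The script domain, not openvpn_t, holds the privilege to reconfigure the network,
# and it gets there via a domain transition to ifconfig_t rather than via sudo.
policy_module(openvpn_script, 1.0)

gen_require(`
	type openvpn_t;
')

# Assumed names: the scripts' domain and the type of their entry-point files.
type openvpn_script_t;
type openvpn_script_exec_t;
domain_type(openvpn_script_t)
domain_entry_file(openvpn_script_t, openvpn_script_exec_t)
files_type(openvpn_script_exec_t)
role system_r types openvpn_script_t;

# openvpn_t may execute the scripts and doing so transitions into openvpn_script_t.
# domtrans_pattern also grants the fd use / fifo / sigchld permissions the child
# needs towards its caller, so openvpn_t itself gains nothing beyond running them.
domtrans_pattern(openvpn_t, openvpn_script_exec_t, openvpn_script_t)

# The scripts are shell scripts: they need the interpreter and ordinary binaries.
corecmd_exec_shell(openvpn_script_t)
corecmd_exec_bin(openvpn_script_t)

# /sbin/ip is labelled ifconfig_exec_t; running it transitions into ifconfig_t,
# which already has the network-configuration privileges the scripts need.
# Nothing here references sudo_exec_t, so the sudo AVCs go away by design.
sysnet_domtrans_ifconfig(openvpn_script_t)

# Scripts commonly report via logger(1); allow that without extra AVCs.
logging_send_syslog_msg(openvpn_script_t)

# ---- openvpn_script.fc (same module) ----
# Label only the scripts; the directory itself still needs a type suited to
# stateful data, which openvpn_etc_t is not, as the reply above points out.
/var/lib/openvpn/.*\.sh	--	gen_context(system_u:object_r:openvpn_script_exec_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile openvpn_script.pp && semodule -i openvpn_script.pp`, then `restorecon -Rv /var/lib/openvpn`. Run the scripts once with the new domain in permissive mode (`semanage permissive -a openvpn_script_t`) and resolve any remaining AVCs with audit2allow before enforcing it.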