openvpn and script execution

Mr Dash Four mr.dash.four at googlemail.com
Sat Sep 11 17:28:42 UTC 2010


> It's not significant; the _u field does not enforce any restrictions in Fedora.
> So if that is your reason to use -setcon you can skip it.

OK, 2 AVCs will be gone then.

>> There is one other thing though - openvpn_t is trying to execute
>> sudo_exec_t. I wonder if sudo_exec_t does have these privileges and
>> I just need to transition to this domain (if at all)?
>
> The issue that openvpn_t needs access is a problem, because if openvpn_t can run sudo it can run commands as root.
>
> Therefore we must make sure it's not openvpn_t that runs sudo but the scripts' domains.
> If we define domains for the script to be run in, then it is the script domain that needs access to sudo and not the openvpn_t domain.

2 questions: is it possible to drop/use sudo_exec_t and, if so, does this
domain have the necessary privileges to run what I want? I am not sure.
Having looked at sudo.te, I can't make much sense of it.

>> I am not afraid of testing, though I am not convinced that running
>> openvpn as root (even in the openvpn_t domain) is a good idea
>> either!
>
> The question is whether the security risk justifies the work that needs to be done.

Well, the alternative, as I pointed out, is to leave openvpn running as
root under openvpn_t. Do you think that's better?

> Basically you say: I want openvpn to drop privileges, and once it has dropped privileges you later need it to gain privileges again to run the scripts.
That's because whoever wrote the code for openvpn was a short-sighted 
idiot!!!

For openvpn to run properly it needs to execute external programs (like
/sbin/ip) in order to alter the routing table and also to modify various
Ethernet devices on the host system - a set of privileges which Linux,
as an OS, can only grant to root and nobody else.

So there are two possible ways of running openvpn: 1) run it with root
privileges and avoid all the headaches I described in my last couple of
posts, though running the risk that some clever head out there might use
openvpn vulnerabilities to take control over your machine, as it would be
much easier to do that when openvpn is run as root; or 2) drop openvpn
privileges and escalate them only when necessary to run the scripts
which execute /sbin/ip to alter the above parameters.

Out of the above 2 ways I know which one's safer! If there is a 3rd way 
I would be glad to hear it.

>> As far as sudo goes - if there are alternative ways which give me
>> proper security and allow me to execute /sbin/ip safely, I will
>> gladly accept those - no question!
>
> Where are the scripts located? (Make sure they are in the location where they will be in the future.)

All of them are located in /var/lib/openvpn - this directory and all its
files have the system_u:object_r:openvpn_etc_t:s0 SELinux context (owner is
root, group is _openvpn).
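The split the reply above describes, as an added sketch of a policy module (not from the thread, nor from the Fedora or reference policy): openvpn_t may only transition into a dedicated script domain, and only that domain is allowed to execute sudo_exec_t. The names openvpn_script_t and openvpn_script_exec_t are assumptions.

```selinux
policy_module(openvpn_scripts, 1.0)

# openvpn_t comes from the openvpn module, sudo_exec_t from the sudo module.
gen_require(`
	type openvpn_t;
	type sudo_exec_t;
')

# Assumed names: a separate domain for the up/down scripts, plus an
# executable type the scripts are labelled with so the transition can
# be keyed on it instead of on openvpn_etc_t.
type openvpn_script_t;
type openvpn_script_exec_t;
domain_type(openvpn_script_t)
domain_entry_file(openvpn_script_t, openvpn_script_exec_t)
role system_r types openvpn_script_t;

# openvpn_t is allowed to execute the labelled scripts, and doing so moves
# the process into openvpn_script_t. No rule here lets openvpn_t touch
# sudo_exec_t, so the daemon itself cannot gain root through sudo.
domtrans_pattern(openvpn_t, openvpn_script_exec_t, openvpn_script_t)

# The script domain is the one that runs the shell and sudo.
corecmd_exec_shell(openvpn_script_t)
corecmd_exec_bin(openvpn_script_t)
can_exec(openvpn_script_t, sudo_exec_t)

# File context entry (in the module's .fc file) so the scripts under
# /var/lib/openvpn get openvpn_script_exec_t rather than openvpn_etc_t:
#   /var/lib/openvpn/.*\.sh  --  gen_context(system_u:object_r:openvpn_script_exec_t,s0)
```

Whatever else the script domain needs (for the shell, for sudo's own PAM and logging, for /sbin/ip) shows up as AVC denials once the scripts run in it, so the rest of the module is built from those rather than guessed.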
