openvpn and script execution
Mr Dash Four
mr.dash.four at googlemail.com
Sun Sep 12 22:32:36 UTC 2010
> A possible solution would be to create domains for your scripts and allow openvpn to domain transition to the script domain when it runs the scripts.
> That way the openvpn domain does not need access to run sudo but instead the script domains need it.
>
That is precisely what I have done - I created a separate domain
(openvpn_sudo_t) and added the necessary permissions to it, though my
SELinux knowledge is insufficient so I do not know how to 'transition'
openvpn_t to openvpn_sudo_t and vice versa?
The new module has the proper .te and .fc created and has the right
permissions (I did a 'dry' run and everything runs OK), though where it
gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
SELinux that it can 'transition' to and from this new domain when it
needs to run those scripts?
>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>> scripts - it executes successfully in that directory - no problem.
>>
>
> Are you sure it's not one of the scripts run by init instead?
>
Well spotted - that is exactly what happens, though the SELinux domain
on the newly created file is openvpn_etc_rw_t (I think), so I think
openvpn manages OK.
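As an added illustration (not part of the original post or of the poster's module), the following refpolicy-style module shows the pieces that link openvpn_t to a script domain: an entry-point file type plus domain_auto_trans(). The module name, the type openvpn_sudo_exec_t and the /etc/openvpn/scripts path are assumptions; the sudo permissions the poster already wrote for openvpn_sudo_t are not repeated.

```selinux
# openvpn_sudo.te -- hypothetical module; openvpn_sudo_t is the poster's
# own script domain. If that type is already declared in the poster's
# module, merge these rules there instead of declaring it twice.
policy_module(openvpn_sudo, 1.0.0)

require {
        type openvpn_t;
        role system_r;
}

# Script domain and a dedicated entry-point type for the scripts.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# The transition: when openvpn_t execs a file labelled
# openvpn_sudo_exec_t, the child runs as openvpn_sudo_t. The interface
# expands to the execute/transition allow rules, the type_transition
# rule and the fd/fifo/sigchld plumbing back to the parent domain.
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The scripts are shell scripts that spawn other commands (sudo among
# them), so the new domain needs to execute shells and binaries.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# openvpn_sudo.fc -- only files carrying this label will transition;
# scripts left as openvpn_etc_t keep running in openvpn_t (assumed path):
#   /etc/openvpn/scripts(/.*)?  --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
#
# Build, load and relabel (refpolicy devel Makefile):
#   make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp
#   semodule -i openvpn_sudo.pp
#   restorecon -Rv /etc/openvpn/scripts
# Confirm the type_transition rule is in the loaded policy:
#   sesearch -T -s openvpn_t -t openvpn_sudo_exec_t
```

Because the transition is keyed on the file label, a script that is still labelled openvpn_etc_t (as the poster's touch test shows for files created there) stays in openvpn_t, which is worth checking with ls -Z before looking for denials.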
More information about the selinux mailing list