openvpn and script execution

Moray Henderson Moray.Henderson at ict-software.org
Mon Sep 13 09:19:20 UTC 2010


Mr Dash Four wrote:
>> A possible solution would be to create domains for your scripts and
>> allow openvpn to domain transition to the script domain when it runs the
>> scripts.
>> That way openvpn domain does not need access to run sudo but instead the
>> script domains need it.
>>
>That is precisely what I have done - I created a separate domain
>(openvpn_sudo_t) and added the necessary permissions to it, though my
>SELinux knowledge is insufficient so I do not know how to 'transition'
>openvpn_t to openvpn_sudo_t and vice versa?

I've been following this thread with interest - I'm probably going to
have to set up something similar before long.  I'm no expert
myself, but I think it works something like this:

You create two types, domain type openvpn_sudo_t and file type
openvpn_sudo_exec_t.  You make your script openvpn_sudo_exec_t, and use

domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

in your policy module to tell openvpn_t to transition to openvpn_sudo_t
when it runs a script of type openvpn_sudo_exec_t.
 

>The new module has the proper .fe and .fc created and has the right
>permissions (I did a 'dry' run and everything runs OK), though where it
>gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
>SELinux that it can 'transition' to and from this new domain when it
>needs to run those scripts?
>
>>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>>> scripts - it executes successfully in that directory - no problem.
>>>
>>
>> Are you sure it's not one of the scripts run by init instead?
>>
>Well spotted - that is exactly what happens, though the SELinux domain
>on the newly created file is openvpn_etc_rw_t (I think), so I think
>openvpn manages OK.
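For reference, a complete policy module wiring the transition together, written as an added example and not taken from the thread. It assumes reference-policy style macros (domain_type, domain_entry_file, domain_auto_trans, corecmd_exec_shell, corecmd_exec_bin); the domain and type names follow the ones discussed above, the script path /etc/openvpn/route-up.sh is an assumed placeholder, and the sudo-related rules already added to openvpn_sudo_t are left out since they belong to the poster's existing module:

```selinux
## openvpn_sudo.te -- added example, assumes refpolicy-style macros
policy_module(openvpn_sudo, 1.0)

gen_require(`
	type openvpn_t;        # the domain openvpn itself runs in
	role system_r;
')

# New process domain for the scripts, and the file type that acts as
# its entrypoint.  Only files of this type may start the domain.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# Automatic transition: when openvpn_t executes a file labelled
# openvpn_sudo_exec_t, the child process runs as openvpn_sudo_t.
# Argument order is (source domain, entrypoint type, target domain).
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The scripts are "#!/bin/sh", so the new domain must be able to run the
# shell (and whatever /bin or /usr/bin tools the scripts call).
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# Rules allowing openvpn_sudo_t (and only it) to run sudo go here;
# openvpn_t itself never needs them, which is the point of the split.
```

The matching openvpn_sudo.fc line labels the script as the entrypoint, e.g. `/etc/openvpn/route-up\.sh -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)` (assumed path). Build and load with `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp && semodule -i openvpn_sudo.pp`, then `restorecon -v /etc/openvpn/route-up.sh`. To confirm the transition rule is actually in the loaded policy, `sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process` should print the type_transition; a script that still lands in openvpn_t usually means the file was not relabelled, which `ls -Z` on the script will show.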
