openvpn and script execution

Dominick Grift domg472 at gmail.com
Mon Sep 13 11:58:10 UTC 2010


On Mon, Sep 13, 2010 at 10:19:20AM +0100, Moray Henderson wrote:
> Mr Dash Four wrote:
> >> A possible solution would be to create domains for your scripts and
> >> allow openvpn to domain transition to the script domain when it runs the
> >> scripts.
> >> That way openvpn domain does not need access to run sudo but instead
> >> the script domains need it.
> >>
> >That is precisely what I have done - I created a separate domain
> >(openvpn_sudo_t) and added the necessary permissions to it, though my
> >SELinux knowledge is insufficient so I do not know how to 'transition'
> >openvpn_t to openvpn_sudo_t and vice versa?
> 
> I've been following this thread with interest - I'm probably going to
> have to set up something similar before long.  I'm no expert
> myself, but I think it works something like this:
> 
> You create two types, domain type openvpn_sudo_t and file type
> openvpn_sudo_exec_t.  You make your script openvpn_sudo_exec_t, and use
> 
> domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
> domain_auto_trans(openvpn_sudo_exec_t, openvpn_t, openvpn_sudo_t)

probably better to use domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)
also make sure to declare openvpn_sudo_t a domain_type (domain_type(openvpn_sudo_t))

The domtrans example only applies to scripts run by openvpn;
for scripts run by init you'd use init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)

note the different types, since it does not need sudo (it runs as root)

> 
> in your policy module to tell openvpn_t to transition to openvpn_sudo_t
> when it runs a script of type openvpn_sudo_exec_t.
>  
> 
> >The new module has the proper .fe and .fc created and has the right
> >permissions (I did a 'dry' run and everything runs OK), though where it
> >gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
> >SELinux that it can 'transition' to and from this new domain when it
> >needs to run those scripts?
> >
> >>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
> >>> scripts - it executes successfully in that directory - no problem.
> >>>
> >>
> >> Are you sure its not one of the script run by init instead?
> >>
> >Well spotted - that is exactly what happens, though the SELinux domain
> >on the newly created file is openvpn_etc_rw_t (I think), so I think
> >openvpn manages OK.
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
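Putting the two suggestions above together (Moray's domain_entry_file/transition sketch and Dominick's domtrans_pattern plus domain_type advice), here is what a minimal refpolicy-style module for the openvpn-launched script domain could look like. This is an added example, not code from either poster or from the Fedora policy; the module name, the script path /etc/openvpn/scripts/ and the corecmd_exec_shell call are assumptions, and the sudo-related permissions that openvpn_sudo_t will itself need are deliberately left for the reader to add to this domain rather than to openvpn_t.

```selinux
## openvpn_sudo.te (example module, not part of the original thread)
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	# openvpn_t already exists in the base policy; we only reference it.
	type openvpn_t;
')

# New domain for scripts that openvpn starts, and the file type that
# acts as the entrypoint into that domain.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;

# openvpn_sudo_t must be a real process domain (Dominick's point).
domain_type(openvpn_sudo_t)

# openvpn_sudo_exec_t files are the only way into openvpn_sudo_t.
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# openvpn runs in system_r, so the child domain must be allowed there too
# (assumption: the daemon is started as a system service).
role system_r types openvpn_sudo_t;

# openvpn_t -> openvpn_sudo_t automatically when it executes a file
# labelled openvpn_sudo_exec_t (execute, entrypoint, transition, and the
# usual fd/sigchld/process rules are all supplied by this pattern).
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The scripts are shell scripts, so the new domain needs to run the
# shell interpreter (assumed; drop if the scripts are native binaries).
corecmd_exec_shell(openvpn_sudo_t)

# What openvpn_sudo_t needs in order to run sudo itself goes here,
# instead of being granted to openvpn_t.

## openvpn_sudo.fc (example file context, path is an assumption)
/etc/openvpn/scripts(/.*)?	--	gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
```

Built with the usual `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp`, loaded with `semodule -i openvpn_sudo.pp`, and followed by `restorecon -Rv /etc/openvpn/scripts` so the scripts pick up the new label. A quick check after loading is `sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process`, which should list the type_transition rule; if the script still ends up in openvpn_t, `ls -Z` on the script file is the first thing to look at, since the transition only fires when the file carries the entrypoint type. Scripts that init runs rather than openvpn get the separate openvpn_script_t / openvpn_script_exec_t pair via init_daemon_domain, exactly as Dominick notes, and do not belong in this module.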