openvpn and script execution

Dominick Grift domg472 at gmail.com
Mon Sep 13 18:59:02 UTC 2010


On Mon, Sep 13, 2010 at 07:47:32PM +0100, Mr Dash Four wrote:
> 
> >>You create two types, domain type openvpn_sudo_t and file type
> >>openvpn_sudo_exec_t.  You make your script openvpn_sudo_exec_t, and use
> >>
> >>domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
> >>domain_auto_trans(openvpn_sudo_exec_t, openvpn_t, openvpn_sudo_t)
> >
> >probably better to use domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)
> >also make sure to declare openvpn_sudo_t a domain_type (domain_type(openvpn_sudo_t)
> I am assuming that the scripts, which are to be executed by openvpn,
> should be labelled openvpn_sudo_exec_t, right? If so, how is the

Assuming that is the executable file type you have declared for your script, yes.

> file permission going to be set (both scripts are located in
> /var/lib/openvpn which has openvpn_etc_t type, uid:gid is set to
> root:_openvpn)?

You would need to specify the file context for the paths to your scripts, example:

myopenvpn.if:
/var/lib/openvpn/script1 -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

then reset the paths context:
restorecon -v /var/lib/openvpn/script1

When its context (ls -alZ /var/lib/openvpn/script1) is set to openvpn_sudo_exec_t, then openvpn_t can execute it, provided you've defined the proper policy.

> 
> >The domtrans example only applies for scripts run by openvpn
> >for script run by init you'd use init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)
> >
> >note different types since it does not need sudo (runs as root)
> Same question - would I label the scripts executed by
> etc/init.d/openvpn openvpn_script_exec_t? As those are also in the
> same /var/lib/openvpn directory how is this file/SELinux access
> going to be sorted?

You should use a different domain and executable file type for scripts executed by init, because these domains do not need access to sudo.

myscript.te:

type myscript_t;
type myscript_exec_t;
init_daemon_domain(myscript_t, myscript_exec_t)

myscript.fc:

/var/lib/openvpn/myscript -- gen_context(system_u:object_r:myscript_exec_t,s0)


reset context:

restorecon -v /var/lib/openvpn/myscript

That should allow init to domain transition to myscript_t when it runs /var/lib/openvpn/myscript.
Of course it's missing much policy, but the above is the start.

> 
> I also take it these new types (openvpn_sudo_exec_t,
> openvpn_script_exec_t) and the above statements need to be included
> in the new openvpn_sudo module, not openvpn, right?
> 

Sure, any type you use should be declared, made usable and types for files must be applied by specifying file contexts and resetting the files to the specified contexts.
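Added example, not code from the list post or from the openvpn policy module: the two pieces of the reply (openvpn_t transitioning into its own script domain via domtrans_pattern, and init-run scripts getting a separate domain via init_daemon_domain) put together as one loadable module, with the .te and .fc written by shell functions, built with the refpolicy devel Makefile that selinux-policy-devel installs, loaded with semodule and applied with restorecon. The module name openvpn_scripts, the script names script1 and myscript under /var/lib/openvpn, and the existence of openvpn_t in the base policy are assumptions; the role statement for openvpn_sudo_t is added because domtrans_pattern does not authorise the role on its own.

```shell
#!/bin/sh
# Added example, not code from the list post. Writes a small SELinux policy
# module that gives openvpn-run scripts their own domains, builds it with the
# refpolicy devel Makefile (selinux-policy-devel), installs it and relabels the
# scripts. Assumed: module name "openvpn_scripts", scripts script1 and myscript
# under /var/lib/openvpn, and an openvpn_t domain present in the base policy.
set -eu

MODULE=openvpn_scripts        # assumed module name
SCRIPT_DIR=/var/lib/openvpn   # directory named in the thread

# Print the type enforcement (.te) source on stdout.
gen_te() {
cat <<'EOF'
policy_module(openvpn_scripts, 1.0.0)

########################################
# Declarations

gen_require(`
    type openvpn_t;
    role system_r;
')

# Domain and entrypoint for scripts that openvpn_t executes itself.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# openvpn runs in system_r and a domain transition keeps the role, so the
# new domain must be authorised for system_r or the transition fails.
role system_r types openvpn_sudo_t;

# Domain and entrypoint for scripts started by /etc/init.d/openvpn.
# init_daemon_domain also makes the type a domain, sets the entrypoint
# and authorises system_r, so nothing more is needed for that part.
type openvpn_script_t;
type openvpn_script_exec_t;
init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)

########################################
# Transitions

# openvpn_t executing an openvpn_sudo_exec_t file lands in openvpn_sudo_t.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# What the scripts may do once inside their domains (files, sudo, network)
# is left out here, as in the reply: this is only the starting point.
EOF
}

# Print the file context (.fc) source on stdout, one line per script.
gen_fc() {
cat <<'EOF'
/var/lib/openvpn/script1   --   gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
/var/lib/openvpn/myscript  --   gen_context(system_u:object_r:openvpn_script_exec_t,s0)
EOF
}

# Write both sources into directory $1.
write_module() {
    gen_te > "$1/$MODULE.te"
    gen_fc > "$1/$MODULE.fc"
}

# Build the .pp, load it, apply the new labels and show the result.
build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    restorecon -v "$SCRIPT_DIR/script1" "$SCRIPT_DIR/myscript"
    ls -alZ "$SCRIPT_DIR"
}

# Only touch the system when explicitly asked: sh openvpn_scripts.sh install
if [ "${1:-}" = "install" ]; then
    write_module .
    build_and_install
fi
```

After the install step, ls -alZ on the two scripts should show openvpn_sudo_exec_t and openvpn_script_exec_t respectively; if it still shows openvpn_etc_t, the .fc entry did not match the path and restorecon had nothing to apply.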