openvpn and script execution

Mr Dash Four mr.dash.four at googlemail.com
Mon Sep 13 19:07:15 UTC 2010


>> file permission going to be set (both scripts are located in
>> /var/lib/openvpn which has openvpn_etc_t type, uid:gid is set to
>> root:_openvpn)?
>>     
>
> You would need to specify the file context for the paths to your scripts, example:
>
> myopenvpn.fc:
> /var/lib/openvpn/script1 -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>
> then reset the paths context:
> restorecon -v /var/lib/openvpn/script1
>
> When its context (ls -alZ /var/lib/openvpn/script1) is set to openvpn_sudo_exec_t, then openvpn_t can execute it, provided you've defined the proper policy.
>   
My question was more to do with the directory access - this new 
domain/type (openvpn_sudo_t and openvpn_sudo_exec_t) is placed in the 
/var/lib/openvpn directory which is labelled openvpn_etc_t and I am not 
entirely sure openvpn_sudo_t would have access to it (I know from the 
above it would have access to the file itself, but am not sure it has 
access to the directory in which this file resides - /var/lib/openvpn)?

>> Same question - would I label the scripts executed by
>> etc/init.d/openvpn openvpn_script_exec_t? As those are also in the
>> same /var/lib/openvpn directory how is this file/SELinux access
>> going to be sorted?
>>     
>
> You should use a different domain and executable file type for scripts executed by init, because these domains do not need access to sudo.
>
> myscript.te:
>
> type myscript_t;
> type myscript_exec_t;
> init_daemon_domain(myscript_t, myscript_exec_t)
>
> myscript.fc:
>
> /var/lib/openvpn/myscript1 -- gen_context(system_u:object_r:myscript_exec_t,s0)
>
>
> reset context:
>
> restorecon -v /var/lib/openvpn/myscript1
>
> That should allow init to domain transition to myscript_t when it runs /var/lib/openvpn/myscript1.
> Of course it's missing much policy, but the above is the start.
>   
That is all well and good but the same question as above - what about 
the directory access?
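A complete policy module covering both cases discussed in the thread, added here as a worked example; it is not code from either poster nor from the refpolicy openvpn module. It uses the refpolicy macros the replies already rely on (init_daemon_domain, domtrans_pattern, gen_context, the *_perms permission sets) and the script paths quoted above; the module name openvpn_scripts and the choice of corecmd_exec_shell are assumptions. The part that answers the directory question is the four allow rules in the middle: a shell script is executed by its interpreter, which, once in the new domain, looks the script up by path again and reads it, so the new domain needs search on the directory (openvpn_etc_t) and read on its own entrypoint file, not just the entrypoint permission that domtrans_pattern grants.

```selinux
# ---- openvpn_scripts.te ---------------------------------------------------
# Module name is an assumption; pick anything not already loaded (semodule -l).
policy_module(openvpn_scripts, 1.0)

gen_require(`
    type openvpn_t;          # the daemon domain from the stock openvpn module
    type openvpn_etc_t;      # label of /var/lib/openvpn in the question
    role system_r;
')

# 1. Domain for scripts that openvpn_t itself executes (--up/--down/etc.).
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# openvpn_t -> openvpn_sudo_t when it execs a file labelled openvpn_sudo_exec_t.
# domtrans_pattern also lets openvpn_t read/execute that file, which it can
# already reach because it searches openvpn_etc_t for its config anyway.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# 2. Domain for the helper run by /etc/init.d/openvpn (init -> myscript_t).
# As the reply says, this domain gets no sudo-related rules at all.
type myscript_t;
type myscript_exec_t;
init_daemon_domain(myscript_t, myscript_exec_t)

# 3. Directory access: both scripts live in /var/lib/openvpn (openvpn_etc_t).
# The interpreter (already in the new domain) re-opens the script by path, so
# the new domain must search the directory and read its own entrypoint file.
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
allow openvpn_sudo_t openvpn_sudo_exec_t:file read_file_perms;
allow myscript_t openvpn_etc_t:dir search_dir_perms;
allow myscript_t myscript_exec_t:file read_file_perms;

# Both are shell scripts, so both domains need an interpreter.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_shell(myscript_t)

# Whatever the scripts do beyond this (sudo, ip/route, logging) still has to
# be added; see the usage note for how to find the remaining denials.

# ---- openvpn_scripts.fc ---------------------------------------------------
# Only the two script files are relabelled; the directory keeps openvpn_etc_t.
/var/lib/openvpn/script1   --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
/var/lib/openvpn/myscript1 --  gen_context(system_u:object_r:myscript_exec_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile openvpn_scripts.pp && semodule -i openvpn_scripts.pp`, then `restorecon -v /var/lib/openvpn/script1 /var/lib/openvpn/myscript1` and confirm with `ls -Z /var/lib/openvpn`. To check that the directory rule actually landed, run `sesearch -A -s myscript_t -t openvpn_etc_t -c dir`. While filling in the rest of the policy, the remaining denials come out of `ausearch -m avc -ts recent | audit2allow`; on a policy that supports it, a temporary `permissive myscript_t;` line in the .te lets the script run to completion so all denials are logged in one pass.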



More information about the selinux mailing list