openvpn and script execution

Dominick Grift domg472 at gmail.com
Mon Sep 13 19:10:26 UTC 2010


On Mon, Sep 13, 2010 at 08:07:15PM +0100, Mr Dash Four wrote:
> 
> >>file permission going to be set (both scripts are located in
> >>/var/lib/openvpn which has openvpn_etc_t type, uid:gid is set to
> >>root:_openvpn)?
> >
> >You would need to specify the file context for the paths to your scripts, example:
> >
> >myopenvpn.if:
> >/var/lib/openvpn/script1 -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
> >
> >then reset the paths context:
> >restorecon -v /var/lib/openvpn/script1
> >
> >When its context (ls -alZ /var/lib/openvpn/script1) is set to openvpn_sudo_exec_t, then openvpn_t can execute it, provided you've defined the proper policy.
> My question was more to do with the directory access - this new
> domain/type (openvpn_sudo_t and openvpn_sudo_exec_t) is placed in
> the /var/lib/openvpn directory which is labelled openvpn_etc_t and I
> am not entirely sure openvpn_sudo_t would have access to it (I know
> from the above it would have access to the file itself, but am not
> sure it has access to the directory in which this file resides -
> /var/lib/openvpn)?

Whether they have any access at all depends on what access you specify.
So unless you allow your new domain to interact with the type for that location, access is denied.

> 
> >>Same question - would I label the scripts executed by
> >>etc/init.d/openvpn openvpn_script_exec_t? As those are also in the
> >>same /var/lib/openvpn directory how is this file/SELinux access
> >>going to be sorted?
> >
> >You should use a different domain and executable file type for scripts executed by init, because these domains do not need access to sudo.
> >
> >myscript.te:
> >
> >type myscript_t;
> >type myscript_exec_t;
> >init_daemon_domain(myscript_t, myscript_exec_t)
> >
> >myscript.fc:
> >
> >/var/lib/openvpn/myscript -- gen_context(system_u:object_r:myscript_exec_t,s0)
> >
> >
> >reset context:
> >
> >restorecon -v /var/lib/openvpn/myscript1
> >
> >That should allow init to domain transition to myscript_t when it runs /var/lib/openvpn/myscript1
> >Of course it's missing much policy, but the above is the start.
> That is all well and good but the same question as above - what
> about the directory access?
> 
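A minimal module for the init-run script discussed in this thread, written as an added example (not Dominick's or the reference policy's own code). The type names myscript_t, myscript_exec_t and openvpn_etc_t are the ones used above; the two allow rules on openvpn_etc_t are what answer the directory-access question, since the executable label alone grants nothing on the directory that holds the file.

```selinux
# myscript.te -- constructed example module
policy_module(myscript, 1.0)

# openvpn_etc_t is declared by the openvpn module, so it has to be
# pulled in with a require block before it can be referenced here.
gen_require(`
	type openvpn_etc_t;
')

type myscript_t;
type myscript_exec_t;
# init (and therefore /etc/init.d/openvpn) transitions to myscript_t
# when it executes a file labelled myscript_exec_t.
init_daemon_domain(myscript_t, myscript_exec_t)

# Directory access is NOT implied by the file label: without the dir
# rule below the domain gets a "search" denial on /var/lib/openvpn
# (openvpn_etc_t) even though it may read the script file itself.
# Path lookup also has to traverse /var and /var/lib (var_lib_t).
files_search_var_lib(myscript_t)
allow myscript_t openvpn_etc_t:dir list_dir_perms;
allow myscript_t openvpn_etc_t:file read_file_perms;

# Nearly every script needs a shell and the usual binaries.
corecmd_exec_shell(myscript_t)
corecmd_exec_bin(myscript_t)

# myscript.fc -- the file-context entry from the thread, reset with
# restorecon -v /var/lib/openvpn/myscript after the module is loaded.
# /var/lib/openvpn/myscript -- gen_context(system_u:object_r:myscript_exec_t,s0)
```

Build it with `make -f /usr/share/selinux/devel/Makefile myscript.pp`, load it with `semodule -i myscript.pp`, then run the script and inspect `ausearch -m avc -ts recent` for the remaining denials (an openvpn_sudo_t domain for scripts launched by openvpn_t needs the same two openvpn_etc_t rules for the same reason).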