openvpn and script execution

Mr Dash Four mr.dash.four at googlemail.com
Tue Sep 14 18:08:55 UTC 2010


> The way the Samba policy module does things is to define a specific
> directory for scripts:
>
> samba.fc:
> ...
> /var/lib/samba/scripts(/.*)?
> gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
> ...
>
> This way you keep the scripts separate from ordinary system binaries,
> they automatically get the correct type when installed from rpm, and you
> don't need to create a new file context every time you add a script.
>   
OK, but my initial question still stands - both openvpn_t and 
openvpn_sudo_t need to have access to this directory at least. So, if I 
define a new script type I have to alter openvpn.te and make the 
directory where the scripts are located (and their new domain!) 
available/accessible to openvpn_t. I have to do the same with 
openvpn_sudo_t as well.

One other possible solution would be to leave the directory where these 
scripts are as openvpn_etc_t, name the scripts with this new domain and 
then alter the new module to have (read-only) access to openvpn_etc_t 
and full access to this new domain for the scripts - in this way I am 
not altering openvpn.te (which is part of the main policy), but I am 
creating a potential security hole by granting this new domain 
(openvpn_sudo_t) access to openvpn_etc_t which includes other (mainly 
configuration) files, which belong to openvpn... not as straightforward, 
is it? Or have I missed something?
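What the quoted samba.fc approach looks like when carried over to OpenVPN, as an added example that is not from this thread or from the reference policy: a separate policy module labels a hypothetical /etc/openvpn/scripts directory with a hypothetical openvpn_script_exec_t type and lets the openvpn_t and openvpn_sudo_t domains named above list that directory and execute the scripts in it, leaving openvpn_etc_t out of the new rules.

```selinux
# openvpn_scripts.fc  (added example; the path and the type name are hypothetical)
/etc/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_script_exec_t,s0)

# openvpn_scripts.te
policy_module(openvpn_scripts, 1.0)

gen_require(`
    # domains discussed in the thread; they are defined by the base openvpn module
    type openvpn_t, openvpn_sudo_t;
')

# Dedicated file type for the script directory only.  files_type() registers
# it as an ordinary file type so relabelling and backup rules treat it normally.
type openvpn_script_exec_t;
files_type(openvpn_script_exec_t)

# Each domain may search/list the script directory and read+execute the files
# in it.  can_exec() does not set up a domain transition, so the scripts keep
# running as openvpn_t or openvpn_sudo_t respectively; no rule touches
# openvpn_etc_t, so the configuration files stay as restricted as before.
list_dirs_pattern(openvpn_t, openvpn_script_exec_t, openvpn_script_exec_t)
can_exec(openvpn_t, openvpn_script_exec_t)

list_dirs_pattern(openvpn_sudo_t, openvpn_script_exec_t, openvpn_script_exec_t)
can_exec(openvpn_sudo_t, openvpn_script_exec_t)
```

After building and loading the module, `restorecon -Rv /etc/openvpn/scripts` applies the new label and `sesearch -A -s openvpn_t -t openvpn_script_exec_t` confirms that only the intended permissions were granted.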
