openvpn and script execution

Moray Henderson Moray.Henderson at ict-software.org
Wed Sep 15 12:23:05 UTC 2010


(Odd - I only saw my copy of this, not the one that went to the list)

Mr Dash Four wrote:
>> The way the Samba policy module does things is to define a specific
>> directory for scripts:
>>
>> samba.fc:
>> ...
>> /var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
>> ...
>>
>> This way you keep the scripts separate from ordinary system binaries,
>> they automatically get the correct type when installed from rpm, and you
>> don't need to create a new file context every time you add a script.
>>
>OK, but my initial question still stands - both openvpn_t and
>openvpn_sudo_t need to have access to this directory at least. So, if I
>define a new script type I have to alter openvpn.te and make the
>directory where the scripts are located (and their new domain!)
>available/accessible to openvpn_t. I have to do the same with
>openvpn_sudo_t as well.
>
>One other possible solution would be to leave the directory where these
>scripts are as openvpn_etc_t, name the scripts with this new domain and
>then alter the new module to have (read-only) access to openvpn_etc_t
>and full access to this new domain for the scripts - in this way I am
>not altering openvpn.te (which is part of the main policy), but I am
>creating a potential security hole by granting this new domain
>(openvpn_sudo_t) access to openvpn_etc_t which includes other (mainly
>configuration) files, which belong to openvpn...not as straight-forward
>is it? Or have I missed something?

I wouldn't alter openvpn.te from refpolicy; I leave the standard stuff
alone and create any extensions in a specific policy for my servers.

It's not difficult to make new types accessible to openvpn_t - hey, I
just discovered some new macros!  This looks as if it ought to be close:

openvpn_sudo.fc
  /var/lib/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

openvpn_sudo.te
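  policy_module(openvpn_sudo, 1.0.0)

  # Types and role declared outside this module
  gen_require(`
    type openvpn_t, openvpn_etc_t;
    role system_r;
  ')

  # Create types for script files and domain
  type openvpn_sudo_exec_t;
  type openvpn_sudo_t;
  files_type(openvpn_sudo_exec_t)
  domain_type(openvpn_sudo_t)
  # Make the scripts a valid entry point into the new domain
  domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
  role system_r types openvpn_sudo_t;

  # Allow openvpn_t to access and run the scripts
  exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)
  # perhaps we also need one or both of these
  allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
  exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)

  # Get openvpn_t to transition the scripts to the new domain
  domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)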

You put your scripts in /var/lib/openvpn/scripts.  If the scripts are
installed from rpm and openvpn_sudo policy is already loaded, they will
automatically get the correct context.  Otherwise you use 

  restorecon -r /var/lib/openvpn/scripts

once the policy is loaded.

Assuming this works (I haven't tested it) to get your scripts accessible
and running in the right context, you would then work out whatever
access the scripts need to run, and add that to openvpn_sudo.te too.

See /usr/share/selinux/devel/include/support for the domain transition
and file permission macros.
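
Added example, not part of the original post: a shell check to run after the module is loaded, confirming that everything under the scripts directory carries the expected type and that the transition rule from openvpn_t is present. It assumes GNU `stat` (for `%C`) and setools' `sesearch` are installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify labels and the domain transition for openvpn_sudo.
SCRIPT_DIR=/var/lib/openvpn/scripts      # directory named in the post
WANT_TYPE=openvpn_sudo_exec_t            # type assigned in openvpn_sudo.fc

# Print the type field (third) of an SELinux context: user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin; print every path whose type is not $1.
# The context is the last space-separated field, so paths with spaces work.
mislabeled() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line% *}
        ctx=${line##* }
        [ "$(ctx_type "$ctx")" = "$want" ] || printf '%s\n' "$path"
    done
}

# Succeed if the sesearch output on stdin contains the type_transition rule
# openvpn_t -> openvpn_sudo_t on executing openvpn_sudo_exec_t.
has_transition() {
    grep -Eq 'type_transition openvpn_t openvpn_sudo_exec_t *: *process openvpn_sudo_t'
}

# Live check: relabel, then inspect file labels and the loaded policy.
check_host() {
    restorecon -R "$SCRIPT_DIR" || return 1
    bad=$(find "$SCRIPT_DIR" -exec stat -c '%n %C' {} + | mislabeled "$WANT_TYPE")
    [ -z "$bad" ] || { echo "wrong label:"; echo "$bad"; return 1; }
    sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process | has_transition ||
        { echo "no type_transition from openvpn_t loaded"; return 1; }
    echo "labels and transition OK"
}

# Only touch the system when SELinux is actually enabled on this host.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
    check_host
fi
```

A file listed as mislabeled after `restorecon` usually means the file-context entry did not load or a more specific entry elsewhere matches the path.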



