openvpn and script execution
Mr Dash Four
mr.dash.four at googlemail.com
Wed Sep 15 21:53:35 UTC 2010
> I wouldn't alter openvpn.te from refpolicy; I leave the standard stuff
> alone and create any extensions in a specific policy for my servers.
>
Yep, my thoughts exactly!
> It's not difficult to make new types accessible to openvpn_t - hey, I
> just discovered some new macros! This looks as if it ought to be close:
>
> openvpn_sudo.fc
> /var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>
> openvpn_sudo.te
> # Create types for script files and domain
> type openvpn_sudo_exec_t;
> type openvpn_sudo_t;
> files_type(openvpn_sudo_exec_t);
> domain_type(openvpn_sudo_t);
>
> # Allow openvpn_t to access and run the scripts
> exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>
I haven't looked at this, but there is another macro I have been using
called can_exec(...) - it is one of the first lines in openvpn.te
> # perhaps we also need one or both of these
> allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
> exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>
I think can_exec does all of this, not sure as I am not at the testing
machine, but will check this out at first opportunity.
> # Get openvpn_t to transition the scripts to the new domain
> domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>
Is this transition in both directions? In other words, once the
transition from openvpn_t -> openvpn_sudo_t has been made and the
scripts have done their job, would the old (openvpn_t) domain be
restored then?
> You put your scripts in /var/lib/openvpn/scripts. If the scripts are
> installed from rpm and openvpn_sudo policy is already loaded, they will
> automatically get the correct context. Otherwise you use
>
> restorecon -r /var/lib/openvpn/scripts
>
> once the policy is loaded.
>
> Assuming this works (I haven't tested it) to get your scripts accessible
> and running in the right context, you would then work out whatever
> access the scripts need to run, and add that to openvpn_sudo.te too.
>
I will test this during the weekend because if this works it will solve
a lot of my problems I am currently having with openvpn.
> See /usr/share/selinux/devel/include/support for the domain transition
> and file permission macros.
>
I will look at these - thanks for posting this out!
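The module sketched in the quoted message, assembled end to end as an added example (editor's code, not from either poster): a script that writes openvpn_sudo.te and openvpn_sudo.fc, builds and loads them with the refpolicy devel Makefile the message points at, relabels the scripts directory, and then shows the loaded type_transition rule with sesearch. The transition the message describes happens on the exec() of the script: the new process starts in openvpn_sudo_t while the openvpn_t daemon itself never changes domain, so nothing has to be "restored" afterwards; that is what the `sesearch -T ... -c process` query makes visible. Assumptions beyond the thread: `role system_r types openvpn_sudo_t;` (openvpn_t runs as system_r, so the child domain needs that role), `domain_entry_file`, `corecmd_exec_shell`/`corecmd_exec_bin` and read access to openvpn_etc_t as plausible starting access for shell scripts, and `fc_match`, a constructed stand-in for matchpathcon that only illustrates how the anchored .fc regex is applied.

```shell
#!/bin/sh
# Added example: build and load an openvpn_sudo policy module that moves
# scripts run by openvpn_t into their own domain. Not the thread's own code.
# Assumes openvpn_t/openvpn_etc_t exist in the base policy and that
# /usr/share/selinux/devel/Makefile is installed (selinux-policy-devel).
set -eu

# Write openvpn_sudo.te and openvpn_sudo.fc into the directory given as $1.
write_policy_sources() {
  dir=$1
  cat > "$dir/openvpn_sudo.te" <<'EOF'
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	type openvpn_t, openvpn_etc_t;
	role system_r;
')

# Types for the script files and for the domain they run in
type openvpn_sudo_exec_t;
files_type(openvpn_sudo_exec_t)
type openvpn_sudo_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
# Assumed: openvpn_t runs as system_r, so the child domain must be valid there
role system_r types openvpn_sudo_t;

# openvpn_t may search the scripts directory and execute the scripts ...
exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)
# ... and exec() of such a file automatically lands the new process in
# openvpn_sudo_t (domtrans_pattern also grants fd use, sigchld, pipe I/O).
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Assumed starting access for shell scripts that read /etc/openvpn; extend
# this as AVC denials show what else the scripts touch.
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
allow openvpn_sudo_t openvpn_etc_t:file read_file_perms;
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)
EOF
  cat > "$dir/openvpn_sudo.fc" <<'EOF'
/var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
EOF
}

# Constructed helper, not matchpathcon: print the context of the first .fc
# spec whose anchored regex matches the path given as $1. Shows why
# "(/.*)?" covers the directory and everything below it but nothing beside it.
fc_match() {
  path=$1; fcfile=$2
  while read -r regex ctx; do
    case "$regex" in ''|'#'*) continue ;; esac
    if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
      printf '%s\n' "$ctx"
      return 0
    fi
  done < "$fcfile"
  return 1
}

# Build openvpn_sudo.pp from the sources in $1 and load it (needs root).
build_and_load() {
  dir=$1
  ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp )
  semodule -i "$dir/openvpn_sudo.pp"
  # Scripts installed before the module was loaded still carry the old label
  restorecon -Rv /var/lib/openvpn/scripts
}

# Show the labels on disk and the type_transition rule that moves an exec()'d
# script from openvpn_t into openvpn_sudo_t.
verify() {
  ls -Z /var/lib/openvpn/scripts
  sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process
}

# The build only runs when invoked as "install"; sourcing this file merely
# defines the functions.
if [ "${1:-}" = "install" ]; then
  work=$(mktemp -d)
  write_policy_sources "$work"
  build_and_load "$work"
  verify
fi
```

Run it as `sh openvpn_sudo.sh install` on the test machine, then watch `ausearch -m avc -ts recent` while OpenVPN runs its up/down scripts; each denial against openvpn_sudo_t is a rule to add to the .te, which is the "work out whatever access the scripts need" step the message describes.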