openvpn and script execution

Mr Dash Four mr.dash.four at googlemail.com
Wed Sep 15 21:53:35 UTC 2010


> I wouldn't alter openvpn.te from refpolicy; I leave the standard stuff
> alone and create any extensions in a specific policy for my servers.
>   
Yep, my thoughts exactly!

> It's not difficult to make new types accessible to openvpn_t - hey, I
> just discovered some new macros!  This looks as if it ought to be close:
>
> openvpn_sudo.fc
>   /var/lib/openvpn/scripts(/.*)?  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>
> openvpn_sudo.te
>   # Create types for script files and domain
>   type openvpn_sudo_exec_t;
>   type openvpn_sudo_t;
>   files_type(openvpn_sudo_exec_t);
>   domain_type(openvpn_sudo_t);
>
>   # Allow openvpn_t to access and run the scripts
>   exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>   
I haven't looked at this, but there is another macro I have been using 
called can_exec(...) - it is one of the first lines in openvpn.te

>   # perhaps we also need one or both of these
>   allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
>   exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>   
I think can_exec does all of this, not sure as I am not at the testing 
machine, but will check this out at first opportunity.

>   # Get openvpn_t to transition the scripts to the new domain
>   domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>   
Is this transition in both directions? In other words, once the 
transition from openvpn_t -> openvpn_sudo_t has been made and the 
scripts have done their job, would the old (openvpn_t) domain be 
restored then?

> You put your scripts in /var/lib/openvpn/scripts.  If the scripts are
> installed from rpm and openvpn_sudo policy is already loaded, they will
> automatically get the correct context.  Otherwise you use 
>
>   restorecon -r /var/lib/openvpn/scripts
>
> once the policy is loaded.
>
> Assuming this works (I haven't tested it) to get your scripts accessible
> and running in the right context, you would then work out whatever
> access the scripts need to run, and add that to openvpn_sudo.te too.
>   
I will test this during the weekend because if this works it will solve 
a lot of the problems I am currently having with openvpn.

> See /usr/share/selinux/devel/include/support for the domain transition
> and file permission macros.
>   
I will look at these - thanks for posting this out!
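The sketch quoted above, filled out into a module that actually builds, as an added example that is not code from either poster. It keeps the names and path proposed in the thread (openvpn_sudo_exec_t, openvpn_sudo_t, /var/lib/openvpn/scripts) and adds what the sketch omits: the policy_module header, the gen_require block for types the openvpn module already owns, the system_r role statement the transition needs, and a small set of refpolicy interfaces for a shell script's runtime access. The module version, the role line and the chosen interfaces are assumptions for a Fedora/RHEL-style refpolicy; the comments also answer the direction-of-transition question above, since domtrans_pattern only changes the domain of the child process that exec()s the script.

```selinux
# --- openvpn_sudo.fc (added example; path as proposed in the thread) ---
/var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

# --- openvpn_sudo.te (added example, not code from the thread) ---
policy_module(openvpn_sudo, 1.0.0)

# Types and the role owned by other modules that this module refers to
gen_require(`
    type openvpn_t;
    type openvpn_etc_t;
    role system_r;
')

# File type for the scripts, and the domain they will run in
type openvpn_sudo_exec_t;
files_type(openvpn_sudo_exec_t)

type openvpn_sudo_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# openvpn runs as system_u:system_r:openvpn_t, so the new domain must be
# allowed for system_r or the transition fails on the role check.
role system_r types openvpn_sudo_t;

# Executing an openvpn_sudo_exec_t file from openvpn_t moves the *child*
# process into openvpn_sudo_t.  The daemon never leaves openvpn_t, so
# there is nothing to restore when the script exits.  domtrans_pattern
# also grants the child fd use, fifo read/write and sigchld towards
# openvpn_t, which a script run from the daemon needs.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Minimal runtime access for a shell script in the new domain.  Extend
# this (the "whatever access the scripts need" from the reply) from
# audit2allow output rather than widening openvpn_t itself.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)
files_read_etc_files(openvpn_sudo_t)
miscfiles_read_localization(openvpn_sudo_t)

# Scripts may read (not write) the openvpn configuration directory;
# read_files_pattern includes the dir search the sketch listed separately.
read_files_pattern(openvpn_sudo_t, openvpn_etc_t, openvpn_etc_t)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp` followed by `semodule -i openvpn_sudo.pp`, then relabel with `restorecon -R /var/lib/openvpn/scripts` and confirm with `ls -Z` that the scripts carry openvpn_sudo_exec_t. To verify the transition rule landed, `sesearch -T -s openvpn_t -t openvpn_sudo_exec_t` should list a type_transition to openvpn_sudo_t; if the scripts still run in openvpn_t afterwards, the usual cause is a missing entrypoint or role rule, which the audit log will show.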
