openvpn and script execution

Moray Henderson Moray.Henderson at ict-software.org
Thu Sep 16 10:36:27 UTC 2010


Mr Dash Four wrote:
>> It's not difficult to make new types accessible to openvpn_t - hey, I
>> just discovered some new macros!  This looks as if it ought to be close:
>>
>> openvpn_sudo.fc
>>   /var/lib/openvpn/scripts(/.*)?  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>>
>> openvpn_sudo.te
>>   # Create types for script files and domain
>>   type openvpn_sudo_exec_t;
>>   type openvpn_sudo_t;
>>   files_type(openvpn_sudo_exec_t);
>>   domain_type(openvpn_sudo_t);
>>
>>   # Allow openvpn_t to access and run the scripts
>>   exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
>I haven't looked at this, but there is another macro I have been using
>called can_exec(...) - it is one of the first lines in openvpn.te
>
>>   # perhaps we also need one or both of these
>>   allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
>>   exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
>I think can_exec does all of this, not sure as I am not at the testing
>machine, but will check this out at first opportunity.
>
>>   # Get openvpn_t to transition the scripts to the new domain
>>   domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>>
>Is this transition in both directions? In other words, once the
>transition from openvpn_t -> openvpn_sudo_t has been made and the
>scripts have done their job, would the old (openvpn_t) domain be
>restored then?

I would expect that the openvpn daemon running in openvpn_t would fork a
new process for the script.  The kernel would transition the new script
process to openvpn_sudo_t, leaving the openvpn daemon in openvpn_t.
When the script ends, its process ends.  Nothing should need to be
restored.

>> You put your scripts in /var/lib/openvpn/scripts.  If the scripts are
>> installed from rpm and openvpn_sudo policy is already loaded, they will
>> automatically get the correct context.  Otherwise you use
>>
>>   restorecon -r /var/lib/openvpn/scripts
>>
>> once the policy is loaded.
>>
>> Assuming this works (I haven't tested it) to get your scripts accessible
>> and running in the right context, you would then work out whatever
>> access the scripts need to run, and add that to openvpn_sudo.te too.
>>
>I will test this during the weekend because if this works it will solve
>a lot of my problems I am currently having with openvpn.
>
>> See /usr/share/selinux/devel/include/support for the domain transition
>> and file permission macros.
>>
>I will look at these - thanks for posting this out!
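The module sketched in the quoted exchange, written out end to end as an added example (this is not code from the thread, from the openvpn package, or from the reference policy). It assembles an openvpn_sudo.te and openvpn_sudo.fc that give openvpn_t a domain transition into openvpn_sudo_t when it executes a file labelled openvpn_sudo_exec_t, builds the module with the refpolicy devel Makefile, loads it, relabels the script directory, and shows the resulting transition rule with sesearch. It assumes a Fedora/RHEL-style layout (/usr/share/selinux/devel, openvpn_t and openvpn_etc_t already defined by the loaded openvpn module), the /var/lib/openvpn/scripts path from the thread, and that the helpers are shell scripts, which is why the domain is allowed to execute the shell: for a `#!` script the script file is the entrypoint and the interpreter runs in the new domain. The module name openvpn_sudo and the extra read access to openvpn_etc_t are choices made here, not something the thread settled on.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes: refpolicy devel tree at /usr/share/selinux/devel, the openvpn
# module already loaded (openvpn_t, openvpn_etc_t), helper scripts under
# /var/lib/openvpn/scripts (path from the thread; everything else assumed).
set -eu

SCRIPT_DIR=/var/lib/openvpn/scripts
MODULE=openvpn_sudo

# Type enforcement source for the module, written to stdout.
gen_te() {
    cat <<'EOF'
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	type openvpn_t;
	type openvpn_etc_t;
')

# Domain for the helper scripts and the on-disk type of the script files.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
files_type(openvpn_sudo_exec_t)
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# The helpers are shell scripts: the new domain must be able to run the
# interpreter and the usual utilities the scripts call.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# openvpn_t execs a file of type openvpn_sudo_exec_t and the child process
# is labelled openvpn_sudo_t. The daemon stays in openvpn_t; the transition
# applies only to the forked script process, so nothing has to be restored.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Assumed extra access: let the scripts read config under /etc/openvpn.
# Anything further the scripts need is added here as denials show up.
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
allow openvpn_sudo_t openvpn_etc_t:file read_file_perms;
EOF
}

# File context entry: label everything under the script directory.
gen_fc() {
    printf '%s(/.*)?\t\tgen_context(system_u:object_r:openvpn_sudo_exec_t,s0)\n' "$SCRIPT_DIR"
}

# Build the .pp with the refpolicy devel Makefile, load it, relabel scripts.
build_and_load() {
    tmp=$(mktemp -d)
    gen_te > "$tmp/$MODULE.te"
    gen_fc > "$tmp/$MODULE.fc"
    make -C "$tmp" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$tmp/$MODULE.pp"
    mkdir -p "$SCRIPT_DIR"
    restorecon -Rv "$SCRIPT_DIR"
}

# Check the labels on disk and the type_transition rule the module added.
verify() {
    ls -Z "$SCRIPT_DIR"
    sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process
}

# No argument: define functions only. "show" prints the sources,
# "install" builds, loads and verifies (needs root and the selinux tools).
case "${1:-}" in
    show)    gen_te; echo; gen_fc ;;
    install) build_and_load; verify ;;
    *)       : ;;
esac
```

Run it as `sh openvpn_sudo.sh show` to review the generated sources first, then `sh openvpn_sudo.sh install` as root. A script placed under /var/lib/openvpn/scripts after the module is loaded picks up openvpn_sudo_exec_t via restorecon, and the sesearch line should show `type_transition openvpn_t openvpn_sudo_exec_t:process openvpn_sudo_t;`.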
