openvpn and script execution
Moray Henderson
Moray.Henderson at ict-software.org
Thu Sep 16 10:36:27 UTC 2010
Mr Dash Four wrote:
>> It's not difficult to make new types accessible to openvpn_t - hey, I
>> just discovered some new macros! This looks as if it ought to be close:
>>
>> openvpn_sudo.fc
>> /var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>>
>> openvpn_sudo.te
>> # Create types for script files and domain
>> type openvpn_sudo_exec_t;
>> type openvpn_sudo_t;
>> files_type(openvpn_sudo_exec_t);
>> domain_type(openvpn_sudo_t);
>>
>> # Allow openvpn_t to access and run the scripts
>> exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
>I haven't looked at this, but there is another macro I have been using
>called can_exec(...) - it is one of the first lines in openvpn.te
>
>> # perhaps we also need one or both of these
>> allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
>> exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
>I think can_exec does all of this, not sure as I am not at the testing
>machine, but will check this out at first opportunity.
>
>> # Get openvpn_t to transition the scripts to the new domain
>> domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>>
>Is this transition in both directions? In other words, once the
>transition from openvpn_t -> openvpn_sudo_t has been made and the
>scripts have done their job, would the old (openvpn_t) domain be
>restored then?
I would expect that the openvpn daemon running in openvpn_t would fork a
new process for the script. The kernel would transition the new script
process to openvpn_sudo_t, leaving the openvpn daemon in openvpn_t.
When the script ends, its process ends. Nothing should need to be
restored.
>> You put your scripts in /var/lib/openvpn/scripts. If the scripts are
>> installed from rpm and openvpn_sudo policy is already loaded, they will
>> automatically get the correct context. Otherwise you use
>>
>> restorecon -r /var/lib/openvpn/scripts
>>
>> once the policy is loaded.
>>
>> Assuming this works (I haven't tested it) to get your scripts accessible
>> and running in the right context, you would then work out whatever
>> access the scripts need to run, and add that to openvpn_sudo.te too.
>>
>I will test this during the weekend because if this works it will solve
>a lot of my problems I am currently having with openvpn.
>
>> See /usr/share/selinux/devel/include/support for the domain transition
>> and file permission macros.
>>
>I will look at these - thanks for posting this out!
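The policy sketch in the thread, assembled into one loadable module as an added illustration (this is not code from either poster; it is written against the reference-policy macros named in the thread). Two declarations that the sketch leaves out are included and commented: the gen_require block a separate module needs for types it borrows from the base openvpn module, and the role statement without which the daemon's system_r role cannot hold the new domain. The corecmd_exec_shell line is an assumed starting point for "whatever access the scripts need"; the real list comes from the denials your scripts produce.

```selinux
## openvpn_sudo.fc
## The directory and everything under it get the new file type, so the
## same type serves as both the dir argument and the file argument below.
/var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

## openvpn_sudo.te
policy_module(openvpn_sudo, 1.0)

# openvpn_t, openvpn_etc_t and system_r are declared by other modules;
# a module that uses them must require them, or the build fails.
gen_require(`
    type openvpn_t;
    type openvpn_etc_t;
    role system_r;
')

# File type for the scripts and the domain they will run in.
type openvpn_sudo_exec_t;
files_type(openvpn_sudo_exec_t)

type openvpn_sudo_t;
domain_type(openvpn_sudo_t)

# domtrans_pattern sets up the transition from the caller's side; the
# target domain still has to be allowed to enter via this file type.
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# The daemon runs as system_u:system_r:openvpn_t and the child keeps the
# role, so system_r must be permitted to hold the new domain. Without
# this the exec is denied even though every type rule is in place.
role system_r types openvpn_sudo_t;

# openvpn_t may search the script directory and execute the scripts ...
exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)

# ... and on exec the kernel labels the forked child openvpn_sudo_t.
# The daemon itself never leaves openvpn_t; when the script exits its
# process is gone, so there is nothing to "transition back".
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Access the scripts themselves need goes here. A #!/bin/sh script must
# at least be able to run its interpreter (assumed starting point);
# anything beyond that should come from audit2allow on real denials.
corecmd_exec_shell(openvpn_sudo_t)
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;

# Build, load and relabel (selinux-policy-devel provides the Makefile):
#   make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp
#   semodule -i openvpn_sudo.pp
#   restorecon -R -v /var/lib/openvpn/scripts
# Verify: ls -Z /var/lib/openvpn/scripts   (expect openvpn_sudo_exec_t)
#         ps -eZ | grep openvpn            (daemon stays in openvpn_t)
```

On the can_exec question raised in the thread: can_exec(openvpn_t, openvpn_sudo_exec_t) only grants openvpn_t permission to execute the files. It carries no type_transition, so scripts started that way keep running as openvpn_t and every extra permission they need ends up in the daemon's own domain, which is exactly what a separate script domain is meant to avoid. If the goal is the transition, domtrans_pattern (plus the entry-file and role rules above) is the right macro.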