OpenVPN launching scripts

Dominick Grift dominick.grift at gmail.com
Mon Jan 14 11:42:25 UTC 2013


On Mon, 2013-01-14 at 11:05 +0100, Bruno Vernay wrote:
> On Fri, Jan 11, 2013 at 1:29 PM, Dominick Grift
> <dominick.grift at gmail.com> wrote:
> > On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
> >> I am trying to allow OpenVPN to use Amazon Simple Notification Service
> >> (SNS), so that each time a client connects to the VPN, OpenVPN
> >> triggers a bash script that will use Amazon SNS.
> >>
> >> Amazon SNS is a Java program launched via bash scripts.
> >> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
> >>
> >> OpenVPN launches a script in /etc/openvpn/client-connect.
> >>
> >>
> >> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
> >>
> >> So I tried to "confine" SNS and allow the transition from OpenVPN, but
> >> it didn't go well. (config files below)
> >> I wonder if it could be just as good to allow OpenVPN to escape its
> >> confinement to only call the relevant SNS script?
> >>
> >>
> >> From documentation and audit2allow I got to these configuration files.
> >> But it still doesn't authorize the script to run and now the messages
> >> trigger errors in audit2allow:
> >>
> >> libsepol.mls_from_string: invalid MLS context
> >> libsepol.mls_from_string: could not construct mls context structure
> >> libsepol.context_from_record: could not create context structure
> >> libsepol.context_from_string: could not create context structure
> >> libsepol.sepol_context_to_sid: could not convert
> >> system_u:object_r:proc_t: to sid
> >> libsepol.context_from_record: type op is not defined
> >> libsepol.context_from_record: could not create context structure
> >> libsepol.context_from_string: could not create context structure
> >> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
> >> libsepol.context_from_record: type openvpn_ is not defined
> >> libsepol.context_from_record: could not create context structure
> >> libsepol.context_from_string: could not create context structure
> >> libsepol.sepol_context_to_sid: could not convert
> >> system_u:object_r:openvpn_:s0 to sid
> >> libsepol.context_from_record: type shell_e is not defined
> >> libsepol.context_from_record: could not create context structure
> >> libsepol.context_from_string: could not create context structure
> >> libsepol.sepol_context_to_sid: could not convert
> >> system_u:object_r:shell_e:s0 to sid
> >>
> >
> > Strange question maybe but what text editor did you use to create this
> > policy?
> >
> > It almost seems that your amz_sns.fc messes up the file context
> > specifications (some clients append hidden symbols)
> >
> > Also make sure you end your fc file with a newline
> >
> >>
> >>
> >> $ cat amz_sns.fc
> >> /opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)
> >> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?    gen_context(system_u:object_r:amz_sns_lib_t,s0)
> >>
> >>
> >> $ cat amz_sns.te
> >> policy_module( amz_sns, 1.0.0)
> >>
> >> require {
> >>         type openvpn_t;
> >>         type openvpn_tmp_t;
> >>         type shell_exec_t;
> >> }
> >>
> >> type amz_sns_t;
> >> type amz_sns_exec_t;
> >> type amz_sns_lib_t;
> >>
> >> files_type(amz_sns_lib_t);
> >>
> >> domain_type(amz_sns_t)
> >> domain_entry_file(amz_sns_t, amz_sns_exec_t)
> >>
> >> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
> >> domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );
> >>
> >> role system_r types amz_sns_t;  # ???
> >>
> >> # The child process sends a signal to its parent as it dies
> >> allow amz_sns_t openvpn_t:process sigchld;
> >>
> >> allow amz_sns_t openvpn_tmp_t:file write;   # For /tmp/debug
> >>
> >> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans };  # Bash exec
> >>
> >>
> >> Bruno
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> 
> - I used vi (it is a headless Amazon AMI free tier).
> - it ends with a new line
> - I even checked with hexdump for alien characters and it seems clean to me

Strange, ok shot in the dark but you might try cleaning up the TE file a
bit:

policy_module(amz_sns, 1.0.0)

gen_require(`
	type openvpn_t;
	type openvpn_tmp_t;
')

type amz_sns_t;
type amz_sns_exec_t;
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
role system_r types amz_sns_t;

domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)

allow amz_sns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amz_sns_t)

Also I am not sure how selinux deals with the underscore in module and type names (amz_sns)
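An added example, not part of this exchange and not either poster's code: a script that writes the two module files (the cleaned-up .te from the reply above, plus the amz_sns_lib_t type that the posted .fc labels with, and, as an assumption, corecmd_exec_bin so the wrapper script can start java), lints the .fc for the defects suspected in the thread (bytes left behind by an editor, a missing final newline, a specification broken across two lines), and then builds, installs and verifies the module. It assumes Fedora's selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile and setools' sesearch; the build step needs root and is not run by the lint.

```shell
#!/bin/sh
# Added example for the amz_sns module discussed above (not code from the
# thread). Assumes /usr/share/selinux/devel/Makefile and sesearch exist.

# One file-context specification per line: <regex> [<file type>] gen_context(...)
write_fc() {
    cat > "$1" <<'EOF'
/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?    gen_context(system_u:object_r:amz_sns_lib_t,s0)
EOF
}

# The cleaned-up .te from the reply, plus the lib type the .fc references and
# (an assumption) corecmd_exec_bin so the shell wrapper can execute java.
write_te() {
    cat > "$1" <<'EOF'
policy_module(amz_sns, 1.0.0)

gen_require(`
    type openvpn_t;
    type openvpn_tmp_t;
')

type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
files_type(amz_sns_lib_t)
role system_r types amz_sns_t;

domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)
allow amz_sns_t amz_sns_lib_t:dir list_dir_perms;
allow amz_sns_t amz_sns_lib_t:file read_file_perms;
allow amz_sns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amz_sns_t)
corecmd_exec_bin(amz_sns_t)
EOF
}

# Return 0 if the .fc is well formed, 1 (with the reasons on stderr) otherwise.
lint_fc() {
    f=$1; rc=0
    # Without a final newline the last specification is silently dropped.
    if [ -n "$(tail -c1 "$f")" ]; then
        echo "$f: missing trailing newline" >&2; rc=1
    fi
    # Bytes an editor or a paste can leave behind (CR, non-ASCII).
    if LC_ALL=C grep -q "$(printf '\r')" "$f" ||
       LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "$f: carriage return or non-ASCII byte present" >&2; rc=1
    fi
    # Every non-comment line must be a complete specification; a regex on one
    # line and its gen_context(...) on the next cannot be parsed.
    re='^/[^[:space:]]+[[:space:]]+(-[-bcdlps][[:space:]]+)?(gen_context\([a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+,s[0-9]+(:[^)]*)?\)|<<none>>)[[:space:]]*$'
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Ev "$re" || true)
    if [ -n "$bad" ]; then
        printf '%s: malformed specification(s):\n%s\n' "$f" "$bad" >&2; rc=1
    fi
    return $rc
}

# Build, install, relabel and confirm the openvpn_t -> amz_sns_t transition
# rule is in the loaded policy (needs root).
build_and_check() {
    dir=$1
    write_fc "$dir/amz_sns.fc" && write_te "$dir/amz_sns.te" &&
    lint_fc "$dir/amz_sns.fc" &&
    make -C "$dir" -f /usr/share/selinux/devel/Makefile amz_sns.pp &&
    semodule -i "$dir/amz_sns.pp" &&
    restorecon -Rv /opt/aws &&
    sesearch -T -s openvpn_t -t amz_sns_exec_t -c process
}
```

Run `lint_fc amz_sns.fc` before every `make`; the refpolicy Makefile does not check the .fc for these problems, so a broken file is only noticed when the module is loaded or when the labels fail to apply. After `build_and_check`, `ls -Z /opt/aws/SimpleNotificationServiceCli*/bin` should show amz_sns_exec_t and the sesearch line should show the type_transition from openvpn_t to amz_sns_t.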
