David Hollis wrote:
On Thu, 2004-12-09 at 18:10 -0500, David Hollis wrote:
Doesn't drop in cleanly with the targeted policy. It also wants the ifconfig, which wants proc_net_t and run_init_t stuff that isn't in the targeted policy. I've wrapped the call to ifconfig_exec_t in an if ('ifconfig.te....') call so that it builds properly with the targeted policy. It builds, and labels the files, so that's a start! Next question is if it actually works :)
A quick test turns up that I need to change the line for self:capability to:
allow openvpn_t self:capability { net_admin setgid setuid };
To allow the daemon to switch to the nobody user.

I added this to the Rawhide policy. If you are going to be experimenting with targeted policy, you might want to grab the one in rawhide, since this would have the proc_net stuff in it. Basically FC3 is somewhat frozen for stability purposes. The new experimental stuff is in rawhide (Rewrite of can_network patches, additional proc_*_t ...)
Dan
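
Added example, not part of the original thread and not the policy authors' code: a small Python sketch of how capability denials logged for a confined daemon map onto the self:capability rule quoted above. The AVC lines, PIDs and timestamps are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (assumed log format, illustrative values only).
SAMPLE_LOG = """\
audit(1102633801.101:0): avc:  denied  { setgid } for  pid=2211 exe=/usr/sbin/openvpn capability=6 scontext=root:system_r:openvpn_t tcontext=root:system_r:openvpn_t tclass=capability
audit(1102633801.102:0): avc:  denied  { setuid } for  pid=2211 exe=/usr/sbin/openvpn capability=7 scontext=root:system_r:openvpn_t tcontext=root:system_r:openvpn_t tclass=capability
audit(1102633801.090:0): avc:  denied  { net_admin } for  pid=2211 exe=/usr/sbin/openvpn capability=12 scontext=root:system_r:openvpn_t tcontext=root:system_r:openvpn_t tclass=capability
audit(1102633801.080:0): avc:  denied  { read } for  pid=2211 exe=/usr/sbin/openvpn name=hosts dev=hda2 ino=1234 scontext=root:system_r:openvpn_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


def self_rules(log_text, tclass="capability"):
    """Collect denied permissions where a domain acts on itself for one class."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != tclass:
            continue  # not an AVC denial, or a different object class
        src, tgt = type_of(m.group("scon")), type_of(m.group("tcon"))
        if src == tgt:  # source and target are the same domain: a "self" rule
            perms[src].update(m.group("perms").split())
    return {domain: sorted(p) for domain, p in perms.items()}


def render(rules, tclass="capability"):
    """Format the collected permissions as allow rules, one per domain."""
    return [
        f"allow {domain} self:{tclass} {{ {' '.join(p)} }};"
        for domain, p in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in render(self_rules(SAMPLE_LOG)):
        print(rule)
```

Review each collected permission before granting it: setuid and setgid here exist only so the daemon can drop to an unprivileged user after startup.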