On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
> I had to add the following module before openvpn would work. The first
> issue was that openvpn didn't have permission to write a .pid file to
> /var/run/openvpn. The other problem seemed to be that a TCP socket could
> not be created (the name_connect part).
>
> The dac_override is something that I don't get. Why would openvpn need
> that? Unix permissions problems?
>
> Here's the additional policy:
> -----------------------------
> require {
>         type openvpn_t;
>         type openvpn_port_t;
>         type openvpn_var_run_t;
>         class capability dac_override;
>         class tcp_socket name_connect;
>         class dir { write search add_name };
> }
>
> #============= openvpn_t ==============
> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> allow openvpn_t self:capability dac_override;
> -----------------------------
>
> Thanks,
> Matt
>
> --

Matt,

Thanks very much for the policy. But as an SELinux noob, how does one actually use it?

Regards,

Tony

> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
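
Added example, not part of the original thread or written by either poster: one way to turn the rules quoted above into a loadable policy module with the standard checkmodule, semodule_package and semodule tools. The module name "localopenvpn", the version "1.0" and the script name are assumptions; the post gives none of them.

```shell
#!/bin/sh
# Added example: wrap the posted rules in a loadable module and install it.
# MODULE_NAME is an assumed name; the post does not name the module.
MODULE_NAME="localopenvpn"

# Write the type-enforcement source into directory $1. The rules are the
# ones from the post; only the leading "module" statement is added, because
# checkmodule -m requires it.
write_te() {
    cat > "$1/$MODULE_NAME.te" <<EOF
module $MODULE_NAME 1.0;

require {
        type openvpn_t;
        type openvpn_port_t;
        type openvpn_var_run_t;
        class capability dac_override;
        class tcp_socket name_connect;
        class dir { write search add_name };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
EOF
}

# Compile, package and load the module (run as root on the SELinux host).
build_and_load() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE_NAME.mod" "$dir/$MODULE_NAME.te" || return 1
    semodule_package -o "$dir/$MODULE_NAME.pp" -m "$dir/$MODULE_NAME.mod" || return 1
    semodule -i "$dir/$MODULE_NAME.pp" || return 1
    # Confirm the module is now listed among the installed modules.
    semodule -l | grep "$MODULE_NAME"
}

# Usage: sh install-openvpn-policy.sh install [workdir]
if [ "${1:-}" = "install" ]; then
    workdir=${2:-.}
    write_te "$workdir" && build_and_load "$workdir"
fi
```

The module can be removed again with `semodule -r localopenvpn`.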