Tony Molloy wrote:
> On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The first
>> issue was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn. The other problem seemed to be that a TCP socket could
>> not be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn need
>> that? Unix permissions problems?
>>
>> Here's the additional policy:
>> -----------------------------
>> module openvpn 1.0;
>>
>> require {
>>     type openvpn_t;
>>     type openvpn_port_t;
>>     type openvpn_var_run_t;
>>     class capability dac_override;
>>     class tcp_socket name_connect;
>>     class dir { write search add_name };
>> }
>>
>> #============= openvpn_t ==============
>> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
>> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
>> allow openvpn_t self:capability dac_override;
>> -----------------------------
>>
>> Thanks,
>> Matt
>>
>> --
>
> Matt,
>
> Thanks very much for the policy. But as an SELinux noob, how does one actually
> use it?

Put the text above into a file named openvpn.te (note I added a line to the
original before the 'require' section, I'm not sure if it's needed). Then
execute the following commands:

checkmodule -M -m -o openvpn.mod openvpn.te
semodule_package -o openvpn.pp -m openvpn.mod   # build .pp file
semodule -i openvpn.pp                          # insert the module into the current policy

You'll need the 'checkpolicy' and 'policycoreutils' rpms installed at the very
least. That should be all there is to it.

Matt

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
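Added example, not part of the original thread: a small POSIX sh script that writes the .te module quoted in the mail to a file, checks before building that every type named in an allow rule is declared in the require block (a missing declaration is the usual reason checkmodule rejects a hand-edited module), lists the capability rules so a broad grant such as dac_override gets a second look before it is loaded, and then runs the same checkmodule / semodule_package / semodule sequence Matt gives. The function names and the script file name are my own; only the build step needs the checkpolicy and policycoreutils tools to be installed, the checks run anywhere.

```shell
#!/bin/sh
# Added example: build and load the openvpn policy module from the mail above,
# with a sanity check on the require block first. Function names are assumptions.

# Write the .te file exactly as quoted in the thread.
write_te() {
  cat > "$1" <<'EOF'
module openvpn 1.0;

require {
    type openvpn_t;
    type openvpn_port_t;
    type openvpn_var_run_t;
    class capability dac_override;
    class tcp_socket name_connect;
    class dir { write search add_name };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
EOF
}

# Every type used as source or target of an allow rule must appear as a
# "type X;" line in the require block, or checkmodule will refuse the module.
# Prints "ok", or "missing:" followed by the undeclared type names.
check_requires() {
  te="$1"
  declared=$(sed -n 's/^[[:space:]]*type[[:space:]][[:space:]]*\([A-Za-z0-9_]*\);/\1/p' "$te")
  used=$(sed -n 's/^allow[[:space:]][[:space:]]*\([A-Za-z0-9_]*\)[[:space:]][[:space:]]*\([A-Za-z0-9_]*\):.*/\1 \2/p' "$te" \
         | tr ' ' '\n' | grep -v '^self$' | sort -u)
  missing=""
  for t in $used; do
    echo "$declared" | grep -qx "$t" || missing="$missing $t"
  done
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Show the capability grants in the module; these are the rules worth
# questioning (as the mail does for dac_override) before loading.
list_capability_rules() {
  grep -E '^allow .*:capability' "$1"
}

# Compile, package and insert the module: the three commands from the mail.
build_and_load() {
  te="$1"; base="${te%.te}"
  [ "$(check_requires "$te")" = ok ] || { echo "require block incomplete" >&2; return 1; }
  command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found: install checkpolicy" >&2; return 2; }
  checkmodule -M -m -o "$base.mod" "$te" &&
  semodule_package -o "$base.pp" -m "$base.mod" &&
  semodule -i "$base.pp"
}

# Entry point: "sh build-openvpn-module.sh build" writes openvpn.te in the
# current directory, prints the capability rules, then builds and loads it.
if [ "${1:-}" = build ]; then
  write_te openvpn.te
  echo "capability rules in module:"; list_capability_rules openvpn.te
  build_and_load openvpn.te
fi
```

On dac_override specifically: the kernel consults that capability only when an ordinary DAC check on a file or directory would otherwise fail, so a denial for it usually points at something openvpn touches (the /var/run/openvpn directory, a key file) whose owner or mode bits do not match the user the daemon runs as. Correcting the ownership or the file context is the narrower fix; granting the capability lets the domain bypass mode bits on everything it can reach.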