Re: openvpn on fedora 7

Matthew Gillen wrote:
I had to add the following module before openvpn would work.  The first issue
was that openvpn didn't have permission to write a .pid file to
/var/run/openvpn.  The other problem seemed to be that a TCP socket could not
be created (the name_connect part).

The dac_override is something that I don't get.  Why would openvpn need that?  Unix permissions problems?

I believe "dac_override" means that a process running as root is trying to violate the DAC policy. Consider a file owned by user Alice with rw permissions for the owner, all else denied (600). Historically the root user is identified by the kernel and all DAC checks are bypassed. SELinux prevents processes running with root's uid from doing such things. This is a good example of SELinux attempting to turn root into just another regular user.

I've run into these things when my daemon, which is typically run as a lesser privileged user, is run as root. dac_override avcs were generated for reading all of the config files and writing to the log files (the ones that were already created).

Here's the additional policy:
-----------------------------
require {
        type openvpn_t;
        type openvpn_port_t;
        type openvpn_var_run_t;
        class capability dac_override;
        class tcp_socket name_connect;
        class dir { write search add_name };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
-----------------------------

If I'm wrong here I trust some of the more knowledgeable folks will chime in and correct me :-)

Cheers,
- Philip

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
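Added here as an illustration and not code from the thread: a small Python script that does what audit2allow did for the policy above, turning AVC denials into allow rules, and flagging dac_override for review instead of granting it silently. The AVC lines are constructed to match the three denials the post describes (the pid dir under /var/run/openvpn, the TCP name_connect, and the capability); the pids, inodes and timestamps are made up.

```python
import re
from collections import OrderedDict

# Constructed AVC denials (not taken from the thread) for the three problems
# described: the pid dir, the TCP connect, and the dac_override capability.
SAMPLE_AVCS = """\
type=AVC msg=audit(1181234567.101:31): avc:  denied  { search } for  pid=2301 comm="openvpn" name="openvpn" dev=dm-0 ino=131 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181234567.102:32): avc:  denied  { write add_name } for  pid=2301 comm="openvpn" name="openvpn.pid" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181234567.103:33): avc:  denied  { name_connect } for  pid=2301 comm="openvpn" dest=1194 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1181234567.104:34): avc:  denied  { dac_override } for  pid=2301 comm="openvpn" capability=1 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Permissions that usually point at a misconfiguration (wrong file ownership,
# or a daemon running as root) rather than something the policy should grant.
REVIEW_PERMS = {("capability", "dac_override"), ("capability", "dac_read_search")}


def seltype(context):
    """Return the type field of a context such as user:role:type:mls."""
    return context.split(":")[2]


def parse_avc(line):
    """Extract (source type, target type, class, perms) from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (seltype(m["scon"]), seltype(m["tcon"]), m["tclass"],
            set(m["perms"].split()))


def avcs_to_rules(text):
    """Merge denials per (source, target, class) into allow rules."""
    merged = OrderedDict()
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        merged.setdefault((src, tgt, tclass), set()).update(perms)
    rules = []
    for (src, tgt, tclass), perms in merged.items():
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        rule = "allow %s %s:%s %s;" % (src, target, tclass, body)
        if any((tclass, p) in REVIEW_PERMS for p in perms):
            rule += "  # REVIEW: root bypassing DAC; check file ownership first"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(avcs_to_rules(SAMPLE_AVCS)))
```

The generated rules match the three allow lines in the policy above (permission order aside); the dac_override rule carries a review marker so it is not dropped into a module unread.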
