> koji.fedoraproject.org/koji but i guess its for f14, so instead:
>
>>> kernel_request_load_module(openvpn_t)
>>>
> create module that allows openvpn_t to request the kernel to load a module:
>
> mkdir ~/myopenvpn; cd ~/myopenvpn;
> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
> echo "gen_require(\`" >> myopenvpn.te;
> echo "type openvpn_t;" >> myopenvpn.te;
> echo "')" >> myopenvpn.te;
> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
> sudo semodule -i myopenvpn.pp
>

That did the trick! It was good that you included this as a separate module so that I could test it; otherwise I would have had to patch and recompile the whole policy, then rebuild the image, in order to test it and see whether it works.

I take it that to make this a 'permanent' solution I have to patch and include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming part of the -44 policy), is that right?

> You can not define this rule for just a single particular module.

That's a pity, but I could live with that: auditd gives me detailed info when a module is loaded, so I can trace this anyway, so no big loss.

> See if you can reproduce it. unconfined_t (you) transition to the rc
> script domain when you run an rc script, the rc script domain in turn
> runs the openvpn executables.
>
> So with that in mind why would openvpn need to relabel unconfined_t
> tun_sockets?

I take it this gets called only if loading of the tun/tap module fails. Maybe in a similar way as to when dac_* gets called, only in case the 'normal' permissions are too restrictive.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
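The quoted recipe above builds the local module by hand for one known domain. As an added example (not code from the thread or from the Fedora policy), the script below goes one step further and derives the same kind of module from the module_request AVC denials that auditd records: it pulls the source domain out of each denial, emits a .te with the gen_require() block and one kernel_request_load_module() call per domain, and then runs the same make/semodule steps. The audit lines are constructed samples, and the function names (denied_module_request_domains, gen_te, build_and_install) are this example's own; the build step assumes selinux-policy-devel provides /usr/share/selinux/devel/Makefile, as in the thread.

```shell
#!/bin/sh
# Added example: generate a minimal local SELinux policy module from
# module_request AVC denials. Not code from the original thread.

# Constructed sample of what audit.log shows when a confined domain asks the
# kernel to autoload a module (openvpn_t asking for "tun"), plus one unrelated
# denial that must be ignored. These lines are made up for the example.
SAMPLE_AUDIT='type=AVC msg=audit(1291234567.123:45): avc:  denied  { module_request } for  pid=1234 comm="openvpn" kmod="tun" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1291234567.124:46): avc:  denied  { module_request } for  pid=1234 comm="openvpn" kmod="tun" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1291234567.200:47): avc:  denied  { read } for  pid=1300 comm="ntpd" name="foo" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Print the source type (third field of scontext) of every module_request
# denial in the audit log given as $1, one per line, deduplicated.
denied_module_request_domains() {
    grep 'denied *{ *module_request *}' "$1" \
        | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
        | sort -u
}

# Emit policy source for a module named $2 (default: mymodreq): declare each
# domain in gen_require() and call the refpolicy interface for it, exactly as
# the hand-written myopenvpn.te in the thread does. Fails if nothing matched.
gen_te() {
    log="$1"; name="${2:-mymodreq}"
    domains=$(denied_module_request_domains "$log")
    [ -n "$domains" ] || return 1
    printf 'policy_module(%s, 1.0.0)\n\ngen_require(`\n' "$name"
    for d in $domains; do printf '\ttype %s;\n' "$d"; done
    printf "')\n\n"
    for d in $domains; do printf 'kernel_request_load_module(%s)\n' "$d"; done
}

# Compile and load the module with the same steps as the thread. Needs the
# selinux-policy-devel Makefile and root; not exercised by the test below.
build_and_install() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    gen_te "$1" "$2" > "$2.te" || return 1
    make -f /usr/share/selinux/devel/Makefile "$2.pp" && sudo semodule -i "$2.pp"
}

# Stand-alone run: write the constructed sample to a file and print the .te.
f=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$f"
gen_te "$f" myopenvpn
rm -f "$f"
```

On a real host, point the functions at /var/log/audit/audit.log instead of the sample. kernel_request_load_module() expands to an allow rule for module_request on kernel_t in the system class, so after semodule -i you can confirm the rule took with setools: sesearch -A -s openvpn_t -t kernel_t -c system -p module_request. Note, as the reply in the thread says, that this permits requesting any module by name; it cannot be narrowed to just tun.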