> A possible solution would be to create domains for your scripts and allow openvpn to domain transition to the script domain when it runs the scripts.
> That way openvpn domain does not need access to run sudo but instead the script domains need it.

That is precisely what I have done - I created a separate domain (openvpn_sudo_t) and added the necessary permissions to it, though my SELinux knowledge is insufficient so I do not know how to 'transition' openvpn_t to openvpn_sudo_t and vice versa? The new module has the proper .te and .fc created and has the right permissions (I did a 'dry' run and everything runs OK), though where it gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell SELinux that it can 'transition' to and from this new domain when it needs to run those scripts?

>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>> scripts - it executes successfully in that directory - no problem.
>>
>
> Are you sure it's not one of the scripts run by init instead?

Well spotted - that is exactly what happens, though the SELinux domain on the newly created file is openvpn_etc_rw_t (I think), so I think openvpn manages OK.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
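The transition the message asks about, as an added illustration of a refpolicy-style module (this is not code from the thread or from the Fedora policy): it wires openvpn_t to the openvpn_sudo_t domain through a new entrypoint file type, and assumes the scripts live under /etc/openvpn/scripts and that the module is called openvpn_sudo.

```selinux
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
    type openvpn_t;
    type openvpn_etc_rw_t;
    type sudo_exec_t;
    role system_r;
')

########################################
# Declarations
#
# openvpn_sudo_t:      the domain the route-up/down scripts run in
# openvpn_sudo_exec_t: file type that marks those scripts as entrypoints
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

########################################
# The transition itself: when openvpn_t executes a file labelled
# openvpn_sudo_exec_t, the child process starts in openvpn_sudo_t.
# This expands to the entrypoint/transition allow rules plus the
# type_transition rule. No "transition back" is needed: openvpn_t
# itself never changes domain, only the script child does.
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Plumbing between parent and child: inherited descriptors, pipes, signals.
allow openvpn_sudo_t openvpn_t:fd use;
allow openvpn_sudo_t openvpn_t:fifo_file rw_fifo_file_perms;
allow openvpn_sudo_t openvpn_t:process sigchld;
allow openvpn_t openvpn_sudo_t:process { signal sigkill };

########################################
# What the script domain may do. Only this domain, never openvpn_t,
# is allowed to execute sudo. The rules sudo itself then needs
# (setuid/setgid capabilities, reading sudoers, PAM) are the ones a
# dry run under audit2allow will show; they are not listed here.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)
can_exec(openvpn_sudo_t, sudo_exec_t)

# The scripts touch files under /etc/openvpn labelled openvpn_etc_rw_t.
manage_files_pattern(openvpn_sudo_t, openvpn_etc_rw_t, openvpn_etc_rw_t)

# Matching openvpn_sudo.fc entry (the path is an assumption):
# /etc/openvpn/scripts(/.*)?  --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
```

After building and loading the module, a `restorecon -Rv /etc/openvpn/scripts` applies the new file type so that the type_transition actually fires.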