Re: openvpn and script execution

> A possible solution would be to create domains for your scripts and allow openvpn to domain transition to the script domain when it runs the scripts.
> That way openvpn domain does not need access to run sudo but instead the script domains need it.
>   
That is precisely what I have done - I created a separate domain 
(openvpn_sudo_t) and added the necessary permissions to it, though my 
SELinux knowledge is insufficient so I do not know how to 'transition' 
openvpn_t to openvpn_sudo_t and vice versa?

The new module has the proper .fe and .fc created and has the right 
permissions (I did a 'dry' run and everything runs OK), though where it 
gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell 
SELinux that it can 'transition' to and from this new domain when it 
needs to run those scripts?

>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>> scripts - it executes successfully in that directory - no problem.
>>     
>
> Are you sure it's not one of the scripts run by init instead?
>   
Well spotted - that is exactly what happens, though the SELinux domain 
on the newly created file is openvpn_etc_rw_t (I think), so I think 
openvpn manages OK.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
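
The domain transition discussed in this message, sketched as a reference-policy type-enforcement fragment. This is an added example, not part of the original post and not the poster's module; openvpn_sudo_exec_t and the script path in the comments are assumed names, and the fragment declares openvpn_sudo_t itself only so that it is complete on its own.

```selinux
policy_module(openvpn_sudo, 1.0.0)

require {
	type openvpn_t;
}

# Domain the scripts run in (the name used in the message above).
type openvpn_sudo_t;
# Hypothetical file label for the scripts; the transition is keyed on it.
type openvpn_sudo_exec_t;

# Make openvpn_sudo_t a process domain with openvpn_sudo_exec_t as its
# entrypoint, and let it run under the system role like openvpn itself.
application_domain(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# When a process in openvpn_t executes a file labelled
# openvpn_sudo_exec_t, the new process runs in openvpn_sudo_t.
# The pattern grants execute on the file, the process transition
# permission, and the automatic type_transition rule.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The entrypoint is a script, so the new domain must be able to run
# its interpreter.
corecmd_exec_shell(openvpn_sudo_t)

# No rule is needed for the way back: the script runs as a child
# process, and when it exits openvpn is still running in openvpn_t.
# Permissions for sudo stay in openvpn_sudo_t only, so openvpn_t
# never needs them.

# Matching file-context entry (goes in the module's .fc file; the
# path is a placeholder for wherever the scripts live):
#   /path/to/openvpn/scripts/.*  --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
```

After loading the module, the scripts have to be relabelled (for example with restorecon) so that they carry the entrypoint type; until then openvpn keeps running them in its own domain.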

