Mr Dash Four wrote:
>> A possible solution would be to create domains for your scripts and
>> allow openvpn to domain transition to the script domain when it runs the
>> scripts.
>> That way openvpn domain does not need access to run sudo but instead the
>> script domains need it.
>>
> That is precisely what I have done - I created a separate domain
> (openvpn_sudo_t) and added the necessary permissions to it, though my
> SELinux knowledge is insufficient so I do not know how to 'transition'
> openvpn_t to openvpn_sudo_t and vice versa?

I've been following this thread with interest - I'm probably going to have
to set up something similar before long. I'm no expert myself, but I think
it works something like this:

You create two types, domain type openvpn_sudo_t and file type
openvpn_sudo_exec_t. You make your script openvpn_sudo_exec_t, and use

    domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
    domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

in your policy module to tell openvpn_t to transition to openvpn_sudo_t when
it runs a script of type openvpn_sudo_exec_t. (The refpolicy macro takes
its arguments in the order source domain, entrypoint type, new domain.)

> The new module has the proper .te and .fc created and has the right
> permissions (I did a 'dry' run and everything runs OK), though where it
> gets a bit 'foggy' for me is how to 'link' it with openvpn_t and tell
> SELinux that it can 'transition' to and from this new domain when it
> needs to run those scripts?
>
>>> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
>>> scripts - it executes successfully in that directory - no problem.
>>>
>>
>> Are you sure it's not one of the scripts run by init instead?
>>
> Well spotted - that is exactly what happens, though the SELinux domain
> on the newly created file is openvpn_etc_rw_t (I think), so I think
> openvpn manages OK.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
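The transition sketched in the reply above, as an added worked example that is not part of the thread and not Mr Dash Four's module: a shell script that writes a complete minimal .te and .fc pair for an openvpn_sudo module and shows the commands to build and load it on a refpolicy-based system such as Fedora. The script directory /etc/openvpn/scripts, the module name openvpn_sudo, and the use of the corecmd_exec_shell/corecmd_exec_bin interfaces are assumptions; the allow rules that let openvpn_sudo_t itself run sudo are the ones the thread says were already worked out and are deliberately left out.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a minimal SELinux
# policy module so that openvpn_t transitions into a separate openvpn_sudo_t
# domain whenever it executes a script labelled openvpn_sudo_exec_t.
# Assumptions: script directory /etc/openvpn/scripts, module name openvpn_sudo.
set -eu

# write_openvpn_sudo_module DIR: write openvpn_sudo.te and openvpn_sudo.fc into DIR.
write_openvpn_sudo_module() {
    dir=$1
    mkdir -p "$dir"

    # Type enforcement file. The quoted heredoc keeps the M4 backtick quotes literal.
    cat > "$dir/openvpn_sudo.te" <<'EOF'
policy_module(openvpn_sudo, 1.0)

gen_require(`
	type openvpn_t;
	role system_r;
')

# The new domain and the entrypoint type for the scripts openvpn runs.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# Macro arguments are (domain, entrypoint, newdomain): when openvpn_t executes
# a file of type openvpn_sudo_exec_t the child runs as openvpn_sudo_t. When the
# script exits, openvpn is still openvpn_t; no reverse transition is needed.
domain_auto_trans(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# openvpn runs under system_r, so the new domain must be permitted in that role.
role system_r types openvpn_sudo_t;

# The scripts are shell scripts, so the new domain must run the interpreter
# and the binaries it calls (assumed interfaces from corecommands.if).
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)

# Rules letting openvpn_sudo_t run sudo go here (already present in the
# poster's own module; omitted from this example).
EOF

    # File contexts: label regular files in the script directory as the entrypoint type.
    cat > "$dir/openvpn_sudo.fc" <<'EOF'
/etc/openvpn/scripts/.*	--	gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
EOF
}

# build_and_install DIR: compile with the refpolicy devel Makefile, load the
# module and relabel the scripts so the transition takes effect.
build_and_install() {
    cd "$1"
    make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp
    semodule -i openvpn_sudo.pp
    restorecon -Rv /etc/openvpn/scripts
}

# Usage: sh openvpn_sudo_module.sh /path/to/module/dir [install]
if [ -n "${1:-}" ]; then
    write_openvpn_sudo_module "$1"
    if [ "${2:-}" = "install" ]; then
        build_and_install "$1"
    fi
fi
```

After loading, `ls -Z /etc/openvpn/scripts` should show openvpn_sudo_exec_t on the scripts, and a script started by openvpn will appear in `ps -eZ` as openvpn_sudo_t while it runs. The "vice versa" part of the question needs no rule: the transition only applies to the child process, and openvpn itself never leaves openvpn_t. The `role system_r types` line is the piece most often forgotten; without it the execve is denied even though the type_transition rule is present.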