>> You create two types, domain type openvpn_sudo_t and file type
>> openvpn_sudo_exec_t. You make your script openvpn_sudo_exec_t, and use
>>
>> domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
>> domain_auto_trans(openvpn_sudo_exec_t, openvpn_t, openvpn_sudo_t)
>>
>
> probably better to use domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)
> also make sure to declare openvpn_sudo_t a domain_type (domain_type(openvpn_sudo_t))

I am assuming that the scripts, which are to be executed by openvpn, should be labelled openvpn_sudo_exec_t, right? If so, how is the file permission going to be set (both scripts are located in /var/lib/openvpn, which has the openvpn_etc_t type; uid:gid is set to root:_openvpn)?

> The domtrans example only applies for scripts run by openvpn
> for a script run by init you'd use init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)
>
> note different types since it does not need sudo (runs as root)

Same question - would I label the scripts executed by /etc/init.d/openvpn openvpn_script_exec_t? As those are also in the same /var/lib/openvpn directory, how is this file/SELinux access going to be sorted?

I also take it these new types (openvpn_sudo_exec_t, openvpn_script_exec_t) and the above statements need to be included in the new openvpn_sudo module, not openvpn, right?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
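The pieces discussed in this thread (domain_type, domain_entry_file, domtrans_pattern, init_daemon_domain, and the labelling of scripts that share a directory) fit together in one small policy module. The module below is an added example written for this page, not policy from the thread, from the Fedora openvpn module, or from refpolicy. The module name openvpn_sudo is taken from the thread; the script file names up.sh and init-hook.sh under /var/lib/openvpn, and the corecmd_exec_shell() rules, are assumptions, since the thread does not give the script names or what the scripts do. Both files (.te and .fc) are shown in one block, separated by comments.

```selinux
# openvpn_sudo.te
# Added example module (not from the thread or the shipped openvpn policy).
# Assumption: built as a separate local module that refers to the existing
# openvpn_t domain declared by the distribution's openvpn module.
policy_module(openvpn_sudo, 1.0.0)

gen_require(`
	type openvpn_t;
')

########################################
#
# Declarations
#

# Domain and entrypoint type for the script that openvpn itself runs
# (the one that goes on to call sudo). domain_type() marks the new type
# as a process domain; domain_entry_file() marks openvpn_sudo_exec_t as
# a file type that may serve as an entrypoint into openvpn_sudo_t.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)

# Separate domain and entrypoint type for the script that /etc/init.d/openvpn
# runs as root. init_daemon_domain() declares the domain, makes the exec type
# an entrypoint, and sets up the transition from init/initrc into it.
type openvpn_script_t;
type openvpn_script_exec_t;
init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)

########################################
#
# Policy
#

# When openvpn_t executes a file labelled openvpn_sudo_exec_t, the process
# transitions to openvpn_sudo_t. domtrans_pattern() emits the execute,
# entrypoint, process transition and type_transition rules together.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# The transitions say nothing about what the new domains may do once
# entered. Assumption: both scripts are shell scripts and need a shell;
# anything beyond that (including the sudo call) is left to be added from
# AVC denials rather than granted up front.
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_shell(openvpn_script_t)

# openvpn_sudo.fc
# File contexts for the two scripts. The paths are assumptions; the thread
# only says both scripts live in /var/lib/openvpn. These exact-path entries
# are more specific than the directory-wide openvpn entry, so only the two
# scripts get the new types and the rest of /var/lib/openvpn keeps its
# existing label.
/var/lib/openvpn/up\.sh		--	gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
/var/lib/openvpn/init-hook\.sh	--	gen_context(system_u:object_r:openvpn_script_exec_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp` and `semodule -i openvpn_sudo.pp`, then run `restorecon -v /var/lib/openvpn/*` so the two scripts pick up the new labels; `ls -Z /var/lib/openvpn` should then show openvpn_sudo_exec_t and openvpn_script_exec_t only on those two files. The SELinux label is independent of the root:_openvpn ownership and the mode bits: DAC is checked first, so the openvpn process still needs execute permission on the script under the ordinary Unix permissions, and SELinux then separately checks that openvpn_t may execute openvpn_sudo_exec_t and transition to openvpn_sudo_t.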