On Mon, Sep 13, 2010 at 07:47:32PM +0100, Mr Dash Four wrote:
>
> >>You create two types, domain type openvpn_sudo_t and file type
> >>openvpn_sudo_exec_t. You make your script openvpn_sudo_exec_t, and use
> >>
> >>domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
> >>domain_auto_trans(openvpn_sudo_exec_t, openvpn_t, openvpn_sudo_t)
> >
> >probably better to use domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)
> >also make sure to declare openvpn_sudo_t a domain_type (domain_type(openvpn_sudo_t)
>
> I am assuming that the scripts, which are to be executed by openvpn,
> should be labelled openvpn_sudo_exec_t, right? If so, how is the

Assuming that is the executable file type you have declared for your script, yes.

> file permission going to be set (both scripts are located in
> /var/lib/openvpn which has openvpn_etc_t type, uid:gid is set to
> root:_openvpn)?

You would need to specify the file context for the paths to your scripts, example:

myopenvpn.if:

/var/lib/openvpn/script1 -- gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

then reset the path's context:

restorecon -v /var/lib/openvpn/script1

When its context (ls -alZ /var/lib/openvpn/script1) is set to openvpn_sudo_exec_t, then openvpn_t can execute it, provided you've defined the proper policy.

> >
> >The domtrans example only applies for scripts run by openvpn
> >for script run by init you'd use init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)
> >
> >note different types since it does not need sudo (runs as root)
>
> Same question - would I label the scripts executed by
> etc/init.d/openvpn openvpn_script_exec_t? As those are also in the
> same /var/lib/openvpn directory how is this file/SELinux access
> going to be sorted?

You should use a different domain and executable file type for scripts executed by init, because these domains do not need access to sudo.

myscript.te:

type myscript_t;
type myscript_exec_t;
init_daemon_domain(myscript_t, myscript_exec_t)

myscript.fc:

/var/lib/openvpn/myscript -- gen_context(system_u:object_r:myscript_exec_t,s0)

reset context:

restorecon -v /var/lib/openvpn/myscript1

That should allow init to domain transition to myscript_t when it runs /var/lib/openvpn/myscript1.

Of course it's missing much policy, but the above is the start.

>
> I also take it these new types (openvpn_sudo_exec_t,
> openvpn_script_exec_t) and the above statements need to be included
> in the new openvpn_sudo module, not openvpn, right?
>

Sure, any type you use should be declared and made usable, and types for files must be applied by specifying file contexts and resetting the files to the specified contexts.
Attachment:
pgpnMYdZKWI3x.pgp
Description: PGP signature
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
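The two halves of the answer above (a domtrans from openvpn_t for scripts openvpn runs, and init_daemon_domain for the script init runs) pulled together into one buildable module, as an added example that is not part of the thread. The module name openvpn_sudo and the paths /var/lib/openvpn/script1 and /var/lib/openvpn/myscript are taken from the thread; the .te/.fc layout, the gen_require block that brings openvpn_t into scope, and the use of the refpolicy developer Makefile at /usr/share/selinux/devel/Makefile (installed by selinux-policy-devel on Fedora) are my assumptions. The script only writes the policy sources; the build/install step runs only when that Makefile is present and deliberately adds no sudo access, since the thread leaves that policy "still missing".

```shell
#!/bin/sh
# Added example (not from the thread): generate, build and install a small
# SELinux module with two script domains for OpenVPN, one entered from
# openvpn_t and one entered from init. Assumed names/paths are noted inline.
set -eu

# Write openvpn_sudo.te and openvpn_sudo.fc into the directory given as $1.
# The module name "openvpn_sudo" is the one the thread uses (assumption).
write_openvpn_sudo_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/openvpn_sudo.te" <<'EOF'
policy_module(openvpn_sudo, 1.0)

########################################
#
# Declarations
#

# Domain for helper scripts that openvpn_t itself executes.
# domain_type/domain_entry_file make it a domain with an entry point;
# the role statement lets system_r (openvpn_t's role) enter it.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
role system_r types openvpn_sudo_t;

# Separate domain for the script run by /etc/init.d/openvpn (as root, no sudo
# needed). init_daemon_domain declares the domain, entry file and role for us.
type openvpn_script_t;
type openvpn_script_exec_t;
init_daemon_domain(openvpn_script_t, openvpn_script_exec_t)

########################################
#
# Local policy
#

# openvpn_t is owned by the openvpn module; bring it into scope (assumption:
# gen_require is used here instead of a bare require block).
gen_require(`
    type openvpn_t;
')

# openvpn_t executing an openvpn_sudo_exec_t file transitions to openvpn_sudo_t.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Access for the scripts themselves (sudo, the files they touch) is not
# included; the thread notes that policy is still to be written.
EOF

    # Per-path file contexts; restorecon applies them. Paths are from the thread.
    cat > "$dir/openvpn_sudo.fc" <<'EOF'
/var/lib/openvpn/script1    --  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
/var/lib/openvpn/myscript   --  gen_context(system_u:object_r:openvpn_script_exec_t,s0)
EOF
}

# Build and load the module, then relabel the two scripts. Returns 1 without
# doing anything if the refpolicy developer Makefile is not installed.
install_openvpn_sudo_policy() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; not building" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp )
    semodule -i "$dir/openvpn_sudo.pp"
    restorecon -v /var/lib/openvpn/script1 /var/lib/openvpn/myscript
}

# Number of distinct *_exec_t types assigned in the generated .fc (expect 2:
# one entry type per domain, which is the point the thread makes).
count_exec_types() {
    grep -o 'openvpn_[a-z]*_exec_t' "$1/openvpn_sudo.fc" | sort -u | wc -l | tr -d ' '
}

# Usage: sh this_script.sh /path/to/policy/dir
if [ -n "${1:-}" ]; then
    write_openvpn_sudo_policy "$1"
    install_openvpn_sudo_policy "$1" || true
fi
```

Once loaded, `ls -Z /var/lib/openvpn/script1` should show openvpn_sudo_exec_t and `ls -Z /var/lib/openvpn/myscript` openvpn_script_exec_t, while the rest of the directory stays openvpn_etc_t; the two scripts end up in different domains precisely because they were given different entry-point types.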