> The way the Samba policy module does things is to define a specific
> directory for scripts:
>
> samba.fc:
> ...
> /var/lib/samba/scripts(/.*)?
> gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
> ...
>
> This way you keep the scripts separate from ordinary system binaries,
> they automatically get the correct type when installed from rpm, and you
> don't need to create a new file context every time you add a script.

OK, but my initial question still stands - both openvpn_t and openvpn_sudo_t need to have access to this directory at least. So, if I define a new script type I have to alter openvpn.te and make the directory where the scripts are located (and their new domain!) available/accessible to openvpn_t. I have to do the same with openvpn_sudo_t as well.

One other possible solution would be to leave the directory where these scripts are as openvpn_etc_t, name the scripts with this new domain and then alter the new module to have (read-only) access to openvpn_etc_t and full access to this new domain for the scripts - in this way I am not altering openvpn.te (which is part of the main policy), but I am creating a potential security hole by granting this new domain (openvpn_sudo_t) access to openvpn_etc_t which includes other (mainly configuration) files, which belong to openvpn... not as straightforward, is it? Or have I missed something?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
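The samba.fc pattern applied to OpenVPN scripts as a local policy module, added here as an illustration and not part of the thread or of the distribution policy: a dedicated exec type on the script directory plus a separate script domain that openvpn_t transitions into, so nothing needs to be granted on openvpn_etc_t as a whole. The path /etc/openvpn/scripts and the names openvpn_script_t / openvpn_script_exec_t are assumptions; the two files are shown in one block.

```selinux
# openvpn_script.fc  (hypothetical local module; the path is an assumption)
# Label the script directory and everything below it with a dedicated exec
# type, the same way samba.fc labels /var/lib/samba/scripts.
/etc/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_script_exec_t,s0)

# openvpn_script.te
policy_module(openvpn_script, 1.0)

require {
    type openvpn_t;
    type openvpn_etc_t;
    role system_r;
}

# A separate domain for the scripts and an entry-point type for their files.
type openvpn_script_t;
type openvpn_script_exec_t;
domain_type(openvpn_script_t)
domain_entry_file(openvpn_script_t, openvpn_script_exec_t)
# openvpn_t runs under system_r, so the script domain must be reachable from it.
role system_r types openvpn_script_t;

# openvpn_t may execute files of the new exec type and transitions into the
# script domain when it does. Only the entry-point type is granted, not
# openvpn_etc_t as a whole, so the rest of the configuration stays out of reach.
domtrans_pattern(openvpn_t, openvpn_script_exec_t, openvpn_script_t)

# If a script genuinely must read OpenVPN configuration, grant read only,
# explicitly, rather than folding the scripts into openvpn_etc_t.
allow openvpn_script_t openvpn_etc_t:file read_file_perms;
```

Build and load with the standard module toolchain (make -f /usr/share/selinux/devel/Makefile, semodule -i), then restorecon the script directory so existing files pick up the new label.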