> I wouldn't alter openvpn.te from refpolicy; I leave the standard stuff
> alone and create any extensions in a specific policy for my servers.

Yep, my thoughts exactly!

> It's not difficult to make new types accessible to openvpn_t - hey, I
> just discovered some new macros! This looks as if it ought to be close:
>
> openvpn_sudo.fc
> /var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>
> openvpn_sudo.te
> # Create types for script files and domain
> type openvpn_sudo_exec_t;
> type openvpn_sudo_t;
> files_type(openvpn_sudo_exec_t);
> domain_type(openvpn_sudo_t);
>
> # Allow openvpn_t to access and run the scripts
> exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);

I haven't looked at this, but there is another macro I have been using called can_exec(...) - it is one of the first lines in openvpn.te.

> # perhaps we also need one or both of these
> allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
> exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);

I think can_exec does all of this; not sure, as I am not at the testing machine, but I will check this out at the first opportunity.

> # Get openvpn_t to transition the scripts to the new domain
> domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);

Is this transition in both directions? In other words, once the transition from openvpn_t -> openvpn_sudo_t has been made and the scripts have done their job, would the old (openvpn_t) domain be restored then?

> You put your scripts in /var/lib/openvpn/scripts. If the scripts are
> installed from rpm and openvpn_sudo policy is already loaded, they will
> automatically get the correct context. Otherwise you use
>
> restorecon -r /var/lib/openvpn/scripts
>
> once the policy is loaded.
>
> Assuming this works (I haven't tested it) to get your scripts accessible
> and running in the right context, you would then work out whatever
> access the scripts need to run, and add that to openvpn_sudo.te too.

I will test this during the weekend, because if this works it will solve a lot of the problems I am currently having with openvpn.

> See /usr/share/selinux/devel/include/support for the domain transition
> and file permission macros.

I will look at these - thanks for posting this out!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
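The sketch quoted in the thread, expanded into a complete loadable module. This is an added example written for this page, not code from either poster or from refpolicy; it assumes the refpolicy openvpn module is loaded (it provides openvpn_t and openvpn_etc_t) and that the script directory is the one named in the thread. The allow rules given to the script domain itself are a constructed starting set, not something the thread specifies; in practice they are refined from AVC denials. Two points the example makes explicit: domtrans_pattern is applied at execve, so the child script runs in openvpn_sudo_t and the parent openvpn process never leaves openvpn_t (there is nothing to restore, the child simply exits), and can_exec grants execute_no_trans, i.e. it lets the caller run the file in its own domain without any transition, so it is not a substitute for domtrans_pattern when a separate domain is the goal.

```selinux
# ---- openvpn_sudo.fc ----
# Label the script directory and everything below it as the entrypoint type.
/var/lib/openvpn/scripts(/.*)?	gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)

# ---- openvpn_sudo.te ----
policy_module(openvpn_sudo, 1.0.0)

########################################
#
# Declarations
#

# Types owned by refpolicy's openvpn module; this module only refers to them.
gen_require(`
	type openvpn_t;
	type openvpn_etc_t;
')

# Script files and the domain they run in.
type openvpn_sudo_t;
type openvpn_sudo_exec_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
files_type(openvpn_sudo_exec_t)

# openvpn runs under system_r; without this the transition is refused
# because the role is not authorized for the new type.
role system_r types openvpn_sudo_t;

########################################
#
# Local policy
#

# openvpn_t may search the script directory and execute the scripts.
# The directory carries the same type as the files (see the .fc above),
# so one type serves both the dir and file arguments.
exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)

# On execve of an openvpn_sudo_exec_t file by openvpn_t, the child process
# starts in openvpn_sudo_t. This is one-way and per-exec: the parent
# openvpn_t process is untouched, so nothing is "restored" when the script
# finishes. domtrans_pattern also allows fd inheritance, pipes and SIGCHLD
# between the two domains.
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Starting set of permissions for the script domain (constructed example,
# extend from denials with audit2allow or sesearch as needed).
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
allow openvpn_sudo_t openvpn_etc_t:file read_file_perms;
# Scripts may run helper scripts from the same directory; since source and
# target domain are the same here, no further transition takes place.
exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t)
corecmd_exec_bin(openvpn_sudo_t)
corecmd_exec_shell(openvpn_sudo_t)
files_read_etc_files(openvpn_sudo_t)
kernel_read_system_state(openvpn_sudo_t)
miscfiles_read_localization(openvpn_sudo_t)
logging_send_syslog_msg(openvpn_sudo_t)
```

With both files in one directory, the module is built and loaded with the refpolicy devel Makefile the thread already points at: `make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp`, then `semodule -i openvpn_sudo.pp`, followed by `restorecon -R /var/lib/openvpn/scripts` so existing scripts pick up openvpn_sudo_exec_t. To confirm the transition rule actually made it into the loaded policy, `sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process` should print the type_transition to openvpn_sudo_t, and `ps -eZ | grep openvpn_sudo_t` while a script runs shows the child in the new domain while the openvpn daemon itself stays in openvpn_t.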