Mr Dash Four wrote:
>> It's not difficult to make new types accessible to openvpn_t - hey, I
>> just discovered some new macros! This looks as if it ought to be close:
>>
>> openvpn_sudo.fc
>> /var/lib/openvpn/scripts(/.*)?  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
>>
>> openvpn_sudo.te
>> # Create types for script files and domain
>> type openvpn_sudo_exec_t;
>> type openvpn_sudo_t;
>> files_type(openvpn_sudo_exec_t);
>> domain_type(openvpn_sudo_t);
>>
>> # Allow openvpn_t to access and run the scripts
>> exec_files_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
> I haven't looked at this, but there is another macro I have been using
> called can_exec(...) - it is one of the first lines in openvpn.te
>
>> # perhaps we also need one or both of these
>> allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
>> exec_files_pattern(openvpn_sudo_t, openvpn_sudo_exec_t, openvpn_sudo_exec_t);
>>
> I think can_exec does all of this, not sure as I am not at the testing
> machine, but will check this out at first opportunity.
>
>> # Get openvpn_t to transition the scripts to the new domain
>> domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t);
>>
> Is this transition in both directions? In other words, once the
> transition from openvpn_t -> openvpn_sudo_t has been made and the
> scripts have done their job, would the old (openvpn_t) domain be
> restored then?

I would expect that the openvpn daemon running in openvpn_t would fork a
new process for the script. The kernel would transition the new script
process to openvpn_sudo_t, leaving the openvpn daemon in openvpn_t. When
the script ends, its process ends. Nothing should need to be restored.

>> You put your scripts in /var/lib/openvpn/scripts. If the scripts are
>> installed from rpm and openvpn_sudo policy is already loaded, they will
>> automatically get the correct context. Otherwise you use
>>
>> restorecon -r /var/lib/openvpn/scripts
>>
>> once the policy is loaded.
>>
>> Assuming this works (I haven't tested it) to get your scripts accessible
>> and running in the right context, you would then work out whatever
>> access the scripts need to run, and add that to openvpn_sudo.te too.
>>
> I will test this during the weekend because if this works it will solve
> a lot of my problems I am currently having with openvpn.
>
>> See /usr/share/selinux/devel/include/support for the domain transition
>> and file permission macros.
>>
> I will look at these - thanks for posting this out!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
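The module sketched in the quoted messages, assembled into a loadable form with the build, load and relabel steps, as an added example that is not code from the thread or from the Fedora policy. It assumes the policy devel Makefile under /usr/share/selinux/devel is installed and that openvpn_t and openvpn_etc_t exist in the loaded policy; the role assignment, domain_entry_file and the corecmd_* lines go beyond the thread's sketch and are assumptions about what a shell script run by openvpn will need.

```shell
# Added example, not from the thread: writes the openvpn_sudo module the
# thread sketches, builds it with the refpolicy devel Makefile, loads it,
# relabels the scripts and shows the resulting type_transition rule.
set -eu

# Write openvpn_sudo.te and openvpn_sudo.fc into the directory given as $1.
write_openvpn_sudo_module() {
    mkdir -p "$1"
    cat > "$1/openvpn_sudo.te" <<'EOF'
policy_module(openvpn_sudo, 1.0)

gen_require(`
    type openvpn_t;
    type openvpn_etc_t;
')

# Types for the script files and for the domain the scripts run in
type openvpn_sudo_exec_t;
files_type(openvpn_sudo_exec_t)
type openvpn_sudo_t;
domain_type(openvpn_sudo_t)
domain_entry_file(openvpn_sudo_t, openvpn_sudo_exec_t)
# openvpn runs under system_r, so the new domain must be valid in that role
role system_r types openvpn_sudo_t;

# openvpn_t forks and execs a script; the kernel places the child process in
# openvpn_sudo_t while the daemon itself stays in openvpn_t
domtrans_pattern(openvpn_t, openvpn_sudo_exec_t, openvpn_sudo_t)

# Assumed starting access for shell scripts; extend from audit denials later
corecmd_exec_shell(openvpn_sudo_t)
corecmd_exec_bin(openvpn_sudo_t)
allow openvpn_sudo_t openvpn_etc_t:dir search_dir_perms;
EOF
    cat > "$1/openvpn_sudo.fc" <<'EOF'
/var/lib/openvpn/scripts(/.*)?  gen_context(system_u:object_r:openvpn_sudo_exec_t,s0)
EOF
}

# Build, load and verify (run as root on the target host).
build_and_load() {
    cd "$1"
    make -f /usr/share/selinux/devel/Makefile openvpn_sudo.pp
    semodule -i openvpn_sudo.pp
    restorecon -Rv /var/lib/openvpn/scripts
    ls -Z /var/lib/openvpn/scripts
    # Shows the type_transition openvpn_t -> openvpn_sudo_t on the script type
    sesearch -T -s openvpn_t -t openvpn_sudo_exec_t -c process
}
```

Call write_openvpn_sudo_module with a working directory and then build_and_load on the same directory; if a script later needs more access, audit2allow on the denials is the usual next step.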