I am trying to allow OpenVPN to use Amazon Simple Notification Service (SNS), so that each time a client connects to the VPN, OpenVPN triggers a bash script that will use Amazon SNS.

Amazon SNS is a Java program launched via bash scripts. It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar. OpenVPN launches a script in /etc/openvpn/client-connect.

OpenVPN runs confined and I don't want to poke a big hole just to run SNS. So I tried to "confine" SNS and allow the transition from OpenVPN, but it didn't go well (config files below). I wonder if it could be just as good to allow OpenVPN to escape its confinement only to call the relevant SNS script?

From documentation and audit2allow I got to these configuration files. But it still doesn't authorize the script to run, and now the messages trigger errors in audit2allow:

libsepol.mls_from_string: invalid MLS context
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:proc_t: to sid
libsepol.context_from_record: type op is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
libsepol.context_from_record: type openvpn_ is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:openvpn_:s0 to sid
libsepol.context_from_record: type shell_e is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:shell_e:s0 to sid

$ cat amz_sns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*	--	gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?		gen_context(system_u:object_r:amz_sns_lib_t,s0)

$ cat amz_sns.te
policy_module(amz_sns, 1.0.0)

require {
	type openvpn_t;
	type openvpn_tmp_t;
	type shell_exec_t;
}

type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;

# Interface calls are m4 macros and take no trailing semicolon
files_type(amz_sns_lib_t)
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };

# Transition from the OpenVPN domain into the SNS domain when the exec_t file is run
domain_auto_trans(openvpn_t, amz_sns_exec_t, amz_sns_t)
role system_r types amz_sns_t; # ???

# The child process sends a signal to its parent as it dies
allow amz_sns_t openvpn_t:process sigchld;
allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug
allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans }; # Bash exec

Bruno

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
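The libsepol errors quoted above come from context strings that are not well formed: one has an empty MLS level (`system_u:object_r:proc_t:`) and others have type names cut short (`op`, `openvpn_`, `shell_e`), which looks like truncated AVC records being fed to audit2allow. The following is an added example, not part of the original post, that pre-screens audit lines for such damaged `scontext`/`tcontext` values so they can be dropped or re-collected before running audit2allow. It assumes the refpolicy naming conventions (`_r` roles, `_t` types) and a `user:role:type:level` layout; the audit lines are constructed samples.

```python
import re

# Constructed sample AVC records (not from the post); lines 2 and 3 carry
# damaged contexts of the kind audit2allow rejected in the thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1300000000.001:101): avc:  denied  { execute } for  pid=4242 comm="openvpn" name="sns.sh" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:amz_sns_exec_t:s0 tclass=file
type=AVC msg=audit(1300000000.002:102): avc:  denied  { read } for  pid=4243 comm="sh" scontext=system_u:system_r:amz_sns_t:s0 tcontext=system_u:object_r:proc_t: tclass=file
type=AVC msg=audit(1300000000.003:103): avc:  denied  { getattr } for  pid=4243 comm="sh" scontext=system_u:system_r:amz_sns_t:s0 tcontext=system_u:object_r:openvpn_:s0 tclass=file
"""

# MLS level: s0, s0:c0.c1023, s0-s0:c0.c1023, s2:c1,c5 ...
LEVEL_RE = re.compile(
    r"^s\d+(?::c\d+(?:[.,]c\d+)*)?(?:-s\d+(?::c\d+(?:[.,]c\d+)*)?)?$")
CONTEXT_RE = re.compile(r"\b([st]context)=(\S+)")


def check_context(ctx):
    """Return a list of problems found in one user:role:type:level string
    (empty list if it looks well formed)."""
    fields = ctx.split(":", 3)  # the level itself may contain ':' (categories)
    if len(fields) < 4:
        return ["too few fields (expected user:role:type:level)"]
    _user, role, typ, level = fields
    problems = []
    if not role.endswith("_r"):
        problems.append(f"role {role!r} does not end in _r (truncated?)")
    if not typ.endswith("_t"):
        problems.append(f"type {typ!r} does not end in _t (truncated?)")
    if level == "":
        problems.append("empty MLS level (truncated?)")
    elif not LEVEL_RE.match(level):
        problems.append(f"malformed MLS level {level!r}")
    return problems


def scan_avc(text):
    """Return (line number, field, context, problems) for every damaged
    scontext/tcontext in a block of audit log text."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        for key, ctx in CONTEXT_RE.findall(line):
            probs = check_context(ctx)
            if probs:
                bad.append((n, key, ctx, probs))
    return bad


if __name__ == "__main__":
    for n, key, ctx, probs in scan_avc(SAMPLE_AVC):
        print(f"line {n}: {key}={ctx}: {'; '.join(probs)}")
```

Records flagged here cannot be converted by libsepol anyway, so filtering them out (e.g. `grep -v` on the offending contexts) lets audit2allow process the remaining denials.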