On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
> I am trying to allow OpenVPN to use Amazon Simple Notification Service
> (SNS), so that each time a client connects to the VPN, OpenVPN
> triggers a bash script that will use Amazon SNS.
>
> Amazon SNS is a Java program launched via bash scripts.
> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
>
> OpenVPN launches a script in /etc/openvpn/client-connect.
>
> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
>
> So I tried to "confine" SNS and allow the transition from OpenVPN, but
> it didn't go well. (config files below)
> I wonder if it could be just as good to allow OpenVPN to escape its
> confinement to only call the relevant SNS script?
>
> From documentation and audit2allow I got to these configuration files.
> But it still doesn't authorize the script to run, and now the messages
> trigger errors in audit2allow:
>
> libsepol.mls_from_string: invalid MLS context
> libsepol.mls_from_string: could not construct mls context structure
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:proc_t: to sid
> libsepol.context_from_record: type op is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
> libsepol.context_from_record: type openvpn_ is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:openvpn_:s0 to sid
> libsepol.context_from_record: type shell_e is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:shell_e:s0 to sid

Strange question maybe, but what text editor did you use to create this policy?
It almost seems that your amz_sns.fc messes up the file context specifications
(some clients append hidden symbols). Also make sure you end your fc file with a
newline.

> $ cat amz_sns.fc
> /opt/aws/SimpleNotificationServiceCli.*/bin/.* -- gen_context(system_u:object_r:amz_sns_exec_t,s0)
> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)? gen_context(system_u:object_r:amz_sns_lib_t,s0)
>
> $ cat amz_sns.te
> policy_module(amz_sns, 1.0.0)
>
> require {
>     type openvpn_t;
>     type openvpn_tmp_t;
>     type shell_exec_t;
> }
>
> type amz_sns_t;
> type amz_sns_exec_t;
> type amz_sns_lib_t;
>
> # Interface and macro calls take no trailing semicolon; the expansion supplies its own.
> files_type(amz_sns_lib_t)
>
> domain_type(amz_sns_t)
> domain_entry_file(amz_sns_t, amz_sns_exec_t)
>
> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
> # openvpn_t executing a file labelled amz_sns_exec_t transitions into amz_sns_t
> domain_auto_trans(openvpn_t, amz_sns_exec_t, amz_sns_t)
>
> role system_r types amz_sns_t; # ??? (needed: openvpn_t runs in system_r, and the new domain must be allowed in that role)
>
> # The child process sends a signal to its parent as it dies
> allow amz_sns_t openvpn_t:process sigchld;
>
> allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug
>
> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans }; # Bash exec
>
> Bruno
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
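As an added example (not from the thread), a POSIX shell check for the .fc problems the reply raises: hidden non-ASCII or control bytes, a missing final newline, and entries wrapped so that gen_context() no longer sits on the same line as its path regex. The two sample .fc files it writes are constructed here; the entry layout it checks (path regex, optional file-type flag, then gen_context() or <<none>>) is the standard refpolicy .fc format.

```shell
#!/bin/sh
# Check a refpolicy .fc file for: hidden non-ASCII bytes, a missing final newline,
# and gen_context() wrapped off its path line. Exit 0 when clean, 1 otherwise.
check_fc_file() {
    f=$1
    rc=0
    # 1. Anything left after deleting printable ASCII, tab and newline is a hidden byte.
    hidden=$(( $(LC_ALL=C tr -d '[:print:]\t\n' <"$f" | wc -c) ))
    if [ "$hidden" -gt 0 ]; then
        echo "$f: $hidden hidden byte(s); use 'cat -A' or 'od -c' to locate them"
        rc=1
    fi
    # 2. Command substitution strips a trailing newline, so a non-empty result
    #    means the last byte of the file is something else.
    if [ -n "$(tail -c1 "$f")" ]; then
        echo "$f: missing trailing newline"
        rc=1
    fi
    # 3. Each non-blank, non-comment line must be:
    #    <path regex> [-- | -d | -l | -c | -b | -s | -p] gen_context(...) | <<none>>
    if LC_ALL=C grep -n -v -E \
        '^[[:space:]]*(#|$)|^[^[:space:]]+([[:space:]]+-[-dlcbsp])?[[:space:]]+(gen_context\([^)]*\)|<<none>>)[[:space:]]*$' \
        "$f"; then
        echo "$f: the line(s) above are not well-formed file context entries"
        rc=1
    fi
    return $rc
}

# Constructed samples (written with printf so every byte is exact), not the
# files as sent in the thread: $good_fc is clean, $bad_fc has all three defects.
write_samples() {
    good_fc=$(mktemp); bad_fc=$(mktemp)
    printf '%s\n' \
      '/opt/aws/SimpleNotificationServiceCli.*/bin/.* -- gen_context(system_u:object_r:amz_sns_exec_t,s0)' \
      '/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)? gen_context(system_u:object_r:amz_sns_lib_t,s0)' >"$good_fc"
    # First entry wrapped after "--", a U+00A0 no-break space (bytes C2 A0) instead
    # of a real space in the second entry, and no final newline.
    printf '%s\n%s\n%s\302\240%s' \
      '/opt/aws/SimpleNotificationServiceCli.*/bin/.* --' \
      'gen_context(system_u:object_r:amz_sns_exec_t,s0)' \
      '/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?' \
      'gen_context(system_u:object_r:amz_sns_lib_t,s0)' >"$bad_fc"
}

write_samples
check_fc_file "$good_fc" && echo "$good_fc: clean"
check_fc_file "$bad_fc" || echo "$bad_fc: rejected as expected"
rm -f "$good_fc" "$bad_fc"
```

Run it against the real amz_sns.fc with `check_fc_file /path/to/amz_sns.fc` before `make -f /usr/share/selinux/devel/Makefile`; a wrapped entry or a stray byte shows up here as a listed line rather than as a libsepol context error later.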