On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
> I am trying to allow OpenVPN to use Amazon Simple Notification Service
> (SNS), so that each time a client connects to the VPN, OpenVPN
> triggers a bash script that will use Amazon SNS.
>
> Amazon SNS is a Java program launched via bash scripts.
> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
>
> OpenVPN launches a script in /etc/openvpn/client-connect.
>
>
> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
>
> So I tried to "confine" SNS and allow the transition from OpenVPN, but
> it didn't went well. (config files bellow)
> I wonder if it could be just as good to allow OpenVPN to escape its
> confine to only call the relevant SNS script ?
>
>
> From documentation and audit2allow I got to these configuration files.
> But it still doesn't authorize the script to run and now the messages
> triggers errors in audit2allow:
>
> libsepol.mls_from_string: invalid MLS context
> libsepol.mls_from_string: could not construct mls context structure
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:proc_t: to sid
> libsepol.context_from_record: type op is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
> libsepol.context_from_record: type openvpn_ is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:openvpn_:s0 to sid
> libsepol.context_from_record: type shell_e is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:shell_e:s0 to sid
>
Strange question maybe but what test editor did you use to create this
policy?
It almost seems that your amz_sns.fc messes up the file context
specifications (some clients append hidden symbols)
Also make sure you end your fc file with a newline
>
>
> $ cat amz_sns.fc
> /opt/aws/SimpleNotificationServiceCli.*/bin/.* --
> gen_context(system_u:object_r:amz_sns_exec_t,s0)
> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?
> gen_context(system_u:object_r:amz_sns_lib_t,s0)
>
>
> $ cat amz_sns.te
> policy_module( amz_sns, 1.0.0)
>
> require {
> type openvpn_t;
> type openvpn_tmp_t;
> type shell_exec_t;
> }
>
> type amz_sns_t;
> type amz_sns_exec_t;
> type amz_sns_lib_t;
>
> files_type(amz_sns_lib_t);
>
> domain_type(amz_sns_t)
> domain_entry_file(amz_sns_t, amz_sns_exec_t)
>
> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
> domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );
>
> role system_r types amz_sns_t; # ???
>
> # The child process sends a signal to its parent as it dies
> allow amz_sns_t openvpn_t:process sigchld;
>
> allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug
>
> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans
> }; # Bash exec
>
>
> Bruno
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
