Re: OpenVPN launching scripts

On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
> I am trying to allow OpenVPN to use Amazon Simple Notification Service
> (SNS), so that each time a client connects to the VPN, OpenVPN
> triggers a bash script that will use Amazon SNS.
> 
> Amazon SNS is a Java program launched via bash scripts.
> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
> 
> OpenVPN launches a script in /etc/openvpn/client-connect.
> 
> 
> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
> 
> So I tried to "confine" SNS and allow the transition from OpenVPN, but
> it didn't go well. (config files below)
> I wonder if it could be just as good to allow OpenVPN to escape its
> confinement to only call the relevant SNS script?
> 
> 
> From documentation and audit2allow I got to these configuration files.
> But it still doesn't authorize the script to run and now the messages
> trigger errors in audit2allow:
> 
> libsepol.mls_from_string: invalid MLS context
> libsepol.mls_from_string: could not construct mls context structure
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:proc_t: to sid
> libsepol.context_from_record: type op is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
> libsepol.context_from_record: type openvpn_ is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:openvpn_:s0 to sid
> libsepol.context_from_record: type shell_e is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:shell_e:s0 to sid
> 

Strange question maybe but what text editor did you use to create this
policy?

It almost seems that your amz_sns.fc messes up the file context
specifications (some clients append hidden symbols)

Also make sure you end your fc file with a newline

> 
> 
> $ cat amz_sns.fc
> /opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)
> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?       gen_context(system_u:object_r:amz_sns_lib_t,s0)
> 
> 
> $ cat amz_sns.te
> policy_module( amz_sns, 1.0.0)
> 
> require {
>         type openvpn_t;
>         type openvpn_tmp_t;
>         type shell_exec_t;
> }
> 
> type amz_sns_t;
> type amz_sns_exec_t;
> type amz_sns_lib_t;
> 
> files_type(amz_sns_lib_t);
> 
> domain_type(amz_sns_t)
> domain_entry_file(amz_sns_t, amz_sns_exec_t)
> 
> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
> domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );
> 
> role system_r types amz_sns_t;  # ???
> 
> # The child process sends a signal to its parent as it dies
> allow amz_sns_t openvpn_t:process sigchld;
> 
> allow amz_sns_t openvpn_tmp_t:file write;   # For /tmp/debug
> 
> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans };  # Bash exec
> 
> 
> Bruno
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


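Added here as an illustration, not part of the thread above, not Bruno's files and not an SELinux tool: a small POSIX sh linter for exactly the problems the reply points at. It flags bytes outside printable ASCII (the hidden symbols a GUI editor can paste in), carriage returns, a missing final newline, and spec lines that carry no security context, which is what a .fc entry wrapped onto two lines looks like before libsepol chokes on it. The two sample .fc files it writes are constructed for the demo; only the /opt/aws/SimpleNotificationServiceCli path is taken from the quoted amz_sns.fc.

```shell
#!/bin/sh
# lint_fc.sh: sanity-check an SELinux file-context (.fc) file before building
# the module. Added example, not the poster's file and not part of any SELinux
# tool. lint_fc returns 0 when the file looks clean, 1 otherwise.

lint_fc() {
    f=$1
    rc=0

    # 1. Hidden bytes: anything outside printable ASCII and ASCII whitespace.
    #    Non-breaking spaces, zero-width spaces and BOMs pasted in by GUI
    #    editors all land here and corrupt the context string for libsepol.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        LC_ALL=C grep -n '[^[:print:][:space:]]' "$f" | sed "s|^|$f:|"
        echo "$f: non-ASCII or control bytes found on the line(s) above"
        rc=1
    fi

    # 2. CRLF line endings (DOS-style editors); \r counts as whitespace for
    #    the check above, so it needs its own test.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        echo "$f: carriage returns present (CRLF line endings)"
        rc=1
    fi

    # 3. Missing final newline: the last spec is dropped or misparsed.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no newline at end of file"
        rc=1
    fi

    # 4. Every non-blank, non-comment line must carry a context. A regex with
    #    nothing after it, or a bare gen_context(...) line, is the signature
    #    of an entry that was wrapped onto two lines.
    if ! awk '
        NF && $0 !~ /^[ \t]*#/ && $0 !~ /gen_context[(]|<<none>>|_u:object_r:/ {
            printf "%s:%d: spec line without a security context\n", FILENAME, NR; bad = 1
        }
        $0 ~ /^[ \t]*gen_context[(]/ {
            printf "%s:%d: context with no path regex (wrapped line?)\n", FILENAME, NR; bad = 1
        }
        END { exit bad }' "$f"; then
        rc=1
    fi

    return $rc
}

# Write two constructed sample files into the directory given as $1.
write_samples() {
    dir=$1
    # Clean: one spec per line, each with its gen_context(), final newline present.
    printf '%s\n' \
        '/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)' \
        '/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?       gen_context(system_u:object_r:amz_sns_lib_t,s0)' \
        > "$dir/clean.fc"
    # Broken: first entry wrapped across two lines, a non-breaking space
    # (0xC2 0xA0) pasted into the second entry, and no final newline.
    printf '/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --\n' > "$dir/broken.fc"
    printf 'gen_context(system_u:object_r:amz_sns_exec_t,s0)\n' >> "$dir/broken.fc"
    printf '/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\302\240gen_context(system_u:object_r:amz_sns_lib_t,s0)' >> "$dir/broken.fc"
}

if [ $# -gt 0 ]; then
    # Lint the real files named on the command line.
    for f in "$@"; do lint_fc "$f"; done
else
    # No arguments: demonstrate on the constructed samples.
    tmp=$(mktemp -d)
    write_samples "$tmp"
    lint_fc "$tmp/clean.fc" && echo "clean.fc: OK"
    lint_fc "$tmp/broken.fc" || echo "broken.fc: problems found (as expected)"
    rm -rf "$tmp"
fi
```

Run it as "sh lint_fc.sh amz_sns.fc" from the directory holding the policy sources before building the module; a clean run prints nothing for the file and exits 0. Each check names the line so the offending byte can be removed with an editor that shows non-printing characters, or by retyping the line.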