On Fri, Jan 11, 2013 at 1:29 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
> On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
>> I am trying to allow OpenVPN to use Amazon Simple Notification Service
>> (SNS), so that each time a client connects to the VPN, OpenVPN
>> triggers a bash script that will use Amazon SNS.
>>
>> Amazon SNS is a Java program launched via bash scripts.
>> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
>>
>> OpenVPN launches a script in /etc/openvpn/client-connect.
>>
>> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
>>
>> So I tried to "confine" SNS and allow the transition from OpenVPN, but
>> it didn't go well. (config files below)
>> I wonder if it could be just as good to allow OpenVPN to escape its
>> confinement only to call the relevant SNS script?
>>
>> From documentation and audit2allow I got to these configuration files.
>> But it still doesn't authorize the script to run, and now the messages
>> trigger errors in audit2allow:
>>
>> libsepol.mls_from_string: invalid MLS context
>> libsepol.mls_from_string: could not construct mls context structure
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:proc_t: to sid
>> libsepol.context_from_record: type op is not defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
>> libsepol.context_from_record: type openvpn_ is not defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:openvpn_:s0 to sid
>> libsepol.context_from_record: type shell_e is not defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:shell_e:s0 to sid
>>
>
> Strange question maybe, but what text editor did you use to create this
> policy?
>
> It almost seems that your amz_sns.fc messes up the file context
> specifications (some clients append hidden symbols).
>
> Also make sure you end your fc file with a newline.
>
>> $ cat amz_sns.fc
>> /opt/aws/SimpleNotificationServiceCli.*/bin/.*  --  gen_context(system_u:object_r:amz_sns_exec_t,s0)
>> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?  gen_context(system_u:object_r:amz_sns_lib_t,s0)
>>
>> $ cat amz_sns.te
>> policy_module(amz_sns, 1.0.0)
>>
>> require {
>>         type openvpn_t;
>>         type openvpn_tmp_t;
>>         type shell_exec_t;
>> }
>>
>> type amz_sns_t;
>> type amz_sns_exec_t;
>> type amz_sns_lib_t;
>>
>> files_type(amz_sns_lib_t)
>>
>> domain_type(amz_sns_t)
>> domain_entry_file(amz_sns_t, amz_sns_exec_t)
>>
>> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
>> domain_auto_trans(openvpn_t, amz_sns_exec_t, amz_sns_t)
>>
>> role system_r types amz_sns_t; # ???
>>
>> # The child process sends a signal to its parent as it dies
>> allow amz_sns_t openvpn_t:process sigchld;
>>
>> allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug
>>
>> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans }; # Bash exec
>>
>> Bruno
>
>

- I used vi (it is a headless Amazon AMI free tier).
- It ends with a new line.
- I even checked with hexdump for alien characters and it seems clean to me.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
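The reply above asks two concrete questions about amz_sns.fc (hidden characters left by the editor, and whether the file ends with a newline), and the quoted file as it appears in the mail has its first spec wrapped onto two lines. The following checker is an added example written for this thread, not code from either poster or from the SELinux userspace tools; it tests an .fc text against the refpolicy spec layout (path regex, optional file-type flag, gen_context(...) or <<none>>) and reports exactly those defects. The two .fc samples inside it are constructed to resemble the quoted file.

```python
"""Sanity-check a refpolicy-style SELinux file-context (.fc) file.

Added example for this thread, not code from the list posts or from the
SELinux userspace.  It mechanises the two things asked about in the reply
(editor-inserted hidden characters, missing final newline) and also flags a
spec that has been wrapped onto two lines, which is how the quoted amz_sns.fc
reads once a mail client has re-wrapped it.
"""
import re
import unicodedata

# refpolicy single-character file type flags: -- regular file, -d directory,
# -l symlink, -p named pipe, -s socket, -b block device, -c char device.
FTYPE = r"--|-[dlpsbc]"

# A complete spec line: <path regex> [<flag>] <context>, where the context is
# gen_context(user:role:type[,level]) or the literal <<none>>.
FC_LINE = re.compile(
    rf"^(?P<path>\S+)"
    rf"(?:\s+(?P<ftype>{FTYPE}))?"
    r"\s+(?P<ctx>gen_context\(\w+:\w+:\w+(?:,[^)]*)?\)|<<none>>)"
    r"\s*$"
)

# A line that stops after the path (and maybe the flag): its context is missing.
PATH_ONLY = re.compile(rf"^\S+(?:\s+(?:{FTYPE}))?$")


def check_fc(text: str) -> list[str]:
    """Return human-readable problems found in the .fc text (empty list = looks sane)."""
    problems: list[str] = []
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")

    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the trailing newline yields an empty final element

    for lineno, line in enumerate(lines, start=1):
        if line.endswith("\r"):
            problems.append(f"line {lineno}: CRLF line ending")
            line = line[:-1]

        # Only printable ASCII and tabs belong in an .fc file; a no-break space,
        # zero-width space, BOM or smart quote is a typical editor/clipboard leftover.
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 126 or (ord(ch) < 32 and ch != "\t"):
                name = unicodedata.name(ch, f"U+{ord(ch):04X}")
                problems.append(f"line {lineno}, col {col}: non-ASCII/control character {name}")

        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        if stripped.startswith("gen_context(") or stripped == "<<none>>":
            problems.append(f"line {lineno}: context without a path (continuation of a wrapped spec?)")
        elif PATH_ONLY.match(stripped):
            problems.append(f"line {lineno}: path without a context (spec wrapped onto the next line?)")
        elif not FC_LINE.match(stripped):
            problems.append(f"line {lineno}: does not parse as '<path> [flag] gen_context(...)'")
    return problems


# Constructed sample modelled on the quoted amz_sns.fc, with three defects
# planted: the first spec wrapped onto two lines, a no-break space used as the
# separator in the second spec, and no final newline.
BAD_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.*\t--\n"
    "gen_context(system_u:object_r:amz_sns_exec_t,s0)\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\u00a0"
    "gen_context(system_u:object_r:amz_sns_lib_t,s0)"
)

# The same two specs written the way the module build expects them.
GOOD_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.*\t--\t"
    "gen_context(system_u:object_r:amz_sns_exec_t,s0)\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\t"
    "gen_context(system_u:object_r:amz_sns_lib_t,s0)\n"
)


def demo() -> list[str]:
    """Run the checker over the constructed bad sample."""
    return check_fc(BAD_FC)


if __name__ == "__main__":
    for problem in demo() or ["no problems found"]:
        print(problem)
```

Run it against the real amz_sns.fc with `check_fc(open("amz_sns.fc", encoding="utf-8").read())`; a clean file returns an empty list, and a no-break space or a wrapped spec is reported with its line and column, which is quicker to read than a raw hexdump.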