OK, I found "semodule -DB" (http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc.html) Also thanks for allowing me to skip "semodule -r" So I can continue ... 21/
#============= amzsns_t ==============
allow amzsns_t self:netlink_route_socket { write read };
allow amzsns_t self:tcp_socket { write read };
allow amzsns_t self:udp_socket { write read };
#============= openvpn_t ==============
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };
and below is my working result. Problem is: what does it do ?? (I will do some research, but if you have some idea to simplify or some warning, do not hesitate to comment)

# Module: a confined domain (amzsns_t) entered from openvpn_t via the
# amzsns_exec_t entrypoint.  The rules below are the audit2allow-derived
# minimum the author observed; NOTE(review) comments mark rules worth
# re-checking before they are kept.
policy_module( amzsns, 1.0.0)

# Types this module borrows from the base policy.
# NOTE(review): bin_t is used further down but is not declared here — confirm
# how it is brought into scope, or add it (or use the corecmd interface).
# shell_exec_t is declared but only reached through corecmd_exec_shell().
require {
    type openvpn_t;
    type openvpn_tmp_t;
    type shell_exec_t;
    type unlabeled_t;
    type etc_t;
    type openvpn_etc_t;
    type openvpn_etc_rw_t;
    type proc_t;
    type usr_t;
    type java_exec_t;
    type tmp_t;
    type locale_t;
    type net_conf_t;
    type proc_net_t;
    type ephemeral_port_t;
    type http_port_t;
    type random_device_t;
    type urandom_device_t;
    type cert_t;
}

# Private types: the process domain, its executable, and its library files.
type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;

# openvpn_t executing an amzsns_exec_t file transitions into amzsns_t.
domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

allow openvpn_t unlabeled_t:file { execute getattr }; # Execute unlabeled files ? But why ?
# NOTE(review): unlabeled_t normally means a file has no valid label (e.g. it
# was created before the file context existed).  Presumably this is the script
# before it was labelled amzsns_exec_t; relabel the file and try dropping this
# rule rather than keeping an allow on unlabeled_t — confirm.
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure }; # Necessary for transition
# NOTE(review): these three show up in AVC logs at transition time but a
# transition usually works without them (noatsecure also turns off the
# secure-exec environment sanitising for the new domain).  Check whether the
# transition really fails without this rule; if not, dontaudit is the usual
# choice — confirm.
allow amzsns_t openvpn_tmp_t:file write;
corecmd_exec_shell(amzsns_t)

# Read some files:
allow amzsns_t etc_t:file { read open getattr };
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t openvpn_etc_rw_t:file { read write }; # This is openVPN ipp.txt (I will move it)
allow amzsns_t proc_t:file { read open getattr };
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };
allow amzsns_t amzsns_exec_t:file execute_no_trans; # ?
# NOTE(review): execute_no_trans on its own entrypoint means the domain
# re-executes amzsns_exec_t files and stays in amzsns_t (e.g. a wrapper script
# calling another script with the same label) — looks expected, verify.
allow amzsns_t bin_t:file { read open execute getattr execute_no_trans }; # ???
# NOTE(review): this lets amzsns_t run any bin_t binary in its own domain.
# Broad but common for script domains; if only a few helpers are needed the
# set could be narrowed — confirm what the script actually calls.
allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read getattr open };
allow amzsns_t self:fifo_file { read ioctl write getattr }; # ??
# NOTE(review): presumably pipes between the shell and its children
# (corecmd_exec_shell above) — verify.
allow amzsns_t self:process execmem;
# NOTE(review): execmem permits writable-then-executable anonymous memory;
# JIT runtimes (java_exec_t is executed below) typically need it.  It weakens
# W^X for this domain, so keep it only if the JVM really fails without it.

# Network access:
allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt read write };
# NOTE(review): listen/accept mean the domain accepts inbound connections; if
# amzsns only makes outbound calls these two look unneeded — confirm.
allow amzsns_t self:udp_socket { create connect getattr read write };
allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
# NOTE(review): name_connect to ephemeral_port_t allows outbound connections to
# any high port; check whether http_port_t alone covers the real endpoint.
allow amzsns_t http_port_t:tcp_socket name_connect;
allow amzsns_t tmp_t:dir { write add_name create read remove_name } ;
allow amzsns_t tmp_t:file { create read write open unlink };
# NOTE(review): this writes files with the generic tmp_t label.  The usual
# pattern is a private tmp type plus a files_tmp_filetrans() so other domains
# cannot read/replace them — consider if the files hold anything sensitive.
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t locale_t:file { getattr read open };
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };
allow amzsns_t random_device_t:chr_file { getattr read open };
allow amzsns_t urandom_device_t:chr_file { getattr read open };
allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans }; # ???
# NOTE(review): runs the java binary inside amzsns_t (no separate java domain);
# together with execmem above this is what a JVM-based tool needs — confirm.

-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux