Once upon a time, Zdenek Pytela <zpytela@xxxxxxxxxx> said:
> On Sun, Nov 13, 2022 at 4:34 AM Chris Adams <linux@xxxxxxxxxxx> wrote:
> > I am starting an SSH VPN connection with a systemd service. It's just a
> > simple service, with an ExecStart to run ssh. If I wrap it with a shell
> > (ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
> > shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
> > allowing it. If I set permissive mode, there's a whole lot of different
> > things that init_t is not allowed to do. :)
> >
> > So obviously I can just run with the shell wrapper, but is there a more
> > proper way to do this?
>
> You can create your own policy module and use e. g. the
> init_system_domain() interface.

How would I go about doing that - is there a tutorial or something? I've
done basic things with local policy (mostly from running audit2allow).

> Does this need to be a system service or would user service also do the job?

It's setting up a network interface, so I think that's more a system than
user service.

-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
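The reply above points at init_system_domain() but the thread never shows what such a module looks like. What follows is an added example, not code from either poster: a small POSIX shell script that writes the three files a minimal local module needs (the .te policy source, the .fc file-context entry and the wrapper script that serves as the domain's entry point), then builds and loads them with the selinux-policy-devel Makefile when that toolchain is present. Every name in it is a hypothetical choice for this example: the module and domain are called sshvpn (types sshvpn_t and sshvpn_exec_t), the systemd unit is assumed to run a wrapper at /usr/local/sbin/sshvpn rather than /usr/bin/ssh directly so the distribution's label on the ssh binary is left alone, and the interfaces other than init_system_domain() (corecmd_exec_shell, corecmd_exec_bin, ssh_exec) are assumed to exist in the local policy headers and should be confirmed under /usr/share/selinux/devel/include before use.

```shell
#!/bin/sh
# Added example (not from the list thread): skeleton of a local SELinux policy
# module giving a systemd-started ssh VPN its own domain via init_system_domain().
#
# Assumptions (hypothetical, chosen for this example):
#   - module/domain name "sshvpn" (types sshvpn_t, sshvpn_exec_t)
#   - the unit's ExecStart runs the wrapper /usr/local/sbin/sshvpn, which is the
#     labeled entry point; /usr/bin/ssh keeps its distribution label
#   - interfaces other than init_system_domain() must be checked against
#     /usr/share/selinux/devel/include on the target host
set -eu

# Write sshvpn.te, sshvpn.fc and the wrapper script into the directory $1.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/sshvpn.te" <<'EOF'
policy_module(sshvpn, 1.0.0)

type sshvpn_t;
type sshvpn_exec_t;

# Make sshvpn_t a domain that init (systemd) enters when it executes a file
# labeled sshvpn_exec_t; this is the interface suggested in the thread.
init_system_domain(sshvpn_t, sshvpn_exec_t)

# The entry point is a shell script that execs the ssh client, so the domain
# must be able to run the shell and the ssh binary. ssh is kept inside
# sshvpn_t here so every denial stays attributable to this one domain.
corecmd_exec_shell(sshvpn_t)
corecmd_exec_bin(sshvpn_t)
ssh_exec(sshvpn_t)

# Tunnel device setup, the outbound port, key files and so on are added
# iteratively from the AVC log (audit2allow) rather than guessed up front.
EOF

    cat > "$dir/sshvpn.fc" <<'EOF'
/usr/local/sbin/sshvpn    --    gen_context(system_u:object_r:sshvpn_exec_t,s0)
EOF

    cat > "$dir/sshvpn" <<'EOF'
#!/bin/sh
# Entry point for sshvpn_t: systemd executes this file, not /usr/bin/ssh.
exec /usr/bin/ssh "$@"
EOF
    chmod 0755 "$dir/sshvpn"
}

# Build the .pp from the sources in $1 and load it. Only meaningful on a host
# with the SELinux devel Makefile (selinux-policy-devel on Fedora) as root.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; sources left in $dir" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile sshvpn.pp )
    semodule -i "$dir/sshvpn.pp"
    install -m 0755 "$dir/sshvpn" /usr/local/sbin/sshvpn
    restorecon -v /usr/local/sbin/sshvpn
    # Put only the new domain in permissive mode while the remaining rules are
    # collected; the rest of the system stays enforcing. After a test run,
    # "ausearch -m AVC -ts recent --raw | audit2allow -R" lists the missing
    # rules as interface calls to fold back into sshvpn.te, then rebuild and
    # finally "semanage permissive -d sshvpn_t".
    semanage permissive -a sshvpn_t
}

# Usage: sh sshvpn-policy.sh DIR   (writes the sources; builds if it can)
if [ "$#" -gt 0 ]; then
    write_policy_sources "$1"
    build_and_install "$1" || true
fi
```

The point of the wrapper is that init_system_domain() needs an entry-point file type to transition on, and that file should be one you own; a per-domain permissive flag then lets the remaining denials be gathered for this one domain without loosening anything else on the host.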