Re: Correct way to handle SELinux for a systemd-started SSH VPN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Once upon a time, Zdenek Pytela <zpytela@xxxxxxxxxx> said:
> On Sun, Nov 13, 2022 at 4:34 AM Chris Adams <linux@xxxxxxxxxxx> wrote:
> > I am starting an SSH VPN connection with a systemd service.  It's just a
> > simple service, with an ExecStart to run ssh.  If I wrap it with a shell
> > (ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
> > shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
> > allowing it.  If I set permissive mode, there's a whole lot of different
> > things that init_t is not allowed to do. :)
> >
> > So obviously I can just run with the shell wrapper, but is there a more
> > proper way to do this?
> >
> You can create your own policy module and use e. g. the
> init_system_domain() interface.

How would I go about doing that - is there a tutorial or something?
I've done basic things with local policy (mostly from running
audit2allow).

> Does this need to be a system service or would user service also do the job?

It's setting up a network interface, so I think that's more a system
than user service.
-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux