enabling selinux

David Hollis dhollis at davehollis.com
Thu Dec 9 23:10:34 UTC 2004 

On Thu, 2004-12-09 at 17:35 -0500, Colin Walters wrote:
> 
> There is an openvpn.te; it's just not shipped in 
> selinux-policy-targeted-sources.  The spec file does:
> 
> for i in apache.te dhcpd.te ldconfig.te mailman.te mysqld.te mta.te named.te nscd.te ntpd.te  portmap.te postgresql.te snmpd.te squid.te syslogd.te ypbind.te; do
> mv domains/program/unused/$i domains/program/
> 
> If you just add openvpn.te to that it should work.  BTW, I wrote
> openvpn.te very quickly while I was experimenting with VPN software a
> while ago; it's only been lightly tested :)
> 

Doesn't drop in cleanly with the targeted policy.  It also wants the
ifconfig, which wants proc_net_t and run_init_t stuff that isn't in the
targeted policy.  I've wrapped the call to ifconfig_exec_t in an if
('ifconfig.te....') call so that it builds properly with the targeted
policy.  It builds, and labels the files, so thats a start!  Next
question is if it actually works :)
 

-- 
David Hollis <dhollis at davehollis.com>
-------------- next part --------------
#DESC OpenVPN - Firewall-friendly SSL-based VPN
#
# Author: Colin Walters <walters at verbum.org>
#
########################################
#

daemon_domain(openvpn)
etcdir_domain(openvpn)

type openvpn_port_t, port_type;

allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;

allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
allow openvpn_t devpts_t:dir { search getattr };
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
allow openvpn_t proc_t:file { getattr read };

allow openvpn_t self:unix_dgram_socket create_socket_perms;
allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
allow openvpn_t self:unix_dgram_socket sendto;
allow openvpn_t self:unix_stream_socket connectto;
allow openvpn_t self:capability net_admin;
r_dir_file(openvpn_t, sysctl_net_t)

can_network(openvpn_t)
allow openvpn_t openvpn_port_t:udp_socket name_bind;

# OpenVPN executes a lot of helper programs and scripts
allow openvpn_t { bin_t sbin_t }:dir { search getattr };
allow openvpn_t bin_t:lnk_file { getattr read };
can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
# Do not transition to ifconfig_t, since then it needs
# permission to access openvpn_t:udp_socket, which seems
# worse.
ifdef(`ifconfig.te',
`can_exec(openvpn_t, ifconfig_exec_t)')

# The Fedora init script iterates over /etc/openvpn/*.conf, and
# starts a daemon for each file.
r_dir_file(initrc_t, openvpn_etc_t)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20041209/6860feb8/attachment.sig>

More information about the fedora-devel-list mailing list