Another selinux rant

Tomasz Torcz tomek at crocom.com.pl
Fri Jan 4 08:22:24 UTC 2008


On 03-01-2008, Thu at 13:49 -0800, Ed Swierk wrote:
> On 1/3/08, Eric Paris <eparis at redhat.com> wrote:
> > Could you explain how you 'copied' these configuration files?  Is this
> > tar/untar ?  I'm trying to figure out how the labels for stuff in ~/.ssh
> > got messed up for you.

tar with "--xattrs"?

> Yes, I used tar to copy /home and /etc/openvpn. Openvpn stores state
> for active connections in a file specified by the
> --ifconfig-pool-persist option. Since the openvpn configuration recipe
> I found online uses /etc/openvpn/ipp.txt, that's what I use.
> Presumably the SELinux policy wants me to store that file somewhere
> else?

  SELinux doesn't care about file location. It cares about labels. Policy
for *labeling* files and assorted utilities care about paths, but they are
only additional utilities, not SELinux itself.
  In your situation, ipp.txt must be writable by the openvpn daemon. You can
achieve it by labeling (man chcon) ipp.txt as openvpn_var_log_t. By
default files in /etc/openvpn are labeled as openvpn_etc_t (openvpn's
configuration files). Daemons cannot modify their configuration files.

-- 
Tomasz Torcz
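Added example, not from the thread: a small POSIX sh helper that reads a file's SELinux type, compares it with the type the mail suggests (openvpn_var_log_t, taken from the reply above), and prints or applies the relabel. A plain chcon is undone by the next restorecon, so the example also records the rule with semanage fcontext; stat's %C, chcon, semanage and restorecon are assumed to be available.

```sh
#!/bin/sh
# Added example (not the list author's code): check and fix a file's SELinux type.
# Assumes coreutils stat with %C plus the policycoreutils tools.

# Third colon-separated field of a context such as
# "system_u:object_r:openvpn_etc_t:s0" is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Current context of a file; stat prints "?" when SELinux is not enabled.
file_context() {
    stat -c '%C' -- "$1" 2>/dev/null
}

# Print "ok" when $1 already carries type $2. Otherwise print the commands
# that would fix it (default, dry-run) or run them when $3 is "apply".
ensure_type() {
    f=$1; want=$2; mode=${3:-dry-run}
    have=$(context_type "$(file_context "$f")")
    if [ "$have" = "$want" ]; then
        echo ok
        return 0
    fi
    if [ "$mode" = apply ]; then
        # chcon relabels in place; the fcontext rule keeps the label across
        # restorecon and full relabels, which chcon alone does not survive.
        chcon -t "$want" -- "$f" || return 1
        semanage fcontext -a -t "$want" "$f" && restorecon -v -- "$f"
    else
        echo "chcon -t $want -- $f"
        echo "semanage fcontext -a -t $want $f && restorecon -v -- $f"
    fi
    echo relabel-needed
}

# Example run for the thread's case (openvpn_var_log_t is the type named in
# the reply; dry-run only prints the commands):
# ensure_type /etc/openvpn/ipp.txt openvpn_var_log_t
```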
