openvpn on fedora 7

Matthew Gillen matt at gillens.us
Fri Jun 8 13:14:38 UTC 2007


Tony Molloy wrote:
> On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
>> I had to add the following module before openvpn would work.  The first
>> issue was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn.  The other problem seemed to be that a TCP socket could
>> not be created (the name_connect part).
>>
>> The dac_override is something that I don't get.  Why would openvpn need
>> that? Unix permissions problems?
>>
>> Here's the additional policy:
>> -----------------------------
module openvpn 1.0;
>> require {
>>         type openvpn_t;
>>         type openvpn_port_t;
>>         type openvpn_var_run_t;
>>         class capability dac_override;
>>         class tcp_socket name_connect;
>>         class dir { write search add_name };
>> }
>>
>> #============= openvpn_t ==============
>> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
>> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
>> allow openvpn_t self:capability dac_override;
>> -----------------------------
>>
>> Thanks,
>> Matt
>>
>> --
> 
> Matt,
> 
> Thanks very much for the policy. But as an SELinux noob, how does one actually 
> use it?

Put the text above into a file named openvpn.te (note I added a line to the
original before the 'require' section, I'm not sure if it's needed).
Then execute the following commands:

checkmodule -M -m -o openvpn.mod openvpn.te
semodule_package -o openvpn.pp -m openvpn.mod  # build .pp file
semodule -i openvpn.pp  #insert the module into the current policy

You'll need the 'checkpolicy' and 'policycoreutils' rpms installed at the very
least.

That should be all there is to it.

Matt
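The build-and-load steps from the reply above, as a checked shell script (an added example, not code from the thread); it assumes the checkpolicy and policycoreutils packages are installed and that the `install` action is run as root.

```shell
#!/bin/sh
# Added example: build and load the openvpn SELinux policy module from the
# thread, verifying each step instead of assuming success.

# Write the policy text from the thread into a .te file (constructed copy).
# The leading 'module NAME VERSION;' line is required: checkmodule -m only
# accepts a module source that declares itself this way.
write_te() {
    cat > "$1" <<'EOF'
module openvpn 1.0;

require {
        type openvpn_t;
        type openvpn_port_t;
        type openvpn_var_run_t;
        class capability dac_override;
        class tcp_socket name_connect;
        class dir { write search add_name };
}

allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
# dac_override lets the daemon bypass Unix file permission checks; before
# granting it, check whether /var/run/openvpn is simply owned by the wrong
# user (chown to the user openvpn drops privileges to is the narrower fix).
allow openvpn_t self:capability dac_override;
EOF
}

# Pre-flight check so a missing module header fails early with a clear message.
te_has_module_header() {
    grep -Eq '^module [A-Za-z0-9_]+ [0-9]+(\.[0-9]+)*;' "$1"
}

# Compile foo.te -> foo.mod -> foo.pp; each tool exits non-zero on error.
build_module() {
    te="$1"; name=$(basename "$te" .te)
    te_has_module_header "$te" || { echo "$te: missing 'module NAME VER;' line" >&2; return 1; }
    checkmodule -M -m -o "$name.mod" "$te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
}

# Load the package and confirm it is listed in the running policy.
install_module() {
    semodule -i "$1.pp" && semodule -l | grep -q "^$1"
}

# Usage: sh build_openvpn_module.sh install   (as root; semodule -r openvpn undoes it)
if [ "${1:-}" = install ]; then
    write_te openvpn.te && build_module openvpn.te && install_module openvpn
fi
```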




More information about the fedora-selinux-list mailing list