> koji.fedoraproject.org/koji but I guess it's for f14, so instead:
> create module that allows openvpn_t to request the kernel to load a module:
> mkdir ~/myopenvpn; cd ~/myopenvpn;
> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
> echo "gen_require(\`" >> myopenvpn.te;
> echo "type openvpn_t;" >> myopenvpn.te;
> echo "')" >> myopenvpn.te;
> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
> sudo semodule -i myopenvpn.pp
That did the trick!
It was good that you've included this as a separate module so that I
could test it; otherwise I would have had to patch and recompile the whole
policy, then rebuild the image in order to test it and see whether it works.
I take it to make this a 'permanent' solution I have to patch and
include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming
part of the -44 policy), is that right?
> You can not define this rule for just a single particular module.
That's a pity, but I could live with that - auditd gives me detailed
info when a module is loaded, so I can trace this anyway, so no big loss.
> See if you can reproduce it. unconfined_t (you) transition to the rc
> script domain when you run an rc script, the rc script domain in turn
> runs the openvpn executables.
> So with that in mind why would openvpn need to relabel unconfined_t
I take it this gets called only if loading of the tun/tap module fails.
Maybe in a similar way as to when dac_* gets called - only in case the
'normal' permissions are too restrictive.
-- selinux mailing list email@example.com https://admin.fedoraproject.org/mailman/listinfo/selinux
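As an added example (not part of the thread or of the Fedora policy), assuming a constructed module_request AVC line: a small shell script that pulls the source domain and requested kernel module name out of the denial auditd records, and generates the same .te source the recipe above builds with echo.

```shell
#!/bin/sh
# Added example. SAMPLE_AVC is a constructed audit line in the shape of the
# denial openvpn_t raises when it asks the kernel to load the tun module.
SAMPLE_AVC='type=AVC msg=audit(1288000000.123:456): avc:  denied  { module_request } for  pid=1234 comm="openvpn" kmod="tun" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system'

# Print the source type (e.g. openvpn_t) of a module_request denial;
# print nothing if the line is some other kind of denial.
avc_source_type() {
    printf '%s\n' "$1" \
      | grep 'denied  *{ *module_request *}' \
      | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Print the kernel module name carried in the kmod="..." field, if any.
avc_kmod() {
    printf '%s\n' "$1" | sed -n 's/.*kmod="\([^"]*\)".*/\1/p'
}

# Emit policy module source equivalent to the thread's myopenvpn.te:
# $1 = module name, $2 = source domain that needs to request modules.
gen_te() {
    cat <<EOF
policy_module($1, 1.0.0)

gen_require(\`
    type $2;
')

kernel_request_load_module($2)
EOF
}

# Build and install the module exactly as the thread does, when the
# reference policy devel Makefile is available on this host.
build_module() {
    [ -f /usr/share/selinux/devel/Makefile ] || { echo "no devel Makefile" >&2; return 1; }
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && sudo semodule -i "$1.pp"
}

dom=$(avc_source_type "$SAMPLE_AVC")
echo "denied domain: $dom, requested module: $(avc_kmod "$SAMPLE_AVC")"
gen_te myopenvpn "$dom"
```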