fedora-selinux August 2010 archive

Re: avc { module_request, relabelfrom }: openvpn->tun

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Wed Aug 18 2010 - 09:21:17 GMT
To: Dominick Grift <domg472@gmail.com>, selinux@lists.fedoraproject.org

>>>>> kernel_request_load_module(openvpn_t)
>>>>>
>>> create module that allows openvpn_t to request the kernel to load a module:
>>>
>>> mkdir ~/myopenvpn; cd ~/myopenvpn;
>>> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
>>> echo "gen_require(\`" >> myopenvpn.te;
>>> echo "type openvpn_t;" >> myopenvpn.te;
>>> echo "')" >> myopenvpn.te;
>>> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
>>> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
>>> sudo semodule -i myopenvpn.pp
>>>

I see that this change has been adopted with the -47 version of the
policy (FC13) - that was pretty quick!

There was a suggestion for a change to tor.te a while ago as well (see the
"tor: dac_override, dac_read_search, name_bind and net_bind_service"
thread) - the new version of tor (2.x) provides DNS resolution as part
of the service it runs, so it needs to bind to udp/53 and the statement:

corenet_udp_bind_dns_port(tor_t)

does the trick when it is included in tor.te. Currently I do this with
patching, but it would be nice to have it as part of the policy in a
similar way to how it was done with openvpn.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
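The module-building recipe quoted above, generalised so the domain type and the interface calls are parameters and the same script covers the tor_t / corenet_udp_bind_dns_port change too. This is an added example, not code from the thread: the function names and the SELINUX_DEVEL_MAKEFILE override are my own, and it assumes selinux-policy-devel provides /usr/share/selinux/devel/Makefile as in the quoted recipe.

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted recipe for openvpn_t,
# generalised to any existing domain type and any list of interface calls,
# so one script also covers the tor_t / corenet_udp_bind_dns_port case.

# Print .te source for a module named $1 that applies each interface call
# (remaining args) to the existing domain type $2. The gen_require block
# declares that the type is defined elsewhere (in the base policy).
gen_te() {
    name=$1; domain=$2; shift 2
    cat <<EOF
policy_module($name, 1.0.0)

gen_require(\`
    type $domain;
')

EOF
    for iface in "$@"; do
        printf '%s(%s)\n' "$iface" "$domain"
    done
}

# Write NAME.te into DIR, then compile and install it when the reference
# policy development Makefile (package selinux-policy-devel) is present.
# SELINUX_DEVEL_MAKEFILE is an override I added for testing on hosts
# without the Makefile. Usage: build_module DIR NAME DOMAIN INTERFACE...
build_module() {
    dir=$1; name=$2; shift 2
    makefile=${SELINUX_DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}
    mkdir -p "$dir" || return 1
    gen_te "$name" "$@" > "$dir/$name.te" || return 1
    if [ ! -f "$makefile" ]; then
        echo "$makefile not found; wrote $dir/$name.te only" >&2
        return 0
    fi
    # make builds NAME.pp from NAME.te; semodule -i needs root, as in the thread.
    (cd "$dir" && make -f "$makefile" "$name.pp" && sudo semodule -i "$name.pp")
}

# The two modules discussed in the thread:
# build_module ~/myopenvpn myopenvpn openvpn_t kernel_request_load_module
# build_module ~/mytor     mytor     tor_t     corenet_udp_bind_dns_port
```

After loading, `semodule -l | grep mytor` confirms the module is installed, and the original AVC should no longer appear in the audit log.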