| 106 | In case you have SELinux enabled (e.g. you're using RHEL), you will need to set up additional user policies to allow the scripts run at startup. |
| 107 | Create 3 files: |
| 108 | {{{ |
| 109 | # /tmp/openvpn_read_open.te |
| 110 | |
| 111 | module openvpn_read_open 1.0; |
| 112 | |
| 113 | require { |
| 114 | type openvpn_t; |
| 115 | type sudo_exec_t; |
| 116 | class file { read open }; |
| 117 | } |
| 118 | |
| 119 | #============= openvpn_t ============== |
| 120 | allow openvpn_t sudo_exec_t:file { read open }; |
| 121 | }}} |
| 122 | {{{ |
| 123 | # /tmp/openvpn_execute_getattr.te |
| 124 | |
| 125 | module openvpn_execute_getattr 1.0; |
| 126 | |
| 127 | require { |
| 128 | type openvpn_t; |
| 129 | type sudo_exec_t; |
| 130 | class file { execute getattr }; |
| 131 | } |
| 132 | |
| 133 | #============= openvpn_t ============== |
| 134 | allow openvpn_t sudo_exec_t:file { execute getattr }; |
| 135 | }}} |
| 136 | {{{ |
| 137 | # /tmp/openvpn_execute_no_trans.te |
| 138 | |
| 139 | module openvpn_execute_no_trans 1.0; |
| 140 | |
| 141 | require { |
| 142 | type openvpn_t; |
| 143 | type sudo_exec_t; |
| 144 | class file execute_no_trans; |
| 145 | } |
| 146 | |
| 147 | #============= openvpn_t ============== |
| 148 | allow openvpn_t sudo_exec_t:file execute_no_trans; |
| 149 | }}} |
| 150 | then compile and install the security modules: |
| 151 | {{{ |
| 152 | $ checkmodule -M -m -o /tmp/openvpn_read_open.mod /tmp/openvpn_read_open.te |
| 153 | $ semodule_package -o /tmp/openvpn_read_open.pp -m /tmp/openvpn_read_open.mod |
| 154 | $ semodule -i /tmp/openvpn_read_open.pp |
| 155 | $ checkmodule -M -m -o /tmp/openvpn_execute_getattr.mod /tmp/openvpn_execute_getattr.te |
| 156 | $ semodule_package -o /tmp/openvpn_execute_getattr.pp -m /tmp/openvpn_execute_getattr.mod |
| 157 | $ semodule -i /tmp/openvpn_execute_getattr.pp |
| 158 | $ checkmodule -M -m -o /tmp/openvpn_execute_no_trans.mod /tmp/openvpn_execute_no_trans.te |
| 159 | $ semodule_package -o /tmp/openvpn_execute_no_trans.pp -m /tmp/openvpn_execute_no_trans.mod |
| 160 | $ semodule -i /tmp/openvpn_execute_no_trans.pp |
| 161 | }}} |
| 162 | and check if they have loaded correctly: |
| 163 | {{{ |
| 164 | $ semodule -l | grep openvpn |
| 165 | openvpn 1.9.1 |
| 166 | openvpn_execute_getattr 1.0 |
| 167 | openvpn_execute_no_trans 1.0 |
| 168 | openvpn_read_open 1.0 |
| 169 | }}} |