Context Navigation

Changes between Version 3 and Version 4 of UnprivilegedUser

Timestamp:: 05/05/12 18:06:24 (12 years ago)
Author:: dinvlad
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

UnprivilegedUser

-                      v3
+                      v4
 == TUN/TAP Device ==
 Because openvpn will be running as an unprivileged user, a static tun/tap device is needed. The init script already supports running a shell script before executing openvpn, so create one to handle this task('''/etc/openvpn/openvpn.sh'''):
+Because openvpn will be running as an unprivileged user, a static tun/tap device is needed. The init script already supports running a shell script before executing openvpn, so create one to handle this task('''/etc/openvpn/openvpn-startup'''):
 {{{
 …
 You should also look at permissions/ownership for your keydir and '''/etc/openvpn/'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys.
+=== SELinux ===
+In case you have SELinux enabled (e.g. you're using RHEL), you will need to set up additional user policies to allow the scripts run at startup.
+Create 3 files:
+{{{
+# /tmp/openvpn_read_open.te
+module openvpn_read_open 1.0;
+require {
+        type openvpn_t;
+        type sudo_exec_t;
+        class file { read open };
+}
+#============= openvpn_t ==============
+allow openvpn_t sudo_exec_t:file { read open };
+}}}
+{{{
+# /tmp/openvpn_execute_getattr.te
+module openvpn_execute_getattr 1.0;
+require {
+        type openvpn_t;
+        type sudo_exec_t;
+        class file { execute getattr };
+}
+#============= openvpn_t ==============
+allow openvpn_t sudo_exec_t:file { execute getattr };
+}}}
+{{{
+# /tmp/openvpn_execute_no_trans.te
+module openvpn_execute_no_trans 1.0;
+require {
+        type openvpn_t;
+        type sudo_exec_t;
+        class file execute_no_trans;
+}
+#============= openvpn_t ==============
+allow openvpn_t sudo_exec_t:file execute_no_trans;
+}}}
+then compile and install the security modules:
+{{{
+$ checkmodule -M -m -o /tmp/openvpn_read_open.mod /tmp/openvpn_read_open.te
+$ semodule_package -o /tmp/openvpn_read_open.pp -m /tmp/openvpn_read_open.mod
+$ semodule -i /tmp/openvpn_read_open.pp
+$ checkmodule -M -m -o /tmp/openvpn_execute_getattr.mod /tmp/openvpn_execute_getattr.te
+$ semodule_package -o /tmp/openvpn_execute_getattr.pp -m /tmp/openvpn_execute_getattr.mod
+$ semodule -i /tmp/openvpn_execute_getattr.pp
+$ checkmodule -M -m -o /tmp/openvpn_execute_no_trans.mod /tmp/openvpn_execute_no_trans.te
+$ semodule_package -o /tmp/openvpn_execute_no_trans.pp -m /tmp/openvpn_execute_no_trans.mod
+$ semodule -i /tmp/openvpn_execute_no_trans.pp
+}}}
+and check if they have loaded correctly:
+{{{
+$ semodule -l | grep openvpn
+openvpn 1.9.1
+openvpn_execute_getattr    1.0
+openvpn_execute_no_trans    1.0
+openvpn_read_open    1.0
+}}}