Changes between Version 6 and Version 7 of UnprivilegedUser

Timestamp:

09/02/12 20:08:37 (12 years ago)

Author:

David Sommerseth

Comment:

Cleaned up SELinux suggestions (not tested)

UnprivilegedUser

@@ -110 +110 @@
 Create the following files:
 {{{
-# /tmp/openvpn_read_open.te
+# /tmp/openvpn_unpriv_hack.te
 
-module openvpn_read_open 1.0;
+module openvpn_unpriv_hack 1.0;
 
 require {
         type openvpn_t;
         type sudo_exec_t;
-        class file { read open };
+        class file { read open execute getattr execute_no_trans };
+        class process setrlimit;
+        class capability sys_resource;
 }
 
 #============= openvpn_t ==============
-allow openvpn_t sudo_exec_t:file { read open };
-}}}
-{{{
-# /tmp/openvpn_execute_getattr.te
-
-module openvpn_execute_getattr 1.0;
-
-require {
-        type openvpn_t;
-        type sudo_exec_t;
-        class file { execute getattr };
-}
-
-#============= openvpn_t ==============
-allow openvpn_t sudo_exec_t:file { execute getattr };
-}}}
-{{{
-# /tmp/openvpn_execute_no_trans.te
-
-module openvpn_execute_no_trans 1.0;
-
-require {
-        type openvpn_t;
-        type sudo_exec_t;
-        class file execute_no_trans;
-}
-
-#============= openvpn_t ==============
-allow openvpn_t sudo_exec_t:file execute_no_trans;
-}}}
-{{{
-# /tmp/openvpn_setrlimit.te
-
-module openvpn_setrlimit 1.0;
-
-require {
-        type openvpn_t;
-        class process setrlimit;
-}
-
-#============= openvpn_t ==============
+allow openvpn_t sudo_exec_t:file { read open execute getattr execute_no_trans};
 allow openvpn_t self:process setrlimit;
-}}}
-{{{
-# /tmp/openvpn_sys_resource.te
-
-module openvpn_sys_resource 1.0;
-
-require {
-        type openvpn_t;
-        class capability sys_resource;
-}
-
-#============= openvpn_t ==============
 allow openvpn_t self:capability sys_resource;
 }}}
 then compile and install the security modules:
 {{{
-$ checkmodule -M -m -o /tmp/openvpn_read_open.mod /tmp/openvpn_read_open.te
-$ semodule_package -o /tmp/openvpn_read_open.pp -m /tmp/openvpn_read_open.mod
-$ semodule -i /tmp/openvpn_read_open.pp
-$ checkmodule -M -m -o /tmp/openvpn_execute_getattr.mod /tmp/openvpn_execute_getattr.te
-$ semodule_package -o /tmp/openvpn_execute_getattr.pp -m /tmp/openvpn_execute_getattr.mod
-$ semodule -i /tmp/openvpn_execute_getattr.pp
-$ checkmodule -M -m -o /tmp/openvpn_execute_no_trans.mod /tmp/openvpn_execute_no_trans.te
-$ semodule_package -o /tmp/openvpn_execute_no_trans.pp -m /tmp/openvpn_execute_no_trans.mod
-$ semodule -i /tmp/openvpn_execute_no_trans.pp
-$ checkmodule -M -m -o /tmp/openvpn_setrlimit.mod /tmp/openvpn_setrlimit.te
-$ semodule_package -o /tmp/openvpn_setrlimit.pp -m /tmp/openvpn_setrlimit.mod
-$ semodule -i /tmp/openvpn_setrlimit.pp
-$ checkmodule -M -m -o /tmp/openvpn_sys_resource.mod /tmp/openvpn_sys_resource.te
-$ semodule_package -o /tmp/openvpn_sys_resource.pp -m /tmp/openvpn_sys_resource.mod
-$ semodule -i /tmp/openvpn_sys_resource.pp
+$ checkmodule -M -m -o /tmp/openvpn_unpriv_hack.mod /tmp/openvpn_unpriv_hack.te
+$ semodule_package -o /tmp/openvpn_unpriv_hack.pp -m /tmp/openvpn_unpriv_hack.mod
+$ semodule -i /tmp/openvpn_upriv_hack.pp
 }}}
 and check if they have loaded correctly:
@@ -199 +137 @@
 $ semodule -l | grep openvpn
 openvpn 1.9.1   
-openvpn_execute_getattr    1.0
-openvpn_execute_no_trans    1.0 
-openvpn_read_open    1.0
-openvpn_setrlimit    1.0
-openvpn_sys_resource    1.0
-}}}     
+openvpn_unpriv_hack    1.0
+}}}