[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Another selinux rant



Dnia 03-01-2008, czw o godzinie 13:49 -0800, Ed Swierk pisze:
> On 1/3/08, Eric Paris <eparis redhat com> wrote:
> > Could you explain how you 'copied' these configuration files?  Is this
> > tar/untar ?  I'm trying to figure out how the labels for stuff in ~/.ssh
> > got messed up for you.

tar with "--xattrs"?

> Yes, I used tar to copy /home and /etc/openvpn. Openvpn stores state
> for active connections in a file specified by the
> --ifconfig-pool-persist option. Since the openvpn configuration recipe
> I found online uses /etc/openvpn/ipp.txt, that's what I use.
> Presumably the SELinux policy wants me to store that file somewhere
> else?

  SELinux don't care about file location. It cares about labels. Policy
for *labeling* files and assorted utilities care for paths, but they are
only additional utilities, not SELinux itself..
  In your situation, ipp.txt must be writable by openvpn daemon. You can
achieve it by labeling (man chcon) ipp.txt as openvpn_var_log_t. By
default files in /etc/openvpn are labeled as openvpn_etc_t (openvpn's
configuration files). Daemons cannot modify their configuration files.

-- 
Tomasz Torcz


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]