openvpn on fedora 7

Matthew Gillen matt at gillens.us
Thu Jun 7 17:22:05 UTC 2007


I had to add the following module before openvpn would work.  The first issue
was that openvpn didn't have permission to write a .pid file to
/var/run/openvpn.  The other problem seemed to be that a TCP socket could not
be created (the name_connect part).

The dac_override is something that I don't get.  Why would openvpn need that?
 Unix permissions problems?

Here's the additional policy:
-----------------------------
require {
        type openvpn_t;
        type openvpn_port_t;
        type openvpn_var_run_t;
        class capability dac_override;
        class tcp_socket name_connect;
        class dir { write search add_name };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
-----------------------------

Thanks,
Matt




More information about the fedora-selinux-list mailing list