
what about the 4th option?

How about creating a label rule for ~/.vpnc.conf that labels it as vpnc_t which vpnc_exec_t is allowed to read. Then the user is advised to run restorecon, which is generally a safe and good idea, but also gets to have a per user vpnc config.

Re: what about the 4th option?

You could add a rule for ~/vpnc.conf. But I guess you could argue this is option 1. You would not label it vpnc_t since this is a domain label and is not allowed to be placed on a file system. But you could label it etc_t and set up a label for it.

I guess the option you are suggesting is

# cat myvpnc.te
policy_module(myvpnc, 1.0)

# vpnc_t is the existing vpnc domain; pull it in rather than redeclaring it
gen_require(`
	type vpnc_t;
')

# New type for a per-user vpnc configuration file in the home directory
type vpnc_home_t;
files_type(vpnc_home_t)

# Let the vpnc domain traverse the user's home and read the config file
userdom_search_user_home_dirs(vpnc_t)
read_files_pattern(vpnc_t, vpnc_home_t, vpnc_home_t)

# cat myvpnc.fc
HOME_DIR/vpnc\.conf	--	gen_context(system_u:object_r:vpnc_home_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myvpnc.pp
# restorecon -v ~dwalsh/vpnc.conf

SELinux has many ways to solve the same problem. Some are more secure than others.
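As an added example, not part of this thread, here is a small POSIX shell check to run after restorecon: it compares the type the loaded policy assigns to the path (via matchpathcon) with the type actually stored on the file (via stat), assuming the vpnc_home_t type and the home-directory vpnc.conf path from the module above.

```shell
#!/bin/sh
# Added example (not from the thread): after installing a module like
# myvpnc.pp and running restorecon, confirm the per-user config really
# carries the type the policy expects. The type name (vpnc_home_t) and
# the path follow the module sketched in the comment above.

EXPECTED_TYPE="vpnc_home_t"

# Extract the type field from a full SELinux context string
# (user:role:type:level -> type).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type equals the expected type, 1 otherwise.
type_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Compare the label the policy says a path should have (matchpathcon)
# with the label the file actually has (stat). A policy-side mismatch
# means the .fc entry never made it into the loaded file contexts
# (module not installed, regex does not match the path); a file-side
# mismatch means restorecon has not been run since the module was loaded.
verify_label() {
    path="$1"
    expected="$(matchpathcon -n "$path")"   # from the loaded file contexts
    actual="$(stat -c %C "$path")"          # from the inode's xattr
    if ! type_matches "$expected" "$EXPECTED_TYPE"; then
        echo "policy has no $EXPECTED_TYPE rule for $path (got $expected)" >&2
        return 1
    fi
    if ! type_matches "$actual" "$EXPECTED_TYPE"; then
        echo "$path is labelled $actual; run: restorecon -v $path" >&2
        return 1
    fi
    echo "$path is correctly labelled $actual"
}

# Only touch the real filesystem when a path is given on the command line,
# e.g.:  sh check_vpnc_label.sh ~/vpnc.conf
if [ $# -gt 0 ]; then
    verify_label "$1"
fi
```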

Re: what about the 4th option?

I guess the good solution is also just to create /etc/vpnc/user.conf and set user or group write permissions for it. But this solution is on another level :-)
