Hi
OpenVPN can be configured to launch a script each time a client connects.
In this script, I would like to send a mail using the classic /bin/mail command.
SELinux doesn't allow this.
It would be nice to have a boolean like Apache: httpd_can_sendmail or maybe a different context for the scripts.
Currently OpenVPN has only openvpn_enable_homedirs.
Since I am no SELinux expert, I used a simple workaround:
(inspired from http://darkness.codefu.org/wordpress/2007/11/letting-cyrus-sieve-send-e-mail-on-centos-5/)
[code]$ cat openvpn_cc.te
policy_module(openvpn_cc, 1.0)
require {
type openvpn_t;
};
corecmd_exec_bin(openvpn_t)
mta_send_mail(openvpn_t)
[/code]
I am using CentOS 6.3 and openvpn-2.2.2
My questions are:
- Should I post upstream to Fedora?
- Should I try to set a context for the script or is it OK to allow openvpn to send mail?
Regards
Bruno
SELinux prevents OpenVPN to send mail
Re: SELinux prevents OpenVPN to send mail
It can even be simplified to
[code]policy_module(openvpn_cc, 1.0)
require {
type openvpn_t;
};
mta_send_mail(openvpn_t)[/code]
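
Added example, not part of either post: before choosing between the two modules above, it helps to see exactly which accesses `openvpn_t` is denied. This Python sketch groups AVC denials by target type and class; the log lines, the type labels in them, and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not from the thread);
# the target types shown are assumptions about how the files are labelled.
SAMPLE_LOG = """\
type=AVC msg=audit(1355000000.101:210): avc:  denied  { execute } for  pid=2301 comm="notify.sh" name="mail" dev=dm-0 ino=1311 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1355000000.105:211): avc:  denied  { read open } for  pid=2301 comm="notify.sh" name="mail" dev=dm-0 ino=1311 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1355000000.230:212): avc:  denied  { execute } for  pid=2302 comm="mail" name="sendmail.postfix" dev=dm-0 ino=2077 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1355000001.007:213): avc:  denied  { name_connect } for  pid=1804 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# Matches the permission set and the source/target contexts of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def summarize_denials(log_text, source_type):
    """Group denied permissions by (target type, class) for one source domain."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m.group("scon")) != source_type:
            continue  # not a denial, or a denial for some other domain
        key = (selinux_type(m.group("tcon")), m.group("tclass"))
        summary[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_LOG, "openvpn_t")
    for (ttype, tclass), perms in sorted(denials.items()):
        print(f"openvpn_t -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

On a real host the input would be `/var/log/audit/audit.log` or the output of `ausearch -m avc` rather than the sample string.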