SELinux prevents OpenVPN to send mail

Support for security such as Firewalls and securing linux
BrnVrn
Posts: 3
Joined: 2012/11/07 15:07:28
Location: Grenoble
Contact:

Post by BrnVrn » 2012/11/07 17:05:08

Hi

OpenVPN can be configured to launch a script each time a client connects.
In this script, I would like to send a mail using the classic /bin/mail command.

SELinux doesn't allow this.

It would be nice to have a boolean like Apache: httpd_can_sendmail or maybe a different context for the scripts.
Currently OpenVPN has only openvpn_enable_homedirs.

Since I am no SELinux expert, I used a simple workaround
(inspired by http://darkness.codefu.org/wordpress/2007/11/letting-cyrus-sieve-send-e-mail-on-centos-5/):
[code]$ cat openvpn_cc.te
policy_module(openvpn_cc, 1.0)

require {
type openvpn_t;
};

corecmd_exec_bin(openvpn_t)
mta_send_mail(openvpn_t)
[/code]

I am using CentOS 6.3 and openvpn-2.2.2


My questions are:
- Should I post upstream to Fedora?
- Should I try to set a context for the script, or is it OK to allow openvpn to send mail?

Regards
Bruno


Re: SELinux prevents OpenVPN to send mail

Post by BrnVrn » 2012/11/08 10:25:51

It can even be simplified to

[code]policy_module(openvpn_cc, 1.0)

require {
type openvpn_t;
};

mta_send_mail(openvpn_t)[/code]
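
An added example, not part of the original posts: when weighing whether to let `openvpn_t` send mail or to give the script its own context, it helps to see exactly which accesses the domain is being denied. This sketch groups AVC denials by target type and class for one source domain; the audit log lines are constructed for illustration and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the post): a client-connect script
# running in openvpn_t tries to run the mail binary; one unrelated httpd denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1352304308.101:411): avc:  denied  { execute } for  pid=2301 comm="client-connect" name="sendmail.postfix" dev=dm-0 ino=130912 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1352304308.101:411): avc:  denied  { read open } for  pid=2301 comm="client-connect" name="sendmail.postfix" dev=dm-0 ino=130912 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1352304400.512:419): avc:  denied  { name_connect } for  pid=1999 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1352304308.101:411): arch=c000003e syscall=59 success=no exit=-13 comm="client-connect"
"""

# Captures the permission set, both contexts and the object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]


def denials_for_domain(log_text, domain):
    """Map (target_type, class) -> sorted permissions denied to `domain`."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != domain:
            continue  # not a denial, or a different source domain
        key = (selinux_type(m["tcon"]), m["tclass"])
        found[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for (ttype, tclass), perms in denials_for_domain(SAMPLE_LOG, "openvpn_t").items():
        print(f"openvpn_t -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

Run against the real audit log, the summary shows whether the only denied targets are mail-related types or whether the script needs more than the mail interface grants.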
