SELinux prevents OpenVPN to send mail


Post by BrnVrn » 2012/11/07 17:05:08

Hi

OpenVPN can be configured to launch a script each time a client connects.
In this script, I would like to send a mail using the classic /bin/mail command.

SELinux doesn't allow this.

It would be nice to have a boolean like Apache: httpd_can_sendmail or maybe a different context for the scripts.
Currently OpenVPN has only openvpn_enable_homedirs.

Since I am no SELinux expert, I used a simple workaround:
(inspired by http://darkness.codefu.org/wordpress/20 ... -centos-5/)
Code:
$ cat openvpn_cc.te
policy_module(openvpn_cc, 1.0)

require {
        type openvpn_t;
};

corecmd_exec_bin(openvpn_t)
mta_send_mail(openvpn_t)


I am using CentOS 6.3 and openvpn-2.2.2


My questions are:
- Should I post upstream to Fedora?
- Should I try to set a context for the script or is it OK to allow openvpn to send mail?

Regards
Bruno

Re: SELinux prevents OpenVPN to send mail

Post by BrnVrn » 2012/11/08 10:25:51

It can even be simplified to

Code:
policy_module(openvpn_cc, 1.0)

require {
        type openvpn_t;
};

mta_send_mail(openvpn_t)
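To weigh the two options raised in the first post (granting mta_send_mail to openvpn_t, or giving the script its own context), it helps to see exactly which accesses openvpn_t is being denied. The following is an added example, not part of the original posts: a shell function that summarises AVC denials for one source domain. The log lines, the script name notify.sh and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denials for one source domain.
# Real use: avc_summary openvpn_t < /var/log/audit/audit.log

avc_summary() {
    # $1 = source domain type to report on (default: openvpn_t)
    awk -v dom="${1:-openvpn_t}" '
    # Return the value of a key=value token on the current line.
    function field(key,    i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1)
                return substr($i, length(key) + 2)
        return ""
    }
    /avc:[ ]+denied/ {
        split(field("scontext"), s, ":")      # user:role:type:level
        if (s[3] != dom) next                 # other domains are ignored
        split(field("tcontext"), t, ":")
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 2, b - a - 3)  # text between "{ " and " }"
        comm = field("comm"); gsub(/"/, "", comm)
        seen[field("tclass") " { " perms " } " t[3] " comm=" comm]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort
}

# Constructed sample input (not taken from the thread); notify.sh is a
# hypothetical name for the OpenVPN client-connect script.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1352304308.101:501): avc:  denied  { execute } for  pid=2231 comm="notify.sh" name="mailx" dev=dm-0 ino=131245 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1352304308.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="notify.sh" exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1352304391.774:517): avc:  denied  { execute } for  pid=2260 comm="notify.sh" name="mailx" dev=dm-0 ino=131245 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1352304392.010:518): avc:  denied  { getattr } for  pid=2260 comm="notify.sh" path="/bin/mailx" dev=dm-0 ino=131245 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1352304400.300:520): avc:  denied  { name_connect } for  pid=3011 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
EOF
}

# Each output line: count, object class, permissions, target type, command.
sample_log | avc_summary openvpn_t
```

Every line of the summary is an access that a loaded module would have to allow, so it can be compared against what mta_send_mail(openvpn_t) grants before the module is installed.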

