I'm not sure I understand you... As I explained in http://article.gmane.org/gmane.network.openvpn.devel/2700 it is indeed possible to apply SELinux "from the outside" of a program, like chroot, and just like chroot doing that is less efficient and less practical.
On Tue, Jul 28, 2009 at 10:18 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> Do that.
> But as in this case OpenVPN does not run under a privileged account at
> any time, you can do this simply without any selinux code into VPN.
>
> On Tue, Jul 28, 2009 at 11:12 AM, Sebastien
> Raveau <sebastien.rav...@epita.fr> wrote:
>> On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>>> Why don't you use openvpn in completely unprivileged mode?
>>> Look at [1], search for Unprivileged mode.
>>> [1]
>>> http://openvpn.net/index.php/open-source/documentation/howto.html#security
>>
>> What makes you think I don't already? :-)
>>
>> I do, and it is *not* sufficient as this does not protect against
>> kernel exploits. If a hacker manages to perform remote code execution
>> in OpenVPN and thus exploit a vulnerable system call, (s)he obtains
>> kernel privileges and all of a sudden all your setuid, chroot etc. are
>> useless...
>>
>> This can be countered with SELinux (and equivalents such as
>> GRSecurity, RSBAC, LIDS etc.) basically by applying access control on
>> system calls.
>>
>>
>> Kind regards,
>>
>> --
>> Sebastien Raveau
>>
>
--
Sebastien Raveau
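Added example, not part of this thread and not OpenVPN project code: a small POSIX shell audit that checks a running OpenVPN daemon for the two properties the HOWTO's unprivileged mode gives you (non-root uid/gid and a chroot) and then reports which SELinux domain the process actually runs in, since that domain is the only one of the three controls still in effect once an attacker is executing in the kernel. It assumes Linux `/proc`; the domain name `openvpn_t` is an assumption taken from the reference policy's openvpn module and may differ on your distribution.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN project code).
# Assumes Linux /proc. openvpn_t is assumed from the SELinux reference
# policy's openvpn module; adjust to the domain your policy uses.

# Return 0 when every Uid/Gid value (real, effective, saved, fs) in a
# /proc/PID/status file is non-root, i.e. privileges were really dropped.
unprivileged_status() {
    awk '
        /^(Uid|Gid):/ { for (i = 2; i <= NF; i++) if ($i == 0) bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Return 0 when a process root (the target of /proc/PID/root) is not "/".
chrooted_root() {
    [ -n "$1" ] && [ "$1" != "/" ]
}

# Print the type field (third colon-separated component) of an SELinux
# context such as system_u:system_r:openvpn_t:s0, or "none" if no context.
selinux_type_of() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)     echo none ;;
    esac
}

# Classify the domain: confined by the (assumed) openvpn_t policy,
# unconfined, missing, or some other type worth a closer look.
classify_domain() {
    case "$(selinux_type_of "$1")" in
        openvpn_t)    echo confined ;;
        unconfined_t) echo unconfined ;;
        none)         echo no-selinux ;;
        *)            echo other ;;
    esac
}

# Walk every openvpn process and print one finding per check.
audit_openvpn() {
    pids=$(pgrep -x openvpn 2>/dev/null || true)
    for pid in $pids; do
        if unprivileged_status "/proc/$pid/status"; then
            echo "pid $pid: uid/gid dropped (ok)"
        else
            echo "pid $pid: running with a root uid or gid (WARN)"
        fi
        if chrooted_root "$(readlink "/proc/$pid/root" 2>/dev/null)"; then
            echo "pid $pid: chrooted (ok)"
        else
            echo "pid $pid: not chrooted (WARN)"
        fi
        # attr/current is NUL-terminated; strip the NUL before parsing.
        ctx=$(tr -d '\0' < "/proc/$pid/attr/current" 2>/dev/null || true)
        echo "pid $pid: SELinux domain $(classify_domain "$ctx") ($ctx)"
    done
}

audit_openvpn
```

A `no-selinux` or `unconfined` result means the daemon is relying on setuid and chroot alone, which is exactly the configuration the message above calls insufficient against a kernel-level exploit; `confined` means the policy, not the process's own credentials, bounds which system calls and objects it may reach.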