On 29/07/09 03:49, Karl O. Pinc wrote:
> On 07/28/2009 04:22:09 PM, Sebastien Raveau wrote:
> 
> 
>> If I understand you correctly, that is, if you are suggesting that
>> OpenVPN should automatically apply a SELinux context if setcon() is
>> available... I'll have to disagree with you. Not that I reject the
>> idea of enforcing security measures by default, but because when you
>> google for "selinux howto", half of the first-page results are on how
>> to *disable* SELinux. Apparently not everybody likes it, and they 
>> have
>> a right to, so I believe we should not force it upon them :-)
> 
> SELinux is a great idea, in theory.  In practice I find the
> cost/benefit such that I wind up turning it off.  I'd love
> to have it available and working in "stock" situations,
> and have the (easy to do) option of turning it off if
> desired.   If nothing else it gets in the way of development/
> deployment.  After something's working then it's possible to go back
> and figure out which permissions need enabling.

I've been running Fedora with SELinux enabled for over a year, without
having any issues at all.  I've even been testing a lot of different
software setups on Fedora and Red Hat Enterprise Linux, without having
issues.

> Because of the complication it would also be highly
> desirable, except for a possible "off/monitor mode/on"
> switch, if it would integrate with the rest of SELinux
> so there's not yet more configuration.  I assume that
> this is the natural approach to take, but figured I'd
> mention it anyway.

In Fedora/RHEL you have the getenforce and setenforce programs, which
changes between "Permissive" and "Enforced" modes.  This is a
system-wide configuration change, and is effective immediately without
reboot.  With a properly designed SELinux profile for OpenVPN, usually
from a distribution, but it would be good if it also followed the
OpenVPN source code, it would not be more configuration.  It would be to
register this profile on your system.  Normally, these profiles can be
quite static, no matter which system it is setup on.  On a brand new
installation, it might be needed to label some files on the file system,
but again, this could be done via a little script.  New configuration
files for OpenVPN and certificates would need to be labelled too, but
that's usually just to either copy them into the desired directory and
to run restorecon or chcon.

http://danwalsh.livejournal.com/4208.html

In fact, Fedora and RHEL do ship OpenVPN 2.1_rc15 with SELinux profiles,
labelling files and directories for OpenVPN.  But there is no security
context shift inside the binary, AFAIK, which would be even more
beneficial, as not everything is covered by just file labelling.


kind regards,

David Sommerseth


Reply via email to