Do that. But as in this case OpenVPN does not run under privilege account at any time, you can do this simply without any selinux code into VPN.
On Tue, Jul 28, 2009 at 11:12 AM, Sebastien Raveau<sebastien.rav...@epita.fr> wrote: > On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev<alon.bar...@gmail.com> wrote: >> Why don't you use openvpn in completely unprivileged mode? >> Look at [1] search for Unprivileged mode. >> [1] >> http://openvpn.net/index.php/open-source/documentation/howto.html#security > > What makes you think I don't already? :-) > > I do, and it is *not* sufficient as this does not protect against > kernel exploits. If a hacker manages to perform remote code execution > in OpenVPN and thus exploit a vulnerable system call, (s)he obtains > kernel privileges and all of a sudden all your setuid, chroot etc are > useless... > > This can be countered with SELinux (and equivalents such as > GRSecurity, RSBAC, LIDS etc) basically by applying access control on > system calls. > > > Kind regards, > > -- > Sebastien Raveau >
