From 9938544706154aa7849596f68204d152aa564154 Mon Sep 17 00:00:00 2001 From: james Date: Fri, 4 Sep 2009 23:50:35 +0000 Subject: Added "setcon" directive for interoperability with SELinux (Sebastien Raveau). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4932 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'openvpn.8') diff --git a/openvpn.8 b/openvpn.8 index 9f31f20..6e2541a 100644 --- a/openvpn.8 +++ b/openvpn.8 
@@ -1889,6 +1889,39 @@ complications can result when scripts or restarts are executed after the chroot operation. .\"********************************************************* .TP +.B --setcon context +Apply SELinux +.B context +after initialization. This +essentially provides the ability to restrict OpenVPN's +rights to only network I/O operations, thanks to +SELinux. This goes further than +.B --user +and +.B --chroot +in that those two, while being great security features, +unfortunately do not protect against privilege escalation +by exploitation of a vulnerable system call. You can of +course combine all three, but please note that since +setcon requires access to /proc you will have to provide +it inside the chroot directory (e.g. with mount --bind). + +Since the setcon operation is delayed until after +initialization, OpenVPN can be restricted to just +network-related system calls, whereas by applying the +context before startup (such as the OpenVPN one provided +in the SELinux Reference Policies) you will have to +allow many things required only during initialization. + +Like with chroot, complications can result when scripts +or restarts are executed after the setcon operation, +which is why you should really consider using the +.B --persist-key +and +.B --persist-tun +options. +.\"********************************************************* +.TP .B --daemon [progname] Become a daemon after all initialization functions are completed. This option will cause all message and error output to -- cgit v1.2.3
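Review bot: the new --setcon text tells the reader to combine it with --user and --chroot but does not say in which order OpenVPN applies these three, nor what happens if the context switch fails (does OpenVPN exit, or continue with the old context?). Since the reader is being told that this is the measure that actually contains a compromised process, both points belong in the man page; suggest a sentence such as "If the context cannot be applied, OpenVPN exits with an error" (if that is the implemented behaviour) and a statement of the ordering relative to --user/--group/--chroot. The commit as shown is limited to openvpn.8, so the implementation is not visible here to confirm either. Minor style point: "Like with chroot, complications can result" reads better as "As with chroot, complications can result", matching the existing sentence just above the hunk.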