VPNClient security
zero88 opened this issue · 2 comments
zero88 commented
Is your feature request related to a problem? Please describe.
- Mandatory Access Control
  Some access is denied by Linux security when using vpnclient, which leaves the DNS resolver unable to process automatically:
  ```
  [ 5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  [ 5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  [ 5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  ```
  Create profile to support:
  - AppArmor: On (ubuntu/debian/archlinux)
  - SELinux: On (centos/fedora/rhel), see the SELinux Guide
  On IoT devices it isn't enabled by default, but it should be in future. So provide this enhancement as optional and let the user decide whether to use it.
- Hardening option for systemd service
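The three audit lines quoted above are the raw material for the AppArmor profile the issue asks for. The following is an added example (not code from this issue or the vpnclient project) that parses `apparmor="DENIED"` audit lines, folds the logged masks into the permission letters AppArmor profile rules actually use (`c`/`d` are granted by `w`), and prints rule lines for a local override. The sample input is the page's own three denials; the override file path `/etc/apparmor.d/local/sbin.dhclient` and the `apparmor_parser -r` reload command are assumptions about an Ubuntu-style dhclient profile, not something the issue states.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three dhclient denials quoted in the issue above,
# one audit record per line (kernel timestamp prefix kept as extracted).
SAMPLE_AUDIT = """\
[ 5.406136] kernel: audit: type=1400 audit(1617414198.472:17): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.leases" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 5.422451] kernel: audit: type=1400 audit(1617414198.492:18): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 5.422513] kernel: audit: type=1400 audit(1617414198.492:19): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/app/vpnclient/vpn_dhclient.pid" pid=753 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key=value pairs; the value is either "quoted" (may contain spaces and braces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The audit log reports create ("c") and delete ("d") separately, but a profile
# rule grants both through the "w" permission, so they are folded into "w" here.
LOG_MASK_TO_RULE = {"c": "w", "d": "w"}
RULE_PERM_ORDER = "rwalkmx"  # conventional ordering of permission letters in a rule


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        # re.findall yields '' for the group that did not participate, so `or` picks the right one
        fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
        events.append(fields)
    return events


def suggest_rules(events):
    """Collapse file-access denials into {profile: {path: perms}}, merging masks per path."""
    rules = OrderedDict()
    for ev in events:
        profile, path = ev.get("profile"), ev.get("name")
        mask = ev.get("denied_mask") or ev.get("requested_mask")
        if not profile or not path or not mask or not path.startswith("/"):
            continue  # not a file-access event (e.g. a network or capability denial)
        perms = rules.setdefault(profile, OrderedDict()).setdefault(path, set())
        for m in mask:
            perms.add(LOG_MASK_TO_RULE.get(m, m))
    return {
        profile: {path: "".join(p for p in RULE_PERM_ORDER if p in perms)
                  for path, perms in paths.items()}
        for profile, paths in rules.items()
    }


def render_override(rules, profile):
    """Emit rule lines for one profile, ready to paste into its local/ override file."""
    lines = [
        f"# rules derived from AppArmor denials for profile {profile}",
        "# assumed destination: /etc/apparmor.d/local/sbin.dhclient (the local override that",
        "# the Ubuntu dhclient profile #includes); reload with:",
        "#   apparmor_parser -r /etc/apparmor.d/sbin.dhclient",
    ]
    for path, perms in rules.get(profile, {}).items():
        lines.append(f"{path} {perms},")
    return "\n".join(lines)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    print(render_override(suggest_rules(denials), "/{,usr/}sbin/dhclient"))
```

Two caveats when using this on a real box: a single boot only shows the first operation that was refused (here `mknod`), so after reloading the profile dhclient will typically hit the next one (reading the lease file, locking it) and the parse-reload cycle has to be repeated, which is exactly what `aa-logprof` automates; and a path containing AppArmor glob characters (`*`, `?`, `[`, `{`) would need escaping before it is emitted as a rule, which this example does not do.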
zero88 commented
SELinux

After install:
```shell
sudo semanage fcontext -a -t NetworkManager_etc_t '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'
sudo restorecon -v '/app/vpnclient/runtime/vpn-runtime-nameserver.conf'
sudo semanage fcontext -a -t dhcpc_state_t '/app/vpnclient/runtime'
sudo restorecon -v '/app/vpnclient/runtime'
```
anhcq151 commented
Pushed first commit to build SELinux policy in order to run client on Fedora or SELinux-enabled systems: #82

Original quote of the content of the README file:

SELinux policy

Tested on Fedora

- Prerequisite packages:
  - setroubleshoot
  - policycoreutils
  - policycoreutils-devel
- Other prerequisites:
  - The `playio-vpnc` executable folder path exists; it defaults to `/app`
  - Enable SELinux booleans:
    ```shell
    setsebool -P domain_can_mmap_files 1
    setsebool -P domain_kernel_load_modules 1
    setsebool -P daemons_enable_cluster_mode 1
    ```
- Build and install the policy:
  Change to the `selinux` folder and run the commands below:
  ```shell
  make -f /usr/share/selinux/devel/Makefile playio_vpnc.pp
  semodule -i playio_vpnc.pp
  restorecon -FRv /app
  ```