Showing posts from November, 2012

Bash Script debugging and SELinux

OpenVPN can launch a client-connect script each time a client connects to the VPN.
The script worked when OpenVPN was launched directly, but not when it was launched via /etc/init.d/openvpn start ...

A good way to debug is to put this at the beginning of the file:
#!/bin/sh
# client-connect
exec > /tmp/debug.$$ 2>&1; set -x
...

Reading the /tmp/debug.pid will give a first hint: "Permission denied" when trying to launch "/bin/mail" in the script.

I put a ME=$(whoami) in the script, but both (working and non-working) returned the same: nobody. So, it leaves only one suspect: SELinux. (I didn't think about SELinux because I didn't see it in the services. But it is there, in the kernel.)

Quick info about SELinux:
sestatus to get information.
setenforce Permissive will give only warnings (it creates fewer problems than disabling it).
/usr/sbin/selinuxenabled && SEL="SELinux ON" to use in scripts.
To be really sure, I did the following:
# ls -Z…
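
The whoami check above returns the same user in both launches because the difference is the SELinux domain of the process, not the Unix user. The following is an added example, not code from the original post: a debug preamble that records the SELinux mode and process context next to whoami, and a comparison of two recorded runs. Function names are hypothetical, the sample context strings are constructed, and mktemp is used in place of /tmp/debug.$$ so the trace file name is not predictable.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "disabled", "enforcing" or "permissive".
selinux_mode() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo disabled
    fi
}

# Print the type (domain) field of a user:role:type:level context.
context_domain() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line with the user and the SELinux state the script runs under.
identity_line() {
    ctx=$(id -Z 2>/dev/null) || ctx=none
    printf 'user=%s selinux=%s context=%s\n' "$(whoami)" "$(selinux_mode)" "$ctx"
}

# Compare two recorded identity lines: same user, different domain is
# the situation the post describes.
compare_runs() {
    u1=${1#user=}; u1=${u1%% *}
    u2=${2#user=}; u2=${u2%% *}
    d1=$(context_domain "${1##*context=}")
    d2=$(context_domain "${2##*context=}")
    if [ "$u1" = "$u2" ] && [ "$d1" != "$d2" ]; then
        echo "same user ($u1), different domain: $d1 vs $d2"
    else
        echo "no SELinux domain difference"
    fi
}

# Trace into an unpredictable file rather than /tmp/debug.$$.
start_trace() {
    log=$(mktemp /tmp/debug.XXXXXX) || return 1
    exec >"$log" 2>&1
    identity_line
    set -x
}

# Constructed sample lines (typical targeted-policy labels, assumed).
DIRECT='user=nobody selinux=enforcing context=unconfined_u:unconfined_r:unconfined_t:s0'
VIA_INIT='user=nobody selinux=enforcing context=system_u:system_r:openvpn_t:s0'
compare_runs "$DIRECT" "$VIA_INIT"
```

Call start_trace as the first command of the hook script, once when OpenVPN is started by hand and once via the init script, then compare the first line of the two trace files. Where auditd is running, the denial itself is also logged as an AVC record in /var/log/audit/audit.log.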