# Type enforcement rules for the ppp module: the pppd daemon (pppd_t), the
# pptp helper that pppd_t enters via domtrans (pptp_t), their config, secret,
# log, lock, tmp and pid file types, and two tunables.
policy_module(ppp, 1.12.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow pppd to load kernel modules for certain modems
## </p>
## </desc>
# Consumed by the tunable_policy block in the PPPD section below, where it is
# ANDed with "! secure_mode_insmod" before pppd_t may enter the insmod domain.
gen_tunable(pppd_can_insmod, false)

## <desc>
## <p>
## Allow pppd to be run for a regular user
## </p>
## </desc>
# NOTE(review): not referenced by any rule in this file; presumably consumed
# by an interface in ppp.if -- confirm it is still in use.
gen_tunable(pppd_for_user, false)

# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)

# Type of the pty that pppd_t creates (term_create_pty in the PPPD section).
type pppd_devpts_t;
term_pty(pppd_devpts_t)

# Define a separate type for /etc/ppp
# Files and symlinks of this type are read-only for pppd_t and pptp_t; files
# pppd_t creates inside it are relabelled to pppd_etc_rw_t by filetrans_pattern.
type pppd_etc_t;
files_config_file(pppd_etc_t)

# Define a separate type for writable files under /etc/ppp
# pppd_t manages files of this type, and pptp_t is given can_exec on them, so
# whoever can write this type influences what pptp_t executes.
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)

# Init script type; pppd_script_exec_t is presumably kept as an alias for
# compatibility with older policy.
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)

# pppd_secret_t is the type of the pap and chap password files
# Only pppd_t is granted access to this type in this file, and only read.
type pppd_secret_t;
files_type(pppd_secret_t)

type pppd_log_t;
logging_log_file(pppd_log_t)

type pppd_lock_t;
files_lock_file(pppd_lock_t)

type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)

type pppd_var_run_t;
files_pid_file(pppd_var_run_t)

# pptp_t is reached from pppd_t through domtrans_pattern on pptp_exec_t and is
# also an init daemon domain in its own right.
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)

# pptp_t has its own log and pid types; it additionally appends to pppd_log_t.
type pptp_log_t;
logging_log_file(pptp_log_t)

type pptp_var_run_t;
files_pid_file(pptp_var_run_t)

########################################
#
# PPPD Local policy
#

# NOTE(review): dac_override and fowner bypass DAC checks on every file, and
# net_admin/net_raw cover network configuration and raw sockets; these are
# broad, so confirm each is still exercised rather than carried forward.
allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
# dontaudit only silences the denial; the capability is not granted.
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process { getsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;

# Executing pptp_exec_t from pppd_t enters the pptp_t domain.
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)

allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };

# /etc/ppp itself: the directory is writable, files and symlinks are read-only.
allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };

manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)

allow pppd_t pppd_lock_t:file manage_file_perms;
files_lock_filetrans(pppd_t, pppd_lock_t, file)

allow pppd_t pppd_log_t:file manage_file_perms;
logging_log_filetrans(pppd_t, pppd_log_t, file)

manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })

manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
files_pid_filetrans(pppd_t, pppd_var_run_t, file)

allow pppd_t pptp_t:process signal;

# for SSP
# Access secret files
# Read-only: pppd_t gets no write permission on pppd_secret_t.
allow pppd_t pppd_secret_t:file read_file_perms;

# Run the ppp init script in its init-script domain.
ppp_initrc_domtrans(pppd_t)

kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
kernel_read_network_state(pppd_t)
# Unconditional: kernel-side module autoload requests. Separate from the
# tunable-gated transition to the insmod domain further down.
kernel_request_load_module(pppd_t)

dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
dev_rw_modem(pppd_t)

corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
corenet_udp_sendrecv_generic_if(pppd_t)
corenet_tcp_sendrecv_generic_node(pppd_t)
corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
# No port restriction: TCP and UDP send/receive on every port type.
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)

fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)

term_use_unallocated_ttys(pppd_t)
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_ptys(pppd_t)
# for pppoe
term_create_pty(pppd_t, pppd_devpts_t)

# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)

domain_use_interactive_fds(pppd_t)

files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
# Silences, but does not grant, writes to generic etc files.
files_dontaudit_write_etc_files(pppd_t)

# for scripts
files_read_etc_files(pppd_t)

init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)

auth_use_nsswitch(pppd_t)

logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)

miscfiles_read_localization(pppd_t)

sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)

userdom_use_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)

# Presumably lets pppd_t execute pppd_exec_t without a domain change
# (ppp_exec in ppp.if -- confirm).
ppp_exec(pppd_t)

optional_policy(`
	ddclient_domtrans(pppd_t)
')

optional_policy(`
	# Enter the insmod domain only when the local tunable is on AND the
	# global secure_mode_insmod boolean is off. The _uncond interface is
	# presumably used because this block already supplies the condition.
	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
		modutils_domtrans_insmod_uncond(pppd_t)
	')
')

optional_policy(`
	mta_send_mail(pppd_t)
')

optional_policy(`
	networkmanager_signal(pppd_t)
')

optional_policy(`
	postfix_domtrans_master(pppd_t)
')

optional_policy(`
	seutil_sigchld_newrole(pppd_t)
')

optional_policy(`
	udev_read_db(pppd_t)
')

########################################
#
# PPTP Local policy
#

# NOTE(review): dac_override and dac_read_search bypass DAC checks on every
# file; confirm pptp still needs them beyond the ppp types granted explicitly
# below.
allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
# dontaudit only silences the denial; the capability is not granted.
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
# Raw IP sockets (goes with net_raw above).
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;
allow pptp_t self:udp_socket create_socket_perms;
allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;

# Read-only access to /etc/ppp (pppd_etc_t).
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;

# Writable /etc/ppp content (pppd_etc_rw_t) is readable and executable here.
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
# NOTE(review): pppd_etc_rw_t is created and written by pppd_t (PPPD section),
# so whatever can write those files controls what pptp_t executes; confirm
# this trust relationship is intended.
can_exec(pptp_t, pppd_etc_rw_t)

# Allow pptp to append to pppd log files
# Append only: no read, truncate or unlink on pppd_log_t.
allow pptp_t pppd_log_t:file append_file_perms;

allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)

manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
files_pid_filetrans(pptp_t, pptp_var_run_t, file)

kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)

dev_read_sysfs(pptp_t)

corecmd_exec_shell(pptp_t)
corecmd_read_bin_symlinks(pptp_t)

corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
# Outbound TCP: generic ports plus every reserved port type.
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)

files_read_etc_files(pptp_t)

fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)

term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)

domain_use_interactive_fds(pptp_t)

auth_use_nsswitch(pptp_t)

logging_send_syslog_msg(pptp_t)

miscfiles_read_localization(pptp_t)

sysnet_exec_ifconfig(pptp_t)

userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_user_home_dirs(pptp_t)
userdom_signal_unpriv_users(pptp_t)

# NOTE(review): the consoletype, dbus/networkmanager and postfix blocks below
# grant to pppd_t although they sit under the PPTP header. Placement does not
# change enforcement, but they read more naturally in the PPPD section.
optional_policy(`
	consoletype_exec(pppd_t)
')

optional_policy(`
	dbus_system_domain(pppd_t, pppd_exec_t)

	optional_policy(`
		networkmanager_dbus_chat(pppd_t)
	')
')

optional_policy(`
	hostname_exec(pptp_t)
')

optional_policy(`
	seutil_sigchld_newrole(pptp_t)
')

optional_policy(`
	udev_read_db(pptp_t)
')

optional_policy(`
	postfix_read_config(pppd_t)
')