e08118a5 | 1 | |
f6a590d7 | 2 | policy_module(ppp,1.4.1) |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | ## <desc> |
10 | ## <p> | |
11 | ## Allow pppd to load kernel modules for certain modems | |
12 | ## </p> | |
13 | ## </desc> | |
14 | gen_tunable(pppd_can_insmod,false) | |
15 | ||
16 | ifdef(`strict_policy',` | |
17 | ## <desc> | |
18 | ## <p> | |
19 | ## Allow pppd to be run for a regular user | |
20 | ## </p> | |
21 | ## </desc> | |
22 | gen_tunable(pppd_for_user,false) | |
23 | ') | |
24 | ||
25 | # pppd_t is the domain for the pppd program. |
26 | # pppd_exec_t is the type of the pppd executable. | |
27 | type pppd_t; | |
28 | type pppd_exec_t; | |
29 | init_daemon_domain(pppd_t,pppd_exec_t) | |
30 | ||
31 | type pppd_devpts_t; | |
32 | term_pty(pppd_devpts_t) | |
33 | ||
34 | # Define a separate type for /etc/ppp | |
35 | type pppd_etc_t; |
36 | files_config_file(pppd_etc_t) | |
37 | |
38 | # Define a separate type for writable files under /etc/ppp | |
39 | type pppd_etc_rw_t; | |
40 | files_type(pppd_etc_rw_t) | |
41 | ||
42 | type pppd_script_exec_t; | |
43 | files_type(pppd_script_exec_t) | |
44 | ||
45 | # pppd_secret_t is the type of the pap and chap password files | |
46 | type pppd_secret_t; | |
47 | files_type(pppd_secret_t) | |
48 | ||
49 | type pppd_log_t; | |
50 | logging_log_file(pppd_log_t) | |
51 | ||
52 | type pppd_lock_t; | |
53 | files_lock_file(pppd_lock_t) | |
54 | ||
55 | type pppd_tmp_t; | |
56 | files_tmp_file(pppd_tmp_t) | |
57 | ||
58 | type pppd_var_run_t; | |
59 | files_pid_file(pppd_var_run_t) | |
60 | ||
61 | type pptp_t; | |
62 | type pptp_exec_t; | |
63 | init_daemon_domain(pptp_t,pptp_exec_t) | |
64 | ||
65 | type pptp_log_t; | |
66 | logging_log_file(pptp_log_t) | |
67 | ||
68 | type pptp_var_run_t; | |
69 | files_pid_file(pptp_var_run_t) | |
70 | ||
71 | ######################################## | |
72 | # | |
73 | # PPPD Local policy | |
74 | # | |
75 | ||
e08118a5 | 76 | allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; |
141cffdd | 77 | dontaudit pppd_t self:capability sys_tty_config; |
123a990b | 78 | allow pppd_t self:process signal; |
c0868a7a | 79 | allow pppd_t self:fifo_file rw_fifo_file_perms; |
80 | allow pppd_t self:socket create_socket_perms; |
81 | allow pppd_t self:unix_dgram_socket create_socket_perms; | |
82 | allow pppd_t self:unix_stream_socket create_socket_perms; | |
8708d9be | 83 | allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; |
84 | allow pppd_t self:tcp_socket create_stream_socket_perms; |
85 | allow pppd_t self:udp_socket { connect connected_socket_perms }; | |
86 | allow pppd_t self:packet_socket create_socket_perms; | |
87 | ||
c0868a7a | 88 | domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) |
e08118a5 | 89 | |
c0868a7a | 90 | allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr }; |
91 | |
92 | allow pppd_t pppd_etc_t:dir rw_dir_perms; | |
c0868a7a | 93 | allow pppd_t pppd_etc_t:file read_file_perms; |
e08118a5 | 94 | allow pppd_t pppd_etc_t:lnk_file { getattr read }; |
e08118a5 | 95 | |
c0868a7a | 96 | manage_files_pattern(pppd_t,pppd_etc_rw_t,pppd_etc_rw_t) |
8708d9be | 97 | # Automatically label newly created files under /etc/ppp with this type |
c0868a7a | 98 | filetrans_pattern(pppd_t,pppd_etc_t,pppd_etc_rw_t,file) |
e08118a5 | 99 | |
c0868a7a | 100 | allow pppd_t pppd_lock_t:file manage_file_perms; |
1c1ac67f | 101 | files_lock_filetrans(pppd_t,pppd_lock_t,file) |
e08118a5 | 102 | |
c0868a7a | 103 | allow pppd_t pppd_log_t:file manage_file_perms; |
1c1ac67f | 104 | logging_log_filetrans(pppd_t,pppd_log_t,file) |
e08118a5 | 105 | |
106 | manage_dirs_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t) |
107 | manage_files_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t) | |
103fe280 | 108 | files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) |
e08118a5 | 109 | |
c0868a7a | 110 | manage_files_pattern(pppd_t,pppd_var_run_t,pppd_var_run_t) |
1c1ac67f | 111 | files_pid_filetrans(pppd_t,pppd_var_run_t,file) |
112 | |
113 | allow pppd_t pptp_t:process signal; | |
114 | ||
115 | # for SSP | |
116 | # Access secret files | |
c0868a7a | 117 | allow pppd_t pppd_secret_t:file read_file_perms; |
e08118a5 | 118 | |
445522dc | 119 | kernel_read_kernel_sysctls(pppd_t) |
725926c5 | 120 | kernel_read_system_state(pppd_t) |
445522dc | 121 | kernel_read_net_sysctls(pppd_t) |
122 | kernel_read_network_state(pppd_t) |
123 | kernel_load_module(pppd_t) | |
124 | ||
125 | dev_read_urand(pppd_t) | |
126 | dev_search_sysfs(pppd_t) | |
127 | dev_read_sysfs(pppd_t) | |
128 | ||
141cffdd | 129 | corenet_non_ipsec_sendrecv(pppd_t) |
130 | corenet_tcp_sendrecv_all_if(pppd_t) |
131 | corenet_raw_sendrecv_all_if(pppd_t) | |
132 | corenet_udp_sendrecv_all_if(pppd_t) | |
133 | corenet_tcp_sendrecv_all_nodes(pppd_t) | |
134 | corenet_raw_sendrecv_all_nodes(pppd_t) | |
135 | corenet_udp_sendrecv_all_nodes(pppd_t) | |
136 | corenet_tcp_sendrecv_all_ports(pppd_t) | |
137 | corenet_udp_sendrecv_all_ports(pppd_t) | |
e08118a5 | 138 | # Access /dev/ppp. |
5b6ddb98 | 139 | corenet_rw_ppp_dev(pppd_t) |
140 | |
141 | fs_getattr_all_fs(pppd_t) | |
142 | fs_search_auto_mountpoints(pppd_t) | |
143 | ||
1815bad1 | 144 | term_use_unallocated_ttys(pppd_t) |
e08118a5 | 145 | term_setattr_unallocated_ttys(pppd_t) |
1815bad1 | 146 | term_ioctl_generic_ptys(pppd_t) |
147 | # for pppoe |
148 | term_create_pty(pppd_t,pppd_devpts_t) | |
149 | |
150 | # Allow running the ip-up and ip-down scripts and running chat. | |
151 | corecmd_exec_bin(pppd_t) | |
152 | corecmd_exec_shell(pppd_t) |
153 | ||
15722ec9 | 154 | domain_use_interactive_fds(pppd_t) |
155 | |
156 | files_exec_etc_files(pppd_t) | |
8708d9be | 157 | files_manage_etc_runtime_files(pppd_t) |
158 | files_dontaudit_write_etc_files(pppd_t) |
159 | ||
160 | # for scripts |
161 | files_read_etc_files(pppd_t) | |
162 | ||
163 | init_read_utmp(pppd_t) |
164 | init_dontaudit_write_utmp(pppd_t) | |
165 | |
166 | libs_use_ld_so(pppd_t) | |
167 | libs_use_shared_libs(pppd_t) | |
168 | ||
169 | logging_send_syslog_msg(pppd_t) | |
170 | ||
171 | miscfiles_read_localization(pppd_t) | |
172 | ||
173 | sysnet_exec_ifconfig(pppd_t) |
174 | sysnet_manage_config(pppd_t) | |
f6a590d7 | 175 | sysnet_etc_filetrans_config(pppd_t) |
e08118a5 | 176 | |
15722ec9 | 177 | userdom_dontaudit_use_unpriv_user_fds(pppd_t) |
103fe280 | 178 | userdom_dontaudit_search_sysadm_home_dirs(pppd_t) |
179 | # for ~/.ppprc - if that file exists, an additional rule is still needed to allow reading it | |
180 | #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; | |
103fe280 | 181 | userdom_search_sysadm_home_dirs(pppd_t) |
15722ec9 | 182 | userdom_search_unpriv_users_home_dirs(pppd_t) |
e08118a5 | 183 | |
184 | ppp_exec(pppd_t) |
185 | ||
e08118a5 | 186 | ifdef(`targeted_policy', ` |
187 | term_dontaudit_use_unallocated_ttys(pppd_t) |
188 | term_dontaudit_use_generic_ptys(pppd_t) | |
9e04f5c5 | 189 | files_dontaudit_read_root_files(pppd_t) |
190 | ') |
191 | ||
192 | optional_policy(` |
193 | ddclient_domtrans(pppd_t) | |
194 | ') | |
195 | ||
bb7170f6 | 196 | optional_policy(` |
197 | tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` |
198 | modutils_domtrans_insmod_uncond(pppd_t) | |
199 | ') |
200 | ') | |
201 | ||
bb7170f6 | 202 | optional_policy(` |
203 | mta_send_mail(pppd_t) |
204 | ') | |
205 | ||
bb7170f6 | 206 | optional_policy(` |
207 | nis_use_ypbind(pppd_t) |
208 | ') | |
209 | ||
bb7170f6 | 210 | optional_policy(` |
1815bad1 | 211 | nscd_socket_use(pppd_t) |
212 | ') |
213 | ||
214 | optional_policy(` |
215 | postfix_domtrans_master(pppd_t) | |
216 | ') | |
217 | ||
bb7170f6 | 218 | optional_policy(` |
219 | seutil_sigchld_newrole(pppd_t) |
220 | ') | |
221 | ||
bb7170f6 | 222 | optional_policy(` |
223 | udev_read_db(pppd_t) |
224 | ') | |
225 | ||
226 | ######################################## | |
227 | # | |
228 | # PPTP Local policy | |
229 | # | |
230 | ||
231 | dontaudit pptp_t self:capability sys_tty_config; | |
232 | allow pptp_t self:capability net_raw; | |
233 | allow pptp_t self:fifo_file { read write }; | |
234 | allow pptp_t self:unix_dgram_socket create_socket_perms; | |
235 | allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; | |
236 | allow pptp_t self:rawip_socket create_socket_perms; | |
237 | allow pptp_t self:tcp_socket create_socket_perms; | |
238 | ||
239 | allow pptp_t pppd_etc_t:dir { getattr read search }; | |
240 | allow pptp_t pppd_etc_t:file { read getattr }; | |
241 | allow pptp_t pppd_etc_t:lnk_file { getattr read }; | |
242 | ||
243 | allow pptp_t pppd_etc_rw_t:dir { getattr read search }; | |
244 | allow pptp_t pppd_etc_rw_t:file { read getattr }; | |
245 | allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; | |
246 | can_exec(pptp_t, pppd_etc_rw_t) | |
247 | ||
248 | # Allow pptp to append to pppd log files | |
249 | allow pptp_t pppd_log_t:file append; | |
250 | ||
c0868a7a | 251 | allow pptp_t pptp_log_t:file manage_file_perms; |
1c1ac67f | 252 | logging_log_filetrans(pptp_t,pptp_log_t,file) |
e08118a5 | 253 | |
254 | manage_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t) |
255 | manage_sock_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t) | |
1c1ac67f | 256 | files_pid_filetrans(pptp_t,pptp_var_run_t,file) |
257 | |
258 | kernel_list_proc(pptp_t) | |
445522dc | 259 | kernel_read_kernel_sysctls(pptp_t) |
260 | kernel_read_proc_symlinks(pptp_t) |
261 | ||
262 | dev_read_sysfs(pptp_t) | |
263 | ||
141cffdd | 264 | corenet_non_ipsec_sendrecv(pptp_t) |
265 | corenet_tcp_sendrecv_all_if(pptp_t) |
266 | corenet_raw_sendrecv_all_if(pptp_t) | |
267 | corenet_tcp_sendrecv_all_nodes(pptp_t) | |
268 | corenet_raw_sendrecv_all_nodes(pptp_t) | |
269 | corenet_tcp_sendrecv_all_ports(pptp_t) | |
270 | corenet_tcp_bind_all_nodes(pptp_t) | |
271 | corenet_tcp_connect_generic_port(pptp_t) | |
272 | corenet_tcp_connect_all_reserved_ports(pptp_t) | |
141cffdd | 273 | corenet_sendrecv_generic_client_packets(pptp_t) |
274 | |
275 | fs_getattr_all_fs(pptp_t) | |
276 | fs_search_auto_mountpoints(pptp_t) | |
277 | ||
1815bad1 | 278 | term_ioctl_generic_ptys(pptp_t) |
279 | term_search_ptys(pptp_t) |
280 | term_use_ptmx(pptp_t) | |
281 | ||
15722ec9 | 282 | domain_use_interactive_fds(pptp_t) |
e08118a5 | 283 | |
284 | libs_use_ld_so(pptp_t) |
285 | libs_use_shared_libs(pptp_t) | |
286 | ||
287 | logging_send_syslog_msg(pptp_t) | |
288 | ||
289 | miscfiles_read_localization(pptp_t) | |
290 | ||
291 | sysnet_read_config(pptp_t) | |
292 | ||
15722ec9 | 293 | userdom_dontaudit_use_unpriv_user_fds(pptp_t) |
103fe280 | 294 | userdom_dontaudit_search_sysadm_home_dirs(pptp_t) |
295 | |
296 | ifdef(`targeted_policy',` | |
297 | term_dontaudit_use_unallocated_ttys(pptp_t) |
298 | term_dontaudit_use_generic_ptys(pptp_t) | |
9e04f5c5 | 299 | files_dontaudit_read_root_files(pptp_t) |
300 | ') |
301 | ||
302 | optional_policy(` |
303 | consoletype_exec(pppd_t) | |
304 | ') | |
305 | ||
bb7170f6 | 306 | optional_policy(` |
307 | hostname_exec(pptp_t) |
308 | ') | |
309 | ||
bb7170f6 | 310 | optional_policy(` |
1815bad1 | 311 | nscd_socket_use(pptp_t) |
312 | ') |
313 | ||
bb7170f6 | 314 | optional_policy(` |
315 | seutil_sigchld_newrole(pptp_t) |
316 | ') | |
317 | ||
bb7170f6 | 318 | optional_policy(` |
319 | udev_read_db(pptp_t) |
320 | ') | |
321 | ||
bb7170f6 | 322 | optional_policy(` |
bf080a46 | 323 | postfix_read_config(pppd_t) |
e08118a5 | 324 | ') |
725926c5 | 325 | |
445522dc | 326 | # FIXME: initrc_t is a type from another module and is referenced directly here instead of through an init interface |
c0868a7a | 327 | domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) |