]>
Commit | Line | Data |
---|---|---|
e08118a5 | 1 | |
17ec8c1f | 2 | policy_module(ppp, 1.10.0) |
e08118a5 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
56e1b3d2 CP |
9 | ## <desc> |
10 | ## <p> | |
11 | ## Allow pppd to load kernel modules for certain modems | |
12 | ## </p> | |
13 | ## </desc> | |
0bfccda4 | 14 | gen_tunable(pppd_can_insmod, false) |
56e1b3d2 | 15 | |
56e1b3d2 CP |
16 | ## <desc> |
17 | ## <p> | |
18 | ## Allow pppd to be run for a regular user | |
19 | ## </p> | |
20 | ## </desc> | |
0bfccda4 | 21 | gen_tunable(pppd_for_user, false) |
56e1b3d2 | 22 | |
e08118a5 CP |
23 | # pppd_t is the domain for the pppd program. |
24 | # pppd_exec_t is the type of the pppd executable. | |
25 | type pppd_t; | |
26 | type pppd_exec_t; | |
0bfccda4 | 27 | init_daemon_domain(pppd_t, pppd_exec_t) |
e08118a5 CP |
28 | |
29 | type pppd_devpts_t; | |
30 | term_pty(pppd_devpts_t) | |
31 | ||
32 | # Define a separate type for /etc/ppp | |
9bbc757a CP |
33 | type pppd_etc_t; |
34 | files_config_file(pppd_etc_t) | |
e08118a5 CP |
35 | |
36 | # Define a separate type for writable files under /etc/ppp | |
37 | type pppd_etc_rw_t; | |
38 | files_type(pppd_etc_rw_t) | |
39 | ||
40 | type pppd_script_exec_t; | |
41 | files_type(pppd_script_exec_t) | |
42 | ||
43 | # pppd_secret_t is the type of the pap and chap password files | |
44 | type pppd_secret_t; | |
45 | files_type(pppd_secret_t) | |
46 | ||
47 | type pppd_log_t; | |
48 | logging_log_file(pppd_log_t) | |
49 | ||
50 | type pppd_lock_t; | |
51 | files_lock_file(pppd_lock_t) | |
52 | ||
53 | type pppd_tmp_t; | |
54 | files_tmp_file(pppd_tmp_t) | |
55 | ||
56 | type pppd_var_run_t; | |
57 | files_pid_file(pppd_var_run_t) | |
58 | ||
59 | type pptp_t; | |
60 | type pptp_exec_t; | |
0bfccda4 | 61 | init_daemon_domain(pptp_t, pptp_exec_t) |
e08118a5 CP |
62 | |
63 | type pptp_log_t; | |
64 | logging_log_file(pptp_log_t) | |
65 | ||
66 | type pptp_var_run_t; | |
67 | files_pid_file(pptp_var_run_t) | |
68 | ||
69 | ######################################## | |
70 | # | |
71 | # PPPD Local policy | |
72 | # | |
73 | ||
ae338637 | 74 | allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; |
141cffdd | 75 | dontaudit pppd_t self:capability sys_tty_config; |
123a990b | 76 | allow pppd_t self:process signal; |
c0868a7a | 77 | allow pppd_t self:fifo_file rw_fifo_file_perms; |
e08118a5 CP |
78 | allow pppd_t self:socket create_socket_perms; |
79 | allow pppd_t self:unix_dgram_socket create_socket_perms; | |
80 | allow pppd_t self:unix_stream_socket create_socket_perms; | |
8708d9be | 81 | allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; |
e08118a5 CP |
82 | allow pppd_t self:tcp_socket create_stream_socket_perms; |
83 | allow pppd_t self:udp_socket { connect connected_socket_perms }; | |
84 | allow pppd_t self:packet_socket create_socket_perms; | |
85 | ||
c0868a7a | 86 | domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) |
e08118a5 | 87 | |
c0868a7a | 88 | allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr }; |
e08118a5 CP |
89 | |
90 | allow pppd_t pppd_etc_t:dir rw_dir_perms; | |
c0868a7a | 91 | allow pppd_t pppd_etc_t:file read_file_perms; |
e08118a5 | 92 | allow pppd_t pppd_etc_t:lnk_file { getattr read }; |
e08118a5 | 93 | |
0bfccda4 | 94 | manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) |
8708d9be | 95 | # Automatically label newly created files under /etc/ppp with this type |
0bfccda4 | 96 | filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) |
e08118a5 | 97 | |
c0868a7a | 98 | allow pppd_t pppd_lock_t:file manage_file_perms; |
0bfccda4 | 99 | files_lock_filetrans(pppd_t, pppd_lock_t, file) |
e08118a5 | 100 | |
c0868a7a | 101 | allow pppd_t pppd_log_t:file manage_file_perms; |
0bfccda4 | 102 | logging_log_filetrans(pppd_t, pppd_log_t, file) |
e08118a5 | 103 | |
0bfccda4 CP |
104 | manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) |
105 | manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) | |
103fe280 | 106 | files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) |
e08118a5 | 107 | |
0bfccda4 CP |
108 | manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) |
109 | files_pid_filetrans(pppd_t, pppd_var_run_t, file) | |
e08118a5 CP |
110 | |
111 | allow pppd_t pptp_t:process signal; | |
112 | ||
113 | # for SSP | |
114 | # Access secret files | |
c0868a7a | 115 | allow pppd_t pppd_secret_t:file read_file_perms; |
e08118a5 | 116 | |
445522dc | 117 | kernel_read_kernel_sysctls(pppd_t) |
725926c5 | 118 | kernel_read_system_state(pppd_t) |
ae338637 | 119 | kernel_rw_net_sysctls(pppd_t) |
e08118a5 CP |
120 | kernel_read_network_state(pppd_t) |
121 | kernel_load_module(pppd_t) | |
122 | ||
123 | dev_read_urand(pppd_t) | |
124 | dev_search_sysfs(pppd_t) | |
125 | dev_read_sysfs(pppd_t) | |
126 | ||
19006686 CP |
127 | corenet_all_recvfrom_unlabeled(pppd_t) |
128 | corenet_all_recvfrom_netlabel(pppd_t) | |
e08118a5 CP |
129 | corenet_tcp_sendrecv_all_if(pppd_t) |
130 | corenet_raw_sendrecv_all_if(pppd_t) | |
131 | corenet_udp_sendrecv_all_if(pppd_t) | |
132 | corenet_tcp_sendrecv_all_nodes(pppd_t) | |
133 | corenet_raw_sendrecv_all_nodes(pppd_t) | |
134 | corenet_udp_sendrecv_all_nodes(pppd_t) | |
135 | corenet_tcp_sendrecv_all_ports(pppd_t) | |
136 | corenet_udp_sendrecv_all_ports(pppd_t) | |
e08118a5 | 137 | # Access /dev/ppp. |
5b6ddb98 | 138 | corenet_rw_ppp_dev(pppd_t) |
e08118a5 CP |
139 | |
140 | fs_getattr_all_fs(pppd_t) | |
141 | fs_search_auto_mountpoints(pppd_t) | |
142 | ||
1815bad1 | 143 | term_use_unallocated_ttys(pppd_t) |
e08118a5 | 144 | term_setattr_unallocated_ttys(pppd_t) |
1815bad1 | 145 | term_ioctl_generic_ptys(pppd_t) |
e08118a5 | 146 | # for pppoe |
0bfccda4 | 147 | term_create_pty(pppd_t, pppd_devpts_t) |
e08118a5 CP |
148 | |
149 | # allow running ip-up and ip-down scripts and running chat. | |
150 | corecmd_exec_bin(pppd_t) | |
e08118a5 CP |
151 | corecmd_exec_shell(pppd_t) |
152 | ||
15722ec9 | 153 | domain_use_interactive_fds(pppd_t) |
e08118a5 CP |
154 | |
155 | files_exec_etc_files(pppd_t) | |
8708d9be | 156 | files_manage_etc_runtime_files(pppd_t) |
8708d9be CP |
157 | files_dontaudit_write_etc_files(pppd_t) |
158 | ||
e08118a5 CP |
159 | # for scripts |
160 | files_read_etc_files(pppd_t) | |
161 | ||
68228b33 CP |
162 | init_read_utmp(pppd_t) |
163 | init_dontaudit_write_utmp(pppd_t) | |
e08118a5 | 164 | |
7a5e2d8a CP |
165 | auth_use_nsswitch(pppd_t) |
166 | ||
e08118a5 CP |
167 | logging_send_syslog_msg(pppd_t) |
168 | ||
169 | miscfiles_read_localization(pppd_t) | |
170 | ||
e08118a5 CP |
171 | sysnet_exec_ifconfig(pppd_t) |
172 | sysnet_manage_config(pppd_t) | |
f6a590d7 | 173 | sysnet_etc_filetrans_config(pppd_t) |
e08118a5 | 174 | |
296273a7 | 175 | userdom_use_user_terminals(pppd_t) |
15722ec9 | 176 | userdom_dontaudit_use_unpriv_user_fds(pppd_t) |
e08118a5 | 177 | # for ~/.ppprc - if it actually exists then you need some policy to read it |
296273a7 | 178 | userdom_search_user_home_dirs(pppd_t) |
e08118a5 | 179 | |
8708d9be CP |
180 | ppp_exec(pppd_t) |
181 | ||
70b8a723 CP |
182 | optional_policy(` |
183 | ddclient_domtrans(pppd_t) | |
184 | ') | |
185 | ||
bb7170f6 | 186 | optional_policy(` |
8967bf8b CP |
187 | tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` |
188 | modutils_domtrans_insmod_uncond(pppd_t) | |
e08118a5 CP |
189 | ') |
190 | ') | |
191 | ||
bb7170f6 | 192 | optional_policy(` |
88dd3896 CP |
193 | mta_send_mail(pppd_t) |
194 | ') | |
195 | ||
ae338637 CP |
196 | optional_policy(` |
197 | networkmanager_signal(pppd_t) | |
198 | ') | |
199 | ||
56e1b3d2 CP |
200 | optional_policy(` |
201 | postfix_domtrans_master(pppd_t) | |
202 | ') | |
203 | ||
bb7170f6 | 204 | optional_policy(` |
e08118a5 CP |
205 | seutil_sigchld_newrole(pppd_t) |
206 | ') | |
207 | ||
bb7170f6 | 208 | optional_policy(` |
e08118a5 CP |
209 | udev_read_db(pppd_t) |
210 | ') | |
211 | ||
212 | ######################################## | |
213 | # | |
214 | # PPTP Local policy | |
215 | # | |
216 | ||
e08118a5 | 217 | allow pptp_t self:capability net_raw; |
7a5e2d8a CP |
218 | dontaudit pptp_t self:capability sys_tty_config; |
219 | allow pptp_t self:process signal; | |
0b36a214 | 220 | allow pptp_t self:fifo_file rw_fifo_file_perms; |
e08118a5 CP |
221 | allow pptp_t self:unix_dgram_socket create_socket_perms; |
222 | allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; | |
223 | allow pptp_t self:rawip_socket create_socket_perms; | |
224 | allow pptp_t self:tcp_socket create_socket_perms; | |
225 | ||
0b36a214 CP |
226 | allow pptp_t pppd_etc_t:dir list_dir_perms; |
227 | allow pptp_t pppd_etc_t:file read_file_perms; | |
e08118a5 CP |
228 | allow pptp_t pppd_etc_t:lnk_file { getattr read }; |
229 | ||
0b36a214 CP |
230 | allow pptp_t pppd_etc_rw_t:dir list_dir_perms; |
231 | allow pptp_t pppd_etc_rw_t:file read_file_perms; | |
e08118a5 CP |
232 | allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; |
233 | can_exec(pptp_t, pppd_etc_rw_t) | |
234 | ||
235 | # Allow pptp to append to pppd log files | |
0b36a214 | 236 | allow pptp_t pppd_log_t:file append_file_perms; |
e08118a5 | 237 | |
c0868a7a | 238 | allow pptp_t pptp_log_t:file manage_file_perms; |
0bfccda4 | 239 | logging_log_filetrans(pptp_t, pptp_log_t, file) |
e08118a5 | 240 | |
0bfccda4 CP |
241 | manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) |
242 | manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) | |
243 | files_pid_filetrans(pptp_t, pptp_var_run_t, file) | |
e08118a5 CP |
244 | |
245 | kernel_list_proc(pptp_t) | |
445522dc | 246 | kernel_read_kernel_sysctls(pptp_t) |
e08118a5 CP |
247 | kernel_read_proc_symlinks(pptp_t) |
248 | ||
249 | dev_read_sysfs(pptp_t) | |
250 | ||
19006686 CP |
251 | corenet_all_recvfrom_unlabeled(pptp_t) |
252 | corenet_all_recvfrom_netlabel(pptp_t) | |
e08118a5 CP |
253 | corenet_tcp_sendrecv_all_if(pptp_t) |
254 | corenet_raw_sendrecv_all_if(pptp_t) | |
255 | corenet_tcp_sendrecv_all_nodes(pptp_t) | |
256 | corenet_raw_sendrecv_all_nodes(pptp_t) | |
257 | corenet_tcp_sendrecv_all_ports(pptp_t) | |
258 | corenet_tcp_bind_all_nodes(pptp_t) | |
259 | corenet_tcp_connect_generic_port(pptp_t) | |
260 | corenet_tcp_connect_all_reserved_ports(pptp_t) | |
141cffdd | 261 | corenet_sendrecv_generic_client_packets(pptp_t) |
e08118a5 CP |
262 | |
263 | fs_getattr_all_fs(pptp_t) | |
264 | fs_search_auto_mountpoints(pptp_t) | |
265 | ||
1815bad1 | 266 | term_ioctl_generic_ptys(pptp_t) |
e08118a5 CP |
267 | term_search_ptys(pptp_t) |
268 | term_use_ptmx(pptp_t) | |
269 | ||
15722ec9 | 270 | domain_use_interactive_fds(pptp_t) |
e08118a5 | 271 | |
e08118a5 CP |
272 | logging_send_syslog_msg(pptp_t) |
273 | ||
274 | miscfiles_read_localization(pptp_t) | |
275 | ||
276 | sysnet_read_config(pptp_t) | |
277 | ||
15722ec9 | 278 | userdom_dontaudit_use_unpriv_user_fds(pptp_t) |
296273a7 | 279 | userdom_dontaudit_search_user_home_dirs(pptp_t) |
e08118a5 | 280 | |
8708d9be CP |
281 | optional_policy(` |
282 | consoletype_exec(pppd_t) | |
283 | ') | |
284 | ||
bb7170f6 | 285 | optional_policy(` |
e08118a5 CP |
286 | hostname_exec(pptp_t) |
287 | ') | |
288 | ||
bb7170f6 | 289 | optional_policy(` |
1815bad1 | 290 | nscd_socket_use(pptp_t) |
e08118a5 CP |
291 | ') |
292 | ||
bb7170f6 | 293 | optional_policy(` |
6073ea1e | 294 | seutil_sigchld_newrole(pptp_t) |
e08118a5 CP |
295 | ') |
296 | ||
bb7170f6 | 297 | optional_policy(` |
6073ea1e | 298 | udev_read_db(pptp_t) |
e08118a5 CP |
299 | ') |
300 | ||
bb7170f6 | 301 | optional_policy(` |
bf080a46 | 302 | postfix_read_config(pppd_t) |
e08118a5 | 303 | ') |
725926c5 | 304 | |
445522dc | 305 | # FIXME: |
c0868a7a | 306 | domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) |