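policy_module(ppp,1.2.4)

########################################
#
# Module overview
#
# Reference-policy module for pppd (PPP daemon) and pptp (PPTP client).
# Two domains are defined:
#   pppd_t - entered from pppd_exec_t; the privileged side of the module
#            (network admin capabilities, raw sockets, tty/pty handling,
#            execution of ip-up/ip-down/chat helpers, module loading).
#   pptp_t - entered from pptp_exec_t via pppd_t; a narrower domain that
#            only talks TCP/raw IP and reads pppd configuration.
#
# Reviewer note: the "PPTP Local policy" section previously carried two
# blocks that only concern pppd_t (the postfix_read_config optional block
# and the FIXME initrc_t transition); they are grouped under the pppd
# section below so every pppd_t rule is in one place. No rule was added,
# removed or altered.
#

########################################
#
# Declarations
#

# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t,pppd_exec_t)

# ptys pppd creates for pppoe (see term_create_pty below).
type pppd_devpts_t;
term_pty(pppd_devpts_t)

# Define a separate type for /etc/ppp
type pppd_etc_t;
files_config_file(pppd_etc_t)

# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)

# Entry point for the initrc_t transition at the end of the pppd section.
# NOTE(review): no rule in this module lets pppd_t write pppd_script_exec_t;
# keep it that way, since content of this type runs in the init script domain.
type pppd_script_exec_t;
files_type(pppd_script_exec_t)

# pppd_secret_t is the type of the pap and chap password files
# Only pppd_t gets (read-only) access below; pptp_t has no rule for it.
type pppd_secret_t;
files_type(pppd_secret_t)

type pppd_log_t;
logging_log_file(pppd_log_t)

type pppd_lock_t;
files_lock_file(pppd_lock_t)

type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)

type pppd_var_run_t;
files_pid_file(pppd_var_run_t)

type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t,pptp_exec_t)

type pptp_log_t;
logging_log_file(pptp_log_t)

type pptp_var_run_t;
files_pid_file(pptp_var_run_t)

########################################
#
# PPPD Local policy
#

# Capability set is broad: dac_override bypasses file DAC checks and
# setuid/setgid/fowner/fsetid let the daemon change identity and file
# ownership; net_admin/net_raw are the ones actually tied to link setup.
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
# packet sockets: raw link-layer access for PPPoE discovery.
allow pppd_t self:packet_socket create_socket_perms;

# pppd spawns pptp as a pty "dialer"; the two domains share fds and a pipe,
# and pptp reports its exit back to pppd.
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pppd_t pptp_t:fd use;
allow pptp_t pppd_t:fd use;
allow pptp_t pppd_t:fifo_file rw_file_perms;
allow pptp_t pppd_t:process sigchld;

allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };

# /etc/ppp itself: the directory is writable so pppd can create files there;
# existing config files are read-only. Files created by pppd in etc_t
# directories are labelled pppd_etc_t (files_etc_filetrans), and files it
# creates inside pppd_etc_t directories become pppd_etc_rw_t (type_transition
# further down), so the read-only config type is never written by pppd_t.
allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
files_etc_filetrans(pppd_t,pppd_etc_t,file)

# Writable state under /etc/ppp (e.g. resolv.conf copies written by ip-up).
# NOTE(review): pptp_t can execute this type (can_exec in the PPTP section),
# so anything pppd_t writes here is executable content for pptp.
allow pppd_t pppd_etc_rw_t:file create_file_perms;

allow pppd_t pppd_lock_t:file create_file_perms;
files_lock_filetrans(pppd_t,pppd_lock_t,file)

allow pppd_t pppd_log_t:file create_file_perms;
logging_log_filetrans(pppd_t,pppd_log_t,file)

allow pppd_t pppd_tmp_t:dir create_dir_perms;
allow pppd_t pppd_tmp_t:file create_file_perms;
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })

allow pppd_t pppd_var_run_t:dir rw_dir_perms;
allow pppd_t pppd_var_run_t:file create_file_perms;
files_pid_filetrans(pppd_t,pppd_var_run_t,file)

allow pppd_t pptp_t:process signal;

# for SSP
# NOTE(review): the "for SSP" remark probably belongs to dev_read_urand
# below rather than to the secrets rule; left as found.
# Access secret files
# Read-only: pppd never rewrites pap-secrets/chap-secrets under this policy.
allow pppd_t pppd_secret_t:file r_file_perms;

# Automatically label newly created files under /etc/ppp with this type
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;

kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_read_net_sysctls(pppd_t)
kernel_read_network_state(pppd_t)
# Direct module loading by the daemon; a second, tunable-gated path via
# insmod is in the modutils optional block below. Both widen the
# kernel-facing attack surface of pppd_t and are worth auditing.
kernel_load_module(pppd_t)

dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)

# Network access is unrestricted by interface, node or port for tcp/udp/raw.
corenet_non_ipsec_sendrecv(pppd_t)
corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
corenet_tcp_sendrecv_all_nodes(pppd_t)
corenet_raw_sendrecv_all_nodes(pppd_t)
corenet_udp_sendrecv_all_nodes(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)

fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)

# Serial/modem lines show up as unallocated ttys.
term_use_unallocated_ttys(pppd_t)
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_ptys(pppd_t)
# for pppoe
term_create_pty(pppd_t,pppd_devpts_t)
term_dontaudit_use_console(pppd_t)

# allow running ip-up and ip-down scripts and running chat.
# These helpers run *in* pppd_t (no transition), so any binary reachable
# through bin/sbin/shell types inherits the capability set granted above.
corecmd_exec_bin(pppd_t)
corecmd_exec_sbin(pppd_t)
corecmd_exec_shell(pppd_t)

domain_use_interactive_fds(pppd_t)

files_exec_etc_files(pppd_t)
files_read_etc_runtime_files(pppd_t)
# for scripts
files_read_etc_files(pppd_t)

init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
init_use_fds(pppd_t)
init_use_script_ptys(pppd_t)

libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t)

logging_send_syslog_msg(pppd_t)

miscfiles_read_localization(pppd_t)

# pppd rewrites system network configuration (resolver settings) on link up.
sysnet_read_config(pppd_t)
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)

userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
userdom_search_sysadm_home_dirs(pppd_t)
userdom_search_unpriv_users_home_dirs(pppd_t)

# Targeted policy: the postfix transition is switchable through the
# postfix_disable_trans boolean; strict policy transitions unconditionally.
ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_ttys(pppd_t)
	term_dontaudit_use_generic_ptys(pppd_t)
	files_dontaudit_read_root_files(pppd_t)

	optional_policy(`
		gen_require(`
			bool postfix_disable_trans;
		')

		if(!postfix_disable_trans) {
			postfix_domtrans_master(pppd_t)
		}
	')
',`
	optional_policy(`
		postfix_domtrans_master(pppd_t)
	')
')

# Relocated from the PPTP section: this rule concerns pppd_t only.
optional_policy(`
	postfix_read_config(pppd_t)
')

optional_policy(`
	ddclient_domtrans(pppd_t)
')

# Module loading through insmod is off unless the admin sets pppd_can_insmod,
# and is always denied while secure_mode_insmod is on.
optional_policy(`
	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
		modutils_domtrans_insmod_uncond(pppd_t)
	')
')

optional_policy(`
	mta_send_mail(pppd_t)
')

optional_policy(`
	nis_use_ypbind(pppd_t)
')

optional_policy(`
	nscd_socket_use(pppd_t)
')

optional_policy(`
	seutil_sigchld_newrole(pppd_t)
')

optional_policy(`
	udev_read_db(pppd_t)
')

# FIXME:
# Relocated from the PPTP section: this block concerns pppd_t only.
# Scripts labelled pppd_script_exec_t run in initrc_t, the init script
# domain, which is far more privileged than pppd_t. Review what gets that
# label carefully: pppd_t must never be able to write files of that type.
# NOTE(review): initrc_t is referenced directly rather than through an
# init_* interface and is not declared in this module; whether that needs a
# gen_require depends on how the policy is built (monolithic vs. module).
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
allow pppd_t initrc_t:fd use;
allow initrc_t pppd_t:fd use;
allow initrc_t pppd_t:fifo_file rw_file_perms;
allow initrc_t pppd_t:process sigchld;

########################################
#
# PPTP Local policy
#

dontaudit pptp_t self:capability sys_tty_config;
# net_raw only: pptp needs a raw IP socket for GRE, nothing else from the
# pppd_t capability set.
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;

# Read-only view of /etc/ppp; no access to pppd_secret_t.
allow pptp_t pppd_etc_t:dir { getattr read search };
allow pptp_t pppd_etc_t:file { read getattr };
allow pptp_t pppd_etc_t:lnk_file { getattr read };

# pptp may read and execute the pppd-writable files under /etc/ppp.
allow pptp_t pppd_etc_rw_t:dir { getattr read search };
allow pptp_t pppd_etc_rw_t:file { read getattr };
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
can_exec(pptp_t, pppd_etc_rw_t)

# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;

allow pptp_t pptp_log_t:file create_file_perms;
logging_log_filetrans(pptp_t,pptp_log_t,file)

allow pptp_t pptp_var_run_t:file create_file_perms;
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
files_pid_filetrans(pptp_t,pptp_var_run_t,file)

kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)

dev_read_sysfs(pptp_t)

# tcp and raw only (no udp); outbound connects to generic and reserved ports.
corenet_non_ipsec_sendrecv(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
corenet_raw_sendrecv_all_nodes(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_all_nodes(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)

fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)

term_dontaudit_use_console(pptp_t)
term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)

domain_use_interactive_fds(pptp_t)

init_use_fds(pptp_t)
init_use_script_ptys(pptp_t)

libs_use_ld_so(pptp_t)
libs_use_shared_libs(pptp_t)

logging_send_syslog_msg(pptp_t)

miscfiles_read_localization(pptp_t)

sysnet_read_config(pptp_t)

userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_sysadm_home_dirs(pptp_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pptp_t)
	term_dontaudit_use_generic_ptys(pptp_t)
	files_dontaudit_read_root_files(pptp_t)
')

optional_policy(`
	hostname_exec(pptp_t)
')

optional_policy(`
	nscd_socket_use(pptp_t)
')

optional_policy(`
	seutil_sigchld_newrole(pptp_t)
')

optional_policy(`
	udev_read_db(pptp_t)
')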