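policy_module(ppp,1.0)

# ppp: SELinux policy for the pppd daemon and the pptp client it may spawn.
# Domains: pppd_t (entered via pppd_exec_t) and pptp_t (entered via pptp_exec_t).
# File types cover /etc/ppp (pppd_etc_t, pppd_etc_rw_t), the pap and chap
# password files (pppd_secret_t), and the usual log, lock, tmp and pid types.
# m4 note: this file is processed by m4, so comments must not contain
# apostrophes or backquotes.

########################################
#
# Declarations
#

# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t,pppd_exec_t)

# Pseudo-terminals created by pppd (see term_create_pty below).
type pppd_devpts_t;
term_pty(pppd_devpts_t)

# Define a separate type for /etc/ppp
type pppd_etc_t; #, usercanread;
files_type(pppd_etc_t)

# Define a separate type for writable files under /etc/ppp
# Review note: pppd_t creates files of this type (type_transition in the
# PPPD section) and pptp_t may execute them (can_exec in the PPTP section),
# so this type is a write-then-execute path between the two domains.
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)

# Scripts run by pppd; only referenced from the parked TODO block below.
type pppd_script_exec_t;
files_type(pppd_script_exec_t)

# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)

type pppd_log_t;
logging_log_file(pppd_log_t)

type pppd_lock_t;
files_lock_file(pppd_lock_t)

type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)

type pppd_var_run_t;
files_pid_file(pppd_var_run_t)

type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t,pptp_exec_t)

type pptp_log_t;
logging_log_file(pptp_log_t)

type pptp_var_run_t;
files_pid_file(pptp_var_run_t)

########################################
#
# PPPD Local policy
#

dontaudit pppd_t self:capability sys_tty_config;
# Broad capability set. dac_override in particular lets the daemon bypass
# file permission checks; confirm each capability is still needed.
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t self:file { read getattr };
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;

# pppd launches pptp, which runs in its own domain.
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)

allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };

allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
files_create_etc_config(pppd_t,pppd_etc_t)

allow pppd_t pppd_etc_rw_t:file create_file_perms;

allow pppd_t pppd_lock_t:file create_file_perms;
files_create_lock(pppd_t,pppd_lock_t)

allow pppd_t pppd_log_t:file create_file_perms;
logging_create_log(pppd_t,pppd_log_t)

allow pppd_t pppd_tmp_t:dir create_dir_perms;
allow pppd_t pppd_tmp_t:file create_file_perms;
files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })

allow pppd_t pppd_var_run_t:dir rw_dir_perms;
allow pppd_t pppd_var_run_t:file create_file_perms;
files_create_pid(pppd_t,pppd_var_run_t)

allow pppd_t pptp_t:process signal;

# for SSP
# Access secret files
# Read-only: pppd_t is never granted write access to pppd_secret_t.
allow pppd_t pppd_secret_t:file r_file_perms;

# Automatically label newly created files under /etc/ppp with this type
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;

kernel_list_proc(pppd_t)
kernel_read_kernel_sysctl(pppd_t)
kernel_read_proc_symlinks(pppd_t)
kernel_read_net_sysctl(pppd_t)
kernel_read_network_state(pppd_t)
# Unconditional: this is not gated by the pppd_can_insmod tunable, which
# only controls the transition to the insmod domain further below.
kernel_load_module(pppd_t)

dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)

corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
corenet_tcp_sendrecv_all_nodes(pppd_t)
corenet_raw_sendrecv_all_nodes(pppd_t)
corenet_udp_sendrecv_all_nodes(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
corenet_tcp_bind_all_nodes(pppd_t)
corenet_udp_bind_all_nodes(pppd_t)
# Access /dev/ppp.
corenet_use_ppp_device(pppd_t)

fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)

term_use_unallocated_tty(pppd_t)
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_pty(pppd_t)
# for pppoe
term_create_pty(pppd_t,pppd_devpts_t)
term_dontaudit_use_console(pppd_t)

# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_sbin(pppd_t)
corecmd_exec_shell(pppd_t)

domain_use_wide_inherit_fd(pppd_t)

files_exec_etc_files(pppd_t)
files_read_etc_runtime_files(pppd_t)
# for scripts
files_read_etc_files(pppd_t)

init_read_script_pid(pppd_t)
init_dontaudit_write_script_pid(pppd_t)
init_use_fd(pppd_t)
init_use_script_pty(pppd_t)

libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t)

logging_send_syslog_msg(pppd_t)

miscfiles_read_localization(pppd_t)

sysnet_read_config(pppd_t)
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)

userdom_dontaudit_use_unpriv_user_fd(pppd_t)
userdom_dontaudit_search_sysadm_home_dir(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
userdom_search_sysadm_home_dir(pppd_t)
userdom_search_unpriv_user_home_dirs(pppd_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(pppd_t)
	term_dontaudit_use_generic_pty(pppd_t)
	files_dontaudit_read_root_file(pppd_t)

	optional_policy(`postfix.te',`
		# The required boolean must carry exactly the name tested below;
		# a mismatch leaves the if() referring to an undeclared boolean.
		gen_require(`
			bool postfix_master_disable_trans;
		')

		if(!postfix_master_disable_trans) {
			postfix_domtrans_master(pppd_t)
		}
	')
',`
	optional_policy(`postfix.te',`
		postfix_domtrans_master(pppd_t)
	')
')

optional_policy(`modutils.te',`
	tunable_policy(`pppd_can_insmod',`
		modutils_domtrans_insmod(pppd_t)
	')
')

optional_policy(`nis.te',`
	nis_use_ypbind(pppd_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(pppd_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(pppd_t)
')

optional_policy(`udev.te', `
	udev_read_db(pppd_t)
')

########################################
#
# PPTP Local policy
#

dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;

allow pptp_t pppd_etc_t:dir { getattr read search };
allow pptp_t pppd_etc_t:file { read getattr };
allow pptp_t pppd_etc_t:lnk_file { getattr read };

allow pptp_t pppd_etc_rw_t:dir { getattr read search };
allow pptp_t pppd_etc_rw_t:file { read getattr };
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
# pptp executes files that pppd_t creates under /etc/ppp (pppd_etc_rw_t).
# Confirm this exec permission is still required.
can_exec(pptp_t, pppd_etc_rw_t)

# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;

allow pptp_t pptp_log_t:file create_file_perms;
logging_create_log(pptp_t,pptp_log_t)

allow pptp_t pptp_var_run_t:file create_file_perms;
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
files_create_pid(pptp_t,pptp_var_run_t)

kernel_list_proc(pptp_t)
kernel_read_kernel_sysctl(pptp_t)
kernel_read_proc_symlinks(pptp_t)

dev_read_sysfs(pptp_t)

corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
corenet_raw_sendrecv_all_nodes(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_all_nodes(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)

fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)

term_dontaudit_use_console(pptp_t)
term_ioctl_generic_pty(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)

domain_use_wide_inherit_fd(pptp_t)

init_use_fd(pptp_t)
init_use_script_pty(pptp_t)

libs_use_ld_so(pptp_t)
libs_use_shared_libs(pptp_t)

logging_send_syslog_msg(pptp_t)

miscfiles_read_localization(pptp_t)

sysnet_read_config(pptp_t)

userdom_dontaudit_use_unpriv_user_fd(pptp_t)
userdom_dontaudit_search_sysadm_home_dir(pptp_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_tty(pptp_t)
	term_dontaudit_use_generic_pty(pptp_t)
	files_dontaudit_read_root_file(pptp_t)
')

optional_policy(`hostname.te',`
	hostname_exec(pptp_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(pptp_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(pptp_t)
')

optional_policy(`udev.te',`
	udev_read_db(pptp_t)
')

# Parked policy: only expanded when a TODO symbol is set at build time.
ifdef(`TODO',`
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
allow pppd_t postfix_etc_t:file r_file_perms;
allow pppd_t postfix_master_exec_t:file { getattr read };

ppp_use_fd(postfix_postqueue_t)
ppp_signal_daemon(postfix_postqueue_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(pppd_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(pptp_t)
')
ifdef(`named.te', `
dontaudit ndc_t pppd_t:fd use;
')

domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
')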