[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / ppp.te


policy_module(ppp,1.0)

########################################
#
# Declarations
#

# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t,pppd_exec_t)

type pppd_devpts_t;
term_pty(pppd_devpts_t)

# Define a separate type for /etc/ppp
type pppd_etc_t; #, usercanread;
files_type(pppd_etc_t)

# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)

type pppd_script_exec_t;
files_type(pppd_script_exec_t)

# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)

type pppd_log_t;
logging_log_file(pppd_log_t)

type pppd_lock_t;
files_lock_file(pppd_lock_t)

type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)

type pppd_var_run_t;
files_pid_file(pppd_var_run_t)

type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t,pptp_exec_t)

type pptp_log_t;
logging_log_file(pptp_log_t)

type pptp_var_run_t;
files_pid_file(pptp_var_run_t)

########################################
#
# PPPD Local policy
#

dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t self:file { read getattr };
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;

domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)

allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };

allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
files_create_etc_config(pppd_t,pppd_etc_t)

allow pppd_t pppd_etc_rw_t:file create_file_perms;

allow pppd_t pppd_lock_t:file create_file_perms;
files_create_lock(pppd_t,pppd_lock_t)

allow pppd_t pppd_log_t:file create_file_perms;
logging_create_log(pppd_t,pppd_log_t)

allow pppd_t pppd_tmp_t:dir create_dir_perms;
allow pppd_t pppd_tmp_t:file create_file_perms;
files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })

allow pppd_t pppd_var_run_t:dir rw_dir_perms;
allow pppd_t pppd_var_run_t:file create_file_perms;
files_create_pid(pppd_t,pppd_var_run_t)

allow pppd_t pptp_t:process signal;

# for SSP
# Access secret files
allow pppd_t pppd_secret_t:file r_file_perms;

# Automatically label newly created files under /etc/ppp with this type
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;

kernel_list_proc(pppd_t)
kernel_read_kernel_sysctl(pppd_t)
kernel_read_proc_symlinks(pppd_t)
kernel_read_net_sysctl(pppd_t)
kernel_read_network_state(pppd_t)
kernel_load_module(pppd_t)

dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)

corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
corenet_tcp_sendrecv_all_nodes(pppd_t)
corenet_raw_sendrecv_all_nodes(pppd_t)
corenet_udp_sendrecv_all_nodes(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
corenet_tcp_bind_all_nodes(pppd_t)
corenet_udp_bind_all_nodes(pppd_t)
# Access /dev/ppp.
corenet_use_ppp_device(pppd_t)

fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)

term_use_unallocated_tty(pppd_t)
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_pty(pppd_t)
# for pppoe
term_create_pty(pppd_t,pppd_devpts_t)
term_dontaudit_use_console(pppd_t)

# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_sbin(pppd_t)
corecmd_exec_shell(pppd_t)

domain_use_wide_inherit_fd(pppd_t)

files_exec_etc_files(pppd_t)
files_read_etc_runtime_files(pppd_t)
# for scripts
files_read_etc_files(pppd_t)

init_read_script_pid(pppd_t)
init_dontaudit_write_script_pid(pppd_t)
init_use_fd(pppd_t)
init_use_script_pty(pppd_t)

libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t)

logging_send_syslog_msg(pppd_t)

miscfiles_read_localization(pppd_t)

sysnet_read_config(pppd_t)
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)

userdom_dontaudit_use_unpriv_user_fd(pppd_t)
userdom_dontaudit_search_sysadm_home_dir(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
userdom_search_sysadm_home_dir(pppd_t)
userdom_search_unpriv_user_home_dirs(pppd_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(pppd_t)
	term_dontaudit_use_generic_pty(pppd_t)
	files_dontaudit_read_root_file(pppd_t)

	optional_policy(`postfix.te',`
		gen_require(`
			bool postfix_master_disable_transgre;
		')

		if(!postfix_master_disable_trans) {
			postfix_domtrans_master(pppd_t)
		}
	')
',`
	optional_policy(`postfix.te',`
		postfix_domtrans_master(pppd_t)
	')
')

optional_policy(`modutils.te',`
	tunable_policy(`pppd_can_insmod',`
		modutils_domtrans_insmod(pppd_t)
	')
')

optional_policy(`nis.te',`
	nis_use_ypbind(pppd_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(pppd_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(pppd_t)
')

optional_policy(`udev.te', `
	udev_read_db(pppd_t)
')

########################################
#
# PPTP Local policy
#

dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;

allow pptp_t pppd_etc_t:dir { getattr read search };
allow pptp_t pppd_etc_t:file { read getattr };
allow pptp_t pppd_etc_t:lnk_file { getattr read };

allow pptp_t pppd_etc_rw_t:dir { getattr read search };
allow pptp_t pppd_etc_rw_t:file { read getattr };
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
can_exec(pptp_t, pppd_etc_rw_t)

# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;

allow pptp_t pptp_log_t:file create_file_perms;
logging_create_log(pptp_t,pptp_log_t)

allow pptp_t pptp_var_run_t:file create_file_perms;
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
files_create_pid(pptp_t,pptp_var_run_t)

kernel_list_proc(pptp_t)
kernel_read_kernel_sysctl(pptp_t)
kernel_read_proc_symlinks(pptp_t)

dev_read_sysfs(pptp_t)

corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
corenet_raw_sendrecv_all_nodes(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_all_nodes(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)

fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)

term_dontaudit_use_console(pptp_t)
term_ioctl_generic_pty(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)

domain_use_wide_inherit_fd(pptp_t)

init_use_fd(pptp_t)
init_use_script_pty(pptp_t)

libs_use_ld_so(pptp_t)
libs_use_shared_libs(pptp_t)

logging_send_syslog_msg(pptp_t)

miscfiles_read_localization(pptp_t)

sysnet_read_config(pptp_t)

userdom_dontaudit_use_unpriv_user_fd(pptp_t)
userdom_dontaudit_search_sysadm_home_dir(pptp_t)

ifdef(`targeted_policy',`
        term_dontaudit_use_unallocated_tty(pptp_t)
        term_dontaudit_use_generic_pty(pptp_t)
        files_dontaudit_read_root_file(pptp_t)
')

optional_policy(`hostname.te',`
	hostname_exec(pptp_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(pptp_t)
')

optional_policy(`selinuxutil.te',`
        seutil_sigchld_newrole(pptp_t)
')

optional_policy(`udev.te',`
        udev_read_db(pptp_t)
')

ifdef(`TODO',`
ifdef(`postfix.te', `
	allow pppd_t postfix_etc_t:dir search;
	allow pppd_t postfix_etc_t:file r_file_perms;
	allow pppd_t postfix_master_exec_t:file { getattr read };

	ppp_use_fd(postfix_postqueue_t)
	ppp_signal_daemon(postfix_postqueue_t)
')
optional_policy(`rhgb.te',`
	rhgb_domain(pppd_t)
')
optional_policy(`rhgb.te',`
        rhgb_domain(pptp_t)
')
ifdef(`named.te', `
	dontaudit ndc_t pppd_t:fd use;
')

domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
')
Commit	Line	Data
e08118a5 CP	1
	2	policy_module(ppp,1.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	# pppd_t is the domain for the pppd program.
	10	# pppd_exec_t is the type of the pppd executable.
	11	type pppd_t;
	12	type pppd_exec_t;
	13	init_daemon_domain(pppd_t,pppd_exec_t)
	14
	15	type pppd_devpts_t;
	16	term_pty(pppd_devpts_t)
	17
	18	# Define a separate type for /etc/ppp
	19	type pppd_etc_t; #, usercanread;
	20	files_type(pppd_etc_t)
	21
	22	# Define a separate type for writable files under /etc/ppp
	23	type pppd_etc_rw_t;
	24	files_type(pppd_etc_rw_t)
	25
	26	type pppd_script_exec_t;
	27	files_type(pppd_script_exec_t)
	28
	29	# pppd_secret_t is the type of the pap and chap password files
	30	type pppd_secret_t;
	31	files_type(pppd_secret_t)
	32
	33	type pppd_log_t;
	34	logging_log_file(pppd_log_t)
	35
	36	type pppd_lock_t;
	37	files_lock_file(pppd_lock_t)
	38
	39	type pppd_tmp_t;
	40	files_tmp_file(pppd_tmp_t)
	41
	42	type pppd_var_run_t;
	43	files_pid_file(pppd_var_run_t)
	44
	45	type pptp_t;
	46	type pptp_exec_t;
	47	init_daemon_domain(pptp_t,pptp_exec_t)
	48
	49	type pptp_log_t;
	50	logging_log_file(pptp_log_t)
	51
	52	type pptp_var_run_t;
	53	files_pid_file(pptp_var_run_t)
	54
	55	########################################
	56	#
	57	# PPPD Local policy
	58	#
	59
	60	dontaudit pppd_t self:capability sys_tty_config;
	61	allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
	62	allow pppd_t self:fifo_file rw_file_perms;
	63	allow pppd_t self:file { read getattr };
	64	allow pppd_t self:socket create_socket_perms;
65	allow pppd_t self:unix_dgram_socket create_socket_perms;
66	allow pppd_t self:unix_stream_socket create_socket_perms;
67	allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
68	allow pppd_t self:tcp_socket create_stream_socket_perms;
69	allow pppd_t self:udp_socket { connect connected_socket_perms };
70	allow pppd_t self:packet_socket create_socket_perms;
71
72	domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
73
74	allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
75
76	allow pppd_t pppd_etc_t:dir rw_dir_perms;
77	allow pppd_t pppd_etc_t:file r_file_perms;
78	allow pppd_t pppd_etc_t:lnk_file { getattr read };
79	files_create_etc_config(pppd_t,pppd_etc_t)
80
81	allow pppd_t pppd_etc_rw_t:file create_file_perms;
82
83	allow pppd_t pppd_lock_t:file create_file_perms;
84	files_create_lock(pppd_t,pppd_lock_t)
85
86	allow pppd_t pppd_log_t:file create_file_perms;
87	logging_create_log(pppd_t,pppd_log_t)
88
89	allow pppd_t pppd_tmp_t:dir create_dir_perms;
90	allow pppd_t pppd_tmp_t:file create_file_perms;
91	files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })
92
93	allow pppd_t pppd_var_run_t:dir rw_dir_perms;
94	allow pppd_t pppd_var_run_t:file create_file_perms;
95	files_create_pid(pppd_t,pppd_var_run_t)
96
97	allow pppd_t pptp_t:process signal;
98
99	# for SSP
100	# Access secret files
101	allow pppd_t pppd_secret_t:file r_file_perms;
102
103	# Automatically label newly created files under /etc/ppp with this type
104	type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
105
106	kernel_list_proc(pppd_t)
107	kernel_read_kernel_sysctl(pppd_t)
108	kernel_read_proc_symlinks(pppd_t)
109	kernel_read_net_sysctl(pppd_t)
110	kernel_read_network_state(pppd_t)
111	kernel_load_module(pppd_t)
112
113	dev_read_urand(pppd_t)
114	dev_search_sysfs(pppd_t)
115	dev_read_sysfs(pppd_t)
116
117	corenet_tcp_sendrecv_all_if(pppd_t)
118	corenet_raw_sendrecv_all_if(pppd_t)
119	corenet_udp_sendrecv_all_if(pppd_t)
120	corenet_tcp_sendrecv_all_nodes(pppd_t)
121	corenet_raw_sendrecv_all_nodes(pppd_t)
122	corenet_udp_sendrecv_all_nodes(pppd_t)
123	corenet_tcp_sendrecv_all_ports(pppd_t)
124	corenet_udp_sendrecv_all_ports(pppd_t)
125	corenet_tcp_bind_all_nodes(pppd_t)
126	corenet_udp_bind_all_nodes(pppd_t)
127	# Access /dev/ppp.
128	corenet_use_ppp_device(pppd_t)
129
130	fs_getattr_all_fs(pppd_t)
131	fs_search_auto_mountpoints(pppd_t)
132
133	term_use_unallocated_tty(pppd_t)
134	term_setattr_unallocated_ttys(pppd_t)
135	term_ioctl_generic_pty(pppd_t)
136	# for pppoe
137	term_create_pty(pppd_t,pppd_devpts_t)
138	term_dontaudit_use_console(pppd_t)
139
140	# allow running ip-up and ip-down scripts and running chat.
141	corecmd_exec_bin(pppd_t)
142	corecmd_exec_sbin(pppd_t)
143	corecmd_exec_shell(pppd_t)
144
145	domain_use_wide_inherit_fd(pppd_t)
146
147	files_exec_etc_files(pppd_t)
148	files_read_etc_runtime_files(pppd_t)
149	# for scripts
150	files_read_etc_files(pppd_t)
151
152	init_read_script_pid(pppd_t)
153	init_dontaudit_write_script_pid(pppd_t)
154	init_use_fd(pppd_t)
155	init_use_script_pty(pppd_t)
156
157	libs_use_ld_so(pppd_t)
158	libs_use_shared_libs(pppd_t)
159
160	logging_send_syslog_msg(pppd_t)
161
162	miscfiles_read_localization(pppd_t)
163
164	sysnet_read_config(pppd_t)
165	sysnet_exec_ifconfig(pppd_t)
166	sysnet_manage_config(pppd_t)
167
168	userdom_dontaudit_use_unpriv_user_fd(pppd_t)
169	userdom_dontaudit_search_sysadm_home_dir(pppd_t)
170	# for ~/.ppprc - if it actually exists then you need some policy to read it
171	#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
172	userdom_search_sysadm_home_dir(pppd_t)
173	userdom_search_unpriv_user_home_dirs(pppd_t)
174
175	ifdef(`targeted_policy', `
176	term_dontaudit_use_unallocated_tty(pppd_t)
177	term_dontaudit_use_generic_pty(pppd_t)
178	files_dontaudit_read_root_file(pppd_t)
04926d07 CP	179
	180	optional_policy(`postfix.te',`
	181	gen_require(`
	182	bool postfix_master_disable_transgre;
	183	')
	184
	185	if(!postfix_master_disable_trans) {
	186	postfix_domtrans_master(pppd_t)
	187	}
	188	')
	189	',`
	190	optional_policy(`postfix.te',`
	191	postfix_domtrans_master(pppd_t)
	192	')
e08118a5 CP	193	')
	194
	195	optional_policy(`modutils.te',`
	196	tunable_policy(`pppd_can_insmod',`
	197	modutils_domtrans_insmod(pppd_t)
	198	')
	199	')
	200
	201	optional_policy(`nis.te',`
	202	nis_use_ypbind(pppd_t)
	203	')
	204
	205	optional_policy(`nscd.te',`
	206	nscd_use_socket(pppd_t)
	207	')
	208
	209	optional_policy(`selinuxutil.te',`
	210	seutil_sigchld_newrole(pppd_t)
	211	')
	212
	213	optional_policy(`udev.te', `
	214	udev_read_db(pppd_t)
	215	')
	216
	217	########################################
	218	#
	219	# PPTP Local policy
	220	#
	221
	222	dontaudit pptp_t self:capability sys_tty_config;
	223	allow pptp_t self:capability net_raw;
	224	allow pptp_t self:fifo_file { read write };
	225	allow pptp_t self:unix_dgram_socket create_socket_perms;
	226	allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
	227	allow pptp_t self:rawip_socket create_socket_perms;
	228	allow pptp_t self:tcp_socket create_socket_perms;
	229
	230	allow pptp_t pppd_etc_t:dir { getattr read search };
	231	allow pptp_t pppd_etc_t:file { read getattr };
	232	allow pptp_t pppd_etc_t:lnk_file { getattr read };
	233
	234	allow pptp_t pppd_etc_rw_t:dir { getattr read search };
	235	allow pptp_t pppd_etc_rw_t:file { read getattr };
	236	allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
	237	can_exec(pptp_t, pppd_etc_rw_t)
	238
	239	# Allow pptp to append to pppd log files
	240	allow pptp_t pppd_log_t:file append;
	241
	242	allow pptp_t pptp_log_t:file create_file_perms;
	243	logging_create_log(pptp_t,pptp_log_t)
	244
	245	allow pptp_t pptp_var_run_t:file create_file_perms;
	246	allow pptp_t pptp_var_run_t:dir rw_dir_perms;
	247	allow pptp_t pptp_var_run_t:sock_file create_file_perms;
	248	files_create_pid(pptp_t,pptp_var_run_t)
	249
	250	kernel_list_proc(pptp_t)
	251	kernel_read_kernel_sysctl(pptp_t)
	252	kernel_read_proc_symlinks(pptp_t)
	253
	254	dev_read_sysfs(pptp_t)
	255
	256	corenet_tcp_sendrecv_all_if(pptp_t)
257	corenet_raw_sendrecv_all_if(pptp_t)
258	corenet_tcp_sendrecv_all_nodes(pptp_t)
259	corenet_raw_sendrecv_all_nodes(pptp_t)
260	corenet_tcp_sendrecv_all_ports(pptp_t)
261	corenet_tcp_bind_all_nodes(pptp_t)
262	corenet_tcp_connect_generic_port(pptp_t)
263	corenet_tcp_connect_all_reserved_ports(pptp_t)
264
265	fs_getattr_all_fs(pptp_t)
266	fs_search_auto_mountpoints(pptp_t)
267
268	term_dontaudit_use_console(pptp_t)
269	term_ioctl_generic_pty(pptp_t)
270	term_search_ptys(pptp_t)
271	term_use_ptmx(pptp_t)
272
273	domain_use_wide_inherit_fd(pptp_t)
274
275	init_use_fd(pptp_t)
276	init_use_script_pty(pptp_t)
277
278	libs_use_ld_so(pptp_t)
279	libs_use_shared_libs(pptp_t)
280
281	logging_send_syslog_msg(pptp_t)
282
283	miscfiles_read_localization(pptp_t)
284
285	sysnet_read_config(pptp_t)
286
287	userdom_dontaudit_use_unpriv_user_fd(pptp_t)
288	userdom_dontaudit_search_sysadm_home_dir(pptp_t)
289
290	ifdef(`targeted_policy',`
291	term_dontaudit_use_unallocated_tty(pptp_t)
292	term_dontaudit_use_generic_pty(pptp_t)
293	files_dontaudit_read_root_file(pptp_t)
294	')
295
296	optional_policy(`hostname.te',`
297	hostname_exec(pptp_t)
298	')
299
300	optional_policy(`nscd.te',`
301	nscd_use_socket(pptp_t)
302	')
303
304	optional_policy(`selinuxutil.te',`
305	seutil_sigchld_newrole(pptp_t)
306	')
307
308	optional_policy(`udev.te',`
309	udev_read_db(pptp_t)
310	')
311
312	ifdef(`TODO',`
313	ifdef(`postfix.te', `
314	allow pppd_t postfix_etc_t:dir search;
315	allow pppd_t postfix_etc_t:file r_file_perms;
316	allow pppd_t postfix_master_exec_t:file { getattr read };
317
318	ppp_use_fd(postfix_postqueue_t)
319	ppp_signal_daemon(postfix_postqueue_t)
320	')
321	optional_policy(`rhgb.te',`
322	rhgb_domain(pppd_t)
323	')
324	optional_policy(`rhgb.te',`
325	rhgb_domain(pptp_t)
326	')
327	ifdef(`named.te', `
328	dontaudit ndc_t pppd_t:fd use;
329	')
330
331	domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
332	')