Allow pptp to connect only to pptp port

diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
index a6beb8f3bfb784d288891c8609a2b4d81899f08c..f0dbe884c6db0063bf5cfa0b5963ff4276d3cdcf 100644 (file)
--- a/policy/modules/admin/permissivedomains.te
+++ b/policy/modules/admin/permissivedomains.te
@@ -8,6 +8,14 @@ optional_policy(`
       permissive polipo_t;
 ')
 
+optional_policy(`
+       gen_require(`
+               type pptp_t;
+       ')
+
+       permissive pptp_t;
+')
+
 optional_policy(`
       gen_require(`
              type bootloader_t;

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 17d942f03a962c3a09ea341fa8ec5b412c816bdd..740d4b13cc1b029bab57ea30b381c5ed4a825ed7 100644 (file)
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -223,6 +223,7 @@ network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
 network_port(postgrey, tcp,60000,s0)
+network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)

diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 605815aa6dbb91589648064adc204fc559869f78..399a45243e185fe3a311d4845836e2d2737080cc 100644 (file)
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -277,10 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
 corenet_raw_sendrecv_generic_node(pptp_t)
 corenet_tcp_sendrecv_all_ports(pptp_t)
 corenet_tcp_bind_generic_node(pptp_t)
-corenet_tcp_connect_generic_port(pptp_t)
-corenet_tcp_connect_unreserved_ports(pptp_t)
-corenet_tcp_connect_all_reserved_ports(pptp_t)
 corenet_sendrecv_generic_client_packets(pptp_t)
+corenet_tcp_connect_pptp_port(pptp_t)
 
 files_read_etc_files(pptp_t)