#DESC PPPD - PPP daemon
#
# Author:  Russell Coker
# X-Debian-Packages: ppp
#
#################################
#
# Rules for the pppd_t domain, et al.
#
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
# pppd_secret_t is the type of the PAP and CHAP password files
#
bool pppd_for_user false;
daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
type pppd_secret_t, file_type, sysadmfile;
# Define a separate type for /etc/ppp
etcdir_domain(pppd)
# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t, file_type, sysadmfile;
# Automatically label newly created files under /etc/ppp with this type
file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
# for SSP (stack-smashing protector): reading /dev/urandom to seed the canary
allow pppd_t urandom_device_t:chr_file read;
allow pppd_t sysfs_t:dir search;
log_domain(pppd)
# Use the network.
can_network_server(pppd_t)
can_ypbind(pppd_t)
# Capabilities granted to pppd_t. sys_module and dac_override are broad grants, so keep this set minimal.
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
lock_domain(pppd)
# Read-only access to the PAP/CHAP secret files (pppd_secret_t)
allow pppd_t pppd_secret_t:file r_file_perms;
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
allow pppd_t postfix_etc_t:file r_file_perms;
allow pppd_t postfix_master_exec_t:file { getattr read };
allow postfix_postqueue_t pppd_t:fd use;
allow postfix_postqueue_t pppd_t:process sigchld;
')
# Allow running the ip-up and ip-down scripts and running chat. Note that this also permits executing any file labelled etc_t.
can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
allow pppd_t { bin_t sbin_t }:dir search;
allow pppd_t { sbin_t bin_t }:lnk_file read;
allow ifconfig_t pppd_t:fd use;
# Access /dev/ppp.
allow pppd_t ppp_device_t:chr_file rw_file_perms;
allow pppd_t devtty_t:chr_file { read write };
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t proc_t:dir search;
allow pppd_t proc_t:{ file lnk_file } r_file_perms;
allow pppd_t proc_net_t:dir { read search };
allow pppd_t proc_net_t:file r_file_perms;
allow pppd_t etc_runtime_t:file r_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
allow pppd_t devpts_t:dir search;
allow pppd_t devpts_t:chr_file ioctl;
# Needed by the scripts pppd runs: pipes to the child and symlinks under /etc
allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t etc_t:lnk_file read;
# for ~/.ppprc: only directory search is granted here. If the file actually exists, additional policy is needed to read it.
allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
in_user_role(pppd_t)
if (pppd_for_user)  {
# When the pppd_for_user boolean is set, unprivileged user domains run pppd in pppd_t by default
domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
allow unpriv_userdomain pppd_t:process signal;
}
# for PPPoE
can_create_pty(pppd)
allow pppd_t self:file { read getattr };
allow pppd_t self:packet_socket create_socket_perms;
file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
tmp_domain(pppd)
allow pppd_t sysctl_net_t:dir search;
allow pppd_t sysctl_net_t:file r_file_perms;
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
allow pppd_t initrc_var_run_t:file r_file_perms;
dontaudit pppd_t initrc_var_run_t:file { lock write };
# pppd needs to load kernel modules for certain modems. This is gated by the pppd_can_insmod boolean and disabled when secure_mode_insmod is set.
ifdef(`modutil.te', `
bool pppd_can_insmod false;
typeattribute ifconfig_t privsysmod;
if (pppd_can_insmod && !secure_mode_insmod) {
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
allow ifconfig_t self:capability sys_module;
}
')
daemon_domain(pptp, `, nscd_client_domain')
can_network_client_tcp(pptp_t)
allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:unix_dgram_socket create_socket_perms;
can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t devpts_t:dir search;
allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
allow pptp_t devpts_t:chr_file ioctl;
r_dir_file(pptp_t, pppd_etc_rw_t)
r_dir_file(pptp_t, pppd_etc_t)
allow pppd_t pptp_t:process signal;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t ptmx_t:chr_file rw_file_perms;
log_domain(pptp)
# Allow pptp to manage its socket file under its run directory (pptp_var_run_t)
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;
ifdef(`named.te', `
dontaudit ndc_t pppd_t:fd use;
')
# Allow /etc/ppp/ip-{up,down} to run most anything by transitioning to initrc_t. Anything labelled pppd_script_exec_t runs with initrc_t's privileges, so that label must be applied only to the intended scripts.
type pppd_script_exec_t, file_type, sysadmfile;
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
allow pppd_t initrc_t:process noatsecure;