From 7395f80119e0de63498741f5f961d1a3c94c551c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Mon, 20 Jul 2009 15:41:19 -0400
Subject: [PATCH] ppp patch from dan

---
 policy/modules/services/ppp.fc |  5 ++-
 policy/modules/services/ppp.if | 61 +++++++++++++++++++++++++++++-----
 policy/modules/services/ppp.te | 35 ++++++++++---------
 3 files changed, 74 insertions(+), 27 deletions(-)

diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 43a091ae..5886bd47 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -1,16 +1,15 @@
 #
 # /etc
 #
-/etc/rc.d/init.d/ppp		--	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/rc\.d/init\.d/ppp		--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
 /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
 /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
 /etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
 #
 # /sbin
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 5786afa9..275287d5 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -56,6 +56,25 @@ interface(`ppp_sigchld',`
 	allow $1 pppd_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send ppp a kill signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`ppp_kill',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	Send a generic signal to PPP.
@@ -296,6 +315,24 @@ interface(`ppp_pid_filetrans',`
 	files_pid_filetrans($1, pppd_var_run_t, file)
 ')
 
+########################################
+## <summary>
+##	Execute ppp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ppp_initrc_domtrans',`
+	gen_require(`
+		type pppd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@@ -315,33 +352,39 @@ interface(`ppp_admin',`
 		type pppd_etc_rw_t, pppd_var_run_t;
 
 		type pptp_t, pptp_log_t, pptp_var_run_t;
+ 		type pppd_initrc_exec_t;
 	')
 
 	allow $1 pppd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pppd_t)
 
+	ppp_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pppd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_tmp($1)
-	manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
+	admin_pattern($1, pppd_tmp_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, pppd_log_t, pppd_log_t)
+	admin_pattern($1, pppd_log_t)
 
-	manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
+	admin_pattern($1, pppd_lock_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	admin_pattern($1, pppd_etc_t)
 
-	manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
+	admin_pattern($1, pppd_etc_rw_t)
 
-	manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
+	admin_pattern($1, pppd_secret_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+	admin_pattern($1, pppd_var_run_t)
 
 	allow $1 pptp_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pptp_t)
 
-	manage_files_pattern($1, pptp_log_t, pptp_log_t)
+	admin_pattern($1, pptp_log_t)
 
-	manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
+	admin_pattern($1, pptp_var_run_t)
 ')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 4c13d9c3..b8e1beb0 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp, 1.10.2)
+policy_module(ppp, 1.10.3)
 
 ########################################
 #
@@ -37,8 +37,8 @@ files_config_file(pppd_etc_t)
 type pppd_etc_rw_t;
 files_type(pppd_etc_rw_t)
 
-type pppd_script_exec_t;
-files_type(pppd_script_exec_t)
+type pppd_initrc_exec_t alias pppd_script_exec_t;
+files_type(pppd_initrc_exec_t)
 
 # pppd_secret_t is the type of the pap and chap password files
 type pppd_secret_t;
@@ -114,6 +114,8 @@ allow pppd_t pptp_t:process signal;
 # Access secret files
 allow pppd_t pppd_secret_t:file read_file_perms;
 
+ppp_initrc_domtrans(pppd_t)
+
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
 kernel_rw_net_sysctls(pppd_t)
@@ -161,6 +163,7 @@ files_read_etc_files(pppd_t)
 
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
 
 auth_use_nsswitch(pppd_t)
 
@@ -174,7 +177,6 @@ sysnet_etc_filetrans_config(pppd_t)
 
 userdom_use_user_terminals(pppd_t)
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-# for ~/.ppprc - if it actually exists then you need some policy to read it
 userdom_search_user_home_dirs(pppd_t)
 
 ppp_exec(pppd_t)
@@ -214,7 +216,7 @@ optional_policy(`
 # PPTP Local policy
 #
 
-allow pptp_t self:capability net_raw;
+allow pptp_t self:capability { net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
@@ -222,14 +224,16 @@ allow pptp_t self:unix_dgram_socket create_socket_perms;
 allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow pptp_t self:rawip_socket create_socket_perms;
 allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow pptp_t pppd_etc_t:dir list_dir_perms;
 allow pptp_t pppd_etc_t:file read_file_perms;
-allow pptp_t pppd_etc_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
 
 allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
 allow pptp_t pppd_etc_rw_t:file read_file_perms;
-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
 can_exec(pptp_t, pppd_etc_rw_t)
 
 # Allow pptp to append to pppd log files
@@ -245,9 +249,13 @@ files_pid_filetrans(pptp_t, pptp_var_run_t, file)
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
 kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
 
 dev_read_sysfs(pptp_t)
 
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
 corenet_all_recvfrom_unlabeled(pptp_t)
 corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_generic_if(pptp_t)
@@ -260,6 +268,8 @@ corenet_tcp_connect_generic_port(pptp_t)
 corenet_tcp_connect_all_reserved_ports(pptp_t)
 corenet_sendrecv_generic_client_packets(pptp_t)
 
+files_read_etc_files(pptp_t)
+
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
 
@@ -269,11 +279,13 @@ term_use_ptmx(pptp_t)
 
 domain_use_interactive_fds(pptp_t)
 
+auth_use_nsswitch(pptp_t)
+
 logging_send_syslog_msg(pptp_t)
 
 miscfiles_read_localization(pptp_t)
 
-sysnet_read_config(pptp_t)
+sysnet_exec_ifconfig(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 userdom_dontaudit_search_user_home_dirs(pptp_t)
@@ -286,10 +298,6 @@ optional_policy(`
 	hostname_exec(pptp_t)
 ')
 
-optional_policy(`
-	nscd_socket_use(pptp_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(pptp_t)
 ')
@@ -301,6 +309,3 @@ optional_policy(`
 optional_policy(`
 	postfix_read_config(pppd_t)
 ')
-
-# FIXME:
-domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)