ppp patch from dan

2009-07-20 15:41:19 -04:00 · 2009-07-20 15:41:19 -04:00 · 7395f80119
commit 7395f80119
parent 4aa075262a
3 changed files with 74 additions and 27 deletions
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@ -1,16 +1,15 @@
 #
 # /etc
 #
-/etc/rc.d/init.d/ppp		--	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/rc\.d/init\.d/ppp		--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
 /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
 /etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 #
 # /sbin
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@ -56,6 +56,25 @@ interface(`ppp_sigchld',`
 	allow $1 pppd_t:process sigchld;
 ')
 ########################################
 ## <summary>
 ##	Send ppp a kill signal
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 #
 interface(`ppp_kill',`
 	gen_require(`
 		type pppd_t;
 	')
 	allow $1 pppd_t:process sigkill;
 ')
 ########################################
 ## <summary>
 ##	Send a generic signal to PPP.
@ -296,6 +315,24 @@ interface(`ppp_pid_filetrans',`
 	files_pid_filetrans($1, pppd_var_run_t, file)
 ')
 ########################################
 ## <summary>
 ##	Execute ppp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 interface(`ppp_initrc_domtrans',`
 	gen_require(`
 		type pppd_initrc_exec_t;
 	')
 	init_labeled_script_domtrans($1, pppd_initrc_exec_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@ -315,33 +352,39 @@ interface(`ppp_admin',`
 		type pppd_etc_rw_t, pppd_var_run_t;
 		type pptp_t, pptp_log_t, pptp_var_run_t;
 		type pppd_initrc_exec_t;
 	')
 	allow $1 pppd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pppd_t)
 	ppp_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 pppd_initrc_exec_t system_r;
 	allow $2 system_r;
 	files_list_tmp($1)
-	manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
+	admin_pattern($1, pppd_tmp_t)
 	logging_list_logs($1)
-	manage_files_pattern($1, pppd_log_t, pppd_log_t)
+	admin_pattern($1, pppd_log_t)
-	manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
+	admin_pattern($1, pppd_lock_t)
 	files_list_etc($1)
-	manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	admin_pattern($1, pppd_etc_t)
-	manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
+	admin_pattern($1, pppd_etc_rw_t)
-	manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
+	admin_pattern($1, pppd_secret_t)
 	files_list_pids($1)
-	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+	admin_pattern($1, pppd_var_run_t)
 	allow $1 pptp_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pptp_t)
-	manage_files_pattern($1, pptp_log_t, pptp_log_t)
+	admin_pattern($1, pptp_log_t)
-	manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
+	admin_pattern($1, pptp_var_run_t)
 ')
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@ -1,5 +1,5 @@
-policy_module(ppp, 1.10.2)
+policy_module(ppp, 1.10.3)
 ########################################
 #
@ -37,8 +37,8 @@ files_config_file(pppd_etc_t)
 type pppd_etc_rw_t;
 files_type(pppd_etc_rw_t)
-type pppd_script_exec_t;
+type pppd_initrc_exec_t alias pppd_script_exec_t;
-files_type(pppd_script_exec_t)
+files_type(pppd_initrc_exec_t)
 # pppd_secret_t is the type of the pap and chap password files
 type pppd_secret_t;
@ -114,6 +114,8 @@ allow pppd_t pptp_t:process signal;
 # Access secret files
 allow pppd_t pppd_secret_t:file read_file_perms;
 ppp_initrc_domtrans(pppd_t)
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
 kernel_rw_net_sysctls(pppd_t)
@ -161,6 +163,7 @@ files_read_etc_files(pppd_t)
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
 init_signal_script(pppd_t)
 auth_use_nsswitch(pppd_t)
@ -174,7 +177,6 @@ sysnet_etc_filetrans_config(pppd_t)
 userdom_use_user_terminals(pppd_t)
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it
 userdom_search_user_home_dirs(pppd_t)
 ppp_exec(pppd_t)
@ -214,7 +216,7 @@ optional_policy(`
 # PPTP Local policy
 #
-allow pptp_t self:capability net_raw;
+allow pptp_t self:capability { net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
@ -222,14 +224,16 @@ allow pptp_t self:unix_dgram_socket create_socket_perms;
 allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow pptp_t self:rawip_socket create_socket_perms;
 allow pptp_t self:tcp_socket create_socket_perms;
 allow pptp_t self:udp_socket create_socket_perms;
 allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
 allow pptp_t pppd_etc_t:dir list_dir_perms;
 allow pptp_t pppd_etc_t:file read_file_perms;
-allow pptp_t pppd_etc_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
 allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
 allow pptp_t pppd_etc_rw_t:file read_file_perms;
-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
 can_exec(pptp_t, pppd_etc_rw_t)
 # Allow pptp to append to pppd log files
@ -245,9 +249,13 @@ files_pid_filetrans(pptp_t, pptp_var_run_t, file)
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
 kernel_read_proc_symlinks(pptp_t)
 kernel_read_system_state(pptp_t)
 dev_read_sysfs(pptp_t)
 corecmd_exec_shell(pptp_t)
 corecmd_read_bin_symlinks(pptp_t)
 corenet_all_recvfrom_unlabeled(pptp_t)
 corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_generic_if(pptp_t)
@ -260,6 +268,8 @@ corenet_tcp_connect_generic_port(pptp_t)
 corenet_tcp_connect_all_reserved_ports(pptp_t)
 corenet_sendrecv_generic_client_packets(pptp_t)
 files_read_etc_files(pptp_t)
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
@ -269,11 +279,13 @@ term_use_ptmx(pptp_t)
 domain_use_interactive_fds(pptp_t)
 auth_use_nsswitch(pptp_t)
 logging_send_syslog_msg(pptp_t)
 miscfiles_read_localization(pptp_t)
-sysnet_read_config(pptp_t)
+sysnet_exec_ifconfig(pptp_t)
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 userdom_dontaudit_search_user_home_dirs(pptp_t)
@ -286,10 +298,6 @@ optional_policy(`
 	hostname_exec(pptp_t)
 ')
 optional_policy(`
 	nscd_socket_use(pptp_t)
 ')
 optional_policy(`
 	seutil_sigchld_newrole(pptp_t)
 ')
@ -301,6 +309,3 @@ optional_policy(`
 optional_policy(`
 	postfix_read_config(pppd_t)
 ')
 # FIXME:
 domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)