ppp patch from dan
parent
4aa075262a
commit
7395f80119
@ -1,16 +1,15 @@
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
||||
|
||||
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
|
||||
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
|
||||
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
||||
|
||||
# Fix /etc/ppp {up,down} family scripts (see man pppd)
|
||||
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
|
||||
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /sbin
|
||||
|
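Review bot: The generic entry `/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)` matches every regular file under /etc/ppp, so the pap/chap secret files only keep pppd_secret_t if the later, more specific `/etc/ppp/.*secrets` entry wins at relabel time; libselinux prefers the more specific spec when the stems are equal, but nothing in the file records that this ordering is load-bearing. A comment on the generic line would make the dependency explicit: `# generic catch-all; the *secrets and resolv.conf entries below must override it`. The up/down script entries are relabeled to pppd_initrc_exec_t, and combined with the ppp_initrc_domtrans(pppd_t) call in ppp.te this means pppd executes them in initrc_t; the existing "Fix /etc/ppp {up,down} family scripts" comment could say so, e.g. `# pppd runs these in initrc_t via ppp_initrc_domtrans(); keep them out of the pppd_etc_rw_t catch-all`. Which one of the four candidate lines in this hunk is the extra removal cannot be told from the rendered page, so this is written against the new-side entries as printed.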
@ -56,6 +56,25 @@ interface(`ppp_sigchld',`
|
||||
allow $1 pppd_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send ppp a kill signal
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`ppp_kill',`
|
||||
gen_require(`
|
||||
type pppd_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to PPP.
|
||||
@ -296,6 +315,24 @@ interface(`ppp_pid_filetrans',`
|
||||
files_pid_filetrans($1, pppd_var_run_t, file)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ppp server in the ntpd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ppp_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type pppd_initrc_exec_t;
|
||||
')
|
||||
|
||||
init_labeled_script_domtrans($1, pppd_initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
@ -315,33 +352,39 @@ interface(`ppp_admin',`
|
||||
type pppd_etc_rw_t, pppd_var_run_t;
|
||||
|
||||
type pptp_t, pptp_log_t, pptp_var_run_t;
|
||||
type pppd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, pppd_t)
|
||||
|
||||
ppp_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 pppd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
|
||||
admin_pattern($1, pppd_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, pppd_log_t, pppd_log_t)
|
||||
admin_pattern($1, pppd_log_t)
|
||||
|
||||
manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
|
||||
admin_pattern($1, pppd_lock_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
|
||||
admin_pattern($1, pppd_etc_t)
|
||||
|
||||
manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
|
||||
admin_pattern($1, pppd_etc_rw_t)
|
||||
|
||||
manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
|
||||
admin_pattern($1, pppd_secret_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
|
||||
admin_pattern($1, pppd_var_run_t)
|
||||
|
||||
allow $1 pptp_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, pptp_t)
|
||||
|
||||
manage_files_pattern($1, pptp_log_t, pptp_log_t)
|
||||
admin_pattern($1, pptp_log_t)
|
||||
|
||||
manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
|
||||
admin_pattern($1, pptp_var_run_t)
|
||||
')
|
||||
|
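Review bot: The summary of the new ppp_initrc_domtrans interface reads `## Execute ppp server in the ntpd domain.`, which looks copied from another module and is wrong for this interface; it should read `## Execute ppp server in the initrc domain.` (and the param summary could follow the file's own wording, "Domain allowed access.", as ppp_kill does). It is worth stating in that summary that callers are handed the init script domain, since ppp_admin now wires it together with `role_transition $2 pppd_initrc_exec_t system_r;` and `allow $2 system_r;`, which is a deliberate privilege grant and not obvious from the interface name alone. As a minor style point, the ppp_kill header has two `#` lines before `interface(` where the rest of the file uses one.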
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ppp, 1.10.2)
|
||||
policy_module(ppp, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,8 +37,8 @@ files_config_file(pppd_etc_t)
|
||||
type pppd_etc_rw_t;
|
||||
files_type(pppd_etc_rw_t)
|
||||
|
||||
type pppd_script_exec_t;
|
||||
files_type(pppd_script_exec_t)
|
||||
type pppd_initrc_exec_t alias pppd_script_exec_t;
|
||||
files_type(pppd_initrc_exec_t)
|
||||
|
||||
# pppd_secret_t is the type of the pap and chap password files
|
||||
type pppd_secret_t;
|
||||
@ -114,6 +114,8 @@ allow pppd_t pptp_t:process signal;
|
||||
# Access secret files
|
||||
allow pppd_t pppd_secret_t:file read_file_perms;
|
||||
|
||||
ppp_initrc_domtrans(pppd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(pppd_t)
|
||||
kernel_read_system_state(pppd_t)
|
||||
kernel_rw_net_sysctls(pppd_t)
|
||||
@ -161,6 +163,7 @@ files_read_etc_files(pppd_t)
|
||||
|
||||
init_read_utmp(pppd_t)
|
||||
init_dontaudit_write_utmp(pppd_t)
|
||||
init_signal_script(pppd_t)
|
||||
|
||||
auth_use_nsswitch(pppd_t)
|
||||
|
||||
@ -174,7 +177,6 @@ sysnet_etc_filetrans_config(pppd_t)
|
||||
|
||||
userdom_use_user_terminals(pppd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
|
||||
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
||||
userdom_search_user_home_dirs(pppd_t)
|
||||
|
||||
ppp_exec(pppd_t)
|
||||
@ -214,7 +216,7 @@ optional_policy(`
|
||||
# PPTP Local policy
|
||||
#
|
||||
|
||||
allow pptp_t self:capability net_raw;
|
||||
allow pptp_t self:capability { net_raw net_admin };
|
||||
dontaudit pptp_t self:capability sys_tty_config;
|
||||
allow pptp_t self:process signal;
|
||||
allow pptp_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -222,14 +224,16 @@ allow pptp_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow pptp_t self:rawip_socket create_socket_perms;
|
||||
allow pptp_t self:tcp_socket create_socket_perms;
|
||||
allow pptp_t self:udp_socket create_socket_perms;
|
||||
allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
allow pptp_t pppd_etc_t:dir list_dir_perms;
|
||||
allow pptp_t pppd_etc_t:file read_file_perms;
|
||||
allow pptp_t pppd_etc_t:lnk_file { getattr read };
|
||||
allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
|
||||
allow pptp_t pppd_etc_rw_t:file read_file_perms;
|
||||
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
|
||||
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
|
||||
can_exec(pptp_t, pppd_etc_rw_t)
|
||||
|
||||
# Allow pptp to append to pppd log files
|
||||
@ -245,9 +249,13 @@ files_pid_filetrans(pptp_t, pptp_var_run_t, file)
|
||||
kernel_list_proc(pptp_t)
|
||||
kernel_read_kernel_sysctls(pptp_t)
|
||||
kernel_read_proc_symlinks(pptp_t)
|
||||
kernel_read_system_state(pptp_t)
|
||||
|
||||
dev_read_sysfs(pptp_t)
|
||||
|
||||
corecmd_exec_shell(pptp_t)
|
||||
corecmd_read_bin_symlinks(pptp_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(pptp_t)
|
||||
corenet_all_recvfrom_netlabel(pptp_t)
|
||||
corenet_tcp_sendrecv_generic_if(pptp_t)
|
||||
@ -260,6 +268,8 @@ corenet_tcp_connect_generic_port(pptp_t)
|
||||
corenet_tcp_connect_all_reserved_ports(pptp_t)
|
||||
corenet_sendrecv_generic_client_packets(pptp_t)
|
||||
|
||||
files_read_etc_files(pptp_t)
|
||||
|
||||
fs_getattr_all_fs(pptp_t)
|
||||
fs_search_auto_mountpoints(pptp_t)
|
||||
|
||||
@ -269,11 +279,13 @@ term_use_ptmx(pptp_t)
|
||||
|
||||
domain_use_interactive_fds(pptp_t)
|
||||
|
||||
auth_use_nsswitch(pptp_t)
|
||||
|
||||
logging_send_syslog_msg(pptp_t)
|
||||
|
||||
miscfiles_read_localization(pptp_t)
|
||||
|
||||
sysnet_read_config(pptp_t)
|
||||
sysnet_exec_ifconfig(pptp_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
||||
userdom_dontaudit_search_user_home_dirs(pptp_t)
|
||||
@ -286,10 +298,6 @@ optional_policy(`
|
||||
hostname_exec(pptp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(pptp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(pptp_t)
|
||||
')
|
||||
@ -301,6 +309,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
postfix_read_config(pppd_t)
|
||||
')
|
||||
|
||||
# FIXME:
|
||||
domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
|
||||
|
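Review bot: `allow pptp_t self:capability { net_raw net_admin };` widens pptp_t to net_admin with no comment naming the operation that needs it; given the existing `allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;` and the added `sysnet_exec_ifconfig(pptp_t)`, it is presumably route or interface configuration, and a one-line comment such as `# net_admin: interface/route setup for the tunnel (confirm which call needs it)` would stop the next reviewer from re-deriving that. The `ppp_initrc_domtrans(pppd_t)` call replaces the removed `# FIXME:` domtrans_pattern into initrc_t, but the replacement carries no explanation, so the fact that pppd_t enters the init script domain whenever it runs a pppd_initrc_exec_t file (the /etc/ppp up/down scripts per ppp.fc) is now undocumented; a comment along the lines of `# pppd runs the /etc/ppp/*-{up,down} scripts in initrc_t; those files must never be labeled pppd_etc_rw_t` would preserve what the FIXME was warning about. In the `@ -174,7 +177,6 @@` hunk the counts show exactly one line removed; if that line is `userdom_search_user_home_dirs(pppd_t)`, the `# for ~/.ppprc` comment above it now describes nothing and should be removed with it.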