add ppp

2005-10-14 20:00:07 +00:00 · 2005-10-14 20:00:07 +00:00 · e08118a52f
parent fe9d17fe14
commit e08118a52f
11 changed files with 566 additions and 2 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -22,6 +22,7 @@
 	ftp
 	kudzu
 	mailman
+	ppp
 	radvd
 	sasl
 	webalizer
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -84,6 +84,12 @@ gen_tunable(httpd_unified,false)
 ## Generally this is used for dynamic DNS.
 gen_tunable(named_write_master_zones,false)

+## Allow pppd to load kernel modules for certain modems
+gen_tunable(pppd_can_insmod,false)
+
+## Allow pppd to be run for a regular user
+gen_tunable(pppd_for_user,false)
+
 ## Allow reading of default_t files.
 gen_tunable(read_default_t,false)

--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -956,6 +956,22 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 	dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')

+########################################
+## <summary>
+##      Connect TCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to connect TCP sockets
@ -990,6 +1006,23 @@ interface(`corenet_use_tun_tap_device',`
 	allow $1 tun_tap_device_t:chr_file { read write ioctl };
 ')

+########################################
+## <summary>
+##	Read and write the point-to-point device.
+## </summary>
+## <param name="domain">
+##	The domain allowed access.
+## </param>
+#
+interface(`corenet_use_ppp_device',`
+	gen_require(`
+		type ppp_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ppp_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to network objects.
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -294,6 +294,25 @@ interface(`term_dontaudit_manage_pty_dir',`
 	dontaudit $1 devpts_t:dir create_dir_perms;
 ')

+########################################
+## <summary>
+##	ioctl of generic pty types.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+# cjp: added for ppp
+interface(`term_ioctl_generic_pty',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
+	allow $1 devpts_t:chr_file ioctl;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the generic pty
@ -352,6 +371,22 @@ interface(`term_use_controlling_term',`
 	allow $1 devtty_t:chr_file { getattr read write ioctl };
 ')

+########################################
+## <summary>
+##	Read and write the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+##	The type of the process to allow access.
+## </param>
+#
+interface(`term_use_ptmx',`
+	gen_require(`
+		type ptmx_t;
+	')
+
+	allow $1 ptmx_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and
--- a/refpolicy/policy/modules/services/ppp.fc
+++ b/refpolicy/policy/modules/services/ppp.fc
@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp/.*			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp 			--	gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)?		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
+
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@ -0,0 +1,111 @@
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+
+########################################
+## <summary>
+##	Use PPP file discriptors.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`ppp_use_fd',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Allow domain to send sigchld to parent of PPP domain type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`ppp_sigchld',`
+	gen_require(`
+		type pppd_t;
+
+	')
+
+	allow $1 pppd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow domain to send a signal to PPP domain type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`ppp_signal',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process signal;
+')
+
+########################################
+## <summary>
+##	 Execute domain in the ppp domain.
+## </summary>
+## <param name="domain">
+##	 Domain allowed access.
+## </param>
+#
+interface(`ppp_domtrans',`
+	gen_require(`
+		type pppd_t, pppd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, pppd_exec_t, pppd_t)
+
+	allow $1 pppd_t:fd use;
+	allow pppd_t $1:fd use;
+	allow pppd_t $1:fifo_file rw_file_perms;
+	allow pppd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	 Conditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	 Domain allowed access.
+## </param>
+#
+interface(`ppp_run_cond',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	role $2 types pppd_t;
+
+	tunable_policy(`pppd_for_user',`
+		ppp_domtrans($1)
+		allow pppd_t $3:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	 Unconditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	 Domain allowed access.
+## </param>
+#
+interface(`ppp_run',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	ppp_domtrans($1)
+	role $2 types pppd_t;
+	allow pppd_t $3:chr_file rw_term_perms;
+')
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@ -0,0 +1,318 @@
+
+policy_module(ppp,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t,pppd_exec_t)
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t; #, usercanread;
+files_type(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_script_exec_t;
+files_type(pppd_script_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t,pptp_exec_t)
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t self:file { read getattr };
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file r_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+files_create_etc_config(pppd_t,pppd_etc_t)
+
+allow pppd_t pppd_etc_rw_t:file create_file_perms;
+
+allow pppd_t pppd_lock_t:file create_file_perms;
+files_create_lock(pppd_t,pppd_lock_t)
+
+allow pppd_t pppd_log_t:file create_file_perms;
+logging_create_log(pppd_t,pppd_log_t)
+
+allow pppd_t pppd_tmp_t:dir create_dir_perms;
+allow pppd_t pppd_tmp_t:file create_file_perms;
+files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })
+
+allow pppd_t pppd_var_run_t:dir rw_dir_perms;
+allow pppd_t pppd_var_run_t:file create_file_perms;
+files_create_pid(pppd_t,pppd_var_run_t)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file r_file_perms;
+
+# Automatically label newly created files under /etc/ppp with this type
+type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+
+kernel_list_proc(pppd_t)
+kernel_read_kernel_sysctl(pppd_t)
+kernel_read_proc_symlinks(pppd_t)
+kernel_read_net_sysctl(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+
+corenet_tcp_sendrecv_all_if(pppd_t)
+corenet_raw_sendrecv_all_if(pppd_t)
+corenet_udp_sendrecv_all_if(pppd_t)
+corenet_tcp_sendrecv_all_nodes(pppd_t)
+corenet_raw_sendrecv_all_nodes(pppd_t)
+corenet_udp_sendrecv_all_nodes(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+corenet_tcp_bind_all_nodes(pppd_t)
+corenet_udp_bind_all_nodes(pppd_t)
+# Access /dev/ppp.
+corenet_use_ppp_device(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_tty(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_pty(pppd_t)
+# for pppoe
+term_create_pty(pppd_t,pppd_devpts_t)
+term_dontaudit_use_console(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_sbin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_wide_inherit_fd(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_read_etc_runtime_files(pppd_t)
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_script_pid(pppd_t)
+init_dontaudit_write_script_pid(pppd_t)
+init_use_fd(pppd_t)
+init_use_script_pty(pppd_t)
+
+libs_use_ld_so(pppd_t)
+libs_use_shared_libs(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_read_config(pppd_t)
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(pppd_t)
+userdom_dontaudit_search_sysadm_home_dir(pppd_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+userdom_search_sysadm_home_dir(pppd_t)
+userdom_search_unpriv_user_home_dirs(pppd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(pppd_t)
+	term_dontaudit_use_generic_pty(pppd_t)
+	files_dontaudit_read_root_file(pppd_t)
+')
+
+optional_policy(`modutils.te',`
+	tunable_policy(`pppd_can_insmod',`
+		modutils_domtrans_insmod(pppd_t)
+	')
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(pppd_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(pppd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+
+allow pptp_t pppd_etc_t:dir { getattr read search };
+allow pptp_t pppd_etc_t:file { read getattr };
+allow pptp_t pppd_etc_t:lnk_file { getattr read };
+
+allow pptp_t pppd_etc_rw_t:dir { getattr read search };
+allow pptp_t pppd_etc_rw_t:file { read getattr };
+allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append;
+
+allow pptp_t pptp_log_t:file create_file_perms;
+logging_create_log(pptp_t,pptp_log_t)
+
+allow pptp_t pptp_var_run_t:file create_file_perms;
+allow pptp_t pptp_var_run_t:dir rw_dir_perms;
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+files_create_pid(pptp_t,pptp_var_run_t)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctl(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corenet_tcp_sendrecv_all_if(pptp_t)
+corenet_raw_sendrecv_all_if(pptp_t)
+corenet_tcp_sendrecv_all_nodes(pptp_t)
+corenet_raw_sendrecv_all_nodes(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_all_nodes(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_dontaudit_use_console(pptp_t)
+term_ioctl_generic_pty(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_wide_inherit_fd(pptp_t)
+
+init_use_fd(pptp_t)
+init_use_script_pty(pptp_t)
+
+libs_use_ld_so(pptp_t)
+libs_use_shared_libs(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_read_config(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fd(pptp_t)
+userdom_dontaudit_search_sysadm_home_dir(pptp_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_tty(pptp_t)
+        term_dontaudit_use_generic_pty(pptp_t)
+        files_dontaudit_read_root_file(pptp_t)
+')
+
+optional_policy(`hostname.te',`
+	hostname_exec(pptp_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(pptp_t)
+')
+
+optional_policy(`selinuxutil.te',`
+        seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`udev.te',`
+        udev_read_db(pptp_t)
+')
+
+ifdef(`TODO',`
+ifdef(`postfix.te', `
+	allow pppd_t postfix_etc_t:dir search;
+	allow pppd_t postfix_etc_t:file r_file_perms;
+	allow pppd_t postfix_master_exec_t:file { getattr read };
+
+	ppp_use_fd(postfix_postqueue_t)
+	ppp_signal_daemon(postfix_postqueue_t)
+')
+optional_policy(`rhgb.te',`
+	rhgb_domain(pppd_t)
+')
+optional_policy(`rhgb.te',`
+        rhgb_domain(pptp_t)
+')
+ifdef(`named.te', `
+	dontaudit ndc_t pppd_t:fd use;
+')
+
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+')
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@ -21,13 +21,16 @@
 #
 /etc/hotplug/.*agent	--	gen_context(system_u:object_r:sbin_t,s0)
 /etc/hotplug/.*rc	-- 	gen_context(system_u:object_r:sbin_t,s0)
-
 /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
-
 /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)

 /etc/netplug\.d(/.*)? 	 	gen_context(system_u:object_r:sbin_t,s0)

+/etc/ppp/ip-down\..*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..*	--	gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_debian',`
 /etc/mysql/debian-start	--	gen_context(system_u:object_r:bin_t,s0)
 ')
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@ -5,6 +5,8 @@
 /etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
 /etc/ld\.so\.preload			--	gen_context(system_u:object_r:ld_so_cache_t,s0)

+/etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:shlib_t,s0)
+
 #
 # /lib(64)?
 #
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -311,6 +311,10 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')

+optional_policy(`ppp.te',`
+	ppp_use_fd(ifconfig_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(ifconfig_t)
 ')
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -629,6 +629,11 @@ template(`unpriv_user_template', `
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')

+	# Run pppd in pppd_t by default for user
+	optional_policy(`ppp.te', `
+		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	')
+
 	optional_policy(`selinuxutil.te',`
 		# for when the network connection is killed
 		seutil_dontaudit_signal_newrole($1_t)
@ -2175,6 +2180,22 @@ interface(`userdom_manage_user_home_sockets',`
 	allow $1 user_home_t:sock_file create_file_perms;
 ')

+########################################
+## <summary>
+##	Search all unprivileged users home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_search_unpriv_user_home_dirs',`
+	gen_require(`
+		attribute user_home_dir_type;
+	')
+
+	allow $1 user_home_dir_type:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read all unprivileged users home directory