diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 160a73e5..772c47e1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -22,6 +22,7 @@
ftp
kudzu
mailman
+ ppp
radvd
sasl
webalizer
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 1a06638d..3af5cadd 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -84,6 +84,12 @@ gen_tunable(httpd_unified,false)
## Generally this is used for dynamic DNS.
gen_tunable(named_write_master_zones,false)
+## Allow pppd to load kernel modules for certain modems
+gen_tunable(pppd_can_insmod,false)
+
+## Allow pppd to be run for a regular user
+gen_tunable(pppd_for_user,false)
+
## Allow reading of default_t files.
gen_tunable(read_default_t,false)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 8e8e2a03..eb8dbb43 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -956,6 +956,22 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
dontaudit $1 reserved_port_type:udp_socket name_bind;
')
+########################################
+##
+## Connect TCP sockets to reserved ports.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
########################################
##
## Do not audit attempts to connect TCP sockets
@@ -990,6 +1006,23 @@ interface(`corenet_use_tun_tap_device',`
allow $1 tun_tap_device_t:chr_file { read write ioctl };
')
+########################################
+##
+## Read and write the point-to-point device.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`corenet_use_ppp_device',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ppp_device_t:chr_file rw_file_perms;
+')
+
########################################
##
## Unconfined access to network objects.
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 0cc73669..b257b2bb 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -294,6 +294,25 @@ interface(`term_dontaudit_manage_pty_dir',`
dontaudit $1 devpts_t:dir create_dir_perms;
')
+########################################
+##
+## ioctl of generic pty types.
+##
+##
+## The type of the process performing this action.
+##
+#
+# cjp: added for ppp
+interface(`term_ioctl_generic_pty',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir search;
+ allow $1 devpts_t:chr_file ioctl;
+')
+
########################################
##
## Read and write the generic pty
@@ -352,6 +371,22 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { getattr read write ioctl };
')
+########################################
+##
+## Read and write the pty multiplexor (/dev/ptmx).
+##
+##
+## The type of the process to allow access.
+##
+#
+interface(`term_use_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ allow $1 ptmx_t:chr_file rw_file_perms;
+')
+
########################################
##
## Do not audit attempts to read and
diff --git a/refpolicy/policy/modules/services/ppp.fc b/refpolicy/policy/modules/services/ppp.fc
new file mode 100644
index 00000000..faa0c9e2
--- /dev/null
+++ b/refpolicy/policy/modules/services/ppp.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp/.* -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)? -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
new file mode 100644
index 00000000..88c7fbac
--- /dev/null
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -0,0 +1,111 @@
+## Point to Point Protocol daemon creates links in ppp networks
+
+########################################
+##
+## Use PPP file discriptors.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_use_fd',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:fd use;
+')
+
+########################################
+##
+## Allow domain to send sigchld to parent of PPP domain type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+##
+## Allow domain to send a signal to PPP domain type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_signal',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signal;
+')
+
+########################################
+##
+## Execute domain in the ppp domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_domtrans',`
+ gen_require(`
+ type pppd_t, pppd_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1, pppd_exec_t, pppd_t)
+
+ allow $1 pppd_t:fd use;
+ allow pppd_t $1:fd use;
+ allow pppd_t $1:fifo_file rw_file_perms;
+ allow pppd_t $1:process sigchld;
+')
+
+########################################
+##
+## Conditionally execute ppp daemon on behalf of a user or staff type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_run_cond',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ allow pppd_t $3:chr_file rw_term_perms;
+ ')
+')
+
+########################################
+##
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_run',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ ppp_domtrans($1)
+ role $2 types pppd_t;
+ allow pppd_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
new file mode 100644
index 00000000..c410f18e
--- /dev/null
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -0,0 +1,318 @@
+
+policy_module(ppp,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t,pppd_exec_t)
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t; #, usercanread;
+files_type(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_script_exec_t;
+files_type(pppd_script_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t,pptp_exec_t)
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t self:file { read getattr };
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file r_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+files_create_etc_config(pppd_t,pppd_etc_t)
+
+allow pppd_t pppd_etc_rw_t:file create_file_perms;
+
+allow pppd_t pppd_lock_t:file create_file_perms;
+files_create_lock(pppd_t,pppd_lock_t)
+
+allow pppd_t pppd_log_t:file create_file_perms;
+logging_create_log(pppd_t,pppd_log_t)
+
+allow pppd_t pppd_tmp_t:dir create_dir_perms;
+allow pppd_t pppd_tmp_t:file create_file_perms;
+files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })
+
+allow pppd_t pppd_var_run_t:dir rw_dir_perms;
+allow pppd_t pppd_var_run_t:file create_file_perms;
+files_create_pid(pppd_t,pppd_var_run_t)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file r_file_perms;
+
+# Automatically label newly created files under /etc/ppp with this type
+type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+
+kernel_list_proc(pppd_t)
+kernel_read_kernel_sysctl(pppd_t)
+kernel_read_proc_symlinks(pppd_t)
+kernel_read_net_sysctl(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+
+corenet_tcp_sendrecv_all_if(pppd_t)
+corenet_raw_sendrecv_all_if(pppd_t)
+corenet_udp_sendrecv_all_if(pppd_t)
+corenet_tcp_sendrecv_all_nodes(pppd_t)
+corenet_raw_sendrecv_all_nodes(pppd_t)
+corenet_udp_sendrecv_all_nodes(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+corenet_tcp_bind_all_nodes(pppd_t)
+corenet_udp_bind_all_nodes(pppd_t)
+# Access /dev/ppp.
+corenet_use_ppp_device(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_tty(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_pty(pppd_t)
+# for pppoe
+term_create_pty(pppd_t,pppd_devpts_t)
+term_dontaudit_use_console(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_sbin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_wide_inherit_fd(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_read_etc_runtime_files(pppd_t)
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_script_pid(pppd_t)
+init_dontaudit_write_script_pid(pppd_t)
+init_use_fd(pppd_t)
+init_use_script_pty(pppd_t)
+
+libs_use_ld_so(pppd_t)
+libs_use_shared_libs(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_read_config(pppd_t)
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(pppd_t)
+userdom_dontaudit_search_sysadm_home_dir(pppd_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+userdom_search_sysadm_home_dir(pppd_t)
+userdom_search_unpriv_user_home_dirs(pppd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(pppd_t)
+ term_dontaudit_use_generic_pty(pppd_t)
+ files_dontaudit_read_root_file(pppd_t)
+')
+
+optional_policy(`modutils.te',`
+ tunable_policy(`pppd_can_insmod',`
+ modutils_domtrans_insmod(pppd_t)
+ ')
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(pppd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(pppd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+
+allow pptp_t pppd_etc_t:dir { getattr read search };
+allow pptp_t pppd_etc_t:file { read getattr };
+allow pptp_t pppd_etc_t:lnk_file { getattr read };
+
+allow pptp_t pppd_etc_rw_t:dir { getattr read search };
+allow pptp_t pppd_etc_rw_t:file { read getattr };
+allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append;
+
+allow pptp_t pptp_log_t:file create_file_perms;
+logging_create_log(pptp_t,pptp_log_t)
+
+allow pptp_t pptp_var_run_t:file create_file_perms;
+allow pptp_t pptp_var_run_t:dir rw_dir_perms;
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+files_create_pid(pptp_t,pptp_var_run_t)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctl(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corenet_tcp_sendrecv_all_if(pptp_t)
+corenet_raw_sendrecv_all_if(pptp_t)
+corenet_tcp_sendrecv_all_nodes(pptp_t)
+corenet_raw_sendrecv_all_nodes(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_all_nodes(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_dontaudit_use_console(pptp_t)
+term_ioctl_generic_pty(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_wide_inherit_fd(pptp_t)
+
+init_use_fd(pptp_t)
+init_use_script_pty(pptp_t)
+
+libs_use_ld_so(pptp_t)
+libs_use_shared_libs(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_read_config(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fd(pptp_t)
+userdom_dontaudit_search_sysadm_home_dir(pptp_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(pptp_t)
+ term_dontaudit_use_generic_pty(pptp_t)
+ files_dontaudit_read_root_file(pptp_t)
+')
+
+optional_policy(`hostname.te',`
+ hostname_exec(pptp_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(pptp_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(pptp_t)
+')
+
+ifdef(`TODO',`
+ifdef(`postfix.te', `
+ allow pppd_t postfix_etc_t:dir search;
+ allow pppd_t postfix_etc_t:file r_file_perms;
+ allow pppd_t postfix_master_exec_t:file { getattr read };
+
+ ppp_use_fd(postfix_postqueue_t)
+ ppp_signal_daemon(postfix_postqueue_t)
+')
+optional_policy(`rhgb.te',`
+ rhgb_domain(pppd_t)
+')
+optional_policy(`rhgb.te',`
+ rhgb_domain(pptp_t)
+')
+ifdef(`named.te', `
+ dontaudit ndc_t pppd_t:fd use;
+')
+
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+')
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index cdfb1f41..6f1686dc 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -21,13 +21,16 @@
#
/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
-
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
-
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+
ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index fa75578c..0245e0cc 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -5,6 +5,8 @@
/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:shlib_t,s0)
+
#
# /lib(64)?
#
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index df4f0895..5a6217d8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -311,6 +311,10 @@ ifdef(`hide_broken_symptoms',`
')
')
+optional_policy(`ppp.te',`
+ ppp_use_fd(ifconfig_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(ifconfig_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 227f6fda..18d669fe 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -629,6 +629,11 @@ template(`unpriv_user_template', `
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+ # Run pppd in pppd_t by default for user
+ optional_policy(`ppp.te', `
+ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+
optional_policy(`selinuxutil.te',`
# for when the network connection is killed
seutil_dontaudit_signal_newrole($1_t)
@@ -2175,6 +2180,22 @@ interface(`userdom_manage_user_home_sockets',`
allow $1 user_home_t:sock_file create_file_perms;
')
+########################################
+##
+## Search all unprivileged users home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_search_unpriv_user_home_dirs',`
+ gen_require(`
+ attribute user_home_dir_type;
+ ')
+
+ allow $1 user_home_dir_type:dir search;
+')
+
########################################
##
## Read all unprivileged users home directory