## Point to Point Protocol daemon creates links in ppp networks ######################################## ## ## Use PPP file discriptors. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_use_fds',` gen_require(` type pppd_t; ') allow $1 pppd_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## and use PPP file discriptors. ## ## ## ## Domain to not audit. ## ## # interface(`ppp_dontaudit_use_fds',` gen_require(` type pppd_t; ') dontaudit $1 pppd_t:fd use; ') ######################################## ## ## Send a SIGCHLD signal to PPP. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_sigchld',` gen_require(` type pppd_t; ') allow $1 pppd_t:process sigchld; ') ######################################## ## ## Send a generic signal to PPP. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_signal',` gen_require(` type pppd_t; ') allow $1 pppd_t:process signal; ') ######################################## ## ## Execute domain in the ppp domain. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_domtrans',` gen_require(` type pppd_t, pppd_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1, pppd_exec_t, pppd_t) allow $1 pppd_t:fd use; allow pppd_t $1:fd use; allow pppd_t $1:fifo_file rw_file_perms; allow pppd_t $1:process sigchld; ') ######################################## ## ## Conditionally execute ppp daemon on behalf of a user or staff type. ## ## ## ## Domain allowed access. ## ## ## # interface(`ppp_run_cond',` gen_require(` type pppd_t; ') role $2 types pppd_t; tunable_policy(`pppd_for_user',` ppp_domtrans($1) allow pppd_t $3:chr_file rw_term_perms; ') ') ######################################## ## ## Unconditionally execute ppp daemon on behalf of a user or staff type. ## ## ## ## Domain allowed access. ## ## ## # interface(`ppp_run',` gen_require(` type pppd_t; ') ppp_domtrans($1) role $2 types pppd_t; allow pppd_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute domain in the ppp caller. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_exec',` gen_require(` type pppd_exec_t; ') corecmd_search_sbin($1) can_exec($1, pppd_exec_t) ') ######################################## ## ## Read PPP-writable configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_read_rw_config',` gen_require(` type pppd_etc_t, pppd_etc_rw_t; ') allow $1 pppd_etc_t:dir list_dir_perms; allow $1 pppd_etc_rw_t:file { getattr read }; files_search_etc($1) ') ######################################## ## ## Read PPP secrets. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_read_secrets',` gen_require(` type pppd_etc_t, pppd_secret_t; ') allow $1 pppd_etc_t:dir list_dir_perms; allow $1 pppd_secret_t:file { getattr read }; files_search_etc($1) ') ######################################## ## ## Create, read, write, and delete PPP pid files. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_manage_pid_files',` gen_require(` type pppd_var_run_t; ') allow $1 pppd_var_run_t:file manage_file_perms; ') ######################################## ## ## Create, read, write, and delete PPP pid files. ## ## ## ## Domain allowed access. ## ## # interface(`ppp_pid_filetrans',` gen_require(` type pppd_var_run_t; ') files_pid_filetrans($1,pppd_var_run_t,file) ')