1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
330 lines
7.9 KiB
Plaintext
330 lines
7.9 KiB
Plaintext
|
|
policy_module(ppp,1.4.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow pppd to load kernel modules for certain modems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(pppd_can_insmod,false)
|
|
|
|
ifdef(`strict_policy',`
|
|
## <desc>
|
|
## <p>
|
|
## Allow pppd to be run for a regular user
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(pppd_for_user,false)
|
|
')
|
|
|
|
# pppd_t is the domain for the pppd program.
|
|
# pppd_exec_t is the type of the pppd executable.
|
|
type pppd_t;
|
|
type pppd_exec_t;
|
|
init_daemon_domain(pppd_t,pppd_exec_t)
|
|
|
|
type pppd_devpts_t;
|
|
term_pty(pppd_devpts_t)
|
|
|
|
# Define a separate type for /etc/ppp
|
|
type pppd_etc_t;
|
|
files_config_file(pppd_etc_t)
|
|
|
|
# Define a separate type for writable files under /etc/ppp
|
|
type pppd_etc_rw_t;
|
|
files_type(pppd_etc_rw_t)
|
|
|
|
type pppd_script_exec_t;
|
|
files_type(pppd_script_exec_t)
|
|
|
|
# pppd_secret_t is the type of the pap and chap password files
|
|
type pppd_secret_t;
|
|
files_type(pppd_secret_t)
|
|
|
|
type pppd_log_t;
|
|
logging_log_file(pppd_log_t)
|
|
|
|
type pppd_lock_t;
|
|
files_lock_file(pppd_lock_t)
|
|
|
|
type pppd_tmp_t;
|
|
files_tmp_file(pppd_tmp_t)
|
|
|
|
type pppd_var_run_t;
|
|
files_pid_file(pppd_var_run_t)
|
|
|
|
type pptp_t;
|
|
type pptp_exec_t;
|
|
init_daemon_domain(pptp_t,pptp_exec_t)
|
|
|
|
type pptp_log_t;
|
|
logging_log_file(pptp_log_t)
|
|
|
|
type pptp_var_run_t;
|
|
files_pid_file(pptp_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# PPPD Local policy
|
|
#
|
|
|
|
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
|
|
dontaudit pppd_t self:capability sys_tty_config;
|
|
allow pppd_t self:process signal;
|
|
allow pppd_t self:fifo_file rw_fifo_file_perms;
|
|
allow pppd_t self:socket create_socket_perms;
|
|
allow pppd_t self:unix_dgram_socket create_socket_perms;
|
|
allow pppd_t self:unix_stream_socket create_socket_perms;
|
|
allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
allow pppd_t self:tcp_socket create_stream_socket_perms;
|
|
allow pppd_t self:udp_socket { connect connected_socket_perms };
|
|
allow pppd_t self:packet_socket create_socket_perms;
|
|
|
|
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
|
|
|
|
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
|
|
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
|
allow pppd_t pppd_etc_t:file read_file_perms;
|
|
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
|
|
|
manage_files_pattern(pppd_t,pppd_etc_rw_t,pppd_etc_rw_t)
|
|
# Automatically label newly created files under /etc/ppp with this type
|
|
filetrans_pattern(pppd_t,pppd_etc_t,pppd_etc_rw_t,file)
|
|
|
|
allow pppd_t pppd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(pppd_t,pppd_lock_t,file)
|
|
|
|
allow pppd_t pppd_log_t:file manage_file_perms;
|
|
logging_log_filetrans(pppd_t,pppd_log_t,file)
|
|
|
|
manage_dirs_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
|
|
manage_files_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
|
|
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(pppd_t,pppd_var_run_t,pppd_var_run_t)
|
|
files_pid_filetrans(pppd_t,pppd_var_run_t,file)
|
|
|
|
allow pppd_t pptp_t:process signal;
|
|
|
|
# for SSP
|
|
# Access secret files
|
|
allow pppd_t pppd_secret_t:file read_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(pppd_t)
|
|
kernel_read_system_state(pppd_t)
|
|
kernel_read_net_sysctls(pppd_t)
|
|
kernel_read_network_state(pppd_t)
|
|
kernel_load_module(pppd_t)
|
|
|
|
dev_read_urand(pppd_t)
|
|
dev_search_sysfs(pppd_t)
|
|
dev_read_sysfs(pppd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(pppd_t)
|
|
corenet_all_recvfrom_netlabel(pppd_t)
|
|
corenet_tcp_sendrecv_all_if(pppd_t)
|
|
corenet_raw_sendrecv_all_if(pppd_t)
|
|
corenet_udp_sendrecv_all_if(pppd_t)
|
|
corenet_tcp_sendrecv_all_nodes(pppd_t)
|
|
corenet_raw_sendrecv_all_nodes(pppd_t)
|
|
corenet_udp_sendrecv_all_nodes(pppd_t)
|
|
corenet_tcp_sendrecv_all_ports(pppd_t)
|
|
corenet_udp_sendrecv_all_ports(pppd_t)
|
|
# Access /dev/ppp.
|
|
corenet_rw_ppp_dev(pppd_t)
|
|
|
|
fs_getattr_all_fs(pppd_t)
|
|
fs_search_auto_mountpoints(pppd_t)
|
|
|
|
term_use_unallocated_ttys(pppd_t)
|
|
term_setattr_unallocated_ttys(pppd_t)
|
|
term_ioctl_generic_ptys(pppd_t)
|
|
# for pppoe
|
|
term_create_pty(pppd_t,pppd_devpts_t)
|
|
|
|
# allow running ip-up and ip-down scripts and running chat.
|
|
corecmd_exec_bin(pppd_t)
|
|
corecmd_exec_shell(pppd_t)
|
|
|
|
domain_use_interactive_fds(pppd_t)
|
|
|
|
files_exec_etc_files(pppd_t)
|
|
files_manage_etc_runtime_files(pppd_t)
|
|
files_dontaudit_write_etc_files(pppd_t)
|
|
|
|
# for scripts
|
|
files_read_etc_files(pppd_t)
|
|
|
|
init_read_utmp(pppd_t)
|
|
init_dontaudit_write_utmp(pppd_t)
|
|
|
|
libs_use_ld_so(pppd_t)
|
|
libs_use_shared_libs(pppd_t)
|
|
|
|
logging_send_syslog_msg(pppd_t)
|
|
|
|
miscfiles_read_localization(pppd_t)
|
|
|
|
sysnet_exec_ifconfig(pppd_t)
|
|
sysnet_manage_config(pppd_t)
|
|
sysnet_etc_filetrans_config(pppd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
|
|
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
|
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
|
|
userdom_search_sysadm_home_dirs(pppd_t)
|
|
userdom_search_unpriv_users_home_dirs(pppd_t)
|
|
|
|
ppp_exec(pppd_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_ttys(pppd_t)
|
|
term_dontaudit_use_generic_ptys(pppd_t)
|
|
files_dontaudit_read_root_files(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ddclient_domtrans(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
|
|
modutils_domtrans_insmod_uncond(pppd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_send_mail(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_domtrans_master(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(pppd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# PPTP Local policy
|
|
#
|
|
|
|
dontaudit pptp_t self:capability sys_tty_config;
|
|
allow pptp_t self:capability net_raw;
|
|
allow pptp_t self:fifo_file { read write };
|
|
allow pptp_t self:unix_dgram_socket create_socket_perms;
|
|
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow pptp_t self:rawip_socket create_socket_perms;
|
|
allow pptp_t self:tcp_socket create_socket_perms;
|
|
|
|
allow pptp_t pppd_etc_t:dir { getattr read search };
|
|
allow pptp_t pppd_etc_t:file { read getattr };
|
|
allow pptp_t pppd_etc_t:lnk_file { getattr read };
|
|
|
|
allow pptp_t pppd_etc_rw_t:dir { getattr read search };
|
|
allow pptp_t pppd_etc_rw_t:file { read getattr };
|
|
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
|
|
can_exec(pptp_t, pppd_etc_rw_t)
|
|
|
|
# Allow pptp to append to pppd log files
|
|
allow pptp_t pppd_log_t:file append;
|
|
|
|
allow pptp_t pptp_log_t:file manage_file_perms;
|
|
logging_log_filetrans(pptp_t,pptp_log_t,file)
|
|
|
|
manage_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
|
|
manage_sock_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
|
|
files_pid_filetrans(pptp_t,pptp_var_run_t,file)
|
|
|
|
kernel_list_proc(pptp_t)
|
|
kernel_read_kernel_sysctls(pptp_t)
|
|
kernel_read_proc_symlinks(pptp_t)
|
|
|
|
dev_read_sysfs(pptp_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(pptp_t)
|
|
corenet_all_recvfrom_netlabel(pptp_t)
|
|
corenet_tcp_sendrecv_all_if(pptp_t)
|
|
corenet_raw_sendrecv_all_if(pptp_t)
|
|
corenet_tcp_sendrecv_all_nodes(pptp_t)
|
|
corenet_raw_sendrecv_all_nodes(pptp_t)
|
|
corenet_tcp_sendrecv_all_ports(pptp_t)
|
|
corenet_tcp_bind_all_nodes(pptp_t)
|
|
corenet_tcp_connect_generic_port(pptp_t)
|
|
corenet_tcp_connect_all_reserved_ports(pptp_t)
|
|
corenet_sendrecv_generic_client_packets(pptp_t)
|
|
|
|
fs_getattr_all_fs(pptp_t)
|
|
fs_search_auto_mountpoints(pptp_t)
|
|
|
|
term_ioctl_generic_ptys(pptp_t)
|
|
term_search_ptys(pptp_t)
|
|
term_use_ptmx(pptp_t)
|
|
|
|
domain_use_interactive_fds(pptp_t)
|
|
|
|
libs_use_ld_so(pptp_t)
|
|
libs_use_shared_libs(pptp_t)
|
|
|
|
logging_send_syslog_msg(pptp_t)
|
|
|
|
miscfiles_read_localization(pptp_t)
|
|
|
|
sysnet_read_config(pptp_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(pptp_t)
|
|
term_dontaudit_use_generic_ptys(pptp_t)
|
|
files_dontaudit_read_root_files(pptp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_exec(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(pptp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(pptp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(pptp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(pptp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_read_config(pppd_t)
|
|
')
|
|
|
|
# FIXME:
|
|
domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
|