I'm currently using pptp (from Extras) for two different purposes:

1. to connect to my ADSL provider
2. to connect to $EMPLOYER's network

pptp is a point-to-point tunnelling protocol client tightly integrated with pppd. It uses the GRE TCP protocol field to encapsulate packets to be sent down the tunnel. Some diagrams are available at http://pptpclient.sourceforge.net/diagrams.phtml

Detailed information about the protocol (RFCs etc.) can be found in the pptp tarball in the SRPM.

The way I start pptp is from an initscript, which does:

  pppd call filename

where /etc/ppp/peers/filename contains the pppd options for the call, typically:

  pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
  user my.username
  usepeerdns
  updetach
  ... usual sorts of pppd options

So pptp gets called from pppd, and hence runs as pppd_t.

Since pptp sends all sorts of packets down a tunnel, I find I need to add SELinux rules like these to get it to work:

  allow pppd_t var_log_t:file { append getattr };
  allow pppd_t var_run_t:sock_file { create setattr unlink write };
  allow pppd_t initrc_var_run_t:file { lock read write };

(these are standard pidfile/logfile issues I think)

  allow pppd_t self:rawip_socket { create connect read write };
  allow pppd_t self:tcp_socket connect;
  allow pppd_t self:unix_stream_socket { accept connectto listen };
  allow pppd_t fingerd_port_t:tcp_socket name_connect;
  allow pppd_t port_t:tcp_socket name_connect;
  allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
  allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
  allow pppd_t smtp_port_t:tcp_socket name_connect;
  allow pppd_t devpts_t:chr_file ioctl;

Given that I may wish to connect to arbitrary ports down the tunnel, I decided to cut my losses and do:

  # setsebool -P pppd_disable_trans 1

Would it be possible to separate pptp from pppd_t and specify different rules for it?

Paul.
-- 
Paul Howarth <paul@xxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
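One way the separation asked about could be expressed, as an added example that is not policy from the list, the pptp package or Fedora: a small reference-policy module that gives pptp its own domain, so pppd_t keeps its existing rules and only pptp_t receives the raw-socket, port and call-manager permissions taken from the denials listed in the post. The type names pptp_t and pptp_exec_t, the module name and the file-context line are assumptions; depending on the base policy version, additional netif/node rules for the raw socket may be needed beyond what the post shows.

```selinux
policy_module(pptp_local, 1.0)

require {
    type pppd_t; type port_t; type var_run_t; type devpts_t;
}

# Separate domain for the pptp client plus the entry type for its binary.
# Type names are assumptions for this example.
# Matching file context (assumed pptp_local.fc):
#   /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
type pptp_t;
type pptp_exec_t;
domain_type(pptp_t)
domain_entry_file(pptp_t, pptp_exec_t)

# pppd runs the client through its "pty" option; transition into pptp_t
# instead of leaving it in pppd_t, so pppd_disable_trans is not needed.
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)

# pptp inherits the pty and stdio descriptors from pppd.
allow pptp_t pppd_t:fd use;
allow pptp_t devpts_t:chr_file { getattr ioctl read write };

# GRE tunnel traffic is sent over a raw IP socket (the rawip denial in the post).
allow pptp_t self:rawip_socket { create connect getopt setopt read write };

# PPTP control connection to the server, labelled port_t in the post's policy.
# Only pptp_t gets name_connect; pppd_t no longer needs the port rules.
allow pptp_t self:tcp_socket { create connect getattr getopt setopt read write };
allow pptp_t port_t:tcp_socket name_connect;

# pptp and its call manager talk over a unix socket under /var/run
# (the unix_stream_socket and var_run_t:sock_file denials in the post).
allow pptp_t self:unix_stream_socket { create accept connectto listen read write };
allow pptp_t var_run_t:dir { add_name remove_name write };
allow pptp_t var_run_t:sock_file { create setattr unlink write };
```

Built and loaded like any other local module (checkmodule, semodule_package, semodule), the raw-socket and arbitrary-port permissions then apply to pptp_t alone rather than to everything pppd runs.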