Daniel J Walsh wrote:
Paul Howarth wrote:
I'm currently using pptp (from Extras) for two different purposes:
1. to connect to my ADSL provider
2. to connect to $EMPLOYER's network
pptp is a point-to-point tunnelling protocol client tightly integrated
with pppd. It uses the GRE TCP protocol field to encapsulate packets to
be sent down the tunnel. Some diagrams are available at
http://pptpclient.sourceforge.net/diagrams.phtml
Detailed information about the protocol (RFCs etc.) can be found in the
pptp tarball in the SRPM.
The way I start pptp is from an initscript, which does:
pppd call filename
where /etc/ppp/peers/filename contains the pppd options for the call,
typically:
pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
user my.username
usepeerdns
updetach
... usual sorts of pppd options
So pptp gets called from pppd, and hence runs as pppd_t
Since pptp sends all sorts of packets down a tunnel, I find I need to
add SELinux rules like these to get it to work:
allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };
(these are standard pidfile/logfile issues I think)
allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t smtp_port_t:tcp_socket name_connect;
allow pppd_t devpts_t:chr_file ioctl;
Given that I may wish to connect to arbitrary ports down the tunnel, I
decided to cut my losses and do:
# setsebool -P pppd_disable_trans 1
Would it be possible to separate pptp from pppd_t and specify different
rules for it?
Paul.
Add the following to pppd.te, (I will also)
daemon_domain(pptp)
can_network_client_tcp(pptp_t)
allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:unix_stream_socket create_stream_socket_perms;
can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t devpts_t:chr_file ioctl;
r_dir_file(pptp_t, pppd_etc_rw_t)
r_dir_file(pptp_t, pppd_etc_t)
And add
/usr/sbin/pptp -- system_u:object_r:pptp_exec_t
to pppd.fc
Make load
restorecon /usr/sbin/pptp
Then try it. I am sure there will need to be rules to allow pptp to
communicate with pppd files?
So far I've needed to add the following rules:
allow pppd_t devpts_t:chr_file ioctl;
allow pppd_t pptp_t:process signal;
allow pppd_t var_log_t:file { append getattr };
allow pptp_t devpts_t:dir search;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket { connect create write };
allow pptp_t self:unix_stream_socket connectto;
allow pptp_t ptmx_t:chr_file { ioctl read write };
allow pptp_t var_log_t:file append;
allow pptp_t var_run_t:sock_file { create setattr unlink write };
I can investigate the audit messages leading to these rules to try to
find the actual thing being accessed if it's useful.
Paul.
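The rule lists in this thread are the kind of output you get by turning AVC denials from the audit log into allow rules and merging permissions per (source type, target type, class), which is what audit2allow does. The script below is an added example of that merging step, not code from the thread, from pptp, or from the Fedora policy packages; the audit records it parses are constructed for the example (old-style `root:system_r:pptp_t` contexts, as this era of Fedora Core produced), and the `flag_for_review` checks are my own choice of things worth a second look before a rule is committed to policy.

```python
"""Derive candidate SELinux allow rules from AVC denial records.
Added example for this thread (audit2allow-style merging); not part of pptp
or the Fedora policy packages."""
import re
from collections import defaultdict

# Fields of a kernel AVC denial record:
#   avc:  denied  { perm1 perm2 } for ... scontext=u:r:t tcontext=u:r:t tclass=class
# "granted" records and non-AVC records do not match and are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample audit records (not real log output) covering the cases
# seen in the thread: self targets, a capability, a pppd->pptp signal, a
# multi-permission denial, a generic port, plus two records that must be skipped.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1154000000.123:45): avc:  denied  { create } for  pid=1234 comm="pptp" scontext=root:system_r:pptp_t tcontext=root:system_r:pptp_t tclass=unix_dgram_socket',
    'type=AVC msg=audit(1154000000.124:46): avc:  denied  { connect } for  pid=1234 comm="pptp" scontext=root:system_r:pptp_t tcontext=root:system_r:pptp_t tclass=unix_dgram_socket',
    'type=AVC msg=audit(1154000000.125:47): avc:  denied  { write } for  pid=1234 comm="pptp" scontext=root:system_r:pptp_t tcontext=root:system_r:pptp_t tclass=unix_dgram_socket',
    'type=AVC msg=audit(1154000000.130:48): avc:  denied  { search } for  pid=1234 comm="pptp" name="pts" dev=devpts ino=1 scontext=root:system_r:pptp_t tcontext=system_u:object_r:devpts_t tclass=dir',
    'type=AVC msg=audit(1154000000.131:49): avc:  denied  { net_raw } for  pid=1234 comm="pptp" capability=13 scontext=root:system_r:pptp_t tcontext=root:system_r:pptp_t tclass=capability',
    'type=AVC msg=audit(1154000000.134:50): avc:  denied  { signal } for  pid=1200 comm="pppd" scontext=root:system_r:pppd_t tcontext=root:system_r:pptp_t tclass=process',
    'type=AVC msg=audit(1154000000.135:51): avc:  denied  { ioctl read write } for  pid=1234 comm="pptp" name="ptmx" dev=tmpfs ino=2 scontext=root:system_r:pptp_t tcontext=system_u:object_r:ptmx_t tclass=chr_file',
    'type=AVC msg=audit(1154000000.138:52): avc:  denied  { name_connect } for  pid=1234 comm="pptp" dest=1723 scontext=root:system_r:pptp_t tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=AVC msg=audit(1154000000.100:40): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=root:system_r:init_t tcontext=system_u:object_r:security_t tclass=security',
    'type=SYSCALL msg=audit(1154000000.123:45): arch=40000003 syscall=102 success=no exit=-13',
]


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return (stype, ttype, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def collect_rules(lines):
    """Merge all denials into {(stype, ttype, tclass): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def format_rules(rules):
    """Render merged denials as allow rules, one per (source, target, class).
    A target equal to the source is written as 'self', as policy convention has it."""
    out = []
    for (stype, ttype, tclass) in sorted(rules):
        perms = sorted(rules[(stype, ttype, tclass)])
        target = "self" if ttype == stype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def audit_to_allow(lines):
    """Convenience wrapper: audit records in, allow rules out."""
    return format_rules(collect_rules(lines))


def flag_for_review(rules):
    """Point out merged rules a reviewer should examine rather than copy blindly
    (my own checks, not audit2allow behaviour)."""
    notes = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if tclass == "capability":
            # net_raw is what a GRE raw socket needs; still worth confirming per daemon.
            notes.append(f"{stype}: capability {' '.join(sorted(perms))}; confirm the daemon needs it")
        if ttype == "port_t" and "name_connect" in perms:
            notes.append(f"{stype}: name_connect to port_t covers every generic port; prefer a specific port type")
        if "execute" in perms and ttype.endswith("_rw_t"):
            notes.append(f"{stype}: executes files of writable type {ttype}")
    return notes


if __name__ == "__main__":
    merged = collect_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(format_rules(merged)))
    for note in flag_for_review(merged):
        print("# review:", note)
```

Feed it real records with something like `grep avc: /var/log/audit/audit.log` piped into `collect_rules`; the point of the review notes is that a denial only proves the access was attempted, not that granting it is the right fix (the `pppd_disable_trans` shortcut in the thread is the other extreme).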
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list