pptp

Paul Howarth paul at city-fan.org
Fri Jul 15 10:15:35 UTC 2005


Daniel J Walsh wrote:
> Paul Howarth wrote:
> 
>> I'm currently using pptp (from Extras) for two different purposes:
>>
>> 1. to connect to my ADSL provider
>> 2. to connect to $EMPLOYER's network
>>
>> pptp is a point-to-point tunnelling protocol client tightly integrated
>> with pppd. It uses the GRE TCP protocol field to encapsulate packets to
>> be sent down the tunnel. Some diagrams are available at
>> http://pptpclient.sourceforge.net/diagrams.phtml
>>
>> Detailed information about the protocol (RFCs etc.) can be found in the
>> pptp tarball in the SRPM.
>>
>> The way I start pptp is from an initscript, which does:
>>
>> pppd call filename
>>
>> where /etc/ppp/peers/filename contains the pppd options for the call,
>> typically:
>>
>> pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
>> user my.username
>> usepeerdns
>> updetach
>> ... usual sorts of pppd options
>>
>> So pptp gets called from pppd, and hence runs as pppd_t
>>
>> Since pptp sends all sorts of packets down a tunnel, I find I need to
>> add SELinux rules like these to get it to work:
>>
>> allow pppd_t var_log_t:file { append getattr };
>> allow pppd_t var_run_t:sock_file { create setattr unlink write };
>> allow pppd_t initrc_var_run_t:file { lock read write };
>>
>> (these are standard pidfile/logfile issues I think)
>>
>> allow pppd_t self:rawip_socket { create connect read write };
>> allow pppd_t self:tcp_socket connect;
>> allow pppd_t self:unix_stream_socket { accept connectto listen };
>> allow pppd_t fingerd_port_t:tcp_socket name_connect;
>> allow pppd_t port_t:tcp_socket name_connect;
>> allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
>> allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
>> allow pppd_t smtp_port_t:tcp_socket name_connect;
>> allow pppd_t devpts_t:chr_file ioctl;
>>
>> Given that I may wish to connect to arbitrary ports down the tunnel, I
>> decided to cut my losses and do:
>>
>> # setsebool -P pppd_disable_trans 1
>>
>> Would it be possible to separate pptp from pppd_t and specify different
>> rules for it?
>>
>> Paul.
>>  
>>
> Add the following to pppd.te, (I will also)
> 
> daemon_domain(pptp)
> can_network_client_tcp(pptp_t)
> allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
> can_exec(pptp_t, hostname_exec_t)
> domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
> allow pptp_t self:rawip_socket create_socket_perms;
> allow pptp_t self:unix_stream_socket create_stream_socket_perms;
> can_exec(pptp_t, pppd_etc_rw_t)
> allow pptp_t devpts_t:chr_file ioctl;
> r_dir_file(pptp_t, pppd_etc_rw_t)
> r_dir_file(pptp_t, pppd_etc_t)
> 
> 
> And add
> /usr/sbin/pptp         --    system_u:object_r:pptp_exec_t
> to pppd.fc
> 
> 
> Make load
> restorecon /usr/sbin/pptp
> 
> Then try it.  I am sure there will need to be rules to allow pptp to 
> communicate with pppd files?

So far I've needed to add the following rules:

allow pppd_t devpts_t:chr_file ioctl;
allow pppd_t pptp_t:process signal;
allow pppd_t var_log_t:file { append getattr };
allow pptp_t devpts_t:dir search;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket { connect create write };
allow pptp_t self:unix_stream_socket connectto;
allow pptp_t ptmx_t:chr_file { ioctl read write };
allow pptp_t var_log_t:file append;
allow pptp_t var_run_t:sock_file { create setattr unlink write };

I can investigate the audit messages leading to these rules to try to 
find the actual thing being accessed if it's useful.

Paul.
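As an added illustration of the last step in the thread (turning audit messages into rules), here is a small script that is not part of the thread or of the pptp project: it merges AVC denials from audit.log into allow rules written in the same form as the lists above, and separately flags the rules that grant broad raw-network access (rawip_socket, net_raw) so they get a closer look instead of a blanket allow. The AVC lines in SAMPLE_AVC are constructed, not taken from a real log.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in audit.log form (not real log data).
SAMPLE_AVC = """\
type=AVC msg=audit(1121422535.123:45): avc:  denied  { read write } for  pid=2345 comm="pptp" name="ptmx" dev=tmpfs ino=100 scontext=root:system_r:pptp_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
type=AVC msg=audit(1121422535.124:46): avc:  denied  { ioctl } for  pid=2345 comm="pptp" name="ptmx" dev=tmpfs ino=100 scontext=root:system_r:pptp_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
type=AVC msg=audit(1121422535.130:47): avc:  denied  { net_raw } for  pid=2345 comm="pptp" capability=13 scontext=root:system_r:pptp_t tcontext=root:system_r:pptp_t tclass=capability
type=AVC msg=audit(1121422535.140:48): avc:  denied  { signal } for  pid=2300 comm="pppd" scontext=root:system_r:pppd_t tcontext=root:system_r:pptp_t tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def format_rule(source, target, tclass, perms):
    """Render one allow rule as in the thread ('self' when target == source)."""
    target = "self" if target == source else target
    perms = sorted(perms)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {perm_text};"

def suggest_rules(log_text):
    """Return sorted allow rules covering every denial in log_text."""
    return [format_rule(s, t, c, p)
            for (s, t, c), p in sorted(collect_denials(log_text).items())]

# Raw sockets and net_raw let a domain craft arbitrary packets, far more than
# the GRE traffic pptp needs, so those rules deserve review before being added.
BROAD_CLASSES = {"rawip_socket", "packet_socket"}
BROAD_CAPS = {"net_raw", "net_admin"}

def needs_review(log_text):
    """Return the subset of suggested rules that grant broad network powers."""
    return [format_rule(s, t, c, p)
            for (s, t, c), p in sorted(collect_denials(log_text).items())
            if c in BROAD_CLASSES or (c == "capability" and p & BROAD_CAPS)]
```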

More information about the fedora-selinux-list mailing list