pptp
Paul Howarth
paul at city-fan.org
Thu Jul 14 11:44:02 UTC 2005
I'm currently using pptp (from Extras) for two different purposes:
1. to connect to my ADSL provider
2. to connect to $EMPLOYER's network
pptp is a point-to-point tunnelling protocol client tightly integrated
with pppd. It uses the GRE TCP protocol field to encapsulate packets to
be sent down the tunnel. Some diagrams are available at
http://pptpclient.sourceforge.net/diagrams.phtml
Detailed information about the protocol (RFCs etc.) can be found in the
pptp tarball in the SRPM.
The way I start pptp is from an initscript, which does:
pppd call filename
where /etc/ppp/peers/filename contains the pppd options for the call,
typically:
pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
user my.username
usepeerdns
updetach
... usual sorts of pppd options
So pptp gets called from pppd, and hence runs as pppd_t.
Since pptp sends all sorts of packets down a tunnel, I find I need to
add SELinux rules like these to get it to work:
allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };
(these are standard pidfile/logfile issues I think)
allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t smtp_port_t:tcp_socket name_connect;
allow pppd_t devpts_t:chr_file ioctl;
Given that I may wish to connect to arbitrary ports down the tunnel, I
decided to cut my losses and do:
# setsebool -P pppd_disable_trans 1
Would it be possible to separate pptp from pppd_t and specify different
rules for it?
Paul.
--
Paul Howarth <paul at city-fan.org>
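Before turning a list of allow rules like the one in the post into a policy module, it is worth parsing them and flagging the permissions that widen pppd_t the most (connecting to any unlabelled port, executing binaries without a domain transition, executing files of a writable type). The Python below is an added example, not code from the post or from the pptp project; the rule text is a constructed copy of the rules quoted above.

```python
import re

# Constructed copy of the allow rules quoted in the post (one per line).
RULES = """
allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };
allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t smtp_port_t:tcp_socket name_connect;
allow pppd_t devpts_t:chr_file ioctl;
"""

# allow <source> <target>:<class> { perm ... };   or   allow ... <class> perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;$")


def parse_allow(text):
    """Parse allow rules into dicts with src, tgt, class and a set of perms."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi is not None else {single}
        rules.append({"src": src, "tgt": tgt, "class": cls, "perms": perms})
    return rules


def review(rules):
    """Flag the permissions a reviewer would question before loading a module."""
    findings = []
    for r in rules:
        tgt, cls, perms = r["tgt"], r["class"], r["perms"]
        if cls == "tcp_socket" and "name_connect" in perms and tgt == "port_t":
            findings.append((tgt, "name_connect to port_t: any unlabelled TCP port"))
        if "execute_no_trans" in perms:
            findings.append((tgt, "execute_no_trans: binary runs inside pppd_t, no domain transition"))
        if tgt.endswith("_rw_t") and "execute" in perms:
            findings.append((tgt, "execute on a writable type: writable files can be run"))
    return findings
```

Running `review(parse_allow(RULES))` returns four findings: the generic port_t connect, the two execute_no_trans rules, and the execute permission on pppd_etc_rw_t.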