Paul Howarth paul at city-fan.org
Thu Jul 14 11:44:02 UTC 2005

I'm currently using pptp (from Extras) for two different purposes:

1. to connect to my ADSL provider
2. to connect to $EMPLOYER's network

pptp is a point-to-point tunnelling protocol client tightly integrated
with pppd. It uses the GRE TCP protocol field to encapsulate packets to
be sent down the tunnel. Some diagrams are available at

Detailed information about the protocol (RFCs etc.) can be found in the
pptp tarball in the SRPM.

The way I start pptp is from an initscript, which does:

pppd call filename

where /etc/ppp/peers/filename contains the pppd options for the call,

pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
user my.username
... usual sorts of pppd options

So pptp gets called from pppd, and hence runs as pppd_t

Since pptp sends all sorts of packets down a tunnel, I find I need to
add SELinux rules like these to get it to work:

allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };

(these are standard pidfile/logfile issues I think)

allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr
read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t smtp_port_t:tcp_socket name_connect;
allow pppd_t devpts_t:chr_file ioctl;

Given that I may wish to connect to arbitrary ports down the tunnel, I
decided to cut my losses and do:

# setsebool -P pppd_disable_trans 1

Would it be possible to separate pptp from pppd_t and specify different
rules for it?

Paul Howarth <paul at city-fan.org>

More information about the fedora-selinux-list mailing list