pptp

Paul Howarth paul at city-fan.org
Thu Jul 14 11:44:02 UTC 2005


I'm currently using pptp (from Extras) for two different purposes:

1. to connect to my ADSL provider
2. to connect to $EMPLOYER's network

pptp is a point-to-point tunnelling protocol client tightly integrated
with pppd. It uses the GRE TCP protocol field to encapsulate packets to
be sent down the tunnel. Some diagrams are available at
http://pptpclient.sourceforge.net/diagrams.phtml

Detailed information about the protocol (RFCs etc.) can be found in the
pptp tarball in the SRPM.

The way I start pptp is from an initscript, which does:

pppd call filename

where /etc/ppp/peers/filename contains the pppd options for the call,
typically:

pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
user my.username
usepeerdns
updetach
... usual sorts of pppd options

So pptp gets called from pppd, and hence runs as pppd_t.

Since pptp sends all sorts of packets down a tunnel, I find I need to
add SELinux rules like these to get it to work:

allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };

(these are standard pidfile/logfile issues I think)

allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t smtp_port_t:tcp_socket name_connect;
allow pppd_t devpts_t:chr_file ioctl;

Given that I may wish to connect to arbitrary ports down the tunnel, I
decided to cut my losses and do:

# setsebool -P pppd_disable_trans 1

Would it be possible to separate pptp from pppd_t and specify different
rules for it?

Paul.
-- 
Paul Howarth <paul at city-fan.org>
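The allow rules quoted in the post above, packaged as a local SELinux policy module so that pppd_t keeps its domain transition instead of being switched off with pppd_disable_trans. This is an added example and not code from the post or from the pptp project; it assumes a modular policy where checkmodule, semodule_package and semodule are available, and the module name pptp_local and the rule comments are assumptions of mine.

```shell
#!/bin/sh
# Added example: package the allow rules from the post into a local
# SELinux policy module rather than disabling the pppd_t transition.
# Assumes a modular policy (checkmodule/semodule_package/semodule present);
# the module name "pptp_local" is a constructed placeholder.

# write_pptp_te FILE - emit the policy module source (type enforcement) to FILE
write_pptp_te() {
    cat > "$1" <<'EOF'
module pptp_local 1.0;

require {
    type pppd_t;
    type var_log_t;
    type var_run_t;
    type initrc_var_run_t;
    type fingerd_port_t;
    type port_t;
    type hostname_exec_t;
    type pppd_etc_rw_t;
    type smtp_port_t;
    type devpts_t;
    class file { append getattr lock read write execute execute_no_trans };
    class sock_file { create setattr unlink write };
    class rawip_socket { create connect read write };
    class tcp_socket { connect name_connect };
    class unix_stream_socket { accept connectto listen };
    class chr_file ioctl;
}

# pidfile / logfile access
allow pppd_t var_log_t:file { append getattr };
allow pppd_t var_run_t:sock_file { create setattr unlink write };
allow pppd_t initrc_var_run_t:file { lock read write };

# raw IP (GRE) and control-connection sockets used by pptp
allow pppd_t self:rawip_socket { create connect read write };
allow pppd_t self:tcp_socket connect;
allow pppd_t self:unix_stream_socket { accept connectto listen };

# outbound ports seen so far; add ports here rather than disabling the domain
allow pppd_t fingerd_port_t:tcp_socket name_connect;
allow pppd_t port_t:tcp_socket name_connect;
allow pppd_t smtp_port_t:tcp_socket name_connect;

# helper programs and the pty handed to pptp
allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
allow pppd_t devpts_t:chr_file ioctl;
EOF
}

# count_allow_rules FILE - number of allow rules in the module source
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# build_and_install FILE.te - compile and load the module; needs the policy
# tools and root, so it is not exercised by the checks below
build_and_install() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# usage (as root):
#   write_pptp_te /root/pptp_local.te && build_and_install /root/pptp_local.te
```

Every type and class used by an allow rule must appear in the require block, otherwise checkmodule rejects the source. Keeping the rules in a module like this means a later denial can be handled by adding one line and reloading, while pppd itself stays confined.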




More information about the fedora-selinux-list mailing list