Daniel J Walsh dwalsh at redhat.com
Thu Jul 14 15:20:42 UTC 2005

Paul Howarth wrote:

>I'm currently using pptp (from Extras) for two different purposes:
>1. to connect to my ADSL provider
>2. to connect to $EMPLOYER's network
>pptp is a point-to-point tunnelling protocol client tightly integrated
>with pppd. It uses the GRE TCP protocol field to encapsulate packets to
>be sent down the tunnel. Some diagrams are available at
>Detailed information about the protocol (RFCs etc.) can be found in the
>pptp tarball in the SRPM.
>The way I start pptp is from an initscript, which does:
>pppd call filename
>where /etc/ppp/peers/filename contains the pppd options for the call,
>pty "/usr/sbin/pptp ip.of.pptp.server --nolaunchpppd"
>user my.username
>... usual sorts of pppd options
>So pptp gets called from pppd, and hence runs as pppd_t
>Since pptp sends all sorts of packets down a tunnel, I find I need to
>add SELinux rules like these to get it to work:
>allow pppd_t var_log_t:file { append getattr };
>allow pppd_t var_run_t:sock_file { create setattr unlink write };
>allow pppd_t initrc_var_run_t:file { lock read write };
>(these are standard pidfile/logfile issues I think)
>allow pppd_t self:rawip_socket { create connect read write };
>allow pppd_t self:tcp_socket connect;
>allow pppd_t self:unix_stream_socket { accept connectto listen };
>allow pppd_t fingerd_port_t:tcp_socket name_connect;
>allow pppd_t port_t:tcp_socket name_connect;
>allow pppd_t hostname_exec_t:file { execute execute_no_trans getattr
>read };
>allow pppd_t pppd_etc_rw_t:file { execute execute_no_trans };
>allow pppd_t smtp_port_t:tcp_socket name_connect;
>allow pppd_t devpts_t:chr_file ioctl;
>Given that I may wish to connect to arbitrary ports down the tunnel, I
>decided to cut my losses and do:
># setsebool -P pppd_disable_trans 1
>Would it be possible to separate pptp from pppd_t and specify different
>rules for it?
Add the following to pppd.te, (I will also)

allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:unix_stream_socket create_stream_socket_perms;
can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t devpts_t:chr_file ioctl;
r_dir_file(pptp_t, pppd_etc_rw_t)
r_dir_file(pptp_t, pppd_etc_t)

And add
/usr/sbin/pptp         --    system_u:object_r:pptp_exec_t
to pppd.fc

Make load
restorecon /usr/sbin/pptp

Then try it.  I am sure there will need to be rules to allow pptp to 
communicate with pppd files?


More information about the fedora-selinux-list mailing list