1pppd_selinux(8)               SELinux Policy pppd              pppd_selinux(8)
2
3
4

NAME

6       pppd_selinux - Security Enhanced Linux Policy for the pppd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the pppd processes via flexible manda‐
10       tory access control.
11
12       The pppd processes execute with the pppd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep pppd_t
19
20
21

ENTRYPOINTS

23       The pppd_t SELinux type can be entered via the pppd_exec_t file type.
24
25       The default entrypoint paths for the pppd_t domain are the following:
26
27       /usr/sbin/pppd, /sbin/ppp-watch,  /usr/sbin/ipppd,  /sbin/pppoe-server,
28       /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       pppd  policy  is  very flexible allowing users to setup their pppd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for pppd:
41
42       pppd_t
43
44       Note: semanage permissive -a pppd_t can be used  to  make  the  process
45       type  pppd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  pppd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run pppd with the tightest access possible.
54
55
56
57       If  you  want  to allow pppd to load kernel modules for certain modems,
58       you must turn on the pppd_can_insmod boolean. Disabled by default.
59
60       setsebool -P pppd_can_insmod 1
61
62
63
64       If you want to allow pppd to be run for a regular user, you  must  turn
65       on the pppd_for_user boolean. Disabled by default.
66
67       setsebool -P pppd_for_user 1
68
69
70
71       If you want to allow users to resolve user passwd entries directly from
72       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
73       gin_nsswitch_use_ldap boolean. Disabled by default.
74
75       setsebool -P authlogin_nsswitch_use_ldap 1
76
77
78
79       If you want to allow all domains to execute in fips_mode, you must turn
80       on the fips_mode boolean. Enabled by default.
81
82       setsebool -P fips_mode 1
83
84
85
86       If you want to allow confined applications to run  with  kerberos,  you
87       must turn on the kerberos_enabled boolean. Enabled by default.
88
89       setsebool -P kerberos_enabled 1
90
91
92
93       If  you  want  to  allow  system  to run with NIS, you must turn on the
94       nis_enabled boolean. Disabled by default.
95
96       setsebool -P nis_enabled 1
97
98
99
100       If you want to allow confined applications to use nscd  shared  memory,
101       you must turn on the nscd_use_shm boolean. Disabled by default.
102
103       setsebool -P nscd_use_shm 1
104
105
106

MANAGED FILES

108       The  SELinux process type pppd_t can manage files labeled with the fol‐
109       lowing file types.  The paths listed are the default  paths  for  these
110       file types.  Note the processes UID still need to have DAC permissions.
111
112       cluster_conf_t
113
114            /etc/cluster(/.*)?
115
116       cluster_var_lib_t
117
118            /var/lib/pcsd(/.*)?
119            /var/lib/cluster(/.*)?
120            /var/lib/openais(/.*)?
121            /var/lib/pengine(/.*)?
122            /var/lib/corosync(/.*)?
123            /usr/lib/heartbeat(/.*)?
124            /var/lib/heartbeat(/.*)?
125            /var/lib/pacemaker(/.*)?
126
127       cluster_var_run_t
128
129            /var/run/crm(/.*)?
130            /var/run/cman_.*
131            /var/run/rsctmp(/.*)?
132            /var/run/aisexec.*
133            /var/run/heartbeat(/.*)?
134            /var/run/corosync-qnetd(/.*)?
135            /var/run/corosync-qdevice(/.*)?
136            /var/run/corosync.pid
137            /var/run/cpglockd.pid
138            /var/run/rgmanager.pid
139            /var/run/cluster/rgmanager.sk
140
141       etc_runtime_t
142
143            /[^/]+
144            /etc/mtab.*
145            /etc/blkid(/.*)?
146            /etc/nologin.*
147            /etc/.fstab.hal..+
148            /halt
149            /fastboot
150            /poweroff
151            /.autofsck
152            /etc/cmtab
153            /forcefsck
154            /.suspended
155            /fsckoptions
156            /.autorelabel
157            /etc/.updated
158            /var/.updated
159            /etc/killpower
160            /etc/nohotplug
161            /etc/securetty
162            /etc/ioctl.save
163            /etc/fstab.REVOKE
164            /etc/network/ifstate
165            /etc/sysconfig/hwconf
166            /etc/ptal/ptal-printd-like
167            /etc/sysconfig/iptables.save
168            /etc/xorg.conf.d/00-system-setup-keyboard.conf
169            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
170
171       faillog_t
172
173            /var/log/btmp.*
174            /var/log/faillog.*
175            /var/log/tallylog.*
176            /var/run/faillock(/.*)?
177
178       net_conf_t
179
180            /etc/hosts[^/]*
181            /etc/yp.conf.*
182            /etc/denyhosts.*
183            /etc/hosts.deny.*
184            /etc/resolv.conf.*
185            /etc/.resolv.conf.*
186            /etc/resolv-secure.conf.*
187            /var/run/cloud-init(/.*)?
188            /var/run/systemd/network(/.*)?
189            /etc/sysconfig/networking(/.*)?
190            /etc/sysconfig/network-scripts(/.*)?
191            /etc/sysconfig/network-scripts/.*resolv.conf
192            /var/run/NetworkManager/resolv.conf.*
193            /etc/ethers
194            /etc/ntp.conf
195            /var/run/systemd/resolve/resolv.conf
196            /var/run/systemd/resolve/stub-resolv.conf
197
198       pppd_etc_rw_t
199
200            /etc/ppp(/.*)?
201            /etc/ppp/peers(/.*)?
202            /etc/ppp/resolv.conf
203
204       pppd_lock_t
205
206            /var/lock/ppp(/.*)?
207
208       pppd_log_t
209
210            /var/log/ppp(/.*)?
211            /var/log/ppp-connect-errors.*
212
213       pppd_tmp_t
214
215
216       pppd_var_run_t
217
218            /var/run/(i)?ppp.*pid[^/]*
219            /var/run/ppp(/.*)?
220            /var/run/pppd[0-9]*.tdb
221
222       root_t
223
224            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
225            /
226            /initrd
227
228       wtmp_t
229
230            /var/log/wtmp.*
231
232

FILE CONTEXTS

234       SELinux requires files to have an extended attribute to define the file
235       type.
236
237       You can see the context of a file using the -Z option to ls
238
239       Policy governs the access  confined  processes  have  to  these  files.
240       SELinux pppd policy is very flexible allowing users to setup their pppd
241       processes in as secure a method as possible.
242
243       EQUIVALENCE DIRECTORIES
244
245
246       pppd policy stores data with  multiple  different  file  context  types
247       under  the /var/log/ppp directory.  If you would like to store the data
248       in a different directory you can use the semanage command to create  an
249       equivalence  mapping.   If you wanted to store this data under the /srv
250       dirctory you would execute the following command:
251
252       semanage fcontext -a -e /var/log/ppp /srv/ppp
253       restorecon -R -v /srv/ppp
254
255       pppd policy stores data with  multiple  different  file  context  types
256       under  the /var/run/ppp directory.  If you would like to store the data
257       in a different directory you can use the semanage command to create  an
258       equivalence  mapping.   If you wanted to store this data under the /srv
259       dirctory you would execute the following command:
260
261       semanage fcontext -a -e /var/run/ppp /srv/ppp
262       restorecon -R -v /srv/ppp
263
264       STANDARD FILE CONTEXT
265
266       SELinux defines the file context types for the pppd, if you  wanted  to
267       store  files  with  these types in a diffent paths, you need to execute
268       the semanage command  to  sepecify  alternate  labeling  and  then  use
269       restorecon to put the labels on disk.
270
271       semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
272       restorecon -R -v /srv/mypppd_content
273
274       Note:  SELinux  often  uses  regular expressions to specify labels that
275       match multiple files.
276
277       The following file types are defined for pppd:
278
279
280
281       pppd_etc_rw_t
282
283       - Set files with the pppd_etc_rw_t type, if you want to treat the files
284       as pppd etc read/write content.
285
286
287       Paths:
288            /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf
289
290
291       pppd_etc_t
292
293       -  Set  files with the pppd_etc_t type, if you want to store pppd files
294       in the /etc directories.
295
296
297       Paths:
298            /root/.ppprc, /etc/ppp
299
300
301       pppd_exec_t
302
303       - Set files with the pppd_exec_t type, if you  want  to  transition  an
304       executable to the pppd_t domain.
305
306
307       Paths:
308            /usr/sbin/pppd,   /sbin/ppp-watch,  /usr/sbin/ipppd,  /sbin/pppoe-
309            server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
310
311
312       pppd_initrc_exec_t
313
314       - Set files with the pppd_initrc_exec_t type, if you want to transition
315       an executable to the pppd_initrc_t domain.
316
317
318       Paths:
319            /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp
320
321
322       pppd_lock_t
323
324       -  Set  files with the pppd_lock_t type, if you want to treat the files
325       as pppd lock data, stored under the /var/lock directory
326
327
328
329       pppd_log_t
330
331       - Set files with the pppd_log_t type, if you want to treat the data  as
332       pppd log data, usually stored under the /var/log directory.
333
334
335       Paths:
336            /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*
337
338
339       pppd_secret_t
340
341       - Set files with the pppd_secret_t type, if you want to treat the files
342       as pppd se secret data.
343
344
345
346       pppd_tmp_t
347
348       - Set files with the pppd_tmp_t type, if you want to store pppd  tempo‐
349       rary files in the /tmp directories.
350
351
352
353       pppd_unit_file_t
354
355       -  Set  files  with the pppd_unit_file_t type, if you want to treat the
356       files as pppd unit content.
357
358
359
360       pppd_var_run_t
361
362       - Set files with the pppd_var_run_t type, if you want to store the pppd
363       files under the /run or /var/run directory.
364
365
366       Paths:
367            /var/run/(i)?ppp.*pid[^/]*,                    /var/run/ppp(/.*)?,
368            /var/run/pppd[0-9]*.tdb
369
370
371       Note: File context can be temporarily modified with the chcon  command.
372       If  you want to permanently change the file context you need to use the
373       semanage fcontext command.  This will modify the SELinux labeling data‐
374       base.  You will need to use restorecon to apply the labels.
375
376

COMMANDS

378       semanage  fcontext  can also be used to manipulate default file context
379       mappings.
380
381       semanage permissive can also be used to manipulate  whether  or  not  a
382       process type is permissive.
383
384       semanage  module can also be used to enable/disable/install/remove pol‐
385       icy modules.
386
387       semanage boolean can also be used to manipulate the booleans
388
389
390       system-config-selinux is a GUI tool available to customize SELinux pol‐
391       icy settings.
392
393

AUTHOR

395       This manual page was auto-generated using sepolicy manpage .
396
397

SEE ALSO

399       selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
400       setsebool(8)
401
402
403
404pppd                               19-05-30                    pppd_selinux(8)
Impressum