pppd_selinux(8)               SELinux Policy pppd              pppd_selinux(8)


NAME

       pppd_selinux - Security Enhanced Linux Policy for the pppd processes

DESCRIPTION

       Security-Enhanced Linux secures the pppd processes via flexible
       mandatory access control.

       The pppd processes execute with the pppd_t SELinux type. You can check
       whether you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep pppd_t

ENTRYPOINTS

       The pppd_t SELinux type can be entered via the pppd_exec_t file type.

       The default entrypoint paths for the pppd_t domain are the following:

       /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
       /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pppd policy is very flexible, allowing users to set up their pppd
       processes in as secure a manner as possible.

       The following process types are defined for pppd:

       pppd_t

       Note: semanage permissive -a pppd_t can be used to make the process
       type pppd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
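
       The ENTRYPOINTS and PROCESS TYPES sections above describe how to see
       which domain a process runs in. The following script is an added
       example, not part of the sepolicy-generated page: it parses `ps -eZ`
       output to list the PIDs confined by pppd_t and to flag pppd-family
       commands (the entrypoint binaries listed above) that are running in
       some other domain. The sample `ps -eZ` lines are constructed for the
       example; on a real host the script is fed by `ps -eZ` directly.

```sh
#!/bin/sh
# Added example (not from pppd_selinux(8)): audit `ps -eZ` output for the
# pppd_t domain. Input columns are: LABEL PID TTY TIME CMD.

# Constructed sample of `ps -eZ` output (not captured from a real host). The
# last line shows pppd started from an unconfined shell with no transition
# into pppd_t.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:pppd_t:s0              1234 ?        00:00:00 pppd
system_u:system_r:pppd_t:s0              1240 ?        00:00:00 ppp-watch
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 pppd'

# pids_in_domain DOMAIN: print, space separated, the PIDs whose SELinux type
# (the third colon-separated field of the context label) equals DOMAIN.
pids_in_domain() {
    awk -v want="$1" '
        NR > 1 { split($1, c, ":"); if (c[3] == want) out = out (out == "" ? "" : " ") $2 }
        END { print out }'
}

# unconfined_pppd: print "PID CMD" for the pppd entrypoint commands that are
# not running in pppd_t. On a live host this usually means the executable
# lost its pppd_exec_t label, so no domain transition took place;
# `restorecon -v /usr/sbin/pppd` relabels it from the policy database.
unconfined_pppd() {
    awk 'NR > 1 {
        split($1, c, ":")
        if ($5 ~ /^(pppd|ppp-watch|ipppd|pppoe-server)$/ && c[3] != "pppd_t")
            print $2, $5
    }'
}

# Demonstration on the constructed sample. On a real host use:
#   ps -eZ | pids_in_domain pppd_t
#   ps -eZ | unconfined_pppd
printf '%s\n' "$SAMPLE_PS" | pids_in_domain pppd_t
printf '%s\n' "$SAMPLE_PS" | unconfined_pppd
```

       The type is taken from the third field of the label rather than from
       a fixed column width, so labels with an MLS range such as
       s0-s0:c0.c1023 parse the same way as plain ones.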

BOOLEANS

       SELinux policy is customizable based on least access required. pppd
       policy is extremely flexible and has several booleans that allow you
       to manipulate the policy and run pppd with the tightest access
       possible.

       If you want to allow pppd to load kernel modules for certain modems,
       you must turn on the pppd_can_insmod boolean. Disabled by default.

       setsebool -P pppd_can_insmod 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1
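
       The three booleans above each widen what pppd may do, so a host that
       should be running with the tightest access should still have them at
       their documented defaults. The following script is an added example,
       not part of the sepolicy-generated page: it reads `getsebool -a`
       output, reports the pppd booleans that differ from the defaults stated
       in this section, and prints (without running) the `setsebool -P`
       commands that would restore them. The `getsebool -a` lines are
       constructed for the example.

```sh
#!/bin/sh
# Added example (not from pppd_selinux(8)): detect drift of the pppd booleans
# from their documented defaults. Nothing on the host is modified; the
# remediation commands are only printed.

# Constructed sample of `getsebool -a` output. pppd_for_user has been turned
# on, which is the kind of loosening this check is meant to surface.
SAMPLE_GETSEBOOL='fips_mode --> on
httpd_can_network_connect --> off
pppd_can_insmod --> off
pppd_for_user --> on'

# boolean_drift: read getsebool output on stdin and print "name current default"
# for every documented pppd boolean whose value differs from its default.
boolean_drift() {
    awk '
        BEGIN {
            # defaults as stated in the BOOLEANS section of pppd_selinux(8)
            want["pppd_can_insmod"] = "off"
            want["pppd_for_user"]   = "off"
            want["fips_mode"]       = "on"
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# drift_fix_commands: turn the drift report into persistent (-P) setsebool
# commands. Review them before running: a deviation may be a deliberate local
# decision (for example pppd_for_user enabled on purpose) rather than tampering.
drift_fix_commands() {
    boolean_drift | awk '{ print "setsebool -P " $1 " " $3 }'
}

# Demonstration on the constructed sample. On a real host use:
#   getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | drift_fix_commands
```

       Booleans not listed in this manual page (httpd_can_network_connect in
       the sample) are ignored, so the check stays scoped to pppd.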

MANAGED FILES

       The SELinux process type pppd_t can manage files labeled with the
       following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       pppd_etc_rw_t

            /etc/ppp(/.*)?
            /etc/ppp/peers(/.*)?
            /etc/ppp/resolv.conf

       pppd_lock_t

            /var/lock/ppp(/.*)?

       pppd_log_t

            /var/log/ppp(/.*)?
            /var/log/ppp-connect-errors.*

       pppd_var_run_t

            /var/run/(i)?ppp.*pid[^/]*
            /var/run/ppp(/.*)?
            /var/run/pppd[0-9]*.tdb

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       wtmp_t

            /var/log/wtmp.*

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pppd policy is very flexible, allowing users to set up their
       pppd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       pppd policy stores data with multiple different file context types
       under the /var/log/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create
       an equivalence mapping. If you wanted to store this data under the
       /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       pppd policy stores data with multiple different file context types
       under the /var/run/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create
       an equivalence mapping. If you wanted to store this data under the
       /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pppd. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
       restorecon -R -v /srv/mypppd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for pppd:

       pppd_etc_rw_t

       - Set files with the pppd_etc_rw_t type, if you want to treat the
       files as pppd etc read/write content.

       Paths:
            /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf

       pppd_etc_t

       - Set files with the pppd_etc_t type, if you want to store pppd files
       in the /etc directories.

       Paths:
            /root/.ppprc, /etc/ppp

       pppd_exec_t

       - Set files with the pppd_exec_t type, if you want to transition an
       executable to the pppd_t domain.

       Paths:
            /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd,
            /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

       pppd_initrc_exec_t

       - Set files with the pppd_initrc_exec_t type, if you want to
       transition an executable to the pppd_initrc_t domain.

       Paths:
            /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp

       pppd_lock_t

       - Set files with the pppd_lock_t type, if you want to treat the files
       as pppd lock data, stored under the /var/lock directory.

       pppd_log_t

       - Set files with the pppd_log_t type, if you want to treat the data
       as pppd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*

       pppd_secret_t

       - Set files with the pppd_secret_t type, if you want to treat the
       files as pppd secret data.

       pppd_tmp_t

       - Set files with the pppd_tmp_t type, if you want to store pppd
       temporary files in the /tmp directories.

       pppd_unit_file_t

       - Set files with the pppd_unit_file_t type, if you want to treat the
       files as pppd unit content.

       pppd_var_run_t

       - Set files with the pppd_var_run_t type, if you want to store the
       pppd files under the /run or /var/run directory.

       Paths:
            /var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
            /var/run/pppd[0-9]*.tdb

       Note: File context can be temporarily modified with the chcon
       command. If you want to permanently change the file context you need
       to use the semanage fcontext command. This will modify the SELinux
       labeling database. You will need to use restorecon to apply the
       labels.
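
       The EQUIVALENCE DIRECTORIES and STANDARD FILE CONTEXT passages above
       explain that labels are assigned by regular-expression rules and that a
       file whose on-disk label disagrees with those rules needs restorecon.
       The following script is an added example, not part of the
       sepolicy-generated page: it carries the pppd file context rules listed
       in this section, predicts the type a path should carry (honouring one
       equivalence mapping of the kind shown above), and audits `ls -dZ`
       output for files that disagree. The rule-selection order used here
       (the matching rule with the longest literal prefix wins, the later rule
       on a tie) is a simplification chosen for this example and is not
       libselinux's algorithm; on a real host `matchpathcon PATH` gives the
       authoritative answer. The `ls -dZ` lines are constructed for the
       example.

```sh
#!/bin/sh
# Added example (not from pppd_selinux(8)): a small matcher over the pppd
# file context rules, plus an audit of `ls -dZ` output against them.
# The longest-literal-prefix selection below is an assumption of this
# example, not the libselinux lookup algorithm.

FC_AWK='
# length of the literal prefix (the "stem") of a regex, up to the first metachar
function stem_len(re,   i) {
    for (i = 1; i <= length(re); i++)
        if (index("()[].*?|+^$\\", substr(re, i, 1)) > 0) return i - 1
    return length(re)
}
function add(re, t) { n++; re_of[n] = re; type_of[n] = t; stem_of[n] = stem_len(re) }
# expected(path): apply the equivalence mapping, then choose the matching rule
# with the longest stem; returns "unknown" when no pppd rule matches
function expected(path,   i, best, bt) {
    if (path == eq_from || index(path, eq_from "/") == 1)
        path = eq_to substr(path, length(eq_from) + 1)
    best = -1; bt = "unknown"
    for (i = 1; i <= n; i++)
        if (path ~ ("^(" re_of[i] ")$") && stem_of[i] >= best) { best = stem_of[i]; bt = type_of[i] }
    return bt
}
BEGIN {
    # rules copied from the FILE CONTEXTS section of pppd_selinux(8)
    add("/etc/ppp(/.*)?",                      "pppd_etc_rw_t")
    add("/etc/ppp/peers(/.*)?",                "pppd_etc_rw_t")
    add("/etc/ppp/resolv.conf",                "pppd_etc_rw_t")
    add("/root/.ppprc",                        "pppd_etc_t")
    add("/etc/ppp",                            "pppd_etc_t")
    add("/etc/ppp/(auth|ip(v6|x)?)-(up|down)", "pppd_initrc_exec_t")
    add("/etc/rc.d/init.d/ppp",                "pppd_initrc_exec_t")
    add("/var/lock/ppp(/.*)?",                 "pppd_lock_t")
    add("/var/log/ppp(/.*)?",                  "pppd_log_t")
    add("/var/log/ppp-connect-errors.*",       "pppd_log_t")
    add("/var/run/(i)?ppp.*pid[^/]*",          "pppd_var_run_t")
    add("/var/run/ppp(/.*)?",                  "pppd_var_run_t")
    add("/var/run/pppd[0-9]*.tdb",             "pppd_var_run_t")
    # equivalence as created by: semanage fcontext -a -e /var/log/ppp /srv/ppp
    eq_from = "/srv/ppp"; eq_to = "/var/log/ppp"
    if (mode == "lookup") { print expected(path); exit }
}
# audit mode: each input line is "<context> <path>" as printed by ls -dZ
# (paths containing spaces are not handled)
{ split($1, c, ":"); want = expected($2); if (want != "unknown" && c[3] != want) print $2, c[3], want }
'

# expected_type PATH: print the type the pppd rules assign to PATH
expected_type() { awk -v mode=lookup -v path="$1" "$FC_AWK" < /dev/null; }
# label_audit: read `ls -dZ` lines on stdin, print "path actual expected" for mismatches
label_audit()   { awk -v mode=audit "$FC_AWK"; }

# Constructed `ls -dZ` sample (not from a real host): ip-down carries the generic
# etc_t label, so no transition to pppd_initrc_t would happen when it runs.
SAMPLE_LS='system_u:object_r:pppd_etc_t:s0 /etc/ppp
system_u:object_r:pppd_etc_rw_t:s0 /etc/ppp/options
system_u:object_r:pppd_initrc_exec_t:s0 /etc/ppp/ip-up
unconfined_u:object_r:etc_t:s0 /etc/ppp/ip-down
system_u:object_r:pppd_etc_rw_t:s0 /etc/ppp/resolv.conf'

printf '%s\n' "$SAMPLE_LS" | label_audit
# on a live host: find /etc/ppp -exec ls -dZ {} + | label_audit
```

       A mismatch reported by label_audit is what `restorecon -R -v /etc/ppp`
       repairs from the policy database; a mismatch that reappears after a
       restorecon usually means a local `chcon` or a missing `semanage
       fcontext` entry, as the Note above describes.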

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)


pppd                               20-05-05                    pppd_selinux(8)