1pppd_selinux(8) SELinux Policy pppd pppd_selinux(8)
2
6 pppd_selinux - Security Enhanced Linux Policy for the pppd processes
7
9 Security-Enhanced Linux secures the pppd processes via flexible manda‐
10 tory access control.
11 The pppd processes execute with the pppd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep pppd_t
19
23 The pppd_t SELinux type can be entered via the pppd_exec_t file type.
24 The default entrypoint paths for the pppd_t domain are the following:
26 /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
28 /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
29
31 SELinux defines process types (domains) for each process running on the
32 system
33 You can see the context of a process using the -Z option to ps
35 Policy governs the access confined processes have to files. SELinux
37 pppd policy is very flexible allowing users to setup their pppd pro‐
38 cesses in as secure a method as possible.
39 The following process types are defined for pppd:
41 pppd_t
43 Note: semanage permissive -a pppd_t can be used to make the process
45 type pppd_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
51 SELinux policy is customizable based on least access required. pppd
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run pppd with the tightest access possible.
54 If you want to allow pppd to load kernel modules for certain modems,
58 you must turn on the pppd_can_insmod boolean. Disabled by default.
59 setsebool -P pppd_can_insmod 1
61 If you want to allow pppd to be run for a regular user, you must turn
65 on the pppd_for_user boolean. Disabled by default.
66 setsebool -P pppd_for_user 1
68 If you want to dontaudit all daemons scheduling requests (setsched,
72 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
73 Enabled by default.
74 setsebool -P daemons_dontaudit_scheduling 1
76 If you want to allow all domains to execute in fips_mode, you must turn
80 on the fips_mode boolean. Enabled by default.
81 setsebool -P fips_mode 1
83 If you want to allow system to run with NIS, you must turn on the
87 nis_enabled boolean. Disabled by default.
88 setsebool -P nis_enabled 1
90
94 The SELinux process type pppd_t can manage files labeled with the fol‐
95 lowing file types. The paths listed are the default paths for these
96 file types. Note the processes UID still need to have DAC permissions.
97 cluster_conf_t
99 /etc/cluster(/.*)?
101 cluster_var_lib_t
103 /var/lib/pcsd(/.*)?
105 /var/lib/cluster(/.*)?
106 /var/lib/openais(/.*)?
107 /var/lib/pengine(/.*)?
108 /var/lib/corosync(/.*)?
109 /usr/lib/heartbeat(/.*)?
110 /var/lib/heartbeat(/.*)?
111 /var/lib/pacemaker(/.*)?
112 cluster_var_run_t
114 /var/run/crm(/.*)?
116 /var/run/cman_.*
117 /var/run/rsctmp(/.*)?
118 /var/run/aisexec.*
119 /var/run/heartbeat(/.*)?
120 /var/run/pcsd-ruby.socket
121 /var/run/corosync-qnetd(/.*)?
122 /var/run/corosync-qdevice(/.*)?
123 /var/run/corosync.pid
124 /var/run/cpglockd.pid
125 /var/run/rgmanager.pid
126 /var/run/cluster/rgmanager.sk
127 faillog_t
129 /var/log/btmp.*
131 /var/log/faillog.*
132 /var/log/tallylog.*
133 /var/run/faillock(/.*)?
134 krb5_host_rcache_t
136 /var/tmp/krb5_0.rcache2
138 /var/cache/krb5rcache(/.*)?
139 /var/tmp/nfs_0
140 /var/tmp/DNS_25
141 /var/tmp/host_0
142 /var/tmp/imap_0
143 /var/tmp/HTTP_23
144 /var/tmp/HTTP_48
145 /var/tmp/ldap_55
146 /var/tmp/ldap_487
147 /var/tmp/ldapmap1_0
148 pppd_etc_rw_t
150 /etc/ppp(/.*)?
152 /etc/ppp/peers(/.*)?
153 /etc/ppp/resolv.conf
154 pppd_lock_t
156 /var/lock/ppp(/.*)?
158 pppd_log_t
160 /var/log/ppp(/.*)?
162 /var/log/ppp-connect-errors.*
163 pppd_tmp_t
165 pppd_var_run_t
168 /var/run/(i)?ppp.*pid[^/]*
170 /var/run/ppp(/.*)?
171 /var/run/pppd[0-9]*.tdb
172 root_t
174 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
176 /
177 /initrd
178 wtmp_t
180 /var/log/wtmp.*
182
185 SELinux requires files to have an extended attribute to define the file
186 type.
187 You can see the context of a file using the -Z option to ls
189 Policy governs the access confined processes have to these files.
191 SELinux pppd policy is very flexible allowing users to setup their pppd
192 processes in as secure a method as possible.
193 EQUIVALENCE DIRECTORIES
195 pppd policy stores data with multiple different file context types un‐
198 der the /var/log/ppp directory. If you would like to store the data in
199 a different directory you can use the semanage command to create an
200 equivalence mapping. If you wanted to store this data under the /srv
201 directory you would execute the following command:
202 semanage fcontext -a -e /var/log/ppp /srv/ppp
204 restorecon -R -v /srv/ppp
205 pppd policy stores data with multiple different file context types un‐
207 der the /var/run/ppp directory. If you would like to store the data in
208 a different directory you can use the semanage command to create an
209 equivalence mapping. If you wanted to store this data under the /srv
210 directory you would execute the following command:
211 semanage fcontext -a -e /var/run/ppp /srv/ppp
213 restorecon -R -v /srv/ppp
214 STANDARD FILE CONTEXT
216 SELinux defines the file context types for the pppd, if you wanted to
218 store files with these types in a different paths, you need to execute
219 the semanage command to specify alternate labeling and then use re‐
220 storecon to put the labels on disk.
221 semanage fcontext -a -t pppd_exec_t '/srv/pppd/content(/.*)?'
223 restorecon -R -v /srv/mypppd_content
224 Note: SELinux often uses regular expressions to specify labels that
226 match multiple files.
227 The following file types are defined for pppd:
229 pppd_etc_rw_t
233 - Set files with the pppd_etc_rw_t type, if you want to treat the files
235 as pppd etc read/write content.
236 Paths:
239 /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf
240 pppd_etc_t
243 - Set files with the pppd_etc_t type, if you want to store pppd files
245 in the /etc directories.
246 Paths:
249 /root/.ppprc, /etc/ppp
250 pppd_exec_t
253 - Set files with the pppd_exec_t type, if you want to transition an ex‐
255 ecutable to the pppd_t domain.
256 Paths:
259 /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-
260 server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
261 pppd_initrc_exec_t
264 - Set files with the pppd_initrc_exec_t type, if you want to transition
266 an executable to the pppd_initrc_t domain.
267 Paths:
270 /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp
271 pppd_lock_t
274 - Set files with the pppd_lock_t type, if you want to treat the files
276 as pppd lock data, stored under the /var/lock directory
277 pppd_log_t
281 - Set files with the pppd_log_t type, if you want to treat the data as
283 pppd log data, usually stored under the /var/log directory.
284 Paths:
287 /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*
288 pppd_secret_t
291 - Set files with the pppd_secret_t type, if you want to treat the files
293 as pppd secret data.
294 pppd_tmp_t
298 - Set files with the pppd_tmp_t type, if you want to store pppd tempo‐
300 rary files in the /tmp directories.
301 pppd_unit_file_t
305 - Set files with the pppd_unit_file_t type, if you want to treat the
307 files as pppd unit content.
308 pppd_var_run_t
312 - Set files with the pppd_var_run_t type, if you want to store the pppd
314 files under the /run or /var/run directory.
315 Paths:
318 /var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
319 /var/run/pppd[0-9]*.tdb
320 Note: File context can be temporarily modified with the chcon command.
323 If you want to permanently change the file context you need to use the
324 semanage fcontext command. This will modify the SELinux labeling data‐
325 base. You will need to use restorecon to apply the labels.
326
329 semanage fcontext can also be used to manipulate default file context
330 mappings.
331 semanage permissive can also be used to manipulate whether or not a
333 process type is permissive.
334 semanage module can also be used to enable/disable/install/remove pol‐
336 icy modules.
337 semanage boolean can also be used to manipulate the booleans
339 system-config-selinux is a GUI tool available to customize SELinux pol‐
342 icy settings.
343
346 This manual page was auto-generated using sepolicy manpage .
347
350 selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
351 setsebool(8)
352pppd 23-12-15 pppd_selinux(8)