pppd_selinux(8) SELinux Policy pppd pppd_selinux(8)


NAME
pppd_selinux - Security Enhanced Linux Policy for the pppd processes

DESCRIPTION
Security-Enhanced Linux secures the pppd processes via flexible mandatory
access control.

The pppd processes execute with the pppd_t SELinux type. You can check
if you have these processes running by executing the ps command with
the -Z qualifier.

For example:

ps -eZ | grep pppd_t


ENTRYPOINTS
The pppd_t SELinux type can be entered via the pppd_exec_t file type.

The default entrypoint paths for the pppd_t domain are the following:

/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
/usr/sbin/ppp-watch, /usr/sbin/pppoe-server

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
pppd policy is very flexible, allowing users to set up their pppd
processes in as secure a manner as possible.

The following process types are defined for pppd:

pppd_t

Note: semanage permissive -a pppd_t can be used to make the process
type pppd_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

BOOLEANS
SELinux policy is customizable based on the least access required. pppd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run pppd with the tightest access possible.

If you want to allow pppd to load kernel modules for certain modems,
you must turn on the pppd_can_insmod boolean. Disabled by default.

setsebool -P pppd_can_insmod 1

If you want to allow pppd to be run for a regular user, you must turn
on the pppd_for_user boolean. Disabled by default.

setsebool -P pppd_for_user 1

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1
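The booleans above each carry a documented default. The following shell function is an added example, not part of this generated page or of the sepolicy tool: it reads the text of getsebool -a and reports every boolean listed in this section whose live value differs from the default stated here. The getsebool output embedded below is constructed so the check runs on a host without SELinux.

```shell
# Added example, not from the sepolicy-generated page: report every boolean
# documented above whose live value differs from its documented default.
# Input is the text of `getsebool -a`; the sample below is constructed so
# the check runs on a host without SELinux.

# boolean name and the default this page states (1 = enabled by default)
PPPD_BOOL_DEFAULTS='pppd_can_insmod 0
pppd_for_user 0
authlogin_nsswitch_use_ldap 0
fips_mode 1
kerberos_enabled 1
nis_enabled 0
nscd_use_shm 0'

# audit_pppd_booleans GETSEBOOL_OUTPUT
# Prints "name current default" for each boolean that deviates, and
# "name missing default" for one the host does not know; prints nothing
# when everything matches the documented defaults.
audit_pppd_booleans() {
    _out=$1
    printf '%s\n' "$PPPD_BOOL_DEFAULTS" | while read -r _name _default; do
        # getsebool prints "name --> on" or "name --> off"
        _state=$(printf '%s\n' "$_out" | awk -v n="$_name" '$1 == n { print $3 }')
        if [ -z "$_state" ]; then
            printf '%s missing %s\n' "$_name" "$_default"
            continue
        fi
        case $_state in on) _cur=1 ;; *) _cur=0 ;; esac
        if [ "$_cur" -ne "$_default" ]; then
            printf '%s %s %s\n' "$_name" "$_cur" "$_default"
        fi
    done
}

# Constructed `getsebool -a` excerpt: pppd_can_insmod has been switched on
# and fips_mode switched off; the others sit at their defaults.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> off
kerberos_enabled --> on
nis_enabled --> off
nscd_use_shm --> off
pppd_can_insmod --> on
pppd_for_user --> off'

# pppd_boolean_drift: run the audit over the constructed sample
pppd_boolean_drift() { audit_pppd_booleans "$SAMPLE_GETSEBOOL"; }

pppd_boolean_drift
# On a live host: audit_pppd_booleans "$(getsebool -a)"
```

Each reported line names the boolean, its current value and the default from this page, so a host where pppd_can_insmod has been enabled or fips_mode disabled shows up immediately.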


MANAGED FILES
The SELinux process type pppd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

etc_runtime_t

/[^/]+
/etc/mtab.*
/etc/blkid(/.*)?
/etc/nologin.*
/etc/.fstab.hal..+
/halt
/fastboot
/poweroff
/.autofsck
/etc/cmtab
/forcefsck
/.suspended
/fsckoptions
/.autorelabel
/etc/.updated
/var/.updated
/etc/killpower
/etc/nohotplug
/etc/securetty
/etc/ioctl.save
/etc/fstab.REVOKE
/etc/network/ifstate
/etc/sysconfig/hwconf
/etc/ptal/ptal-printd-like
/etc/sysconfig/iptables.save
/etc/xorg.conf.d/00-system-setup-keyboard.conf
/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

net_conf_t

/etc/hosts[^/]*
/etc/yp.conf.*
/etc/denyhosts.*
/etc/hosts.deny.*
/etc/resolv.conf.*
/etc/.resolv.conf.*
/etc/resolv-secure.conf.*
/var/run/cloud-init(/.*)?
/var/run/systemd/network(/.*)?
/etc/sysconfig/networking(/.*)?
/etc/sysconfig/network-scripts(/.*)?
/etc/sysconfig/network-scripts/.*resolv.conf
/var/run/NetworkManager/resolv.conf.*
/etc/ethers
/etc/ntp.conf
/var/run/systemd/resolve/resolv.conf
/var/run/systemd/resolve/stub-resolv.conf

pppd_etc_rw_t

/etc/ppp(/.*)?
/etc/ppp/peers(/.*)?
/etc/ppp/resolv.conf

pppd_lock_t

/var/lock/ppp(/.*)?

pppd_log_t

/var/log/ppp(/.*)?
/var/log/ppp-connect-errors.*

pppd_tmp_t


pppd_var_run_t

/var/run/(i)?ppp.*pid[^/]*
/var/run/ppp(/.*)?
/var/run/pppd[0-9]*.tdb

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

wtmp_t

/var/log/wtmp.*


FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux pppd policy is very flexible, allowing users to set up their pppd
processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

pppd policy stores data with multiple different file context types
under the /var/log/ppp directory. If you would like to store the data
in a different directory you can use the semanage command to create an
equivalence mapping. If you wanted to store this data under the /srv
directory you would execute the following command:

semanage fcontext -a -e /var/log/ppp /srv/ppp
restorecon -R -v /srv/ppp

pppd policy stores data with multiple different file context types
under the /var/run/ppp directory. If you would like to store the data
in a different directory you can use the semanage command to create an
equivalence mapping. If you wanted to store this data under the /srv
directory you would execute the following command:

semanage fcontext -a -e /var/run/ppp /srv/ppp
restorecon -R -v /srv/ppp

STANDARD FILE CONTEXT

SELinux defines the file context types for pppd. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
restorecon -R -v /srv/mypppd_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for pppd:

pppd_etc_rw_t

- Set files with the pppd_etc_rw_t type, if you want to treat the files
as pppd etc read/write content.

Paths:
/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf

pppd_etc_t

- Set files with the pppd_etc_t type, if you want to store pppd files
in the /etc directories.

Paths:
/root/.ppprc, /etc/ppp

pppd_exec_t

- Set files with the pppd_exec_t type, if you want to transition an
executable to the pppd_t domain.

Paths:
/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
/usr/sbin/ppp-watch, /usr/sbin/pppoe-server

pppd_initrc_exec_t

- Set files with the pppd_initrc_exec_t type, if you want to transition
an executable to the pppd_initrc_t domain.

Paths:
/etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp

pppd_lock_t

- Set files with the pppd_lock_t type, if you want to treat the files
as pppd lock data, stored under the /var/lock directory.

pppd_log_t

- Set files with the pppd_log_t type, if you want to treat the data as
pppd log data, usually stored under the /var/log directory.

Paths:
/var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*

pppd_secret_t

- Set files with the pppd_secret_t type, if you want to treat the files
as pppd secret data.

pppd_tmp_t

- Set files with the pppd_tmp_t type, if you want to store pppd
temporary files in the /tmp directories.

pppd_unit_file_t

- Set files with the pppd_unit_file_t type, if you want to treat the
files as pppd unit content.

pppd_var_run_t

- Set files with the pppd_var_run_t type, if you want to store the pppd
files under the /run or /var/run directory.

Paths:
/var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
/var/run/pppd[0-9]*.tdb

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.
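The Paths lists above are anchored regular expressions, and the last matching entry in file_contexts wins. The following shell functions are an added example, not part of this generated page or of the sepolicy tool: they predict which pppd type a path receives under the entries listed here and compare it with a recorded ls -Z line, which is what matchpathcon(8) and restorecon -nv do on a live host. The fcontext table is copied from this page; the ls -Z lines are constructed.

```shell
# Added example, not part of the sepolicy-generated page: predict the type a
# path gets under the pppd file-context entries above and compare it with a
# recorded `ls -Z` line, without needing SELinux on the host running this.

# "regex type" pairs copied from the Paths lists on this page. file_contexts
# regexes are anchored at both ends and the last matching entry wins, which
# is the rule modelled here (assumes more specific entries are sorted later).
PPPD_FCONTEXTS='/var/run/ppp(/.*)? pppd_var_run_t
/var/run/(i)?ppp.*pid[^/]* pppd_var_run_t
/var/run/pppd[0-9]*.tdb pppd_var_run_t
/var/lock/ppp(/.*)? pppd_lock_t
/var/log/ppp(/.*)? pppd_log_t
/var/log/ppp-connect-errors.* pppd_log_t
/usr/sbin/pppd pppd_exec_t
/etc/ppp/(auth|ip(v6|x)?)-(up|down) pppd_initrc_exec_t'

# expected_pppd_type PATH
# Prints the type given by the last matching entry, or "no_match" when none
# of the pppd entries covers PATH.
expected_pppd_type() {
    _match=no_match
    printf '%s\n' "$PPPD_FCONTEXTS" | while read -r _re _type; do
        if printf '%s\n' "$1" | grep -Eq "^${_re}\$"; then
            _match=$_type
        fi
        printf '%s\n' "$_match"   # last line printed is the final answer
    done | tail -n 1
}

# check_label "LS_Z_LINE"
# LS_Z_LINE is one `ls -Z` line, e.g. "system_u:object_r:var_run_t:s0 /var/run/ppp0.pid".
# Prints "ok", "mismatch" or "unmanaged" with details, so a mislabelled pid
# file or log directory stands out before pppd is denied access to it.
check_label() {
    _ctx=${1%% *}
    _path=${1#* }
    _have=$(printf '%s' "$_ctx" | cut -d: -f3)   # the type field of the context
    _want=$(expected_pppd_type "$_path")
    if [ "$_want" = no_match ]; then
        printf 'unmanaged %s\n' "$_path"
    elif [ "$_have" = "$_want" ]; then
        printf 'ok %s %s\n' "$_path" "$_want"
    else
        printf 'mismatch %s have %s want %s\n' "$_path" "$_have" "$_want"
    fi
}

# Constructed ls -Z lines: a pid file that lost its pppd label after being
# recreated, and a correctly labelled log file.
check_label 'system_u:object_r:var_run_t:s0 /var/run/ppp0.pid'
check_label 'system_u:object_r:pppd_log_t:s0 /var/log/ppp/connect.log'
```

A mismatch on a path under /var/run/ppp or /var/log/ppp is the case the restorecon commands in this section fix; an unmanaged result means none of the pppd entries on this page applies to the path.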


COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8)



pppd 19-06-18 pppd_selinux(8)