pppd_selinux(8)               SELinux Policy pppd              pppd_selinux(8)

NAME

       pppd_selinux - Security Enhanced Linux Policy for the pppd processes


DESCRIPTION

       Security-Enhanced Linux secures the pppd processes via flexible
       mandatory access control.

       The pppd processes execute with the pppd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep pppd_t


ENTRYPOINTS

       The pppd_t SELinux type can be entered via the pppd_exec_t file type.

       The default entrypoint paths for the pppd_t domain are the following:

       /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
       /usr/sbin/ppp-watch, /usr/sbin/pppoe-server


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pppd policy is very flexible, allowing users to set up their pppd
       processes in as secure a method as possible.

       The following process types are defined for pppd:

       pppd_t

       Note: semanage permissive -a pppd_t can be used to make the process
       type pppd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. pppd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run pppd with the tightest access possible.

       If you want to allow pppd to load kernel modules for certain modems,
       you must turn on the pppd_can_insmod boolean. Disabled by default.

       setsebool -P pppd_can_insmod 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

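       As an added example (not part of the generated manual page), the
       following shell functions compare the booleans listed above, as
       reported by getsebool -a, against their documented defaults and print
       the ones that have been changed; the getsebool output used here is a
       constructed sample so the check runs on a host without SELinux.

```shell
# Added example: report the booleans from the BOOLEANS section whose state
# differs from the documented default. Input is the output of `getsebool -a`.

# Boolean name and default state, as stated in the manual page above.
pppd_boolean_defaults() {
    cat <<'EOF'
pppd_can_insmod off
pppd_for_user off
authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled off
nis_enabled off
nscd_use_shm off
EOF
}

# Constructed sample of `getsebool -a` output (one "name --> state" per line);
# two booleans have been switched on relative to the defaults.
sample_getsebool() {
    cat <<'EOF'
pppd_can_insmod --> on
pppd_for_user --> off
authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> off
nis_enabled --> on
nscd_use_shm --> off
EOF
}

# audit_pppd_booleans: reads getsebool output on stdin and prints one line,
# "NAME STATE (default DEFAULT)", per boolean that is not at its default.
# Booleans absent from the running policy are skipped.
audit_pppd_booleans() {
    input=$(cat)
    pppd_boolean_defaults | while read -r name default; do
        state=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n { print $3 }')
        [ -n "$state" ] || continue
        if [ "$state" != "$default" ]; then
            printf '%s %s (default %s)\n' "$name" "$state" "$default"
        fi
    done
}

# On a real host: getsebool -a | audit_pppd_booleans
sample_getsebool | audit_pppd_booleans
```

       With the sample input the report names pppd_can_insmod and nis_enabled
       only; fips_mode is on, which matches its default and is not reported.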

MANAGED FILES

       The SELinux process type pppd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /.autofsck
            /etc/cmtab
            /forcefsck
            /.suspended
            /fsckoptions
            /.autorelabel
            /etc/.updated
            /var/.updated
            /etc/killpower
            /etc/nohotplug
            /etc/securetty
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       net_conf_t

            /etc/hosts[^/]*
            /etc/yp.conf.*
            /etc/denyhosts.*
            /etc/hosts.deny.*
            /etc/resolv.conf.*
            /etc/.resolv.conf.*
            /etc/resolv-secure.conf.*
            /var/run/cloud-init(/.*)?
            /var/run/systemd/network(/.*)?
            /etc/sysconfig/networking(/.*)?
            /etc/sysconfig/network-scripts(/.*)?
            /etc/sysconfig/network-scripts/.*resolv.conf
            /var/run/NetworkManager/resolv.conf.*
            /etc/ethers
            /etc/ntp.conf
            /var/run/systemd/resolve/resolv.conf
            /var/run/systemd/resolve/stub-resolv.conf

       pppd_etc_rw_t

            /etc/ppp(/.*)?
            /etc/ppp/peers(/.*)?
            /etc/ppp/resolv.conf

       pppd_lock_t

            /var/lock/ppp(/.*)?

       pppd_log_t

            /var/log/ppp(/.*)?
            /var/log/ppp-connect-errors.*

       pppd_tmp_t


       pppd_var_run_t

            /var/run/(i)?ppp.*pid[^/]*
            /var/run/ppp(/.*)?
            /var/run/pppd[0-9]*.tdb

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       wtmp_t

            /var/log/wtmp.*


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pppd policy is very flexible, allowing users to set up their
       pppd processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       pppd policy stores data with multiple different file context types
       under the /var/log/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/log/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       pppd policy stores data with multiple different file context types
       under the /var/run/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/run/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pppd. If you wanted to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
       restorecon -R -v /srv/mypppd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for pppd:

       pppd_etc_rw_t

       - Set files with the pppd_etc_rw_t type, if you want to treat the files
       as pppd etc read/write content.

       Paths:
            /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf

       pppd_etc_t

       - Set files with the pppd_etc_t type, if you want to store pppd files
       in the /etc directories.

       Paths:
            /root/.ppprc, /etc/ppp

       pppd_exec_t

       - Set files with the pppd_exec_t type, if you want to transition an
       executable to the pppd_t domain.

       Paths:
            /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd,
            /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

       pppd_initrc_exec_t

       - Set files with the pppd_initrc_exec_t type, if you want to transition
       an executable to the pppd_initrc_t domain.

       Paths:
            /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp

       pppd_lock_t

       - Set files with the pppd_lock_t type, if you want to treat the files
       as pppd lock data, stored under the /var/lock directory.

       pppd_log_t

       - Set files with the pppd_log_t type, if you want to treat the data as
       pppd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*

       pppd_secret_t

       - Set files with the pppd_secret_t type, if you want to treat the files
       as pppd secret data.

       pppd_tmp_t

       - Set files with the pppd_tmp_t type, if you want to store pppd
       temporary files in the /tmp directories.

       pppd_unit_file_t

       - Set files with the pppd_unit_file_t type, if you want to treat the
       files as pppd unit content.

       pppd_var_run_t

       - Set files with the pppd_var_run_t type, if you want to store the pppd
       files under the /run or /var/run directory.

       Paths:
            /var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
            /var/run/pppd[0-9]*.tdb

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

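       As an added example (not the manual page's or the policy's own tooling),
       the following shell functions apply the default file-context specs
       listed in MANAGED FILES and STANDARD FILE CONTEXT to a path and report
       the pppd type it should carry, so a mislabeled file can be spotted
       before restorecon is run. The ranking rule (longest literal stem first,
       then a spec without regex metacharacters) is this example's assumed
       approximation of libselinux's most-specific-match ordering, and reading
       the on-disk context through GNU stat's %C format is likewise assumed.

```shell
# Added example: which pppd file type do the default specs above give a path?
# Ranking (assumed, approximating libselinux): longest literal stem wins, and
# among equal stems a spec without regex metacharacters beats one with them.

# Anchored regex and file type, copied from the sections above.
pppd_file_context_specs() {
    cat <<'EOF'
/etc/ppp(/.*)? pppd_etc_rw_t
/etc/ppp/resolv.conf pppd_etc_rw_t
/etc/ppp pppd_etc_t
/usr/sbin/pppd pppd_exec_t
/etc/ppp/(auth|ip(v6|x)?)-(up|down) pppd_initrc_exec_t
/var/lock/ppp(/.*)? pppd_lock_t
/var/log/ppp(/.*)? pppd_log_t
/var/log/ppp-connect-errors.* pppd_log_t
/var/run/(i)?ppp.*pid[^/]* pppd_var_run_t
/var/run/ppp(/.*)? pppd_var_run_t
/var/run/pppd[0-9]*.tdb pppd_var_run_t
EOF
}

# Literal prefix of a spec, cut at the first regex metacharacter.
spec_stem() {
    printf '%s' "$1" | sed 's/[?.^$*+|[(){\\].*$//'
}

# expected_pppd_type PATH: print the type the specs assign, or "none".
expected_pppd_type() {
    path=$1
    match=$(pppd_file_context_specs | while read -r re type; do
        printf '%s\n' "$path" | grep -Eq "^${re}\$" || continue
        stem=$(spec_stem "$re")
        if [ "$stem" = "$re" ]; then meta=0; else meta=1; fi
        printf '%s %s %s\n' "${#stem}" "$meta" "$type"   # rank key, then type
    done | sort -k1,1nr -k2,2n | head -n 1 | awk '{ print $3 }')
    printf '%s\n' "${match:-none}"
}

# compare_with_disk PATH: on an SELinux host, show the expected type next to
# the one on disk (third field of the context printed by GNU stat's %C).
compare_with_disk() {
    expected=$(expected_pppd_type "$1")
    if [ -e "$1" ] && command -v getenforce >/dev/null 2>&1; then
        actual=$(stat -c %C "$1" 2>/dev/null | cut -d: -f3)
        printf '%s expected=%s on_disk=%s\n' "$1" "$expected" "${actual:-unknown}"
    else
        printf '%s expected=%s\n' "$1" "$expected"
    fi
}
```

       For instance, compare_with_disk /etc/ppp/ip-up reports
       pppd_initrc_exec_t rather than pppd_etc_rw_t, because the script spec
       has the longer stem /etc/ppp/ and therefore outranks /etc/ppp(/.*)?.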

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



pppd                               19-12-02                    pppd_selinux(8)