pppd_selinux(8)              SELinux Policy pppd              pppd_selinux(8)

NAME
       pppd_selinux - Security Enhanced Linux Policy for the pppd processes

DESCRIPTION
       Security-Enhanced Linux secures the pppd processes via flexible
       mandatory access control.

       The pppd processes execute with the pppd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep pppd_t

ENTRYPOINTS
       The pppd_t SELinux type can be entered via the pppd_exec_t file type.

       The default entrypoint paths for the pppd_t domain are the following:

       /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server,
       /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pppd policy is very flexible, allowing users to set up their pppd
       processes in as secure a method as possible.

       The following process types are defined for pppd:

       pppd_t

       Note: semanage permissive -a pppd_t can be used to make the process
       type pppd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS
       SELinux policy is customizable based on least access required. pppd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run pppd with the tightest access possible.

       If you want to allow pppd to load kernel modules for certain modems,
       you must turn on the pppd_can_insmod boolean. Disabled by default.

       setsebool -P pppd_can_insmod 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

MANAGED FILES
       The SELinux process type pppd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       pppd_etc_rw_t

            /etc/ppp(/.*)?
            /etc/ppp/peers(/.*)?
            /etc/ppp/resolv.conf

       pppd_lock_t

            /var/lock/ppp(/.*)?

       pppd_log_t

            /var/log/ppp(/.*)?
            /var/log/ppp-connect-errors.*

       pppd_var_run_t

            /var/run/(i)?ppp.*pid[^/]*
            /var/run/ppp(/.*)?
            /var/run/pppd[0-9]*.tdb

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       wtmp_t

            /var/log/wtmp.*

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pppd policy is very flexible, allowing users to set up their
       pppd processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       pppd policy stores data with multiple different file context types
       under the /var/log/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/log/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       pppd policy stores data with multiple different file context types
       under the /var/run/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/run/ppp /srv/ppp
       restorecon -R -v /srv/ppp

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pppd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
       restorecon -R -v /srv/mypppd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

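       As an added example (not part of this man page or of the SELinux
       project's code), the following Python models how the labeling rules in
       EQUIVALENCE DIRECTORIES and STANDARD FILE CONTEXT resolve a path: the
       equivalence mapping rewrites the /srv/ppp prefix to /var/run/ppp first,
       then the most specific matching regex wins, with the local entry added
       by semanage fcontext -a -t overriding base policy. The spec list is a
       constructed subset of the pppd file contexts listed on this page, and
       the sort is an approximation of fc_sort, not the libselinux
       implementation.

```python
import re

# Constructed subset of the pppd file-context specs listed in this man page,
# as (regex, type) pairs, in the order they would appear in file_contexts.
BASE_SPECS = [
    ("/etc/ppp(/.*)?", "pppd_etc_rw_t"),
    ("/etc/ppp", "pppd_etc_t"),
    ("/etc/ppp/(auth|ip(v6|x)?)-(up|down)", "pppd_initrc_exec_t"),
    ("/usr/sbin/pppd", "pppd_exec_t"),
    ("/var/log/ppp(/.*)?", "pppd_log_t"),
    ("/var/run/(i)?ppp.*pid[^/]*", "pppd_var_run_t"),
    ("/var/run/ppp(/.*)?", "pppd_var_run_t"),
    ("/var/run/pppd[0-9]*.tdb", "pppd_var_run_t"),
]
# Entry added by: semanage fcontext -a -t pppd_var_run_t '/srv/mypppd_content(/.*)?'
LOCAL_SPECS = [("/srv/mypppd_content(/.*)?", "pppd_var_run_t")]
# Equivalence added by: semanage fcontext -a -e /var/run/ppp /srv/ppp
# (alias, target): paths under the alias are looked up as if under the target.
SUBS = [("/srv/ppp", "/var/run/ppp")]

META = re.compile(r"[.\[\]()*?+|^$\\{}]")

def stem(regex):
    """Literal path prefix before the first regex metacharacter."""
    m = META.search(regex)
    return regex if m is None else regex[: m.start()]

def sort_specs(specs):
    """Approximation of fc_sort: longer stems, then literal entries, sort later,
    so the last matching entry is the most specific one."""
    return sorted(specs, key=lambda s: (len(stem(s[0])), META.search(s[0]) is None, len(s[0])))

def apply_subs(path):
    """Rewrite an equivalence alias prefix to its target before lookup."""
    for alias, target in SUBS:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path

def matchpath(path):
    """Return the file type a path would be labeled with, or None if unmatched."""
    path = apply_subs(path)
    specs = sort_specs(BASE_SPECS) + LOCAL_SPECS  # local entries override base policy
    for regex, ftype in reversed(specs):  # last match wins, as in libselinux lookup
        if re.fullmatch(regex, path):
            return ftype
    return None
```

       On a real system, matchpathcon(8) or "semanage fcontext -l" gives the
       authoritative answer for a path.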
       The following file types are defined for pppd:

       pppd_etc_rw_t

       - Set files with the pppd_etc_rw_t type, if you want to treat the files
       as pppd etc read/write content.

       Paths:
            /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf

       pppd_etc_t

       - Set files with the pppd_etc_t type, if you want to store pppd files
       in the /etc directories.

       Paths:
            /root/.ppprc, /etc/ppp

       pppd_exec_t

       - Set files with the pppd_exec_t type, if you want to transition an
       executable to the pppd_t domain.

       Paths:
            /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd,
            /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

       pppd_initrc_exec_t

       - Set files with the pppd_initrc_exec_t type, if you want to transition
       an executable to the pppd_initrc_t domain.

       Paths:
            /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp

       pppd_lock_t

       - Set files with the pppd_lock_t type, if you want to treat the files
       as pppd lock data, stored under the /var/lock directory.

       pppd_log_t

       - Set files with the pppd_log_t type, if you want to treat the data as
       pppd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*

       pppd_secret_t

       - Set files with the pppd_secret_t type, if you want to treat the files
       as pppd secret data.

       pppd_tmp_t

       - Set files with the pppd_tmp_t type, if you want to store pppd
       temporary files in the /tmp directories.

       pppd_unit_file_t

       - Set files with the pppd_unit_file_t type, if you want to treat the
       files as pppd unit content.

       pppd_var_run_t

       - Set files with the pppd_var_run_t type, if you want to store the pppd
       files under the /run or /var/run directory.

       Paths:
            /var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
            /var/run/pppd[0-9]*.tdb

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)

pppd                              20-05-05                     pppd_selinux(8)