pppd_selinux(8)               SELinux Policy pppd              pppd_selinux(8)


NAME

       pppd_selinux - Security Enhanced Linux Policy for the pppd processes


DESCRIPTION

       Security-Enhanced Linux confines the pppd processes with mandatory
       access control: the loaded policy, not the owner of the process,
       decides which files, sockets and kernel facilities pppd may use.

       The pppd processes execute with the pppd_t SELinux type. You can check
       whether these processes are running, and in which domain, by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep pppd_t

       A pppd that shows up under another type (for example unconfined_t) is
       not confined by this policy at all; check the label of the binary it
       was started from with ls -Z.



ENTRYPOINTS

       The pppd_t SELinux type can be entered via the pppd_exec_t file type.

       The default entrypoint paths for the pppd_t domain are the following:

       /usr/sbin/pppd, /sbin/ppp-watch,  /usr/sbin/ipppd,  /sbin/pppoe-server,
       /usr/sbin/ppp-watch, /usr/sbin/pppoe-server

       A copy of pppd installed at any other path is not labeled pppd_exec_t,
       so it does not transition into pppd_t and runs in the caller's domain
       until you add a file context for it (see STANDARD FILE CONTEXT below).


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pppd policy is flexible, allowing users to set up their pppd processes
       with the least access they need.

       The following process types are defined for pppd:

       pppd_t

       Note: semanage permissive -a pppd_t can be used to make the process
       type pppd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. Treat a permissive pppd_t as a debugging aid, not a fix:
       collect the denials, correct the labels or booleans they point at, and
       return the domain to enforcing with semanage permissive -d pppd_t.


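The two checks the text above asks for, confirming that pppd really runs in pppd_t and turning AVC records into something a label or boolean fix can be matched against, written out as an added shell example (not part of the sepolicy-generated page). The ps and audit lines it parses are constructed for illustration; on a live host the same functions take the output of `ps -eZ` and `ausearch -m avc`.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: two offline triage helpers for
# the pppd_t domain.
#   unconfined_pppd  - list pppd processes whose domain is not pppd_t. A pppd started from
#                      a binary that is not labeled pppd_exec_t stays in the caller's domain
#                      and gets none of this policy's confinement.
#   avc_summary      - condense AVC records from pppd_t into "mode class permission target",
#                      so each denial can be matched to the boolean or label fix it needs
#                      (module_request -> pppd_can_insmod; a var_log_t target under
#                      /var/log/ppp -> restorecon), and so permissive-mode noise is visible.
# The ps and audit lines below are constructed for illustration; on a live host feed in
# `ps -eZ` and `ausearch -m avc -ts recent` instead.

PS_SAMPLE='system_u:system_r:pppd_t:s0                     1021 ?        00:00:00 pppd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  1077 pts/0    00:00:00 pppd
system_u:system_r:kernel_t:s0                             2 ?        00:00:00 kthreadd'

AVC_SAMPLE='type=AVC msg=audit(1700000000.101:301): avc:  denied  { module_request } for  pid=1021 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { write } for  pid=1021 comm="pppd" name="ppp" dev="dm-0" ino=4242 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { create } for  pid=1021 comm="pppd" name="ppp0.log" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:304): avc:  denied  { read } for  pid=1300 comm="NetworkManager" name="chap-secrets" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_secret_t:s0 tclass=file permissive=0'

# unconfined_pppd PS_OUTPUT: print "PID TYPE" for each pppd whose context type is not pppd_t.
unconfined_pppd() {
    printf '%s\n' "$1" | awk '$NF == "pppd" {
        split($1, ctx, ":")               # user:role:type[:range]
        if (ctx[3] != "pppd_t") print $2, ctx[3]
    }'
}

# avc_summary AUDIT_LINES: one "mode tclass permission target_type" line per denied
# permission whose scontext type is pppd_t, counted with uniq -c. Records from other
# source domains are dropped so the output reflects only what this policy decided.
avc_summary() {
    printf '%s\n' "$1" | awk '/^type=AVC / {
        s = index($0, "{ "); e = index($0, " }")
        perms = substr($0, s + 2, e - s - 2)   # text between the braces, e.g. "read open"
        src = ""; tgt = ""; cls = ""; mode = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)     cls = substr($i, 8)
            else if ($i ~ /^permissive=/) mode = (substr($i, 12) == "1") ? "permissive" : "enforced"
        }
        if (src != "pppd_t") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print mode, cls, p[j], tgt
    }' | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed samples.
echo "pppd processes outside pppd_t:"; unconfined_pppd "$PS_SAMPLE"
echo "denials attributed to pppd_t:";  avc_summary "$AVC_SAMPLE"
```

The "permissive" column is what distinguishes a denial that blocked pppd from one merely logged after semanage permissive -a pppd_t; a var_log_t target for a write under /var/log/ppp points at a labeling problem (restorecon -R -v /var/log/ppp), while module_request on the kernel points at the pppd_can_insmod boolean.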

BOOLEANS

       SELinux policy is customizable based on least access required. pppd
       policy has several booleans that let you widen or narrow what pppd_t
       may do without writing policy; leave each one at its default unless a
       concrete denial shows it is needed.

       If you want to allow pppd to load kernel modules for certain modems,
       you must turn on the pppd_can_insmod boolean. Disabled by default. This
       lets a network-facing daemon request kernel modules, so keep it off
       unless a modem or PPP compression driver really has to be loaded on
       demand.

       setsebool -P pppd_can_insmod 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       The -P flag writes the value into the policy store so that it survives
       a reboot; without it the change applies to the running kernel only.
       getsebool pppd_can_insmod shows the current value of a boolean.



MANAGED FILES

       The SELinux process type pppd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions;
       SELinux only adds a second check, it never grants what DAC denies.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       pppd_etc_rw_t

            /etc/ppp(/.*)?
            /etc/ppp/peers(/.*)?
            /etc/ppp/resolv.conf

       pppd_lock_t

            /var/lock/ppp(/.*)?

       pppd_log_t

            /var/log/ppp(/.*)?
            /var/log/ppp-connect-errors.*

       pppd_tmp_t

            (no default path; assigned to files pppd creates in /tmp)

       pppd_var_run_t

            /var/run/(i)?ppp.*pid[^/]*
            /var/run/ppp(/.*)?
            /var/run/pppd[0-9]*.tdb

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       wtmp_t

            /var/log/wtmp.*



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pppd policy is flexible, allowing users to set up their pppd
       processes with the least access they need.

       EQUIVALENCE DIRECTORIES

       pppd policy stores data with multiple different file context types
       under the /var/log/ppp directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping, which labels the new tree exactly as the original
       one without repeating every per-type rule. If you wanted to store this
       data under the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/ppp /srv/ppp/log
       restorecon -R -v /srv/ppp/log

       pppd policy stores data with multiple different file context types
       under the /var/run/ppp directory. The same mechanism applies; give
       each source directory its own target, since one path cannot be
       equivalent to two different sources at once:

       semanage fcontext -a -e /var/run/ppp /srv/ppp/run
       restorecon -R -v /srv/ppp/run

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pppd. If you want to store
       files with these types in a different path, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk. For example, to keep pppd logs under
       /srv/pppd/log with the pppd_log_t type:

       semanage fcontext -a -t pppd_log_t '/srv/pppd/log(/.*)?'
       restorecon -R -v /srv/pppd/log

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expression is anchored at both ends, and
       it must be quoted so that the shell does not expand it.
       The following file types are defined for pppd:


       pppd_etc_rw_t

       - Set files with the pppd_etc_rw_t type, if you want to treat the files
       as pppd etc read/write content.

       Paths:
            /etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv.conf


       pppd_etc_t

       - Set files with the pppd_etc_t type, if you want to store pppd files
       in the /etc directories.

       Paths:
            /root/.ppprc, /etc/ppp


       pppd_exec_t

       - Set files with the pppd_exec_t type, if you want to transition an
       executable to the pppd_t domain.

       Paths:
            /usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd,
            /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server


       pppd_initrc_exec_t

       - Set files with the pppd_initrc_exec_t type, if you want to transition
       an executable to the pppd_initrc_t domain.

       Paths:
            /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp


       pppd_lock_t

       - Set files with the pppd_lock_t type, if you want to treat the files
       as pppd lock data, stored under the /var/lock directory.


       pppd_log_t

       - Set files with the pppd_log_t type, if you want to treat the data as
       pppd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*


       pppd_secret_t

       - Set files with the pppd_secret_t type, if you want to treat the files
       as pppd secret data.


       pppd_tmp_t

       - Set files with the pppd_tmp_t type, if you want to store pppd
       temporary files in the /tmp directories.


       pppd_unit_file_t

       - Set files with the pppd_unit_file_t type, if you want to treat the
       files as pppd unit content.


       pppd_var_run_t

       - Set files with the pppd_var_run_t type, if you want to store the pppd
       files under the /run or /var/run directory.

       Paths:
            /var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?,
            /var/run/pppd[0-9]*.tdb


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


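How restorecon arrives at one of these types from the regex table, and what an equivalence mapping from the EQUIVALENCE DIRECTORIES section changes about that lookup, as an added shell example that is neither the page's nor the SELinux project's own code. It models only the pppd entries listed on this page; the file-type flags on the two /etc/ppp entries and the /srv/ppp/{log,run} equivalences are assumptions made for the demonstration, and real labeling is done by libselinux (see matchpathcon(8)), which also consults the object's kind and the full file_contexts database.

```shell
#!/bin/sh
# Added example, not the page's or the SELinux project's own code: a minimal model of how
# file-context regexes and equivalence mappings decide a file's type, built from the pppd
# entries listed on this page. Real labeling is done by libselinux (see matchpathcon(8));
# this toy reproduces two rules a practitioner needs in order to predict restorecon's result:
#   1. every regex is anchored at both ends, and the LAST matching entry wins, which is
#      why the more specific entries are placed later in the table;
#   2. an equivalence mapping (semanage fcontext -e) rewrites the path prefix before the
#      lookup, so no per-type rule has to be duplicated for the new location.
# The optional third column models the file-type flag real entries carry (-d: directory
# only, --: regular file only); the flags on the /etc/ppp entries are assumptions here.

# Constructed table, "regex type [flag]", last match wins.
PPPD_FC='/etc/ppp pppd_etc_t -d
/etc/ppp(/.*)? pppd_etc_rw_t --
/etc/ppp/peers(/.*)? pppd_etc_rw_t
/etc/ppp/resolv.conf pppd_etc_rw_t
/etc/ppp/(auth|ip(v6|x)?)-(up|down) pppd_initrc_exec_t
/usr/sbin/pppd pppd_exec_t
/usr/sbin/pppoe-server pppd_exec_t
/var/lock/ppp(/.*)? pppd_lock_t
/var/log/ppp(/.*)? pppd_log_t
/var/log/ppp-connect-errors.* pppd_log_t
/var/run/(i)?ppp.*pid[^/]* pppd_var_run_t
/var/run/ppp(/.*)? pppd_var_run_t
/var/run/pppd[0-9]*.tdb pppd_var_run_t'

# Constructed equivalences, "alias canonical", as created by (assumed targets)
#   semanage fcontext -a -e /var/log/ppp /srv/ppp/log
#   semanage fcontext -a -e /var/run/ppp /srv/ppp/run
PPPD_EQUIV='/srv/ppp/log /var/log/ppp
/srv/ppp/run /var/run/ppp'

# label_for PATH [d|f]: type of the last entry whose anchored regex matches PATH and
# whose flag (if any) fits the object kind (d = directory, f = regular file; default f).
label_for() {
    printf '%s\n' "$PPPD_FC" | awk -v p="$1" -v k="${2:-f}" '
        {
            re = "^" $1 "$"
            if (p !~ re) next
            if (NF >= 3 && $3 == "-d" && k != "d") next
            if (NF >= 3 && $3 == "--" && k != "f") next
            hit = $2                       # later matches overwrite earlier ones
        }
        END { if (hit == "") hit = "<<none>>"; print hit }'
}

# resolve_equiv PATH: rewrite an aliased prefix to its canonical one, else return PATH as is.
resolve_equiv() {
    printf '%s\n' "$PPPD_EQUIV" | awk -v p="$1" '
        p == $1 || index(p, $1 "/") == 1 { print $2 substr(p, length($1) + 1); done = 1; exit }
        END { if (!done) print p }'
}

# label_for_equiv PATH [d|f]: what restorecon would apply once the equivalence is in place.
label_for_equiv() {
    label_for "$(resolve_equiv "$1")" "$2"
}

# Stand-alone demo: a path under /srv gets pppd_log_t only through the equivalence,
# never through the per-type regexes, which is why restorecon must follow semanage.
for p in /usr/sbin/pppd /etc/ppp/peers/provider /var/run/ppp0.pid /srv/ppp/log/today.log; do
    printf '%-28s plain=%-18s equiv=%s\n' "$p" "$(label_for "$p")" "$(label_for_equiv "$p")"
done
```

The directory/file flag is the detail that trips people up with /etc/ppp: the directory itself resolves to pppd_etc_t while a file inside it resolves to pppd_etc_rw_t, so chcon experiments on one do not predict the other. When a path resolves to none of the expected types, that is the case for a semanage fcontext -a -t rule as shown under STANDARD FILE CONTEXT.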

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



pppd                               23-12-15                    pppd_selinux(8)