diff --git a/portslave.fc b/portslave.fc
index f3fc42d..22ca4a5 100644
--- a/portslave.fc
+++ b/portslave.fc
@@ -2,3 +2,5 @@
/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
+/var/lock/subsys/portslave -- gen_context(system_u:object_r:portslave_lock_t,s0)
diff --git a/portslave.if b/portslave.if
index b53ff77..c2919e2 100644
--- a/portslave.if
+++ b/portslave.if
@@ -1,4 +1,4 @@
-## Portslave terminal server software
+## Portslave terminal server software.
########################################
##
@@ -15,5 +15,6 @@ interface(`portslave_domtrans',`
type portslave_t, portslave_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, portslave_exec_t, portslave_t)
')
diff --git a/portslave.te b/portslave.te
index 69c331e..9aac49d 100644
--- a/portslave.te
+++ b/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.7.0)
+policy_module(portslave, 1.7.1)
########################################
#
@@ -21,29 +21,23 @@ files_lock_file(portslave_lock_t)
# Local policy
#
-# setuid setgid net_admin fsetid for pppd
-# sys_admin for ctlportslave
-# net_bind_service for rlogin
allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_fifo_file_perms;
-allow portslave_t self:unix_dgram_socket create_socket_perms;
-allow portslave_t self:unix_stream_socket create_stream_socket_perms;
allow portslave_t self:unix_dgram_socket sendto;
-allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:unix_stream_socket { accept connectto listen };
allow portslave_t self:shm create_shm_perms;
allow portslave_t self:sem create_sem_perms;
allow portslave_t self:msgq create_msgq_perms;
allow portslave_t self:msg { send receive };
-allow portslave_t self:tcp_socket create_stream_socket_perms;
-allow portslave_t self:udp_socket create_socket_perms;
+allow portslave_t self:tcp_socket { accept listen };
allow portslave_t portslave_etc_t:dir list_dir_perms;
-read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
-read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+allow portslave_t portslave_etc_t:file read_file_perms;
+allow portslave_t portslave_etc_t:lnk_file read_lnk_file_perms;
allow portslave_t portslave_lock_t:file manage_file_perms;
files_lock_filetrans(portslave_t, portslave_lock_t, file)
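Review bot: The three rationale comments above the `self:capability` rule are deleted while the rule and the `dontaudit portslave_t self:capability sys_admin;` line stay, so the policy no longer records why each capability is granted or why sys_admin denials are kept out of the audit log. That context matters for a least-privilege review, so I would keep it in condensed form, e.g. `# setuid setgid net_admin fsetid: pppd; net_bind_service: rlogin` above the allow and `# ctlportslave requests sys_admin` above the dontaudit. Separately, the self socket rules are narrowed to `{ accept listen }` and `{ accept connectto listen }`, the udp_socket rule is dropped, and no `create` permission remains in this hunk. Presumably socket creation now comes from interfaces such as `auth_use_nsswitch`, added further down in this file, but their bodies are not visible in this diff, so a one-line comment naming that dependency would help.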
@@ -62,15 +56,14 @@ corenet_tcp_sendrecv_generic_node(portslave_t)
corenet_udp_sendrecv_generic_node(portslave_t)
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
+
corenet_rw_ppp_dev(portslave_t)
dev_read_sysfs(portslave_t)
-# for ssh
dev_read_urand(portslave_t)
domain_use_interactive_fds(portslave_t)
-files_read_etc_files(portslave_t)
files_read_etc_runtime_files(portslave_t)
files_exec_etc_files(portslave_t)
@@ -82,24 +75,18 @@ term_setattr_unallocated_ttys(portslave_t)
term_use_all_ttys(portslave_t)
term_search_ptys(portslave_t)
-auth_rw_login_records(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
+auth_rw_login_records(portslave_t)
+auth_use_nsswitch(portslave_t)
init_rw_utmp(portslave_t)
logging_send_syslog_msg(portslave_t)
logging_search_logs(portslave_t)
-sysnet_read_config(portslave_t)
-
userdom_use_unpriv_users_fds(portslave_t)
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-userdom_search_user_home_dirs(portslave_t)
-
-mta_send_mail(portslave_t)
-# this should probably be a domtrans to pppd
-# instead of exec.
+ppp_read_home_files(portslave_t)
ppp_read_rw_config(portslave_t)
ppp_exec(portslave_t)
ppp_read_secrets(portslave_t)
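Review bot: The comment removed above `ppp_exec(portslave_t)` described an open issue that the new side still has: as the removed text indicates, pppd is executed rather than entered through a domain transition, so it runs with portslave_t's permissions. In this file those include `ppp_read_secrets` and the capabilities granted earlier. With `ppp_read_home_files(portslave_t)` the same domain now also reads the user-managed `~/.ppprc`. Unless a transition to the pppd domain is planned as a follow-up, keep the note, e.g. `# TODO: this should probably be a domtrans to pppd instead of exec`.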
@@ -113,7 +100,7 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(portslave_t)
+ mta_send_mail(portslave_t)
')
optional_policy(`
diff --git a/ppp.fc b/ppp.fc
index 2d82c6d..fc0cb2f 100644
--- a/ppp.fc
+++ b/ppp.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
+
#
# /etc
#
diff --git a/ppp.if b/ppp.if
index de4bdb7..90da6e2 100644
--- a/ppp.if
+++ b/ppp.if
@@ -2,6 +2,50 @@
########################################
##
+## Role access for ppp.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+interface(`ppp_role',`
+ gen_require(`
+ type ppp_home_t;
+ ')
+
+ allow $2 ppp_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, ppp_home_t, file, ".ppprc")
+')
+
+########################################
+##
+## Read ppp user home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_read_home_files',`
+ gen_require(`
+ type ppp_home_t;
+
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file read_file_perms;
+')
+
+########################################
+##
## Use PPP file discriptors.
##
##
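Review bot: `ppp_role` documents a role parameter, but its body only references `$2`; `$1` is never used. If that is intentional (keeping the usual two-argument role-interface signature), say so in the parameter description, e.g. `## Role allowed access (currently unused).`; otherwise a role-specific rule is missing. No call to `ppp_role` appears in this diff, so it is worth confirming that a user role actually invokes it, since the `.ppprc` named file transition only applies to domains passed to it. Minor: the `gen_require` block in `ppp_read_home_files` has a stray blank line after `type ppp_home_t;`.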
diff --git a/ppp.te b/ppp.te
index bcbf9ac..7139032 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.13.0)
+policy_module(ppp, 1.13.1)
########################################
#
@@ -69,6 +69,9 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t;
files_pid_file(pptp_var_run_t)
+type ppp_home_t;
+userdom_user_home_content(ppp_home_t)
+
########################################
#
# PPPD Local policy
@@ -91,7 +94,7 @@ domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_t:file read_file_perms;
+allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
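Review bot: The new rule gives pppd_t `read_file_perms` on `ppp_home_t` files, but nothing in the visible hunks lets pppd_t search the user home directory that holds `~/.ppprc`. `ppp_read_home_files` pairs the read with `userdom_search_user_home_dirs($1)` for exactly that reason. Check whether ppp.te already grants this to pppd_t outside the hunk; if not, add `userdom_search_user_home_dirs(pppd_t)` alongside the domain's other userdom calls. Symlinks of type ppp_home_t are not readable through this rule or through the interface, which looks intentional for a user-controlled file; a short comment such as `# no lnk_file access: ~/.ppprc must be a regular file` would keep it that way.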