[selinux-policy: 2604/3172] PPP patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:51:33 UTC 2010


commit 38db49c545da9adbf29a24f35d58556eab132a8b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Apr 5 14:38:30 2010 -0400

    PPP patch from Dan Walsh.

 policy/modules/services/ppp.fc |    2 ++
 policy/modules/services/ppp.if |    6 +++++-
 policy/modules/services/ppp.te |    7 +++++--
 3 files changed, 12 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 5886bd4..2d82c6d 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -11,6 +11,8 @@
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
+/root/.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)
+
 #
 # /sbin
 #
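Review bot: The dot in the new `/root/.ppprc` entry is unescaped, and since file-context paths are regular expressions it matches any character in that position; the entry should read `/root/\.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)`. The path is also hard-coded to root's home, so a `~/.ppprc` belonging to any other user who invokes pppd keeps its default home-file type. A file-context entry is only applied on relabel, so whether a newly created file gets `pppd_etc_t` depends on a type transition that this hunk does not show. A short comment above the entry stating both limits would help the next maintainer.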
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 821f3bc..3657795 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -182,6 +182,10 @@ interface(`ppp_run',`
 	ppp_domtrans($1)
 	role $2 types pppd_t;
 	role $2 types pptp_t;
+
+	optional_policy(`
+		ddclient_run(pppd_t, $2)
+	')
 ')
 
 ########################################
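Review bot: The `ddclient_run(pppd_t, $2)` call added to `ppp_run` widens what every caller of this interface hands out. Besides the pppd transition, the role passed as `$2` is presumably now also authorized for the ddclient domain; the definition of `ddclient_run` is not on this page, so confirm this. The interface's `## <summary>`/`<desc>` block starts above the hunk and is not updated here, so callers reviewing role grants will not see the extra domain. I would document it there and add a comment at the call, e.g. `# pppd may start ddclient (TODO confirm: from ip-up scripts); this also authorizes role $2 for the ddclient domain`.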
@@ -336,7 +340,7 @@ interface(`ppp_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an ppp environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 8fa30e6..82a7677 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp, 1.11.1)
+policy_module(ppp, 1.11.2)
 
 ########################################
 #
@@ -73,7 +73,7 @@ files_pid_file(pptp_var_run_t)
 
 allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process signal;
+allow pppd_t self:process { getsched signal };
 allow pppd_t self:fifo_file rw_fifo_file_perms;
 allow pppd_t self:socket create_socket_perms;
 allow pppd_t self:unix_dgram_socket create_socket_perms;
@@ -125,6 +125,7 @@ kernel_request_load_module(pppd_t)
 dev_read_urand(pppd_t)
 dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
 
 corenet_all_recvfrom_unlabeled(pppd_t)
 corenet_all_recvfrom_netlabel(pppd_t)
@@ -168,6 +169,7 @@ init_signal_script(pppd_t)
 auth_use_nsswitch(pppd_t)
 
 logging_send_syslog_msg(pppd_t)
+logging_send_audit_msgs(pppd_t)
 
 miscfiles_read_localization(pppd_t)
 
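Review bot: `logging_send_audit_msgs(pppd_t)` is added unconditionally and without a comment, yet it is the most audit-relevant grant in this commit. In the reference policy this interface is expected to give the domain `audit_write` and relay access on the audit netlink socket; its definition is not on this page, so verify. That lets a network-facing daemon, which already holds `net_admin` and `dac_override` per the capability line earlier in this file, emit user-space audit records. A compromised pppd could therefore add misleading entries to the audit trail. The reason should be stated next to the rule, e.g. `# pppd authenticates through PAM, which logs to audit (TODO confirm against the AVC that motivated this)`.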
@@ -289,6 +291,7 @@ sysnet_exec_ifconfig(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 userdom_dontaudit_search_user_home_dirs(pptp_t)
+userdom_signal_unpriv_users(pptp_t)
 
 optional_policy(`
 	consoletype_exec(pppd_t)

