Re: ppp security settings

From: Russell Coker <russell_at_coker.com.au>
Date: Fri, 25 Jan 2002 14:06:15 +1100


On Wed, 23 Jan 2002 01:00, Stephen Smalley wrote:
> On Sat, 19 Jan 2002, Russell Coker wrote:
> > I have attached a patch against the latest selinux-small for pppd
> > settings (granting access to /dev/ppp by the program /usr/sbin/pppd).
> >
> > Also I have added settings for /dev/vc/* (devfs equivalent of
> > /dev/tty[0-9]+) and /dev/pts/*.
> >
> > Also I have added dhclient to the domain dhcpc_exec_t and made
> > appropriate changes for its config files.
> >
> > Let me know if I'm doing anything stupid here.
>
> A few questions and comments:
>
> 1) I would only add pppd_t to system_r. If started by an administrator,
> it should be done via run_init, so you don't need it in sysadm_r.

Your other message regarding run_init convinced me about this.

> Do you
> really want it started by ordinary users? If not, then drop it from
> user_r in rbac and drop the user_t transition from pppd.te.

In some situations yes. If someone is running a laptop to connect to the net then they will generally want to start and stop pppd as non-root and non-sysadm_r.

I think I will put in the user_t transition in a comment.

> 2) I doubt that you really need all of the "priv*" attributes on the
> pppd_t domain - you probably just cut-and-pasted from an existing domain

Yes.

> that did need those attributes. In particular, pppd_t should have no
> reason to be associated with the "privuser", "privrole", or "privowner"
> attributes.

OK.

> 3) Your diff doesn't show the type declaration for net_device_t anywhere -
> probably in types/files.te.

In types/device.te:
type net_device_t, file_type;

> 4) I'm not familiar with dhclient, so I'm not sure whether it belongs in
> the same domain as dhcpcd.

dhclient is a dhcp client program. It does exactly the same thing as dhcpcd and (IMHO) deserves to be in the same domain.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
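To make the review points above concrete, here is a small policy fragment in the selinux-small policy language of the time: pppd_t declared in system_r only, no priv* attributes, /dev/ppp reached through net_device_t, and the user_t transition kept as a comment. This is an added example written for this archive page, not Russell's patch; pppd_exec_t, initrc_t and the exact permission sets are assumptions.

```selinux
# Added example, not the patch under discussion. Assumes the old
# selinux-small syntax; pppd_exec_t and initrc_t are assumed names.

# Domain for the pppd daemon and the type of its executable.
type pppd_t, domain;
type pppd_exec_t, file_type, exec_type;

# system_r only: an administrator starts pppd through run_init,
# so sysadm_r needs no direct authorisation for this domain.
role system_r types pppd_t;

# Entry from the init scripts: executing pppd_exec_t from initrc_t
# lands the new process in pppd_t.
allow initrc_t pppd_exec_t:file { read getattr execute };
allow pppd_t pppd_exec_t:file entrypoint;
type_transition initrc_t pppd_exec_t:process pppd_t;
allow initrc_t pppd_t:process transition;

# /dev/ppp carries net_device_t (declared in types/device.te);
# grant only the character-device access the daemon actually uses.
allow pppd_t net_device_t:chr_file { read write ioctl getattr };

# No privuser, privrole or privowner attribute on pppd_t: the daemon
# never changes its SELinux user, role, or the ownership of files.

# Optional: let ordinary users start pppd (laptop case). Left as a
# comment; enabling it also requires adding pppd_t to user_r in rbac.
# allow user_t pppd_exec_t:file { read getattr execute };
# type_transition user_t pppd_exec_t:process pppd_t;
# allow user_t pppd_t:process transition;
```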

Received on Thu 24 Jan 2002 - 22:26:22 EST
