|
Chris PeBenito |
ab58ad |
#DESC NetworkManager -
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Authors: Dan Walsh <dwalsh@redhat.com>
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#################################
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Rules for the NetworkManager_t domain.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# NetworkManager_t is the domain for the NetworkManager daemon.
|
|
Chris PeBenito |
ab58ad |
# NetworkManager_exec_t is the type of the NetworkManager executable.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
can_network(NetworkManager_t)
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t dhcpc_t:process signal;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
can_ypbind(NetworkManager_t)
|
|
Chris PeBenito |
ab58ad |
uses_shlib(NetworkManager_t)
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:process { setcap getsched };
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:packet_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Communicate with Caching Name Server
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
ifdef(`named.te', `
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t named_zone_t:dir search;
|
|
Chris PeBenito |
ab58ad |
rw_dir_create_file(NetworkManager_t, named_cache_t)
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
|
|
Chris PeBenito |
ab58ad |
allow named_t NetworkManager_t:udp_socket { read write };
|
|
Chris PeBenito |
ab58ad |
allow named_t NetworkManager_t:netlink_route_socket { read write };
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t named_t:process signal;
|
|
Chris PeBenito |
ab58ad |
allow named_t NetworkManager_t:packet_socket { read write };
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t selinux_config_t:dir search;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t selinux_config_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`dbusd.te', `
|
|
Chris PeBenito |
ab58ad |
dbusd_client(system, NetworkManager)
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
ifdef(`hald.te', `
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t hald_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
allow hald_t NetworkManager_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t initrc_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
allow initrc_t NetworkManager_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
ifdef(`targeted_policy', `
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t unconfined_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
allow unconfined_t NetworkManager_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t userdomain:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
allow userdomain NetworkManager_t:dbus send_msg;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t usr_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`ifconfig.te', `
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
')dnl end if def ifconfig
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { sbin_t bin_t }:dir search;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t bin_t:lnk_file read;
|
|
Chris PeBenito |
ab58ad |
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# in /etc created by NetworkManager will be labelled net_conf_t.
|
|
Chris PeBenito |
ab58ad |
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t proc_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
r_dir_file(NetworkManager_t, proc_net_t)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { domain -unrestricted }:dir search;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
dontaudit NetworkManager_t unrestricted:dir search;
|
|
Chris PeBenito |
ab58ad |
dontaudit NetworkManager_t unrestricted:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t howl_t:process signal;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t initrc_var_run_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
|
|
Chris PeBenito |
ab58ad |
# allow vpnc connections
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t self:rawip_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
|
|
Chris PeBenito |
ab58ad |
ifdef(`vpnc.te', `
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`dhcpc.te', `
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t dhcp_state_t:dir search;
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
allow NetworkManager_t var_lib_t:dir search;
|
|
Chris PeBenito |
ab58ad |
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
|
|
Chris PeBenito |
ab58ad |
dontaudit NetworkManager_t security_t:dir search;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`consoletype.te', `
|
|
Chris PeBenito |
ab58ad |
can_exec(NetworkManager_t, consoletype_exec_t)
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|