239db5e2 | 1 | ## <summary>Manager for dynamically switching between networks.</summary> |
d828b5ca | 2 | |
########################################
## <summary>
##	Read and write NetworkManager UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_udp_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	# Only read/write on UDP sockets already labeled NetworkManager_t;
	# bind, connect, setopt and ioctl are deliberately not granted here.
	allow $1 NetworkManager_t:udp_socket { read write };
')
21 | ||
########################################
## <summary>
##	Read and write NetworkManager packet sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_packet_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	# Read/write only on packet sockets NetworkManager already owns;
	# the caller gains no permission to create or bind its own.
	allow $1 NetworkManager_t:packet_socket { read write };
')
40 | ||
########################################
## <summary>
##	Allow the caller to relabel a NetworkManager tun socket
##	to its own domain (take over a NetworkManager-attached
##	tun interface).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_attach_tun_iface',`
	gen_require(`
		type NetworkManager_t;
	')

	# relabelfrom on NetworkManager_t plus relabelto on the caller's own
	# type is exactly the pair needed to change the socket's label from
	# NetworkManager_t to $1; no other tun_socket permissions are granted.
	allow $1 NetworkManager_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')
59 | ||
########################################
## <summary>
##	Read and write NetworkManager netlink
##	routing sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_routing_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	# Read/write on NetworkManager's existing netlink route sockets only;
	# creating or binding a netlink_route_socket is not granted here.
	allow $1 NetworkManager_t:netlink_route_socket { read write };
')
79 | ||
########################################
## <summary>
##	Execute NetworkManager with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`networkmanager_domtrans',`
	gen_require(`
		type NetworkManager_t, NetworkManager_exec_t;
	')

	# Search on bin directories so the executable path can be resolved.
	corecmd_search_bin($1)
	# Automatic transition $1 -> NetworkManager_t on execution of
	# NetworkManager_exec_t; the caller does not get NetworkManager_t's
	# permissions itself.
	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
')
98 | ||
########################################
## <summary>
##	Execute NetworkManager scripts with an automatic domain transition to initrc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`networkmanager_initrc_domtrans',`
	gen_require(`
		type NetworkManager_initrc_exec_t;
	')

	# Transition is into the init script domain, not NetworkManager_t;
	# use networkmanager_domtrans for the daemon itself.
	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')
116 | ||
########################################
## <summary>
##	Send and receive messages from
##	NetworkManager over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_dbus_chat',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message NetworkManager and
	# NetworkManager may message the caller (replies and signals).
	allow $1 NetworkManager_t:dbus send_msg;
	allow NetworkManager_t $1:dbus send_msg;
')
ae338637 | 137 | |
########################################
## <summary>
##	Do not audit attempts to send and receive
##	messages from NetworkManager over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`networkmanager_dontaudit_dbus_chat',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	# Grants nothing; only suppresses the AVC denial records in both
	# directions. Use networkmanager_dbus_chat when access is required.
	dontaudit $1 NetworkManager_t:dbus send_msg;
	dontaudit NetworkManager_t $1:dbus send_msg;
')
158 | ||
########################################
## <summary>
##	Send a generic signal to NetworkManager.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_signal',`
	gen_require(`
		type NetworkManager_t;
	')

	# Only the generic `signal' permission; sigkill, sigstop, sigchld and
	# signull are separate permissions and are not granted here.
	allow $1 NetworkManager_t:process signal;
')
176 | ||
########################################
## <summary>
##	Read NetworkManager lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_read_lib_files',`
	gen_require(`
		type NetworkManager_var_lib_t;
	')

	# Search of /var/lib, then list + read only (no write) on the
	# NetworkManager_var_lib_t directory tree and its files.
	files_search_var_lib($1)
	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
196 | ||
########################################
## <summary>
##	Read NetworkManager PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_read_pid_files',`
	gen_require(`
		type NetworkManager_var_run_t;
	')

	# Search of the pid directory, then file-level read only; no
	# permission on NetworkManager_var_run_t directories is granted here.
	files_search_pids($1)
	allow $1 NetworkManager_var_run_t:file read_file_perms;
')
3eaa9939 DW |
215 | |
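########################################
## <summary>
##	Execute NetworkManager in the NetworkManager domain, and
##	allow the specified role the NetworkManager domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the NetworkManager domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`networkmanager_run',`
	gen_require(`
		type NetworkManager_t;
	')

	# The transition rules (and the NetworkManager_exec_t requirement)
	# come from networkmanager_domtrans; only NetworkManager_t is used
	# directly here, for the role authorisation below.
	networkmanager_domtrans($1)
	role $2 types NetworkManager_t;
')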
241 | ||
########################################
## <summary>
##	Allow the specified domain to append
##	to NetworkManager log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_append_log',`
	gen_require(`
		type NetworkManager_log_t;
	')

	# Search of /var/log and listing of the log directory, then append
	# only (not write) on the log files, so existing log content cannot
	# be overwritten or truncated through this interface.
	logging_search_logs($1)
	allow $1 NetworkManager_log_t:dir list_dir_perms;
	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
')