[people/stevee/selinux-policy.git] / policy / modules / services / networkmanager.if

## <summary>Manager for dynamically switching between networks.</summary>

########################################
## <summary>
##	Read and write NetworkManager UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_udp_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:udp_socket { read write };
')

########################################
## <summary>
##	Read and write NetworkManager packet sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_packet_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:packet_socket { read write };
')

#######################################
## <summary>
## Allow caller to relabel tun_socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_attach_tun_iface',`
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')

########################################
## <summary>
##	Read and write NetworkManager netlink
##	routing sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`networkmanager_rw_routing_sockets',`
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:netlink_route_socket { read write };
')

########################################
## <summary>
##	Execute NetworkManager with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`networkmanager_domtrans',`
	gen_require(`
		type NetworkManager_t, NetworkManager_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
')

########################################
## <summary>
##	Execute NetworkManager scripts with an automatic domain transition to initrc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`networkmanager_initrc_domtrans',`
	gen_require(`
		type NetworkManager_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')

########################################
## <summary>
##	Send and receive messages from
##	NetworkManager over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_dbus_chat',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	allow $1 NetworkManager_t:dbus send_msg;
	allow NetworkManager_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	NetworkManager over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_dontaudit_dbus_chat',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	dontaudit $1 NetworkManager_t:dbus send_msg;
	dontaudit NetworkManager_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_signal',`
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:process signal;
')

########################################
## <summary>
##	Read NetworkManager lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_read_lib_files',`
	gen_require(`
		type NetworkManager_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')

########################################
## <summary>
##	Read NetworkManager PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_read_pid_files',`
	gen_require(`
		type NetworkManager_var_run_t;
	')

	files_search_pids($1)
	allow $1 NetworkManager_var_run_t:file read_file_perms;
')

########################################
## <summary>
##	Execute NetworkManager in the NetworkManager domain, and
##	allow the specified role the NetworkManager domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the NetworkManager domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`networkmanager_run',`
	gen_require(`
		type NetworkManager_t, NetworkManager_exec_t;
	')

	networkmanager_domtrans($1)
	role $2 types NetworkManager_t;
')

########################################
## <summary>
##	Allow the specified domain to append
##	to Network Manager log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_append_log',`
	gen_require(`
		type NetworkManager_log_t;
	')

	logging_search_logs($1)
	allow $1 NetworkManager_log_t:dir list_dir_perms;
	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
')
Commit	Line	Data
239db5e2	1	## <summary>Manager for dynamically switching between networks.</summary>
d828b5ca	2
6f81e1d3 CP	3	########################################
	4	## <summary>
	5	## Read and write NetworkManager UDP sockets.
	6	## </summary>
	7	## <param name="domain">
885b83ec	8	## <summary>
6f81e1d3	9	## Domain allowed access.
885b83ec	10	## </summary>
6f81e1d3 CP	11	## </param>
	12	#
	13	# cjp: added for named.
1815bad1	14	interface(`networkmanager_rw_udp_sockets',`
6f81e1d3 CP	15	gen_require(`
	16	type NetworkManager_t;
	17	')
	18
	19	allow $1 NetworkManager_t:udp_socket { read write };
	20	')
	21
	22	########################################
	23	## <summary>
	24	## Read and write NetworkManager packet sockets.
	25	## </summary>
	26	## <param name="domain">
885b83ec	27	## <summary>
6f81e1d3	28	## Domain allowed access.
885b83ec	29	## </summary>
6f81e1d3 CP	30	## </param>
	31	#
	32	# cjp: added for named.
1815bad1	33	interface(`networkmanager_rw_packet_sockets',`
6f81e1d3 CP	34	gen_require(`
	35	type NetworkManager_t;
	36	')
	37
	38	allow $1 NetworkManager_t:packet_socket { read write };
	39	')
	40
baea7b1d CP	41	#######################################
	42	## <summary>
	43	## Allow caller to relabel tun_socket
	44	## </summary>
	45	## <param name="domain">
	46	## <summary>
	47	## Domain allowed access.
	48	## </summary>
	49	## </param>
	50	#
	51	interface(`networkmanager_attach_tun_iface',`
	52	gen_require(`
	53	type NetworkManager_t;
	54	')
	55
	56	allow $1 NetworkManager_t:tun_socket relabelfrom;
	57	allow $1 self:tun_socket relabelto;
	58	')
	59
6f81e1d3 CP	60	########################################
	61	## <summary>
	62	## Read and write NetworkManager netlink
	63	## routing sockets.
	64	## </summary>
	65	## <param name="domain">
885b83ec	66	## <summary>
6f81e1d3	67	## Domain allowed access.
885b83ec	68	## </summary>
6f81e1d3 CP	69	## </param>
	70	#
	71	# cjp: added for named.
1815bad1	72	interface(`networkmanager_rw_routing_sockets',`
6f81e1d3 CP	73	gen_require(`
	74	type NetworkManager_t;
	75	')
	76
	77	allow $1 NetworkManager_t:netlink_route_socket { read write };
	78	')
	79
f7101c54 CP	80	########################################
f7101c54 CP	81	## <summary>
baea7b1d	82	## Execute NetworkManager with a domain transition.
f7101c54 CP	83	## </summary>
	84	## <param name="domain">
	85	## <summary>
288845a6	86	## Domain allowed to transition.
f7101c54 CP	87	## </summary>
	88	## </param>
	89	#
	90	interface(`networkmanager_domtrans',`
	91	gen_require(`
	92	type NetworkManager_t, NetworkManager_exec_t;
	93	')
	94
	95	corecmd_search_bin($1)
0bfccda4	96	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
f7101c54 CP	97	')
f7101c54 CP	98
baea7b1d CP	99	########################################
	100	## <summary>
	101	## Execute NetworkManager scripts with an automatic domain transition to initrc.
	102	## </summary>
	103	## <param name="domain">
	104	## <summary>
288845a6	105	## Domain allowed to transition.
baea7b1d CP	106	## </summary>
	107	## </param>
	108	#
	109	interface(`networkmanager_initrc_domtrans',`
	110	gen_require(`
	111	type NetworkManager_initrc_exec_t;
	112	')
	113
	114	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
	115	')
	116
d828b5ca CP	117	########################################
	118	## <summary>
	119	## Send and receive messages from
	120	## NetworkManager over dbus.
	121	## </summary>
	122	## <param name="domain">
885b83ec	123	## <summary>
d828b5ca	124	## Domain allowed access.
885b83ec	125	## </summary>
d828b5ca CP	126	## </param>
	127	#
	128	interface(`networkmanager_dbus_chat',`
	129	gen_require(`
	130	type NetworkManager_t;
	131	class dbus send_msg;
	132	')
	133
	134	allow $1 NetworkManager_t:dbus send_msg;
	135	allow NetworkManager_t $1:dbus send_msg;
	136	')
ae338637	137
3eaa9939 DW	138	########################################
	139	## <summary>
	140	## Send and receive messages from
	141	## NetworkManager over dbus.
	142	## </summary>
	143	## <param name="domain">
	144	## <summary>
	145	## Domain allowed access.
	146	## </summary>
	147	## </param>
	148	#
	149	interface(`networkmanager_dontaudit_dbus_chat',`
	150	gen_require(`
	151	type NetworkManager_t;
	152	class dbus send_msg;
	153	')
	154
	155	dontaudit $1 NetworkManager_t:dbus send_msg;
	156	dontaudit NetworkManager_t $1:dbus send_msg;
	157	')
	158
ae338637 CP	159	########################################
	160	## <summary>
	161	## Send a generic signal to NetworkManager
	162	## </summary>
	163	## <param name="domain">
	164	## <summary>
	165	## Domain allowed access.
	166	## </summary>
	167	## </param>
	168	#
	169	interface(`networkmanager_signal',`
	170	gen_require(`
	171	type NetworkManager_t;
	172	')
	173
	174	allow $1 NetworkManager_t:process signal;
	175	')
	176
baea7b1d CP	177	########################################
	178	## <summary>
	179	## Read NetworkManager lib files.
	180	## </summary>
	181	## <param name="domain">
	182	## <summary>
	183	## Domain allowed access.
	184	## </summary>
	185	## </param>
	186	#
	187	interface(`networkmanager_read_lib_files',`
	188	gen_require(`
	189	type NetworkManager_var_lib_t;
	190	')
	191
	192	files_search_var_lib($1)
	193	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
	194	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
	195	')
	196
ae338637 CP	197	########################################
	198	## <summary>
	199	## Read NetworkManager PID files.
	200	## </summary>
	201	## <param name="domain">
	202	## <summary>
	203	## Domain allowed access.
	204	## </summary>
	205	## </param>
	206	#
	207	interface(`networkmanager_read_pid_files',`
	208	gen_require(`
	209	type NetworkManager_var_run_t;
	210	')
	211
	212	files_search_pids($1)
	213	allow $1 NetworkManager_var_run_t:file read_file_perms;
	214	')
3eaa9939 DW	215
	216	########################################
	217	## <summary>
	218	## Execute NetworkManager in the NetworkManager domain, and
	219	## allow the specified role the NetworkManager domain.
	220	## </summary>
	221	## <param name="domain">
	222	## <summary>
	223	## Domain allowed access.
	224	## </summary>
	225	## </param>
	226	## <param name="role">
	227	## <summary>
	228	## The role to be allowed the NetworkManager domain.
	229	## </summary>
	230	## </param>
	231	## <rolecap/>
	232	#
	233	interface(`networkmanager_run',`
	234	gen_require(`
	235	type NetworkManager_t, NetworkManager_exec_t;
	236	')
	237
	238	networkmanager_domtrans($1)
	239	role $2 types NetworkManager_t;
	240	')
	241
	242	########################################
	243	## <summary>
	244	## Allow the specified domain to append
	245	## to Network Manager log files.
	246	## </summary>
	247	## <param name="domain">
	248	## <summary>
	249	## Domain allowed access.
	250	## </summary>
	251	## </param>
	252	#
	253	interface(`networkmanager_append_log',`
	254	gen_require(`
	255	type NetworkManager_log_t;
	256	')
	257
	258	logging_search_logs($1)
	259	allow $1 NetworkManager_log_t:dir list_dir_perms;
	260	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
	261	')