[people/stevee/selinux-policy.git] / policy / modules / services / networkmanager.te


policy_module(networkmanager, 1.12.2)

########################################
#
# Declarations
#

type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)

type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)

type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)

type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)

type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)

type wpa_cli_t;
type wpa_cli_exec_t;
init_system_domain(wpa_cli_t, wpa_cli_exec_t)

########################################
#
# Local policy
#

# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161) 
allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;

allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;

can_exec(NetworkManager_t, NetworkManager_exec_t)

manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)

rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_search_tmp(NetworkManager_t)

manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })

kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)

corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
corenet_raw_sendrecv_generic_if(NetworkManager_t)
corenet_tcp_sendrecv_generic_node(NetworkManager_t)
corenet_udp_sendrecv_generic_node(NetworkManager_t)
corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
corenet_udp_bind_isakmp_port(NetworkManager_t)
corenet_udp_bind_dhcpc_port(NetworkManager_t)
corenet_tcp_connect_all_ports(NetworkManager_t)
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)

dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)

fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)

mls_file_read_all_levels(NetworkManager_t)

selinux_dontaudit_search_fs(NetworkManager_t)

corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)

domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
domain_dontaudit_read_all_domains_state(NetworkManager_t)

files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)

init_read_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)

logging_send_syslog_msg(NetworkManager_t)

miscfiles_read_localization(NetworkManager_t)
miscfiles_read_certs(NetworkManager_t)

modutils_domtrans_insmod(NetworkManager_t)

seutil_read_config(NetworkManager_t)

sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)

userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_user_home_content_files(NetworkManager_t)

optional_policy(`
	bind_domtrans(NetworkManager_t)
	bind_manage_cache(NetworkManager_t)
	bind_signal(NetworkManager_t)
')

optional_policy(`
	bluetooth_dontaudit_read_helper_state(NetworkManager_t)
')

optional_policy(`
	consoletype_exec(NetworkManager_t)
')

optional_policy(`
	dbus_system_bus_client(NetworkManager_t)
	dbus_connect_system_bus(NetworkManager_t)
')

optional_policy(`
	howl_signal(NetworkManager_t)
')

optional_policy(`
	nis_use_ypbind(NetworkManager_t)
')

optional_policy(`
	nscd_socket_use(NetworkManager_t)
	nscd_signal(NetworkManager_t)
')

optional_policy(`
	openvpn_domtrans(NetworkManager_t)
	openvpn_signal(NetworkManager_t)
')

optional_policy(`
	ppp_domtrans(NetworkManager_t)
	ppp_read_pid_files(NetworkManager_t)
	ppp_signal(NetworkManager_t)
')

optional_policy(`
	seutil_sigchld_newrole(NetworkManager_t)
')

optional_policy(`
	udev_read_db(NetworkManager_t)
')

optional_policy(`
	vpn_domtrans(NetworkManager_t)
	vpn_signal(NetworkManager_t)
')

########################################
#
# wpa_cli local policy
#

allow wpa_cli_t self:capability dac_override;
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;

allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;

manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)

list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)

miscfiles_read_localization(wpa_cli_t)

term_dontaudit_use_console(wpa_cli_t)
Commit	Line	Data
239db5e2	1
c1262146	2	policy_module(networkmanager, 1.12.2)
239db5e2 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type NetworkManager_t;
	10	type NetworkManager_exec_t;
0bfccda4	11	init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
239db5e2	12
48f64563 CP	13	type NetworkManager_initrc_exec_t;
	14	init_script_file(NetworkManager_initrc_exec_t)
	15
ae338637 CP	16	type NetworkManager_log_t;
	17	logging_log_file(NetworkManager_log_t)
	18
52ceaaac CP	19	type NetworkManager_tmp_t;
	20	files_tmp_file(NetworkManager_tmp_t)
	21
239db5e2 CP	22	type NetworkManager_var_run_t;
	23	files_pid_file(NetworkManager_var_run_t)
	24
fd49feff CP	25	type wpa_cli_t;
	26	type wpa_cli_exec_t;
	27	init_system_domain(wpa_cli_t, wpa_cli_exec_t)
	28
239db5e2 CP	29	########################################
	30	#
	31	# Local policy
	32	#
	33
5dbda555 CP	34	# networkmanager will ptrace itself if gdb is installed
5dbda555 CP	35	# and it receives a unexpected signal (rh bug #204161)
4416c416	36	allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
8708d9be	37	dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
9af48eef	38	allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
c0868a7a	39	allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
8cf67141	40	allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
239db5e2	41	allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
95501942	42	allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
239db5e2 CP	43	allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
	44	allow NetworkManager_t self:udp_socket create_socket_perms;
	45	allow NetworkManager_t self:packet_socket create_socket_perms;
239db5e2	46
fd49feff CP	47	allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
fd49feff CP	48
72f82c47 CP	49	can_exec(NetworkManager_t, NetworkManager_exec_t)
72f82c47 CP	50
52ceaaac CP	51	manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
	52	logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
	53
fd49feff CP	54	rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
fd49feff CP	55	files_search_tmp(NetworkManager_t)
52ceaaac	56
0bfccda4 CP	57	manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
	58	manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
	59	manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
3f67f722	60	files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
239db5e2 CP	61
	62	kernel_read_system_state(NetworkManager_t)
	63	kernel_read_network_state(NetworkManager_t)
445522dc	64	kernel_read_kernel_sysctls(NetworkManager_t)
239db5e2 CP	65	kernel_load_module(NetworkManager_t)
239db5e2 CP	66
19006686 CP	67	corenet_all_recvfrom_unlabeled(NetworkManager_t)
19006686 CP	68	corenet_all_recvfrom_netlabel(NetworkManager_t)
668b3093 CP	69	corenet_tcp_sendrecv_generic_if(NetworkManager_t)
	70	corenet_udp_sendrecv_generic_if(NetworkManager_t)
	71	corenet_raw_sendrecv_generic_if(NetworkManager_t)
c1262146 CP	72	corenet_tcp_sendrecv_generic_node(NetworkManager_t)
	73	corenet_udp_sendrecv_generic_node(NetworkManager_t)
	74	corenet_raw_sendrecv_generic_node(NetworkManager_t)
239db5e2 CP	75	corenet_tcp_sendrecv_all_ports(NetworkManager_t)
239db5e2 CP	76	corenet_udp_sendrecv_all_ports(NetworkManager_t)
c1262146	77	corenet_udp_bind_generic_node(NetworkManager_t)
239db5e2 CP	78	corenet_udp_bind_isakmp_port(NetworkManager_t)
239db5e2 CP	79	corenet_udp_bind_dhcpc_port(NetworkManager_t)
141cffdd CP	80	corenet_tcp_connect_all_ports(NetworkManager_t)
	81	corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
	82	corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
	83	corenet_sendrecv_all_client_packets(NetworkManager_t)
239db5e2 CP	84
	85	dev_read_sysfs(NetworkManager_t)
	86	dev_read_rand(NetworkManager_t)
	87	dev_read_urand(NetworkManager_t)
	88
	89	fs_getattr_all_fs(NetworkManager_t)
	90	fs_search_auto_mountpoints(NetworkManager_t)
	91
f8233ab7	92	mls_file_read_all_levels(NetworkManager_t)
239db5e2	93
d828b5ca CP	94	selinux_dontaudit_search_fs(NetworkManager_t)
d828b5ca CP	95
239db5e2 CP	96	corecmd_exec_shell(NetworkManager_t)
239db5e2 CP	97	corecmd_exec_bin(NetworkManager_t)
239db5e2	98
15722ec9	99	domain_use_interactive_fds(NetworkManager_t)
239db5e2	100	domain_read_confined_domains_state(NetworkManager_t)
8708d9be	101	domain_dontaudit_read_all_domains_state(NetworkManager_t)
239db5e2 CP	102
	103	files_read_etc_files(NetworkManager_t)
	104	files_read_etc_runtime_files(NetworkManager_t)
	105	files_read_usr_files(NetworkManager_t)
	106
68228b33	107	init_read_utmp(NetworkManager_t)
239db5e2 CP	108	init_domtrans_script(NetworkManager_t)
239db5e2 CP	109
239db5e2 CP	110	logging_send_syslog_msg(NetworkManager_t)
	111
	112	miscfiles_read_localization(NetworkManager_t)
123a990b	113	miscfiles_read_certs(NetworkManager_t)
239db5e2 CP	114
	115	modutils_domtrans_insmod(NetworkManager_t)
	116
	117	seutil_read_config(NetworkManager_t)
	118
	119	sysnet_domtrans_ifconfig(NetworkManager_t)
	120	sysnet_domtrans_dhcpc(NetworkManager_t)
	121	sysnet_signal_dhcpc(NetworkManager_t)
d828b5ca CP	122	sysnet_read_dhcpc_pid(NetworkManager_t)
	123	sysnet_delete_dhcpc_pid(NetworkManager_t)
	124	sysnet_search_dhcp_state(NetworkManager_t)
239db5e2 CP	125	# in /etc created by NetworkManager will be labelled net_conf_t.
239db5e2 CP	126	sysnet_manage_config(NetworkManager_t)
103fe280	127	sysnet_etc_filetrans_config(NetworkManager_t)
239db5e2	128
15722ec9	129	userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
296273a7	130	userdom_dontaudit_use_user_ttys(NetworkManager_t)
350b6ab7	131	# Read gnome-keyring
296273a7	132	userdom_read_user_home_content_files(NetworkManager_t)
e9c6cda7	133
bb7170f6	134	optional_policy(`
6f81e1d3 CP	135	bind_domtrans(NetworkManager_t)
	136	bind_manage_cache(NetworkManager_t)
	137	bind_signal(NetworkManager_t)
	138	')
	139
bb7170f6	140	optional_policy(`
296273a7	141	bluetooth_dontaudit_read_helper_state(NetworkManager_t)
9c4fcf66 DM	142	')
9c4fcf66 DM	143
bb7170f6	144	optional_policy(`
239db5e2 CP	145	consoletype_exec(NetworkManager_t)
	146	')
	147
bb7170f6	148	optional_policy(`
296273a7	149	dbus_system_bus_client(NetworkManager_t)
d828b5ca	150	dbus_connect_system_bus(NetworkManager_t)
d828b5ca CP	151	')
d828b5ca CP	152
bb7170f6	153	optional_policy(`
d828b5ca CP	154	howl_signal(NetworkManager_t)
	155	')
	156
bb7170f6	157	optional_policy(`
239db5e2 CP	158	nis_use_ypbind(NetworkManager_t)
	159	')
	160
bb7170f6	161	optional_policy(`
1815bad1	162	nscd_socket_use(NetworkManager_t)
8cfa5a00	163	nscd_signal(NetworkManager_t)
239db5e2 CP	164	')
239db5e2 CP	165
72f82c47 CP	166	optional_policy(`
	167	openvpn_domtrans(NetworkManager_t)
	168	openvpn_signal(NetworkManager_t)
	169	')
	170
2dbd3824 CP	171	optional_policy(`
2dbd3824 CP	172	ppp_domtrans(NetworkManager_t)
8708d9be	173	ppp_read_pid_files(NetworkManager_t)
693d4aed	174	ppp_signal(NetworkManager_t)
2dbd3824 CP	175	')
2dbd3824 CP	176
bb7170f6	177	optional_policy(`
239db5e2 CP	178	seutil_sigchld_newrole(NetworkManager_t)
	179	')
	180
bb7170f6	181	optional_policy(`
239db5e2 CP	182	udev_read_db(NetworkManager_t)
	183	')
	184
bb7170f6	185	optional_policy(`
239db5e2	186	vpn_domtrans(NetworkManager_t)
a77e6524	187	vpn_signal(NetworkManager_t)
239db5e2	188	')
fd49feff CP	189
	190	########################################
	191	#
	192	# wpa_cli local policy
	193	#
296273a7	194
fd49feff CP	195	allow wpa_cli_t self:capability dac_override;
	196	allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
	197
	198	allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
	199
	200	manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
	201	files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
	202
	203	list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
	204	rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
	205
	206	init_dontaudit_use_fds(wpa_cli_t)
	207	init_use_script_ptys(wpa_cli_t)
	208
fd49feff CP	209	miscfiles_read_localization(wpa_cli_t)
	210
	211	term_dontaudit_use_console(wpa_cli_t)