239db5e2 | 1 | |
# SELinux reference-policy module for the NetworkManager daemon and its
# wpa_cli helper.  Two domains are declared below: NetworkManager_t (the
# daemon, entered from init) and wpa_cli_t (a system domain that exchanges
# unix datagrams with the daemon and shares socket files in the daemon's
# tmp and pid directories).
c1262146 | 2 | policy_module(networkmanager, 1.12.2) |
239db5e2 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
# Daemon domain plus its entry-point executable type; init_daemon_domain
# provides the init -> NetworkManager_t transition when the binary runs.
9 | type NetworkManager_t; | |
10 | type NetworkManager_exec_t; | |
0bfccda4 | 11 | init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) |
239db5e2 | 12 | |
# Init script type for the service.
48f64563 CP |
13 | type NetworkManager_initrc_exec_t; |
14 | init_script_file(NetworkManager_initrc_exec_t) | |
15 | ||
# Log file type; the daemon creates files of this type under the generic
# log directory (see the logging_log_filetrans rule below).
ae338637 CP |
16 | type NetworkManager_log_t; |
17 | logging_log_file(NetworkManager_log_t) | |
18 | ||
# Temporary socket files shared with wpa_cli_t; note that wpa_cli_t is the
# side that creates them (see the wpa_cli local policy), the daemon only
# reads and writes them.
52ceaaac CP |
19 | type NetworkManager_tmp_t; |
20 | files_tmp_file(NetworkManager_tmp_t) | |
21 | ||
# Runtime state (pid files, dirs and sockets) under the pid directory.
239db5e2 CP |
22 | type NetworkManager_var_run_t; |
23 | files_pid_file(NetworkManager_var_run_t) | |
24 | ||
# wpa_cli helper domain and its entry-point type; init_system_domain makes
# it a system domain that init can run.
fd49feff CP |
25 | type wpa_cli_t; |
26 | type wpa_cli_exec_t; | |
27 | init_system_domain(wpa_cli_t, wpa_cli_exec_t) | |
28 | ||
239db5e2 CP |
29 | ######################################## |
30 | # | |
31 | # Local policy | |
32 | # | |
33 | ||
5dbda555 CP |
34 | # networkmanager will ptrace itself if gdb is installed |
35 | # and it receives an unexpected signal (rh bug #204161) | |
# NOTE(review): dac_override, net_admin and net_raw are broad capabilities
# (they bypass DAC file checks and allow arbitrary interface/raw-socket
# operations); keep this set to what the daemon demonstrably needs.
4416c416 | 36 | allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; |
# sys_ptrace is silenced rather than granted: the self-ptrace case from the
# comment above is handled by the self:process ptrace permission below.
8708d9be | 37 | dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; |
9af48eef | 38 | allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; |
# Self sockets: unix datagram/stream, netlink route (interface and routing
# table changes), TCP, UDP and packet sockets.
c0868a7a | 39 | allow NetworkManager_t self:fifo_file rw_fifo_file_perms; |
8cf67141 | 40 | allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; |
239db5e2 | 41 | allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; |
95501942 | 42 | allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; |
239db5e2 CP |
43 | allow NetworkManager_t self:tcp_socket create_stream_socket_perms; |
44 | allow NetworkManager_t self:udp_socket create_socket_perms; | |
45 | allow NetworkManager_t self:packet_socket create_socket_perms; | |
239db5e2 | 46 | |
# Daemon -> wpa_cli datagram direction; the reverse direction is granted in
# the wpa_cli local policy section.
fd49feff CP |
47 | allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; |
48 | ||
# The daemon may re-execute its own binary without a domain change.
72f82c47 CP |
49 | can_exec(NetworkManager_t, NetworkManager_exec_t) |
50 | ||
# Log files: full management plus automatic labelling of new files created
# in the log directory.
52ceaaac CP |
51 | manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) |
52 | logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) | |
53 | ||
# Tmp socket files: read/write only; creation is done by wpa_cli_t.
fd49feff CP |
54 | rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) |
55 | files_search_tmp(NetworkManager_t) | |
52ceaaac | 56 | |
# Pid directory: manage dirs, files and sockets, with automatic labelling
# for all three object classes.
0bfccda4 CP |
57 | manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) |
58 | manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) | |
59 | manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) | |
3f67f722 | 60 | files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) |
239db5e2 CP |
61 | |
# Kernel state: /proc system and network state, kernel sysctls.
62 | kernel_read_system_state(NetworkManager_t) | |
63 | kernel_read_network_state(NetworkManager_t) | |
445522dc | 64 | kernel_read_kernel_sysctls(NetworkManager_t) |
# NOTE(review): direct module loading is a high-privilege grant; the
# modutils_domtrans_insmod rule below already covers loading via insmod.
239db5e2 CP |
65 | kernel_load_module(NetworkManager_t) |
66 | ||
# Network access.  Receive from unlabeled and NetLabel peers on any
# interface/node; send and receive TCP/UDP/raw on generic interfaces and
# nodes; TCP/UDP on all ports.
19006686 CP |
67 | corenet_all_recvfrom_unlabeled(NetworkManager_t) |
68 | corenet_all_recvfrom_netlabel(NetworkManager_t) | |
668b3093 CP |
69 | corenet_tcp_sendrecv_generic_if(NetworkManager_t) |
70 | corenet_udp_sendrecv_generic_if(NetworkManager_t) | |
71 | corenet_raw_sendrecv_generic_if(NetworkManager_t) | |
c1262146 CP |
72 | corenet_tcp_sendrecv_generic_node(NetworkManager_t) |
73 | corenet_udp_sendrecv_generic_node(NetworkManager_t) | |
74 | corenet_raw_sendrecv_generic_node(NetworkManager_t) | |
# NOTE(review): the *_all_ports grants (here and tcp_connect_all_ports
# below) are broad; a named port set would limit exposure if the daemon's
# actual port needs are known.
239db5e2 CP |
75 | corenet_tcp_sendrecv_all_ports(NetworkManager_t) |
76 | corenet_udp_sendrecv_all_ports(NetworkManager_t) | |
# Binding is narrower: generic node, and only the isakmp and dhcpc UDP ports.
c1262146 | 77 | corenet_udp_bind_generic_node(NetworkManager_t) |
239db5e2 CP |
78 | corenet_udp_bind_isakmp_port(NetworkManager_t) |
79 | corenet_udp_bind_dhcpc_port(NetworkManager_t) | |
141cffdd CP |
80 | corenet_tcp_connect_all_ports(NetworkManager_t) |
# Labeled packet (secmark) permissions for isakmp, dhcpc and client traffic.
81 | corenet_sendrecv_isakmp_server_packets(NetworkManager_t) | |
82 | corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) | |
83 | corenet_sendrecv_all_client_packets(NetworkManager_t) | |
239db5e2 CP |
84 | |
# Devices: sysfs (read only) and the random devices.
85 | dev_read_sysfs(NetworkManager_t) | |
86 | dev_read_rand(NetworkManager_t) | |
87 | dev_read_urand(NetworkManager_t) | |
88 | ||
89 | fs_getattr_all_fs(NetworkManager_t) | |
90 | fs_search_auto_mountpoints(NetworkManager_t) | |
91 | ||
# MLS: read files at all sensitivity levels (only relevant on MLS policies).
f8233ab7 | 92 | mls_file_read_all_levels(NetworkManager_t) |
239db5e2 | 93 | |
d828b5ca CP |
94 | selinux_dontaudit_search_fs(NetworkManager_t) |
95 | ||
# Runs shell and generic bin executables (dispatcher scripts and helpers
# presumably; no domain transition is declared here).
239db5e2 CP |
96 | corecmd_exec_shell(NetworkManager_t) |
97 | corecmd_exec_bin(NetworkManager_t) | |
239db5e2 | 98 | |
15722ec9 | 99 | domain_use_interactive_fds(NetworkManager_t) |
# Reads process state of confined domains; the wider all-domains read is
# silenced rather than granted.
239db5e2 | 100 | domain_read_confined_domains_state(NetworkManager_t) |
8708d9be | 101 | domain_dontaudit_read_all_domains_state(NetworkManager_t) |
239db5e2 CP |
102 | |
103 | files_read_etc_files(NetworkManager_t) | |
104 | files_read_etc_runtime_files(NetworkManager_t) | |
105 | files_read_usr_files(NetworkManager_t) | |
106 | ||
68228b33 | 107 | init_read_utmp(NetworkManager_t) |
# Executing init scripts transitions into the init script domain.
239db5e2 CP |
108 | init_domtrans_script(NetworkManager_t) |
109 | ||
239db5e2 CP |
110 | logging_send_syslog_msg(NetworkManager_t) |
111 | ||
112 | miscfiles_read_localization(NetworkManager_t) | |
123a990b | 113 | miscfiles_read_certs(NetworkManager_t) |
239db5e2 CP |
114 | |
# Module loading through insmod runs in the insmod domain.
115 | modutils_domtrans_insmod(NetworkManager_t) | |
116 | ||
117 | seutil_read_config(NetworkManager_t) | |
118 | ||
# Network configuration helpers: ifconfig and the DHCP client run in their
# own domains; the daemon signals dhcpc and handles its pid file.
119 | sysnet_domtrans_ifconfig(NetworkManager_t) | |
120 | sysnet_domtrans_dhcpc(NetworkManager_t) | |
121 | sysnet_signal_dhcpc(NetworkManager_t) | |
d828b5ca CP |
122 | sysnet_read_dhcpc_pid(NetworkManager_t) |
123 | sysnet_delete_dhcpc_pid(NetworkManager_t) | |
124 | sysnet_search_dhcp_state(NetworkManager_t) | |
239db5e2 CP |
125 | # Network config files NetworkManager creates in /etc are labelled net_conf_t. |
126 | sysnet_manage_config(NetworkManager_t) | |
103fe280 | 127 | sysnet_etc_filetrans_config(NetworkManager_t) |
239db5e2 | 128 | |
15722ec9 | 129 | userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) |
296273a7 | 130 | userdom_dontaudit_use_user_ttys(NetworkManager_t) |
# NOTE(review): the grant below covers all user home content files, not
# only the keyring named in the comment.
350b6ab7 | 131 | # Read gnome-keyring |
296273a7 | 132 | userdom_read_user_home_content_files(NetworkManager_t) |
e9c6cda7 | 133 | |
# Each optional_policy block applies only when the named module is present.
# bind: run named, manage its cache and signal it.
bb7170f6 | 134 | optional_policy(` |
6f81e1d3 CP |
135 | bind_domtrans(NetworkManager_t) |
136 | bind_manage_cache(NetworkManager_t) | |
137 | bind_signal(NetworkManager_t) | |
138 | ') | |
139 | ||
bb7170f6 | 140 | optional_policy(` |
296273a7 | 141 | bluetooth_dontaudit_read_helper_state(NetworkManager_t) |
9c4fcf66 DM |
142 | ') |
143 | ||
bb7170f6 | 144 | optional_policy(` |
239db5e2 CP |
145 | consoletype_exec(NetworkManager_t) |
146 | ') | |
147 | ||
# dbus: system bus client plus direct connection to the bus socket.
bb7170f6 | 148 | optional_policy(` |
296273a7 | 149 | dbus_system_bus_client(NetworkManager_t) |
d828b5ca | 150 | dbus_connect_system_bus(NetworkManager_t) |
d828b5ca CP |
151 | ') |
152 | ||
bb7170f6 | 153 | optional_policy(` |
d828b5ca CP |
154 | howl_signal(NetworkManager_t) |
155 | ') | |
156 | ||
bb7170f6 | 157 | optional_policy(` |
239db5e2 CP |
158 | nis_use_ypbind(NetworkManager_t) |
159 | ') | |
160 | ||
bb7170f6 | 161 | optional_policy(` |
1815bad1 | 162 | nscd_socket_use(NetworkManager_t) |
8cfa5a00 | 163 | nscd_signal(NetworkManager_t) |
239db5e2 CP |
164 | ') |
165 | ||
# VPN helpers (openvpn, ppp, vpn): domain transition plus signalling.
72f82c47 CP |
166 | optional_policy(` |
167 | openvpn_domtrans(NetworkManager_t) | |
168 | openvpn_signal(NetworkManager_t) | |
169 | ') | |
170 | ||
2dbd3824 CP |
171 | optional_policy(` |
172 | ppp_domtrans(NetworkManager_t) | |
8708d9be | 173 | ppp_read_pid_files(NetworkManager_t) |
693d4aed | 174 | ppp_signal(NetworkManager_t) |
2dbd3824 CP |
175 | ') |
176 | ||
bb7170f6 | 177 | optional_policy(` |
239db5e2 CP |
178 | seutil_sigchld_newrole(NetworkManager_t) |
179 | ') | |
180 | ||
bb7170f6 | 181 | optional_policy(` |
239db5e2 CP |
182 | udev_read_db(NetworkManager_t) |
183 | ') | |
184 | ||
bb7170f6 | 185 | optional_policy(` |
239db5e2 | 186 | vpn_domtrans(NetworkManager_t) |
a77e6524 | 187 | vpn_signal(NetworkManager_t) |
239db5e2 | 188 | ') |
fd49feff CP |
189 | |
190 | ######################################## | |
191 | # | |
192 | # wpa_cli local policy | |
193 | # | |
296273a7 | 194 | |
# The helper only needs dac_override and unix datagram sockets of its own.
fd49feff CP |
195 | allow wpa_cli_t self:capability dac_override; |
196 | allow wpa_cli_t self:unix_dgram_socket create_socket_perms; | |
197 | ||
# wpa_cli -> daemon datagram direction (pairs with the daemon-side rule).
198 | allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; | |
199 | ||
# wpa_cli creates the socket files in the daemon's tmp type; new sockets
# created in /tmp get that label automatically.
200 | manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t) | |
201 | files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) | |
202 | ||
# Pid directory: list only, plus read/write of the daemon's sockets there.
203 | list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) | |
204 | rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) | |
205 | ||
206 | init_dontaudit_use_fds(wpa_cli_t) | |
207 | init_use_script_ptys(wpa_cli_t) | |
208 | ||
fd49feff CP |
209 | miscfiles_read_localization(wpa_cli_t) |
210 | ||
211 | term_dontaudit_use_console(wpa_cli_t) |