## Manager for dynamically switching between networks. ######################################## ## ## Read and write NetworkManager UDP sockets. ## ## ## ## Domain allowed access. ## ## # # cjp: added for named. interface(`networkmanager_rw_udp_sockets',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:udp_socket { read write }; ') ######################################## ## ## Read and write NetworkManager packet sockets. ## ## ## ## Domain allowed access. ## ## # # cjp: added for named. interface(`networkmanager_rw_packet_sockets',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:packet_socket { read write }; ') ####################################### ## ## Allow caller to relabel tun_socket ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_attach_tun_iface',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:tun_socket relabelfrom; allow $1 self:tun_socket relabelto; ') ######################################## ## ## Read and write NetworkManager netlink ## routing sockets. ## ## ## ## Domain allowed access. ## ## # # cjp: added for named. interface(`networkmanager_rw_routing_sockets',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:netlink_route_socket { read write }; ') ######################################## ## ## Read networkmanager unnamed pipes ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_read_pipes',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Execute NetworkManager with a domain transition. ## ## ## ## Domain allowed to transition. ## ## # interface(`networkmanager_domtrans',` gen_require(` type NetworkManager_t, NetworkManager_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) ') ####################################### ## ## Execute NetworkManager scripts with an automatic domain transition to initrc. ## ## ## ## Domain allowed to transition. ## ## # interface(`networkmanager_initrc_domtrans',` gen_require(` type NetworkManager_initrc_exec_t; ') init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`networkmanager_systemctl',` gen_require(` type NetworkManager_unit_file_t; type NetworkManager_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 NetworkManager_unit_file_t:file read_file_perms; allow $1 NetworkManager_unit_file_t:service manage_service_perms; ps_process_pattern($1, NetworkManager_t) ') ######################################## ## ## Send and receive messages from ## NetworkManager over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_dbus_chat',` gen_require(` type NetworkManager_t; class dbus send_msg; ') allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') ####################################### ## ## Read metworkmanager process state files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_read_state',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:dir search_dir_perms; allow $1 NetworkManager_t:file read_file_perms; allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Do not audit attempts to send and ## receive messages from NetworkManager ## over dbus. ## ## ## ## Domain to not audit. ## ## # interface(`networkmanager_dontaudit_dbus_chat',` gen_require(` type NetworkManager_t; class dbus send_msg; ') dontaudit $1 NetworkManager_t:dbus send_msg; dontaudit NetworkManager_t $1:dbus send_msg; ') ######################################## ## ## Send a generic signal to NetworkManager ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_signal',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process signal; ') ######################################## ## ## Create, read, and write ## networkmanager library files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_manage_lib_files',` gen_require(` type NetworkManager_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; ') ######################################## ## ## Read networkmanager lib files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_read_lib_files',` gen_require(` type NetworkManager_var_lib_t; ') files_search_var_lib($1) list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; ') ####################################### ## ## Write NetworkManager rw conf files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_write_rw_conf',` gen_require(` type NetworkManager_etc_t; type NetworkManager_etc_rw_t; ') allow $1 NetworkManager_etc_t:dir list_dir_perms; create_files_pattern($1, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) write_files_pattern($1, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) ') ####################################### ## ## Read NetworkManager conf files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_read_conf',` gen_require(` type NetworkManager_etc_t; type NetworkManager_etc_rw_t; ') allow $1 NetworkManager_etc_t:dir list_dir_perms; read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t) ') ######################################## ## ## Read NetworkManager PID files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_read_pid_files',` gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) list_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## ## ## Manage NetworkManager PID files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_manage_pid_files',` gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) allow $1 NetworkManager_var_run_t:file map; ') ######################################## ## ## Manage NetworkManager PID sock files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_manage_pid_sock_files',` gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## ## ## Watch NetworkManager PID directories. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_watch_pid_dirs',` gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) watch_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## ## ## Create objects in /etc with a private ## type using a type_transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Private file type. ## ## ## ## ## Object classes to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`networkmanager_pid_filetrans',` gen_require(` type NetworkManager_var_run_t; ') filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4) ') #################################### ## ## Connect to networkmanager over ## a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_stream_connect',` gen_require(` type NetworkManager_t, NetworkManager_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ') ######################################## ## ## Delete NetworkManager PID files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_delete_pid_files',` gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## ## ## Execute NetworkManager in the NetworkManager domain, and ## allow the specified role the NetworkManager domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`networkmanager_run',` gen_require(` type NetworkManager_t, NetworkManager_exec_t; ') networkmanager_domtrans($1) role $2 types NetworkManager_t; ') ######################################## ## ## Allow the specified domain to append ## to Network Manager log files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_append_log',` gen_require(` type NetworkManager_log_t; ') logging_search_logs($1) allow $1 NetworkManager_log_t:dir list_dir_perms; append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) allow $1 NetworkManager_log_t:file map; ') ####################################### ## ## Allow the specified domain to manage ## to Network Manager lib files. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_manage_lib',` gen_require(` type NetworkManager_var_lib_t; ') manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; ') ####################################### ## ## Read the process state (/proc/pid) of NetworkManager. ## ## ## ## Domain allowed access. ## ## # interface(`NetworkManager_read_state',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:dir search_dir_perms; allow $1 NetworkManager_t:file read_file_perms; allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ') ####################################### ## ## Send to NetworkManager with a unix dgram socket. ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_dgram_send',` gen_require(` type NetworkManager_t, NetworkManager_var_run_t; ') files_search_pids($1) dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ') ######################################## ## ## Send sigchld to networkmanager. ## ## ## ## Domain allowed access. ## ## # # interface(`networkmanager_sigchld',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process sigchld; ') ######################################## ## ## Send signull to networkmanager. ## ## ## ## Domain allowed access. ## ## # # interface(`networkmanager_signull',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process signull; ') ######################################## ## ## Send sigkill to networkmanager. ## ## ## ## Domain allowed access. ## ## # # interface(`networkmanager_sigkill',` gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process sigkill; ') ######################################## ## ## Transition to networkmanager named content ## ## ## ## Domain allowed access. ## ## # interface(`networkmanager_filetrans_named_content',` gen_require(` type NetworkManager_var_run_t; type NetworkManager_var_lib_t; ') files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd") files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') # ######################################## ## ## Create a set of derived types for various ## NetworkManager-dispatcher plugins ## ## ## ## The name to be used for deriving type names. ## ## # template(`networkmanager_dispatcher_plugin_template',` gen_require(` attribute networkmanager_dispatcher_plugin, networkmanager_dispatcher_script; type NetworkManager_dispatcher_t; ') type NetworkManager_dispatcher_$1_t, networkmanager_dispatcher_plugin; type NetworkManager_dispatcher_$1_script_t, networkmanager_dispatcher_script; application_domain(NetworkManager_dispatcher_$1_t, NetworkManager_dispatcher_$1_script_t) role system_r types NetworkManager_dispatcher_$1_t; domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t) ')