Networkmanager patch from Dan Walsh.
parent
d5932a6ac4
commit
baea7b1dc6
@ -1,12 +1,26 @@
|
||||
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
||||
|
||||
/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
||||
|
||||
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
||||
|
||||
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
||||
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
||||
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
||||
|
||||
/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
||||
|
||||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
|
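Review bot: The new entry `/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)` has no `?` after the group, so the dispatcher.d directory itself never matches this line and only its children are labelled; every other directory entry in this hunk (`/var/lib/wicd(/.*)?`, `/var/run/NetworkManager(/.*)?`) uses `(/.*)?`. If leaving the directory under its parent's label is intentional, a one-line comment above the entry saying so would stop the next reader from "fixing" it; otherwise the group should gain the `?`. The entry `/usr/libexec/nm-dispatcher.action` also leaves the dot unescaped, unlike `/etc/rc\.d/init\.d/wicd` and `/var/run/NetworkManager\.pid` in the same hunk, so `/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)` is the conventional form. The old/new markers are lost on this page; that all of these lines are additions is inferred from the hunk header showing no deletions.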
@ -38,6 +38,25 @@ interface(`networkmanager_rw_packet_sockets',`
|
||||
allow $1 NetworkManager_t:packet_socket { read write };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow caller to relabel tun_socket
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`networkmanager_attach_tun_iface',`
|
||||
gen_require(`
|
||||
type NetworkManager_t;
|
||||
')
|
||||
|
||||
allow $1 NetworkManager_t:tun_socket relabelfrom;
|
||||
allow $1 self:tun_socket relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write NetworkManager netlink
|
||||
@ -77,6 +96,24 @@ interface(`networkmanager_domtrans',`
|
||||
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute NetworkManager scripts with an automatic domain transition to initrc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`networkmanager_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type NetworkManager_initrc_exec_t;
|
||||
')
|
||||
|
||||
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
@ -116,6 +153,26 @@ interface(`networkmanager_signal',`
|
||||
allow $1 NetworkManager_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read NetworkManager lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`networkmanager_read_lib_files',`
|
||||
gen_require(`
|
||||
type NetworkManager_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read NetworkManager PID files.
|
||||
|
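Review bot: The summary of the new `networkmanager_attach_tun_iface` interface, "Allow caller to relabel tun_socket", does not describe what its two rules actually grant: `relabelfrom` on NetworkManager_t's tun_socket plus `relabelto` on the caller's own, which together let the caller move a tun socket created by NetworkManager into its own context. A summary along the lines of `## Allow the caller to take ownership of a tun socket created by NetworkManager by relabeling it from NetworkManager_t to the caller's domain.` would let a policy author judge which domains should be given this. It is also worth noting in that summary that the `relabelto` is granted on `self`, i.e. on the caller, since the interface name suggests only NetworkManager's objects are touched. The other two new interfaces in this section (`networkmanager_initrc_domtrans`, `networkmanager_read_lib_files`) are documented consistently with their bodies.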
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager, 1.13.0)
|
||||
policy_module(networkmanager, 1.13.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,6 +19,9 @@ logging_log_file(NetworkManager_log_t)
|
||||
type NetworkManager_tmp_t;
|
||||
files_tmp_file(NetworkManager_tmp_t)
|
||||
|
||||
type NetworkManager_var_lib_t;
|
||||
files_type(NetworkManager_var_lib_t)
|
||||
|
||||
type NetworkManager_var_run_t;
|
||||
files_pid_file(NetworkManager_var_run_t)
|
||||
|
||||
@ -33,14 +36,16 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
# and it receives a unexpected signal (rh bug #204161)
|
||||
allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
|
||||
allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
|
||||
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
||||
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
|
||||
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
|
||||
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
|
||||
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
|
||||
allow NetworkManager_t self:udp_socket create_socket_perms;
|
||||
allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||
|
||||
@ -51,8 +56,13 @@ can_exec(NetworkManager_t, NetworkManager_exec_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
|
||||
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
|
||||
|
||||
rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
files_search_tmp(NetworkManager_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
||||
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
||||
files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
@ -62,7 +72,9 @@ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
kernel_request_load_module(NetworkManager_t)
|
||||
kernel_read_debugfs(NetworkManager_t)
|
||||
kernel_rw_net_sysctls(NetworkManager_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
@ -81,13 +93,18 @@ corenet_tcp_connect_all_ports(NetworkManager_t)
|
||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||
corenet_rw_tun_tap_dev(NetworkManager_t)
|
||||
corenet_getattr_ppp_dev(NetworkManager_t)
|
||||
|
||||
dev_read_sysfs(NetworkManager_t)
|
||||
dev_read_rand(NetworkManager_t)
|
||||
dev_read_urand(NetworkManager_t)
|
||||
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
||||
dev_getattr_all_chr_files(NetworkManager_t)
|
||||
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
fs_list_inotifyfs(NetworkManager_t)
|
||||
|
||||
mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
@ -98,15 +115,20 @@ corecmd_exec_bin(NetworkManager_t)
|
||||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
domain_dontaudit_read_all_domains_state(NetworkManager_t)
|
||||
|
||||
files_read_etc_files(NetworkManager_t)
|
||||
files_read_etc_runtime_files(NetworkManager_t)
|
||||
files_read_usr_files(NetworkManager_t)
|
||||
files_read_usr_src_files(NetworkManager_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(NetworkManager_t)
|
||||
|
||||
init_read_utmp(NetworkManager_t)
|
||||
init_dontaudit_write_utmp(NetworkManager_t)
|
||||
init_domtrans_script(NetworkManager_t)
|
||||
|
||||
auth_use_nsswitch(NetworkManager_t)
|
||||
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
|
||||
miscfiles_read_localization(NetworkManager_t)
|
||||
@ -131,10 +153,19 @@ userdom_dontaudit_use_user_ttys(NetworkManager_t)
|
||||
# Read gnome-keyring
|
||||
userdom_read_user_home_content_files(NetworkManager_t)
|
||||
|
||||
optional_policy(`
|
||||
avahi_domtrans(NetworkManager_t)
|
||||
avahi_kill(NetworkManager_t)
|
||||
avahi_signal(NetworkManager_t)
|
||||
avahi_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bind_domtrans(NetworkManager_t)
|
||||
bind_manage_cache(NetworkManager_t)
|
||||
bind_kill(NetworkManager_t)
|
||||
bind_signal(NetworkManager_t)
|
||||
bind_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -146,8 +177,25 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(NetworkManager_t)
|
||||
dbus_connect_system_bus(NetworkManager_t)
|
||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(NetworkManager_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dnsmasq_read_pid_files(NetworkManager_t)
|
||||
dnsmasq_delete_pid_files(NetworkManager_t)
|
||||
dnsmasq_domtrans(NetworkManager_t)
|
||||
dnsmasq_initrc_domtrans(NetworkManager_t)
|
||||
dnsmasq_kill(NetworkManager_t)
|
||||
dnsmasq_signal(NetworkManager_t)
|
||||
dnsmasq_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_write_log(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -155,23 +203,51 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(NetworkManager_t)
|
||||
iptables_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(NetworkManager_t)
|
||||
nscd_domtrans(NetworkManager_t)
|
||||
nscd_signal(NetworkManager_t)
|
||||
nscd_signull(NetworkManager_t)
|
||||
nscd_kill(NetworkManager_t)
|
||||
nscd_initrc_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# Dispatcher starting and stoping ntp
|
||||
ntp_initrc_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
openvpn_domtrans(NetworkManager_t)
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
openvpn_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(NetworkManager_t)
|
||||
policykit_domtrans_auth(NetworkManager_t)
|
||||
policykit_read_lib(NetworkManager_t)
|
||||
policykit_read_reload(NetworkManager_t)
|
||||
userdom_read_all_users_state(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_initrc_domtrans(NetworkManager_t)
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
ppp_manage_pid_files(NetworkManager_t)
|
||||
ppp_kill(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
ppp_signull(NetworkManager_t)
|
||||
ppp_read_config(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_exec(NetworkManager_t)
|
||||
rpm_read_db(NetworkManager_t)
|
||||
rpm_dontaudit_manage_db(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -179,12 +255,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_exec(NetworkManager_t)
|
||||
udev_read_db(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vpn_domtrans(NetworkManager_t)
|
||||
vpn_kill(NetworkManager_t)
|
||||
vpn_signal(NetworkManager_t)
|
||||
vpn_signull(NetworkManager_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
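Review bot: In the `@ -33,14 +36,16 @@` hunk the new self:capability line adds `sys_ptrace` to the allow set while the following line, `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };`, still dontaudits the same capability, and the comment just above (`networkmanager will ptrace itself if gdb is installed` / `rh bug #204161`) documents that ptrace as a crash-time convenience rather than a functional need. An allow and a dontaudit on the same permission leave the allow in effect, so the dontaudit is now dead and NetworkManager_t gains CAP_SYS_PTRACE for real. Unless the new dispatcher or settings code demonstrably needs it, drop `sys_ptrace` from the allow line and keep the dontaudit; if it is needed, remove it from the dontaudit and update the comment so the two lines no longer contradict each other. Which of the two capability lines is old and which is new is inferred from the page printing both versions in sequence without markers; the same applies to the paired `self:process` lines below them.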