#DESC NetworkManager -
#
# Authors:  Dan Walsh
#
#################################
#
# Rules for the NetworkManager_t domain.
#
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
#
# Review notes (defensive reading of this policy):
#  - The domain holds several high-impact capabilities (sys_module,
#    net_admin, net_raw, dac_override) and may run generic bin_t/sbin_t
#    programs and shells in its own domain, so every rule added here widens
#    what a compromised NetworkManager process can reach.  Keep additions
#    minimal and prefer a dedicated exec type plus domain transition.
#  - Cross-domain rules are wrapped in ifdef(<peer>.te) so they are only
#    compiled when the peer policy module is part of the build.
#

# Declare NetworkManager_t / NetworkManager_exec_t as a daemon domain.  The
# quoted second argument appends extra attributes to the domain; what each
# attribute grants is defined by the macros, not here - check the macro
# definitions (privsysmod in particular) before relying on them.
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )

# General network access, plus outbound TCP connect to ANY labelled port
# (port_type is the attribute covering every port type).  UDP bind is
# narrower: only the ISAKMP (IPsec/VPN) and DHCP client ports.
can_network(NetworkManager_t)
allow NetworkManager_t port_type:tcp_socket name_connect;
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
# NetworkManager starts and stops the DHCP client (transition further down).
allow NetworkManager_t dhcpc_t:process signal;
can_ypbind(NetworkManager_t)
uses_shlib(NetworkManager_t)

# Capabilities.  sys_module, net_admin, net_raw and dac_override are the
# ones to watch: together they allow loading kernel modules, reconfiguring
# interfaces and routing, crafting raw packets and bypassing file DAC.
# Module loading is also reachable via the insmod_t transition below, which
# is gated by the secure_mode_insmod boolean; the direct sys_module grant
# here is NOT gated - confirm it is still required.
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};

# Entropy sources, read-only.
allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
# Self access: change own capability set, query scheduling, own fifo and
# unix sockets, read own /proc entries.  packet_socket permits link-layer
# (raw frame) sockets.
allow NetworkManager_t self:process { setcap getsched };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:file { getattr read };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;

#
# Communicate with Caching Name Server
#
# Only compiled when the named policy is present.  NetworkManager may write
# the named cache, launch named via a domain transition and signal it; the
# sockets created by NetworkManager_t are then read/written by named_t.
ifdef(`named.te', `
allow NetworkManager_t named_zone_t:dir search;
rw_dir_create_file(NetworkManager_t, named_cache_t)
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
allow named_t NetworkManager_t:udp_socket { read write };
allow named_t NetworkManager_t:netlink_route_socket { read write };
allow NetworkManager_t named_t:process signal;
allow named_t NetworkManager_t:packet_socket { read write };
')

# Read-only access to the SELinux configuration directory.
allow NetworkManager_t selinux_config_t:dir search;
allow NetworkManager_t selinux_config_t:file { getattr read };

# D-Bus: system bus client that may acquire a service name and exchange
# messages with hald (if present), initrc, unconfined_t (targeted policy
# only) and every user domain.  All peer rules are bidirectional, so any
# of those domains can also send messages to NetworkManager.
ifdef(`dbusd.te', `
dbusd_client(system, NetworkManager)
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t self:dbus send_msg;
ifdef(`hald.te', `
allow NetworkManager_t hald_t:dbus send_msg;
allow hald_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t initrc_t:dbus send_msg;
allow initrc_t NetworkManager_t:dbus send_msg;
ifdef(`targeted_policy', `
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t userdomain:dbus send_msg;
allow userdomain NetworkManager_t:dbus send_msg;
')

allow NetworkManager_t usr_t:file { getattr read };

# The interface configuration helper runs in its own domain when available.
ifdef(`ifconfig.te', `
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig

# Generic program execution WITHOUT a domain transition: ls, anything
# labelled bin_t/sbin_t, and shells all run as NetworkManager_t and keep
# every capability granted above.  This is the broadest rule in the file;
# where a helper has its own exec type use domain_auto_trans instead, as is
# done for ifconfig, dhcpc, vpnc, insmod and initrc.
allow NetworkManager_t { sbin_t bin_t }:dir search;
allow NetworkManager_t bin_t:lnk_file read;
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })

# Files created by NetworkManager in etc_t directories are labelled
# net_conf_t, keeping them distinguishable from the rest of /etc.
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };

# /proc access: generic proc files, /proc/net, and the /proc entries of
# every confined domain (the domain attribute minus unrestricted).  Denials
# against unrestricted domains are silenced, not granted.
allow NetworkManager_t proc_t:file { getattr read };
r_dir_file(NetworkManager_t, proc_net_t)
allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
dontaudit NetworkManager_t unrestricted:dir search;
dontaudit NetworkManager_t unrestricted:file { getattr read };

# Signal the howl daemon; read initrc runtime state.
allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };

# Kernel module loading via insmod, permitted only while the
# secure_mode_insmod boolean is off.  The boolean is the runtime
# administrative control for this path; it does not affect the direct
# sys_module capability granted above.
ifdef(`modutil.te', `
if (!secure_mode_insmod) {
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
}
')

# Netlink route socket (read-side permission set) for interface and route
# state.
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
# allow vpnc connections: raw IP sockets and read/write on the TUN/TAP
# device node.
allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
# Helpers that run in their own domains: init scripts, the DHCP client and
# (when its policy is present) vpnc.
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
ifdef(`vpnc.te', `
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')
# DHCP client state: search its state directory and read or remove its
# runtime (var_run) file.
ifdef(`dhcpc.te', `
allow NetworkManager_t dhcp_state_t:dir search;
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
')
allow NetworkManager_t var_lib_t:dir search;
# Noise suppression only: these dontaudit rules grant no access.
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
dontaudit NetworkManager_t security_t:dir search;
ifdef(`consoletype.te', `
can_exec(NetworkManager_t, consoletype_exec_t)
')