selinux-policy/targeted/domains/program/NetworkManager.te
2005-10-21 18:05:21 +00:00

118 lines
4.2 KiB
Plaintext

#DESC NetworkManager -
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the NetworkManager_t domain.
#
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
#
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
can_network(NetworkManager_t)
allow NetworkManager_t port_type:tcp_socket name_connect;
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
allow NetworkManager_t dhcpc_t:process signal;
can_ypbind(NetworkManager_t)
uses_shlib(NetworkManager_t)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
allow NetworkManager_t self:process { setcap getsched };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:file { getattr read };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
#
# Communicate with Caching Name Server
#
ifdef(`named.te', `
allow NetworkManager_t named_zone_t:dir search;
rw_dir_create_file(NetworkManager_t, named_cache_t)
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
allow named_t NetworkManager_t:udp_socket { read write };
allow named_t NetworkManager_t:netlink_route_socket { read write };
allow NetworkManager_t named_t:process signal;
allow named_t NetworkManager_t:packet_socket { read write };
')
allow NetworkManager_t selinux_config_t:dir search;
allow NetworkManager_t selinux_config_t:file { getattr read };
ifdef(`dbusd.te', `
dbusd_client(system, NetworkManager)
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t self:dbus send_msg;
ifdef(`hald.te', `
allow NetworkManager_t hald_t:dbus send_msg;
allow hald_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t initrc_t:dbus send_msg;
allow initrc_t NetworkManager_t:dbus send_msg;
ifdef(`targeted_policy', `
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t userdomain:dbus send_msg;
allow userdomain NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t usr_t:file { getattr read };
ifdef(`ifconfig.te', `
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
allow NetworkManager_t { sbin_t bin_t }:dir search;
allow NetworkManager_t bin_t:lnk_file read;
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
# in /etc created by NetworkManager will be labelled net_conf_t.
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
allow NetworkManager_t proc_t:file { getattr read };
r_dir_file(NetworkManager_t, proc_net_t)
allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
dontaudit NetworkManager_t unrestricted:dir search;
dontaudit NetworkManager_t unrestricted:file { getattr read };
allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
# allow vpnc connections
allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
ifdef(`vpnc.te', `
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')
ifdef(`dhcpc.te', `
allow NetworkManager_t dhcp_state_t:dir search;
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
')
allow NetworkManager_t var_lib_t:dir search;
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
dontaudit NetworkManager_t security_t:dir search;
ifdef(`consoletype.te', `
can_exec(NetworkManager_t, consoletype_exec_t)
')