diff options
Diffstat (limited to 'policy/modules/services/networkmanager.if')
-rw-r--r-- | policy/modules/services/networkmanager.if | 424 |
1 files changed, 424 insertions, 0 deletions
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if new file mode 100644 index 000000000..371ebfbd2 --- /dev/null +++ b/policy/modules/services/networkmanager.if @@ -0,0 +1,424 @@ +## <summary>Manager for dynamically switching between networks.</summary> + +######################################## +## <summary> +## Read and write networkmanager udp sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_rw_udp_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:udp_socket { read write }; +') + +######################################## +## <summary> +## Read and write networkmanager packet sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_rw_packet_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:packet_socket { read write }; +') + +####################################### +## <summary> +## Relabel networkmanager tun socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_attach_tun_iface',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read and write networkmanager netlink +## routing sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_rw_routing_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:netlink_route_socket { read write }; +') + +######################################## +## <summary> +## Execute networkmanager with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`networkmanager_domtrans',` + gen_require(` + type NetworkManager_t, NetworkManager_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) +') + +######################################## +## <summary> +## Execute networkmanager scripts with +## an automatic domain transition to initrc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`networkmanager_initrc_domtrans',` + gen_require(` + type NetworkManager_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + +######################################## +## <summary> +## Send and receive messages from +## networkmanager over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_dbus_chat',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; +') + +####################################### +## <summary> +## Read metworkmanager process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_state',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:dir search_dir_perms; + allow $1 NetworkManager_t:file read_file_perms; + allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Send generic signals to networkmanager. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_signal',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:process signal; +') + +######################################## +## <summary> +## Read networkmanager etc files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_etc_files',` + gen_require(` + type NetworkManager_etc_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t) + read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t) +') + +######################################## +## <summary> +## Create, read, and write +## networkmanager library files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_manage_lib_files',` + gen_require(` + type NetworkManager_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + allow $1 NetworkManager_var_lib_t:file map; +') + +######################################## +## <summary> +## Read networkmanager lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_lib_files',` + gen_require(` + type NetworkManager_var_lib_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + allow $1 NetworkManager_var_lib_t:file map; +') + +######################################## +## <summary> +## Append networkmanager log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_append_log_files',` + gen_require(` + type NetworkManager_log_t; + ') + + logging_search_logs($1) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') + +######################################## +## <summary> +## Read networkmanager pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_pid_files',` + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) + allow $1 NetworkManager_var_run_t:dir search_dir_perms; + allow $1 NetworkManager_var_run_t:file read_file_perms; +') + +#################################### +## <summary> +## Connect to networkmanager over +## a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_stream_connect',` + gen_require(` + type NetworkManager_t, NetworkManager_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an networkmanager environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`networkmanager_admin',` + gen_require(` + type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; + type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; + type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; + ') + + allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) + + init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) + + logging_search_logs($1) + admin_pattern($1, NetworkManager_log_t) + + files_search_var_lib($1) + admin_pattern($1, NetworkManager_var_lib_t) + allow $1 NetworkManager_var_lib_t:file map; + + files_search_pids($1) + admin_pattern($1, NetworkManager_var_run_t) + + files_search_tmp($1) + admin_pattern($1, NetworkManager_tmp_t) +') + +######################################## +## <summary> +## Do not audit use of wpa_cli file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain to dontaudit access. +## </summary> +## </param> +# +interface(`networkmanager_dontaudit_use_wpa_cli_fds',` + gen_require(` + type wpa_cli_t; + ') + + dontaudit $1 wpa_cli_t:fd use; +') + + +######################################## +## <summary> +## Execute wpa_cli in the wpa_cli domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`networkmanager_domtrans_wpa_cli',` + gen_require(` + type wpa_cli_t, wpa_cli_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t) +') + +######################################## +## <summary> +## Execute wpa cli in the wpa_cli domain, and +## allow the specified role the wpa_cli domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`networkmanager_run_wpa_cli',` + gen_require(` + type wpa_cli_exec_t; + ') + + networkmanager_domtrans_wpa_cli($1) + role $2 types wpa_cli_t; +') + +# Gentoo specific interfaces follow but not allowed ifdef + +######################################## +## <summary> +## Read and write networkmanager rawip sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_rw_rawip_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:rawip_socket { read write }; +') |