Diffstat (limited to 'policy/modules/services/networkmanager.if')
-rw-r--r--policy/modules/services/networkmanager.if424
1 files changed, 424 insertions, 0 deletions
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
new file mode 100644
index 000000000..371ebfbd2
--- /dev/null
+++ b/policy/modules/services/networkmanager.if
@@ -0,0 +1,424 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+## Read and write networkmanager udp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write networkmanager packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+#######################################
+## <summary>
+## Relabel networkmanager tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read and write networkmanager netlink
+## routing sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute networkmanager with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## Execute networkmanager scripts with
+## an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## networkmanager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Read metworkmanager process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_state',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:dir search_dir_perms;
+ allow $1 NetworkManager_t:file read_file_perms;
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send generic signals to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+## Read networkmanager etc files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_etc_files',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+ read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, and write
+## networkmanager library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Read networkmanager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Append networkmanager log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_append_log_files',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
+
+########################################
+## <summary>
+## Read networkmanager pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:dir search_dir_perms;
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to networkmanager over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_stream_connect',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an networkmanager environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_admin',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
+ type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
+ type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ ')
+
+ allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
+
+ init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, NetworkManager_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+
+ files_search_pids($1)
+ admin_pattern($1, NetworkManager_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, NetworkManager_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')