diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index a53425b0a7..e7b954f4ca 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -227,9 +227,6 @@ ifdef(`distro_gentoo',`
/usr/lib/mon/alert\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/networkmanager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 9c0fe0fcad..0e1657940d 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -15,6 +15,7 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/usr/lib/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
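Review bot: The new `dispatcher\.d(/.*)?` entry carries the `--` regular-file specifier, so the directory itself is no longer covered by any dispatcher-specific spec; the corecommands.fc line this replaces had no specifier and labeled the directory bin_t as well, and it will now fall back to whatever the generic /usr/lib default is. If that fallback is intended it is worth a one-line comment, otherwise a directory-only entry such as `/usr/lib/NetworkManager/dispatcher\.d -d gen_context(system_u:object_r:bin_t,s0)` keeps the directory labeling explicit. The per-script entry added in postfix.fc omits `--` entirely, so the two files should agree on which specifier they use for dispatcher scripts.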
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index f28a9db99b..95a5cd8f24 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -404,13 +404,14 @@ interface(`networkmanager_status',`
#
interface(`networkmanager_admin',`
gen_require(`
+ attribute NetworkManager_dispatch_domains;
type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t;
')
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
+ ps_process_pattern($1, { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains })
init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
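Review bot: The admin role can now see dispatcher script processes via ps_process_pattern but the `:process { ptrace signal_perms }` allow on the line above still names only `{ wpa_cli_t NetworkManager_t }`, so an administrator cannot kill or trace a hung dispatcher script. If that asymmetry is unintended, `allow $1 { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains }:process { ptrace signal_perms };` makes the two rules consistent. The networkmanager_admin body continues outside this hunk.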
@@ -430,3 +431,34 @@ interface(`networkmanager_admin',`
files_search_tmp($1)
admin_pattern($1, NetworkManager_tmp_t)
')
+
+########################################
+##
+## Create a set of derived types for
+## networkmanager dispatcher scripts.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`networkmanager_dispatch_script',`
+ gen_require(`
+ attribute NetworkManager_dispatch_domains;
+ attribute NetworkManager_dispatch_exec_type;
+
+ type NetworkManager_t;
+ ')
+
+ type NetworkManager_dispatch_$1_t, NetworkManager_dispatch_domains;
+ domain_type(NetworkManager_dispatch_$1_t)
+ corecmd_shell_entry_type(NetworkManager_dispatch_$1_t)
+ role system_r types NetworkManager_dispatch_$1_t;
+
+ type NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_exec_type;
+ domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t)
+
+ allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;
+ domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 79be9de597..c6cb638694 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -5,6 +5,10 @@ policy_module(networkmanager)
# Declarations
#
+attribute NetworkManager_dispatch_domains;
+
+attribute NetworkManager_dispatch_exec_type;
+
type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -94,6 +98,11 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s
can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms };
+init_rw_inherited_stream_socket(NetworkManager_dispatch_domains)
+init_use_inherited_script_ptys(NetworkManager_dispatch_domains)
+kernel_read_system_state(NetworkManager_dispatch_domains)
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
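Review bot: The fifo rule `allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file ...` grants the daemon access to pipes labeled with the script domain, which looks reversed: pipes are labeled with the creating process, so the usual need is for the child to read/write pipes owned by NetworkManager_t, and that direction is already covered by the `domtrans_pattern()` call in the template. If the daemon genuinely touches pipes created by the scripts, a one-line comment naming that case would keep the rule from being removed as dead; otherwise the line can go. Separately, `rw_fifo_file_perms` already expands to a brace set, so refpolicy style is `allow ... :fifo_file rw_fifo_file_perms;` without the surrounding `{ }`.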
@@ -203,6 +212,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type)
+
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
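Review bot: `exec_files_pattern()` takes a directory type as its second argument, but here both arguments are `NetworkManager_dispatch_exec_type`, which only labels script files, so the search rule it emits is a no-op and the real directory containing dispatcher.d is not covered here. More importantly, the pattern's `can_exec()` grants execute_no_trans, letting NetworkManager_t run any dispatcher script in its own domain rather than through the per-script domains the template sets up; since `domtrans_pattern()` in the template already grants the execute permission needed for the transition, this line appears to weaken the separation the rest of the commit introduces and should either be removed or justified with a comment. The enclosing optional_policy block closes outside this hunk.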
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index c2f3fb6a8a..9744e3b08b 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -67,3 +67,5 @@
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+
+/usr/lib/NetworkManager/dispatcher\.d/postfix gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 60ecc4d124..198c6311f7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -332,6 +332,15 @@ optional_policy(`
mailman_search_data(postfix_pipe_t)
')
+optional_policy(`
+ networkmanager_dispatch_script(postfix)
+ corecmd_exec_bin(NetworkManager_dispatch_postfix_t)
+ files_search_spool(NetworkManager_dispatch_postfix_t)
+ files_read_etc_files(NetworkManager_dispatch_postfix_t)
+ sysnet_read_config(NetworkManager_dispatch_postfix_t)
+ postfix_manage_spool_files(NetworkManager_dispatch_postfix_t)
+')
+
optional_policy(`
milter_getattr_data_dir(postfix_master_t)
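Review bot: The new optional block grants the dispatcher domain `postfix_manage_spool_files()` directly, which is a broad write permission for a script that, as far as the hunk shows, is expected to poke postfix after a network change; if the script actually invokes postfix tooling, a transition into the postfix domains would keep the spool writes confined to the code that already owns them, so the choice deserves a comment on the `postfix_manage_spool_files` line. `corecmd_shell_entry_type()` in the template only makes the shell a valid entrypoint; if the script spawns subshells or runs shell builtins via `$(...)`, `corecmd_exec_shell(NetworkManager_dispatch_postfix_t)` may be needed alongside `corecmd_exec_bin` — presumably this was tested, but the hunk does not show it. A short comment above the block naming which dispatcher script this confines would match the other optional blocks in the file.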
')