From bd1f8f1a8ce3fc38f9f88ca8df76b91632463024 Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 11 Jan 2026 04:27:14 -0700
Subject: [PATCH 1/3] Use NetworkManager_initrc_exec_t

Signed-off-by: Antonio Enrico Russo
---
 policy/modules/kernel/corecommands.fc | 3 ---
 policy/modules/services/networkmanager.fc | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index a53425b0a7..e7b954f4ca 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -227,9 +227,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/mon/alert\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/networkmanager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 9c0fe0fcad..0e1657940d 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
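Review bot: Removing `/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)` and its lowercase `networkmanager` twin takes the bin_t label away from every `nm-*` file in that directory, not only the dispatcher, while the companion networkmanager.fc hunk re-adds only `dispatcher\.d` and keeps the pre-existing `nm-dispatcher.*` entries. Unless another fc entry still covers them, any other `nm-*` helper installed there falls back to the parent `/usr/lib` label, and NetworkManager_t would presumably lose the right to execute it. If the intent is only to move the dispatcher scripts, keep the two `nm-.*` lines here, or move them into networkmanager.fc with an explicit type such as `/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)`.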
@@ -15,6 +15,7 @@ /etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +/usr/lib/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) From a15e0d734bf0d54d001ed240b9f99a77dcfd5478 Mon Sep 17 00:00:00 2001 From: Antonio Enrico Russo Date: Sun, 11 Jan 2026 04:28:47 -0700 Subject: [PATCH 2/3] networkmanager: dispatcher domains Currently, NetworkManager dispatch scripts are tagged as NetworkManager_initrc_exec_t, and run in the NetworkManager_t domain itself. However, those scripts may require permissions different than those of NetworkManager_t. This patch introduces an interface to generate domains for these specialized scripts, and grants permission for NetworkManager to transition into them, as well as communicate with them. Signed-off-by: Antonio Enrico Russo --- policy/modules/services/networkmanager.if | 34 ++++++++++++++++++++++- policy/modules/services/networkmanager.te | 11 ++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index f28a9db99b..95a5cd8f24 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if 
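Review bot: The new `dispatcher\.d(/.*)?` entry labels every regular file in that tree with NetworkManager_initrc_exec_t, which the surrounding context lines show is the same type used for the service's init script and for `nm-dispatcher.*`; if refpolicy's usual `init_script_file` treatment applies to this type, every third-party script dropped into dispatcher.d becomes an init-script entry point and is also what `init_startstop_service` in `networkmanager_admin` lets administrators run, rather than merely being executable by NetworkManager_t. A dedicated type for dispatcher scripts would keep them separate from the init script; at minimum a comment in the fc file should record that sharing the type is deliberate, e.g. `# dispatcher scripts run in NetworkManager_t via can_exec on NetworkManager_initrc_exec_t`. The `--` qualifier on a `(/.*)?` pattern also leaves subdirectories of dispatcher.d with the parent label, which looks intended but is worth stating.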
@@ -404,13 +404,14 @@ interface(`networkmanager_status',` # interface(`networkmanager_admin',` gen_require(` + attribute NetworkManager_dispatch_domains; type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t; ') allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) + ps_process_pattern($1, { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains }) init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t) @@ -430,3 +431,34 @@ interface(`networkmanager_admin',` files_search_tmp($1) admin_pattern($1, NetworkManager_tmp_t) ') + +######################################## +## +## Create a set of derived types for +## networkmanager dispatcher scripts. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`networkmanager_dispatch_script',` + gen_require(` + attribute NetworkManager_dispatch_domains; + attribute NetworkManager_dispatch_exec_type; + + type NetworkManager_t; + ') + + type NetworkManager_dispatch_$1_t, NetworkManager_dispatch_domains; + domain_type(NetworkManager_dispatch_$1_t) + corecmd_shell_entry_type(NetworkManager_dispatch_$1_t) + role system_r types NetworkManager_dispatch_$1_t; + + type NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_exec_type; + domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t) + + allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint; + domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 79be9de597..c6cb638694 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te 
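Review bot: `networkmanager_admin` gains ps visibility over NetworkManager_dispatch_domains, but the `allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };` line just above the change is not extended, so an administrator can list a dispatch-script process but not signal a stuck one. For consistency with the other two domains change it to `allow $1 { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains }:process { ptrace signal_perms };`. The interface body continues outside this hunk.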
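Review bot: In `networkmanager_dispatch_script`, `allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;` duplicates what `domain_entry_file()` on the preceding line already grants and can be dropped. More importantly, `corecmd_shell_entry_type(NetworkManager_dispatch_$1_t)` makes the shell itself an entry point for every dispatch domain; if nm-dispatcher executes the script file directly, the entry point on `NetworkManager_dispatch_$1_exec_t` is sufficient and the shell entry only widens the ways the domain can be entered, so either remove it or add a comment naming the invocation path that needs it. The template also leaves interpreter rights (`corecmd_exec_shell`/`corecmd_exec_bin`) and syslog access to each caller, although most dispatcher scripts are shell scripts and will presumably need them; granting them here would let callers add only script-specific rights.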
@@ -5,6 +5,10 @@ policy_module(networkmanager) # Declarations # +attribute NetworkManager_dispatch_domains; + +attribute NetworkManager_dispatch_exec_type; + type NetworkManager_t; type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -94,6 +98,11 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) +allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms }; +init_rw_inherited_stream_socket(NetworkManager_dispatch_domains) +init_use_inherited_script_ptys(NetworkManager_dispatch_domains) +kernel_read_system_state(NetworkManager_dispatch_domains) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) @@ -203,6 +212,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) +exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type) + optional_policy(` avahi_domtrans(NetworkManager_t) avahi_kill(NetworkManager_t) From c73bdc4f130265a3b3cd12ef973b5ab090ec5272 Mon Sep 17 00:00:00 2001 From: Antonio Enrico Russo Date: Sun, 11 Jan 2026 04:37:01 -0700 Subject: [PATCH 3/3] postfix: add NetworkManager dispatch domain postfix has a NetworkManager dispatch unit that copies /etc/resolv.conf into its jail on some networking events. This requires specialized permissions beyond what NetworkManager is granted via the NetworkManager_initrc_exec_t mechanism. This patch creates a specialized NetworkManager dispatch domain that is granted the appropriate additional authority. Signed-off-by: Antonio Enrico Russo --- policy/modules/services/postfix.fc | 2 ++ policy/modules/services/postfix.te | 9 +++++++++ 2 files changed, 11 insertions(+) 
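Review bot: `allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms };` lets NetworkManager_t open, read and write pipes created by the dispatch scripts, with no comment saying which interaction needs it. The inherited-pipe direction a parent/child pair normally needs (the child using the parent's fds and fifos) is already covered, in the opposite direction, by the `domtrans_pattern` the template emits, assuming refpolicy's usual `domain_auto_transition_pattern` definition. If this was added for an observed denial, record it in a comment and prefer `rw_inherited_fifo_file_perms`, which drops `open`; otherwise the rule looks unnecessary.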
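Review bot: `exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type)` grants `exec_file_perms`, which includes `execute_no_trans`, on every dispatch exec type, so NetworkManager_t may run a dispatcher script in its own domain without transitioning, which is exactly the case the new dispatch domains exist to prevent; the per-script `domtrans_pattern` in the template already grants the read/execute rights the transition needs. Unless a non-transitioning execution is actually required, drop this line. If it was meant to provide directory search on dispatcher.d, note that under the `--` fc entry those directories do not carry the exec type, so the rule does not help there either. The surrounding rule block continues outside this hunk.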
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index c2f3fb6a8a..9744e3b08b 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -67,3 +67,5 @@
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+
+/usr/lib/NetworkManager/dispatcher\.d/postfix gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 60ecc4d124..198c6311f7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -332,6 +332,15 @@ optional_policy(`
 mailman_search_data(postfix_pipe_t)
 ')
 
+optional_policy(`
+ networkmanager_dispatch_script(postfix)
+ corecmd_exec_bin(NetworkManager_dispatch_postfix_t)
+ files_search_spool(NetworkManager_dispatch_postfix_t)
+ files_read_etc_files(NetworkManager_dispatch_postfix_t)
+ sysnet_read_config(NetworkManager_dispatch_postfix_t)
+ postfix_manage_spool_files(NetworkManager_dispatch_postfix_t)
+')
+
 optional_policy(`
 milter_getattr_data_dir(postfix_master_t)
 ')
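Review bot: The new fc entry references `NetworkManager_dispatch_postfix_exec_t`, which the postfix.te hunk declares only inside an `optional_policy` block; when the networkmanager module is not loaded that block is disabled and the fc entry names an undefined type, which may make the postfix module fail to load. Verify that configuration, or declare the type where it is always present. The entry also has no file-type qualifier; `--` would match the `dispatcher\.d` entry in networkmanager.fc and avoid labeling a directory of the same name, e.g. `/usr/lib/NetworkManager/dispatcher\.d/postfix -- gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)`.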
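Review bot: `postfix_manage_spool_files(NetworkManager_dispatch_postfix_t)` gives a script triggered by network events create, write and delete rights over the whole postfix spool type, while the commit message says it only copies /etc/resolv.conf into the chroot's etc directory; a type covering just that directory, or at least a comment recording why the full spool is required, would keep the grant closer to least privilege. The domain also gets `corecmd_exec_bin` but not `corecmd_exec_shell`; if the dispatcher script is a shell script it will presumably need the latter for its interpreter. Consider adding `corecmd_exec_shell(NetworkManager_dispatch_postfix_t)` and a header comment such as `# dispatcher script refreshes resolv.conf inside the postfix chroot`.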