3 changes: 0 additions & 3 deletions policy/modules/kernel/corecommands.fc
Original file line number Diff line number Diff line change
Expand Up @@ -227,9 +227,6 @@ ifdef(`distro_gentoo',`
/usr/lib/mon/alert\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/networkmanager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
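Review bot: If the `/usr/lib/NetworkManager/nm-.*` and `/usr/lib/networkmanager/nm-.*` entries are among the three lines deleted here, every `nm-*` helper in those directories other than `nm-dispatcher` (which networkmanager.fc labels separately) loses its `bin_t` label and falls back to whatever the generic `/usr/lib` entry assigns, so NetworkManager_t would then need a new execute rule for that type. Unless those helpers are relabeled elsewhere in this change, I would remove only the `dispatcher\.d` line and keep `/usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)` together with its lowercase twin. The hunk header shows an enclosing `ifdef(`distro_gentoo'` block whose start and end are outside this hunk, so whether these entries are Gentoo-only cannot be confirmed from here.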
1 change: 1 addition & 0 deletions policy/modules/services/networkmanager.fc
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)

/usr/lib/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)


I think we should stick with the original bin_t for generic dispatching. We should keep NetworkManager_initrc_exec_t for init/start scripts. Arguably the below nm-dispatcher fcs should probably be NetworkManager_exec_t instead.

/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
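Review bot: The ` -- ` added on `/usr/lib/NetworkManager/dispatcher\.d(/.*)?` limits the entry to regular files, so the `(/.*)?` alternative that previously matched the `dispatcher.d` directory itself no longer applies and the directory (and any subdirectory) is left to the generic `/usr/lib` default, presumably `lib_t`, which is unlikely to be what NetworkManager_t expects when it lists the scripts. Either drop the ` -- ` so the directory keeps its label from this entry, or add a separate directory-only entry such as `/usr/lib/NetworkManager/dispatcher\.d -d gen_context(system_u:object_r:<type>,s0)` with whatever type the directory should carry. Per-script entries in other modules, such as the postfix one, still override this pattern for the files they name because file_contexts matching prefers the longer literal stem, so the directory question is independent of that.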
34 changes: 33 additions & 1 deletion policy/modules/services/networkmanager.if
Original file line number Diff line number Diff line change
Expand Up @@ -404,13 +404,14 @@ interface(`networkmanager_status',`
#
interface(`networkmanager_admin',`
gen_require(`
attribute NetworkManager_dispatch_domains;
type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t;
')

allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
ps_process_pattern($1, { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains })

init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)

Expand All @@ -430,3 +431,34 @@ interface(`networkmanager_admin',`
files_search_tmp($1)
admin_pattern($1, NetworkManager_tmp_t)
')

########################################
## <summary>
## Create a set of derived types for
## networkmanager dispatcher scripts.
## </summary>
## <param name="prefix">
## <summary>
## The prefix to be used for deriving type names.
## </summary>
## </param>
#
template(`networkmanager_dispatch_script',`
gen_require(`
attribute NetworkManager_dispatch_domains;
attribute NetworkManager_dispatch_exec_type;

type NetworkManager_t;
')

type NetworkManager_dispatch_$1_t, NetworkManager_dispatch_domains;
domain_type(NetworkManager_dispatch_$1_t)
corecmd_shell_entry_type(NetworkManager_dispatch_$1_t)
role system_r types NetworkManager_dispatch_$1_t;

type NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_exec_type;
domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t)

allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;
domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t)
')

Since this is a template, it should go at the top of the file.
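Review bot: In `networkmanager_admin`, the dispatch domains are added to `ps_process_pattern` but not to the `process { ptrace signal_perms }` rule on the line above it, so an admin can see a hung dispatcher script but cannot signal or kill it; `allow $1 { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains }:process { ptrace signal_perms };` closes that gap (or `signal_perms` alone if ptrace of the scripts is not wanted). In the `networkmanager_dispatch_script` template, `allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;` duplicates what `domain_entry_file` on the preceding line already grants and can be dropped. The template's description should also tell callers what they still owe the derived domain, e.g. `## The derived domain receives only its entrypoint and the transition from NetworkManager_t; the caller grants everything the script itself needs.`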

11 changes: 11 additions & 0 deletions policy/modules/services/networkmanager.te
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ policy_module(networkmanager)
# Declarations
#

attribute NetworkManager_dispatch_domains;

attribute NetworkManager_dispatch_exec_type;

type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
Expand Down Expand Up @@ -94,6 +98,11 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s

can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })

allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms };
init_rw_inherited_stream_socket(NetworkManager_dispatch_domains)
init_use_inherited_script_ptys(NetworkManager_dispatch_domains)
kernel_read_system_state(NetworkManager_dispatch_domains)

This should go in a separate block later in the file, i.e. a block for all rules that have NetworkManager_dispatch_domains as the subject/sources.


kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
Expand Down Expand Up @@ -203,6 +212,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)

exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type)


This shouldn't be necessary since you already have a domtrans for each of the domains/entrypoints.


optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
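Review bot: `allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms };` appears to be in the wrong direction: the pipes a dispatcher child writes to are created by NetworkManager_t and carry its label, and the child's side of that access is already granted by the `domtrans_pattern` in the template (it contains `allow $3 $1:fifo_file rw_fifo_file_perms;`), whereas this rule only covers fifos created by the scripts themselves, which nothing visible here does. Unless a script is expected to hand NetworkManager a pipe, the rule can go; if it is needed, a comment naming which script creates the fifo would stop the next reader from removing it. Separately, `exec_files_pattern` expands to `can_exec`, which includes `execute_no_trans`, so as written NetworkManager_t may also run a dispatcher script inside its own domain and bypass the per-script transition the template sets up; that is a reason to drop it beyond redundancy.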
2 changes: 2 additions & 0 deletions policy/modules/services/postfix.fc
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,5 @@
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)

/usr/lib/NetworkManager/dispatcher\.d/postfix gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)
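Review bot: The new `/usr/lib/NetworkManager/dispatcher\.d/postfix` entry has no file-type modifier, so a directory or symlink at that path would also receive the exec label; the dispatcher entries in networkmanager.fc use ` -- ` for script files and this one should too: `/usr/lib/NetworkManager/dispatcher\.d/postfix -- gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)`. The type it names is declared by a template call inside an `optional_policy` block in postfix.te, so on a build where the networkmanager module is absent this file context names a type the policy does not define; I believe that fails file-context validation when the postfix module is loaded, so it is worth confirming or guarding.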
9 changes: 9 additions & 0 deletions policy/modules/services/postfix.te
Original file line number Diff line number Diff line change
Expand Up @@ -332,6 +332,15 @@ optional_policy(`
mailman_search_data(postfix_pipe_t)
')

optional_policy(`
networkmanager_dispatch_script(postfix)
corecmd_exec_bin(NetworkManager_dispatch_postfix_t)
files_search_spool(NetworkManager_dispatch_postfix_t)
files_read_etc_files(NetworkManager_dispatch_postfix_t)
sysnet_read_config(NetworkManager_dispatch_postfix_t)
postfix_manage_spool_files(NetworkManager_dispatch_postfix_t)
')

optional_policy(`
milter_getattr_data_dir(postfix_master_t)
')
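Review bot: `networkmanager_dispatch_script(postfix)` declares two new types but is called from the rules section of the file, whereas refpolicy keeps type-creating template calls in the Declarations section near the top; moving the `optional_policy` block that holds the call up there (the access rules can stay where they are) keeps the type declarations where reviewers and tooling expect them. `postfix_manage_spool_files` gives a script that runs on every network event create, write and delete across the whole postfix spool; if the script only needs to trigger a queue flush or reload, a narrower interface or a `postfix_domtrans_*` to the relevant helper would be preferable, but the script is not in the diff so I cannot tell which it needs. A comment above the block stating what the dispatcher script does, e.g. `# NetworkManager dispatcher hook for postfix; see dispatcher.d/postfix for what it touches`, would let the permission set be judged against its purpose.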