diff options
Diffstat (limited to 'policy/modules/contrib/networkmanager.if')
-rw-r--r-- | policy/modules/contrib/networkmanager.if | 323 |
1 files changed, 0 insertions, 323 deletions
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if deleted file mode 100644 index 15484ffac..000000000 --- a/policy/modules/contrib/networkmanager.if +++ /dev/null @@ -1,323 +0,0 @@ -## <summary>Manager for dynamically switching between networks.</summary> - -######################################## -## <summary> -## Read and write networkmanager udp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:udp_socket { read write }; -') - -######################################## -## <summary> -## Read and write networkmanager packet sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:packet_socket { read write }; -') - -####################################### -## <summary> -## Relabel networkmanager tun socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_attach_tun_iface',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## <summary> -## Read and write networkmanager netlink -## routing sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_routing_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:netlink_route_socket { read write }; -') - -######################################## -## <summary> -## Execute networkmanager with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_domtrans',` - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) -') - -######################################## -## <summary> -## Execute networkmanager scripts with -## an automatic domain transition to initrc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_initrc_domtrans',` - gen_require(` - type NetworkManager_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) -') - -######################################## -## <summary> -## Send and receive messages from -## networkmanager over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_dbus_chat',` - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - allow $1 NetworkManager_t:dbus send_msg; - allow NetworkManager_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send generic signals to networkmanager. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_signal',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:process signal; -') - -######################################## -## <summary> -## Read networkmanager lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_read_lib_files',` - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -') - -######################################## -## <summary> -## Append networkmanager log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_append_log_files',` - gen_require(` - type NetworkManager_log_t; - ') - - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) -') - -######################################## -## <summary> -## Read networkmanager pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_read_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an networkmanager environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`networkmanager_admin',` - gen_require(` - type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; - type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; - type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; - ') - - allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 NetworkManager_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_etc($1) - admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, NetworkManager_log_t) - - files_search_var_lib($1) - admin_pattern($1, NetworkManager_var_lib_t) - - files_search_pids($1) - admin_pattern($1, NetworkManager_var_run_t) - - files_search_tmp($1) - admin_pattern($1, NetworkManager_tmp_t) -') - -######################################## -## <summary> -## Do not audit use of wpa_cli file descriptors -## </summary> -## <param name="domain"> -## <summary> -## Domain to dontaudit access. -## </summary> -## </param> -# -interface(`networkmanager_dontaudit_use_wpa_cli_fds',` - gen_require(` - type wpa_cli_t; - ') - - dontaudit $1 wpa_cli_t:fd use; -') - - -######################################## -## <summary> -## Execute wpa_cli in the wpa_cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_domtrans_wpa_cli',` - gen_require(` - type wpa_cli_t, wpa_cli_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t) -') - -######################################## -## <summary> -## Execute wpa cli in the wpa_cli domain, and -## allow the specified role the wpa_cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`networkmanager_run_wpa_cli',` - gen_require(` - type wpa_cli_exec_t; - ') - - networkmanager_domtrans_wpa_cli($1) - role $2 types wpa_cli_t; -') |