## <summary>Manager for dynamically switching between networks.</summary>

########################################
## <summary>
##	Read and write wicked UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`wicked_rw_udp_sockets',`
	gen_require(`
		type wicked_t;
	')

	# Grants read/write only on sockets already labelled wicked_t;
	# create, bind and connect are deliberately not part of this interface.
	allow $1 wicked_t:udp_socket { read write };
')

########################################
## <summary>
##	Read and write wicked packet sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`wicked_rw_packet_sockets',`
	gen_require(`
		type wicked_t;
	')

	# Same scope as wicked_rw_udp_sockets: read/write on existing
	# wicked_t packet sockets, nothing more.
	allow $1 wicked_t:packet_socket { read write };
')

########################################
## <summary>
##	Allow caller to relabel tun_socket
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_attach_tun_iface',`
	gen_require(`
		type wicked_t;
	')

	# The caller takes over a tun_socket labelled wicked_t by relabelling
	# it from wicked_t to the caller's own type (relabelto on self).
	allow $1 wicked_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')

########################################
## <summary>
##	Read and write wicked netlink
##	routing sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for named.
interface(`wicked_rw_routing_sockets',`
	gen_require(`
		type wicked_t;
	')

	allow $1 wicked_t:netlink_route_socket { read write };
')

########################################
## <summary>
##	Execute wicked with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`wicked_domtrans',`
	gen_require(`
		type wicked_t;
		type wicked_exec_t;
	')

	# Search of bin directories is needed to reach the wicked executable
	# before the wicked_exec_t -> wicked_t transition fires.
	corecmd_search_bin($1)
	domtrans_pattern($1, wicked_exec_t, wicked_t)
')

########################################
## <summary>
##	Execute wicked scripts with an automatic domain transition to initrc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
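##	</summary>
## </param>
#
interface(`wicked_initrc_domtrans',`
	gen_require(`
		type wicked_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, wicked_initrc_exec_t)
')

########################################
## <summary>
##	Allow reading of wicked link files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to read the links
##	</summary>
## </param>
#
interface(`wicked_initrc_read_lnk_files',`
	gen_require(`
		type wicked_initrc_exec_t;
	')

	read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t)
')

########################################
## <summary>
##	Control the wicked service through systemctl.
## </summary>
## <desc>
##	<p>
##	Lets the caller execute systemctl, reload init, read the wicked
##	unit file, apply the full manage_service_perms set to the wicked
##	unit and inspect the wicked_t process.  This is a management-level
##	grant (start, stop and friends), not merely "execute wicked";
##	reserve it for administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_systemctl',`
	gen_require(`
		type wicked_t;
		type wicked_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)

	allow $1 wicked_unit_file_t:file read_file_perms;
	allow $1 wicked_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, wicked_t)
')

########################################
## <summary>
##	Send and receive messages from
##	wicked over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_dbus_chat',`
	gen_require(`
		type wicked_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller -> wicked_t and wicked_t -> caller
	# directions are allowed, so wicked can also reply to / call back the
	# caller.
	allow $1 wicked_t:dbus send_msg;
	allow wicked_t $1:dbus send_msg;
')

########################################
## <summary>
##	Read wicked process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_read_state',`
	gen_require(`
		type wicked_t;
	')

	# dir/file/lnk_file objects carrying a process type are that
	# process's procfs entries; this is the usual read_state pattern.
	allow $1 wicked_t:dir search_dir_perms;
	allow $1 wicked_t:file read_file_perms;
	allow $1 wicked_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to send and
##	receive messages from wicked
##	over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`wicked_dontaudit_dbus_chat',`
	gen_require(`
		type wicked_t;
		class dbus send_msg;
	')

	# Silences the denial in both directions; nothing is allowed.
	dontaudit $1 wicked_t:dbus send_msg;
	dontaudit wicked_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send a generic signal to wicked
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.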
##	</summary>
## </param>
#
interface(`wicked_signal',`
	gen_require(`
		type wicked_t;
	')

	allow $1 wicked_t:process signal;
')

########################################
## <summary>
##	Create, read, and write
##	wicked library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_manage_lib_files',`
	gen_require(`
		type wicked_var_lib_t;
	')

	files_search_var_lib($1)

	manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
	# map lets the caller mmap the lib files in addition to read/write.
	allow $1 wicked_var_lib_t:file map;
')

########################################
## <summary>
##	Read wicked lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_read_lib_files',`
	gen_require(`
		type wicked_var_lib_t;
	')

	files_search_var_lib($1)

	list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
	read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
	allow $1 wicked_var_lib_t:file map;
')

########################################
## <summary>
##	Read wicked conf files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_read_conf',`
	gen_require(`
		type wicked_etc_t;
		type wicked_etc_rw_t;
	')

	allow $1 wicked_etc_t:dir list_dir_perms;

	# Both the static (wicked_etc_t) and the writable (wicked_etc_rw_t)
	# configuration are readable through this interface.
	read_files_pattern($1, wicked_etc_rw_t, wicked_etc_rw_t)
	read_files_pattern($1, wicked_etc_t, wicked_etc_t)
')

########################################
## <summary>
##	Read wicked PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_read_pid_files',`
	gen_require(`
		type wicked_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
')

########################################
## <summary>
##	Manage wicked PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_manage_pid_files',`
	gen_require(`
		type wicked_var_run_t;
	')

	files_search_pids($1)

	# Directories as well as files: the caller can create and remove
	# sub-directories under the wicked run directory.
	manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t)
	manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
')

########################################
## <summary>
##	Manage wicked PID sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
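##	</summary>
## </param>
#
interface(`wicked_manage_pid_sock_files',`
	gen_require(`
		type wicked_var_run_t;
	')

	files_search_pids($1)
	manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
')

########################################
## <summary>
##	Create objects in wicked PID directories
##	with a private type using a type_transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object classes to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`wicked_pid_filetrans',`
	gen_require(`
		type wicked_var_run_t;
	')

	# The transition happens inside wicked_var_run_t directories (not
	# /etc, as an earlier version of this summary claimed).  Callers
	# still need their own search/create rights on wicked_var_run_t.
	filetrans_pattern($1, wicked_var_run_t, $2, $3, $4)
')

########################################
## <summary>
##	Connect to wicked over
##	a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_stream_connect',`
	gen_require(`
		type wicked_t;
		type wicked_var_run_t;
	')

	files_search_pids($1)
	# Socket file lives under wicked_var_run_t; the peer process is wicked_t.
	stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
')

########################################
## <summary>
##	Delete wicked PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_delete_pid_files',`
	gen_require(`
		type wicked_var_run_t;
	')

	files_search_pids($1)
	delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t)
')

########################################
## <summary>
##	Execute wicked in the wicked domain, and
##	allow the specified role the wicked domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`wicked_run',`
	gen_require(`
		type wicked_t;
	')

	# wicked_exec_t is required by wicked_domtrans itself; only wicked_t
	# is referenced directly here (for the role statement).
	wicked_domtrans($1)
	role $2 types wicked_t;
')

########################################
## <summary>
##	Allow the specified domain to append
##	to wicked log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.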
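##	</summary>
## </param>
#
interface(`wicked_append_log',`
	gen_require(`
		type wicked_log_t;
	')

	logging_search_logs($1)

	# Append-only (plus list and map), so a caller can add log lines but
	# not truncate or rewrite existing log content.
	allow $1 wicked_log_t:dir list_dir_perms;
	append_files_pattern($1, wicked_log_t, wicked_log_t)
	allow $1 wicked_log_t:file map;
')

########################################
## <summary>
##	Allow the specified domain to manage
##	wicked lib files.
## </summary>
## <desc>
##	<p>
##	Same file rights as wicked_manage_lib_files but without the
##	files_search_var_lib() call; the caller must already be able to
##	search /var/lib.  NOTE(review): the two interfaces look like
##	duplicates -- confirm which one callers are expected to use.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_manage_lib',`
	gen_require(`
		type wicked_var_lib_t;
	')

	manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t)
	allow $1 wicked_var_lib_t:file map;
')

########################################
## <summary>
##	Send to wicked with a unix dgram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_dgram_send',`
	gen_require(`
		type wicked_t;
		type wicked_var_run_t;
	')

	files_search_pids($1)
	dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t)
')

########################################
## <summary>
##	Send sigchld to wicked.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_sigchld',`
	gen_require(`
		type wicked_t;
	')

	allow $1 wicked_t:process sigchld;
')

########################################
## <summary>
##	Send signull to wicked.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_signull',`
	gen_require(`
		type wicked_t;
	')

	# signull only checks for existence of the process; no delivery.
	allow $1 wicked_t:process signull;
')

########################################
## <summary>
##	Send sigkill to wicked.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wicked_sigkill',`
	gen_require(`
		type wicked_t;
	')

	# Separate from wicked_signal on purpose: killing the network manager
	# is a stronger capability than sending a generic signal.
	allow $1 wicked_t:process sigkill;
')

########################################
## <summary>
##	Transition to wicked named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.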
##	</summary>
## </param>
#
interface(`wicked_filetrans_named_content',`
	gen_require(`
		type wicked_var_run_t;
		type wicked_var_lib_t;
	')

	# Named transitions are exact-name matches.  Only the interface
	# names enumerated below (eth0-eth9, em0-em9, lo) get a
	# wicked_var_run_t lease file; NOTE(review): a lease for any other
	# interface name falls through to the default transition and may
	# end up with a different label -- confirm against the systems
	# this policy targets.
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6")

	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6")

	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4")
	files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6")

	files_pid_filetrans($1, wicked_var_run_t, dir, "extension")
	files_pid_filetrans($1, wicked_var_run_t, dir, "nanny")

	# NOTE(review): these create files under etc_t directories but label
	# them wicked_var_lib_t; verify that this matches where wicked
	# actually writes its state-N.xml files.
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-4.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
	files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
')
########################################
## <summary>
##	Create a set of derived types for various wicked scripts
## </summary>
## <param name="prefix">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
template(`wicked_script_template',`
	gen_require(`
		attribute wicked_plugin;
		attribute wicked_script;
		type wicked_t;
	')

	# Each script family gets its own process domain (wicked_$1_t) and
	# executable type (wicked_$1_script_t), tagged with the shared
	# attributes so that plugin-wide rules apply to it.
	type wicked_$1_t, wicked_plugin;
	type wicked_$1_script_t, wicked_script;
	application_domain(wicked_$1_t, wicked_$1_script_t)

	# The derived domain is reachable only from wicked_t (no user-facing
	# domtrans) and runs under system_r.
	role system_r types wicked_$1_t;
	domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
')