NetworkManager_selinux(8)     SELinux Policy NetworkManager     NetworkManager_selinux(8)


NAME

       NetworkManager_selinux - Security Enhanced Linux Policy for the
       NetworkManager processes


DESCRIPTION

       Security-Enhanced Linux secures the NetworkManager processes via flexible
       mandatory access control.

       The NetworkManager processes execute with the NetworkManager_t SELinux
       type. You can check whether these processes are running, and which
       domain they are running in, by executing the ps command with the -Z
       qualifier.

       For example:

       ps -eZ | grep NetworkManager_t



ENTRYPOINTS

       The NetworkManager_t SELinux type can be entered via the
       NetworkManager_exec_t file type. Only an executable labeled
       NetworkManager_exec_t transitions into NetworkManager_t; a copy of the
       daemon started from any other path keeps the domain of the process that
       started it.

       The default entrypoint paths for the NetworkManager_t domain are the
       following:

       /usr/libexec/nm-dispatcher.*, /usr/bin/teamd, /usr/sbin/wicd,
       /usr/bin/NetworkManager, /usr/bin/wpa_supplicant,
       /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant,
       /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher

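As an added example (not part of the generated page), the following shell snippet applies the ps -eZ check from the DESCRIPTION to the entrypoint commands listed above and flags any that are not running in NetworkManager_t. The ps output it parses is constructed for offline use; on a live host pass the real output of ps -eZ instead. The list of command names is derived from the entrypoint paths above and is an assumption about what the CMD column will show.

```shell
# Added example, not from the generated page. Parses `ps -eZ` output and checks
# that every NetworkManager entrypoint command runs in the NetworkManager_t
# domain. SAMPLE_PS is constructed; on a real host use:
#   check_nm_domains "$(ps -eZ)" "$NM_COMMANDS"

SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:NetworkManager_t:s0     812 ?        00:00:03 NetworkManager
system_u:system_r:NetworkManager_t:s0     845 ?        00:00:01 wpa_supplicant
system_u:system_r:unconfined_service_t:s0 901 ?        00:00:00 NetworkManager
system_u:system_r:NetworkManager_t:s0     950 ?        00:00:00 nm-dispatcher
system_u:system_r:sshd_t:s0              1300 ?        00:00:00 sshd'

# Basenames of the NetworkManager_exec_t entrypoints listed on this page
# (assumed to be what ps shows in the CMD column).
NM_COMMANDS='NetworkManager|wpa_supplicant|nm-dispatcher|nm-system-settings|NetworkManagerDispatcher|teamd|wicd'

# Print "<pid> <cmd> <domain> <status>" for each process whose command matches
# $2. Status is OK when the domain is NetworkManager_t and MISLABELED otherwise,
# which usually means the binary was started from a path that is not labeled
# NetworkManager_exec_t, or was launched by an unconfined service.
check_nm_domains() {
    printf '%s\n' "$1" | awk -v cmds="^($2)$" '
        NR == 1 { next }                        # header line: LABEL PID TTY TIME CMD
        $NF ~ cmds {
            split($1, ctx, ":")                 # seuser:role:type:level
            type = ctx[3]
            print $2, $NF, type, (type == "NetworkManager_t" ? "OK" : "MISLABELED")
        }'
}

# Number of entrypoint processes not confined to NetworkManager_t (0 is good).
count_mislabeled() {
    check_nm_domains "$1" "$2" | awk '$4 == "MISLABELED" { n++ } END { print n + 0 }'
}

check_nm_domains "$SAMPLE_PS" "$NM_COMMANDS"
```

The fourth column is what a compliance check should key on: anything other than OK means the mandatory access control described in this page is not actually being applied to that process.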

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       NetworkManager policy is very flexible, allowing users to set up their
       NetworkManager processes in as secure a manner as possible.

       The following process types are defined for NetworkManager:

       NetworkManager_t, NetworkManager_ssh_t

       Note: semanage permissive -a NetworkManager_t can be used to make the
       process type NetworkManager_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated, so the domain can be audited while it is permissive
       and returned to enforcing with semanage permissive -d NetworkManager_t
       once the logged denials have been reviewed.


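As an added example (not part of the generated page), here is the review step the note above implies: summarise the AVC records logged for NetworkManager_t and separate the ones recorded while the domain was permissive (permissive=1) from those that were actually blocked. The audit records are constructed for offline use and are not real denials from this policy; on a live host feed the function the raw output of ausearch -m avc, or the matching lines of /var/log/audit/audit.log.

```shell
# Added example, not from the generated page. Summarises AVC denials recorded
# for one source domain (here NetworkManager_t) from audit.log-style records
# and marks the ones logged while the domain was permissive. SAMPLE_AVC is
# constructed; on a real host use:
#   summarize_avc "$(ausearch -m avc --raw)" NetworkManager_t

SAMPLE_AVC='type=AVC msg=audit(1575288001.123:4410): avc:  denied  { write } for  pid=812 comm="NetworkManager" name="resolv.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575288002.456:4411): avc:  denied  { read open } for  pid=812 comm="NetworkManager" name="id_rsa" dev="dm-0" ino=5678 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575288003.789:4412): avc:  denied  { connectto } for  pid=845 comm="wpa_supplicant" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1575288004.000:4413): avc:  denied  { write } for  pid=812 comm="NetworkManager" name="resolv.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575288005.000:4414): avc:  denied  { read } for  pid=1300 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Print "<count> <perms> <tclass> <target type> <enforced|permissive>" for every
# distinct denial whose source domain is $2. Several permissions in one record
# ("{ read open }") are joined with "+".
summarize_avc() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        /^type=AVC / && /avc: +denied +\{/ && $0 ~ ("scontext=[^ ]*:" dom ":") {
            perms = ""; ttype = ""; cls = ""; mode = "enforced"
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {                           # permissions up to "}"
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : "+") $j
                }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
                if ($i == "permissive=1") mode = "permissive"
            }
            print perms, cls, ttype, mode
        }' | sort | uniq -c | sed 's/^ *//'
}

# Denials seen while the domain was permissive. Each of these would be blocked
# in enforcing mode, so each needs a policy decision (boolean, local module, or
# a relabel) before the domain goes back to enforcing.
count_permissive_denials() {
    summarize_avc "$1" "$2" | awk '$NF == "permissive" { n += $1 } END { print n + 0 }'
}

summarize_avc "$SAMPLE_AVC" NetworkManager_t
```

Grouping by permission, class and target type (rather than by PID or inode) is what makes the list short enough to review, and the trailing column tells you whether the access really failed or was only logged.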

BOOLEANS

       SELinux policy is customizable based on least access required.
       NetworkManager policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run NetworkManager with the
       tightest access possible.

       setsebool -P writes the new value into the policy store so that it
       persists across reboots; without -P the change applies only to the
       running kernel policy and is lost at the next boot. getsebool -a lists
       the current value of every boolean.



       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1



       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1



       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1



       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1



       If you want to allow xguest users to configure Network Manager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

       setsebool -P xguest_connect_network 1



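As an added example (not part of the generated page), the following shell snippet turns the boolean list above into a drift check: it compares the current values, in the format printed by getsebool -a, with a baseline and prints the setsebool -P commands needed to reach that baseline. The getsebool output is constructed, and the baseline values are an assumption chosen for a host that needs none of the optional features; both should be replaced with your own.

```shell
# Added example, not from the generated page. Compares `getsebool -a` output
# against a baseline of the booleans documented above and prints the
# `setsebool -P` commands that would restore the baseline. SAMPLE_GETSEBOOL is
# constructed; on a real host use:
#   boolean_drift "$(getsebool -a)" "$NM_BASELINE"

SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
deny_bluetooth --> off
deny_ptrace --> off
fips_mode --> on
kerberos_enabled --> off
nis_enabled --> on
nscd_use_shm --> off
use_ecryptfs_home_dirs --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
xguest_connect_network --> on'

# Baseline, one "<name> <on|off>" per line. These values are an assumption for
# the example (a host with no bluetooth, NIS, NFS homes or xguest users).
NM_BASELINE='deny_bluetooth on
deny_ptrace on
nis_enabled off
use_nfs_home_dirs off
xguest_connect_network off'

# Print one line per difference: "setsebool -P <name> <0|1>" when the current
# value differs from the baseline, or "missing <name>" when the boolean is not
# present in the loaded policy at all. Prints nothing when there is no drift.
boolean_drift() {
    printf '%s\n' "$1" | awk -v baseline="$2" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], kv, " ") == 2) want[kv[1]] = kv[2]
        }
        $2 == "-->" { cur[$1] = $3 }               # getsebool -a: "<name> --> on|off"
        END {
            for (b in want) {
                if (!(b in cur))            print "missing", b
                else if (cur[b] != want[b]) print "setsebool -P", b, (want[b] == "on" ? 1 : 0)
            }
        }' | sort
}

# Apply the computed drift (must run as root). Refuses to change anything if a
# baseline boolean does not exist, since that usually means the wrong policy
# version is loaded.
apply_baseline() {
    drift=$(boolean_drift "$1" "$2")
    if printf '%s\n' "$drift" | grep -q '^missing '; then
        printf '%s\n' "$drift" >&2
        return 1
    fi
    printf '%s\n' "$drift" | grep '^setsebool' | while read -r cmd; do
        eval "$cmd"
    done
}

boolean_drift "$SAMPLE_GETSEBOOL" "$NM_BASELINE"
```

Keeping the baseline as data rather than as a script of setsebool lines means the same file can be used both to report drift during an audit and to enforce it during provisioning.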

MANAGED FILES

       The SELinux process type NetworkManager_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs DAC
       permissions on the file: SELinux only restricts access that DAC would
       already have allowed, it never grants access DAC denies.

       NetworkManager_etc_rw_t

            /etc/NetworkManager/system-connections(/.*)?
            /etc/NetworkManager/NetworkManager.conf

       NetworkManager_tmp_t


       NetworkManager_var_lib_t

            /var/lib/wicd(/.*)?
            /var/lib/NetworkManager(/.*)?
            /etc/dhcp/wired-settings.conf
            /etc/wicd/wired-settings.conf
            /etc/dhcp/manager-settings.conf
            /etc/wicd/manager-settings.conf
            /etc/dhcp/wireless-settings.conf
            /etc/wicd/wireless-settings.conf

       NetworkManager_var_run_t

            /var/run/teamd(/.*)?
            /var/run/nm-xl2tpd.conf.*
            /var/run/nm-dhclient.*
            /var/run/NetworkManager(/.*)?
            /var/run/wpa_supplicant(/.*)?
            /var/run/wicd.pid
            /var/run/NetworkManager.pid
            /var/run/nm-dns-dnsmasq.conf
            /var/run/wpa_supplicant-global

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dhcpc_state_t

            /var/lib/dhcp3?/dhclient.*
            /var/lib/dhcpcd(/.*)?
            /var/lib/dhclient(/.*)?
            /var/lib/wifiroamd(/.*)?

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       hostname_etc_t

            /etc/.*hostname.*
            /etc/machine-info

       named_cache_t

            /var/named/data(/.*)?
            /var/lib/softhsm(/.*)?
            /var/lib/unbound(/.*)?
            /var/named/slaves(/.*)?
            /var/named/dynamic(/.*)?
            /var/named/chroot/var/tmp(/.*)?
            /var/named/chroot/var/named/data(/.*)?
            /var/named/chroot/var/named/slaves(/.*)?
            /var/named/chroot/var/named/dynamic(/.*)?

       net_conf_t

            /etc/hosts[^/]*
            /etc/yp.conf.*
            /etc/denyhosts.*
            /etc/hosts.deny.*
            /etc/resolv.conf.*
            /etc/.resolv.conf.*
            /etc/resolv-secure.conf.*
            /var/run/cloud-init(/.*)?
            /var/run/systemd/network(/.*)?
            /etc/sysconfig/networking(/.*)?
            /etc/sysconfig/network-scripts(/.*)?
            /etc/sysconfig/network-scripts/.*resolv.conf
            /var/run/NetworkManager/resolv.conf.*
            /etc/ethers
            /etc/ntp.conf
            /var/run/systemd/resolve/resolv.conf
            /var/run/systemd/resolve/stub-resolv.conf

       pppd_var_run_t

            /var/run/(i)?ppp.*pid[^/]*
            /var/run/ppp(/.*)?
            /var/run/pppd[0-9]*.tdb

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       ssh_home_t

            /var/lib/[^/]+/.ssh(/.*)?
            /root/.ssh(/.*)?
            /var/lib/one/.ssh(/.*)?
            /var/lib/pgsql/.ssh(/.*)?
            /var/lib/openshift/[^/]+/.ssh(/.*)?
            /var/lib/amanda/.ssh(/.*)?
            /var/lib/stickshift/[^/]+/.ssh(/.*)?
            /var/lib/gitolite/.ssh(/.*)?
            /var/lib/nocpulse/.ssh(/.*)?
            /var/lib/gitolite3/.ssh(/.*)?
            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
            /root/.shosts
            /home/[^/]+/.ssh(/.*)?
            /home/[^/]+/.ansible/cp/.*
            /home/[^/]+/.shosts

       sysfs_t

            /sys(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?


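As an added example (not part of the generated page), the following shell snippet checks the DAC side of the note at the top of this section for the NetworkManager_etc_rw_t directory. Connection keyfiles under system-connections can contain Wi-Fi pre-shared keys and VPN secrets, so each should be a regular file owned by root with mode 0600 regardless of its SELinux label. The directory it runs against here is a constructed copy created under mktemp, and the owner argument exists only so the demonstration can run unprivileged; on a real host point it at /etc/NetworkManager/system-connections with the default owner. It assumes GNU find and stat.

```shell
# Added example, not from the generated page. Lists connection keyfiles whose
# DAC permissions are looser than root:0600, and tightens the mode bits.
# Assumes GNU find (-perm /mode) and GNU stat (-c). The demo directory is
# constructed; on a real host use:
#   loose_connection_files /etc/NetworkManager/system-connections

# Print "<mode> <owner> <path>" (sorted) for each regular file under $1 that is
# readable or writable by group/other, or not owned by $2 (default root).
loose_connection_files() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f \( -perm /077 -o ! -user "$owner" \) \
        -exec stat -c '%a %U %n' {} \; | sort
}

# Clear group/other permission bits on every regular file under $1. Ownership
# is left alone: changing it to root needs root and is a separate decision.
tighten_connection_files() {
    find "$1" -type f -perm /077 -exec chmod 0600 {} +
}

# Build a constructed system-connections directory with one correctly
# protected keyfile and one world-readable keyfile, and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/system-connections"
    printf '[connection]\nid=corp\ntype=wifi\n[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example\n' \
        > "$d/system-connections/corp.nmconnection"
    chmod 0600 "$d/system-connections/corp.nmconnection"
    printf '[connection]\nid=guest\ntype=wifi\n' \
        > "$d/system-connections/guest.nmconnection"
    chmod 0644 "$d/system-connections/guest.nmconnection"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
loose_connection_files "$demo" "$(id -un)"   # reports guest.nmconnection (644)
rm -rf "$demo"
```

Run the check before relying on ls -Z output: a file can carry the right type and still be readable by every local user if its mode bits are wrong, because the label only narrows what DAC already permits.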

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux NetworkManager policy is very flexible, allowing users to set up
       their NetworkManager processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       NetworkManager policy stores data with multiple different file context
       types under the /var/run/NetworkManager directory. If you would like
       to store the data in a different directory you can use the semanage
       command to create an equivalence mapping. An equivalence mapping labels
       everything under the new directory exactly as the original, including
       the per-file and per-subdirectory types, so it is preferable to a
       single -t rule when the directory mixes several types. If you wanted
       to store this data under the /srv directory you would execute the
       following commands:

       semanage fcontext -a -e /var/run/NetworkManager /srv/NetworkManager
       restorecon -R -v /srv/NetworkManager

       NetworkManager policy stores data with multiple different file context
       types under the /var/run/wpa_supplicant directory. If you would like
       to store the data in a different directory you can use the semanage
       command to create an equivalence mapping. If you wanted to store this
       data under the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/run/wpa_supplicant /srv/wpa_supplicant
       restorecon -R -v /srv/wpa_supplicant

       STANDARD FILE CONTEXT

       SELinux defines the file context types for NetworkManager. If you
       wanted to store files with these types in different paths, you need to
       execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t NetworkManager_var_run_t '/srv/myNetworkManager_content(/.*)?'
       restorecon -R -v /srv/myNetworkManager_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for NetworkManager:



       NetworkManager_etc_rw_t

       - Set files with the NetworkManager_etc_rw_t type, if you want to treat
       the files as NetworkManager etc read/write content.


       Paths:
            /etc/NetworkManager/system-connections(/.*)?,
            /etc/NetworkManager/NetworkManager.conf


       NetworkManager_etc_t

       - Set files with the NetworkManager_etc_t type, if you want to store
       NetworkManager files in the /etc directories.



       NetworkManager_exec_t

       - Set files with the NetworkManager_exec_t type, if you want to
       transition an executable to the NetworkManager_t domain.


       Paths:
            /usr/libexec/nm-dispatcher.*, /usr/bin/teamd, /usr/sbin/wicd,
            /usr/bin/NetworkManager, /usr/bin/wpa_supplicant,
            /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant,
            /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher


       NetworkManager_initrc_exec_t

       - Set files with the NetworkManager_initrc_exec_t type, if you want to
       transition an executable to the NetworkManager_initrc_t domain.


       Paths:
            /etc/NetworkManager/dispatcher.d(/.*)?, /etc/rc.d/init.d/wicd


       NetworkManager_log_t

       - Set files with the NetworkManager_log_t type, if you want to treat
       the data as NetworkManager log data, usually stored under the /var/log
       directory.


       Paths:
            /var/log/wicd.*, /var/log/wpa_supplicant.*


       NetworkManager_tmp_t

       - Set files with the NetworkManager_tmp_t type, if you want to store
       NetworkManager temporary files in the /tmp directories.



       NetworkManager_unit_file_t

       - Set files with the NetworkManager_unit_file_t type, if you want to
       treat the files as NetworkManager unit content.



       NetworkManager_var_lib_t

       - Set files with the NetworkManager_var_lib_t type, if you want to
       store the NetworkManager files under the /var/lib directory.


       Paths:
            /var/lib/wicd(/.*)?, /var/lib/NetworkManager(/.*)?,
            /etc/dhcp/wired-settings.conf, /etc/wicd/wired-settings.conf,
            /etc/dhcp/manager-settings.conf, /etc/wicd/manager-settings.conf,
            /etc/dhcp/wireless-settings.conf, /etc/wicd/wireless-settings.conf


       NetworkManager_var_run_t

       - Set files with the NetworkManager_var_run_t type, if you want to
       store the NetworkManager files under the /run or /var/run directory
       (the /var/run paths below also cover /run through the distribution's
       own equivalence mapping).


       Paths:
            /var/run/teamd(/.*)?, /var/run/nm-xl2tpd.conf.*,
            /var/run/nm-dhclient.*, /var/run/NetworkManager(/.*)?,
            /var/run/wpa_supplicant(/.*)?, /var/run/wicd.pid,
            /var/run/NetworkManager.pid, /var/run/nm-dns-dnsmasq.conf,
            /var/run/wpa_supplicant-global


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels. A label
       set with chcon alone is not recorded in that database and is reverted
       the next time restorecon or a full relabel runs over the path.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), NetworkManager_ssh_selinux(8)



NetworkManager                     19-12-02          NetworkManager_selinux(8)