NetworkManager_selinux(8)

1NetworkManager_selinux(8)SELinux Policy NetworkManagerNetworkManager_selinux(8)
2
3
4

NAME

6       NetworkManager_selinux  -  Security  Enhanced Linux Policy for the Net‐
7       workManager processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the NetworkManager processes via flexi‐
11       ble mandatory access control.
12
13       The  NetworkManager processes execute with the NetworkManager_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep NetworkManager_t
20
21
22

ENTRYPOINTS

24       The  NetworkManager_t  SELinux  type can be entered via the NetworkMan‐
25       ager_exec_t file type.
26
27       The default entrypoint paths for the NetworkManager_t  domain  are  the
28       following:
29
30       /usr/bin/teamd,         /usr/sbin/wicd,        /usr/bin/NetworkManager,
31       /usr/bin/wpa_supplicant,  /usr/sbin/NetworkManager,  /usr/sbin/wpa_sup‐
32       plicant, /usr/sbin/nm-system-settings
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       NetworkManager  policy  is  very flexible allowing users to setup their
42       NetworkManager processes in as secure a method as possible.
43
44       The following process types are defined for NetworkManager:
45
46       NetworkManager_t, NetworkManager_dispatcher_t, NetworkManager_dispatcher_custom_t, NetworkManager_dispatcher_chronyc_t, NetworkManager_dispatcher_cloud_t, NetworkManager_dispatcher_console_t, NetworkManager_dispatcher_ddclient_t, NetworkManager_dispatcher_dhclient_t, NetworkManager_dispatcher_dnssec_t, NetworkManager_dispatcher_iscsid_t, NetworkManager_dispatcher_sendmail_t, NetworkManager_dispatcher_tlp_t, NetworkManager_dispatcher_winbind_t, NetworkManager_priv_helper_t, NetworkManager_ssh_t
47
48       Note: semanage permissive -a NetworkManager_t can be used to  make  the
49       process  type NetworkManager_t permissive. SELinux does not deny access
50       to permissive process types, but the AVC (SELinux denials) messages are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy  is  customizable based on least access required.  Net‐
56       workManager policy is extremely flexible and has several booleans  that
57       allow  you  to  manipulate  the  policy and run NetworkManager with the
58       tightest access possible.
59
60
61
62       If you want to deny all system processes and Linux users to  use  blue‐
63       tooth wireless technology, you must turn on the deny_bluetooth boolean.
64       Enabled by default.
65
66       setsebool -P deny_bluetooth 1
67
68
69
70       If you want to deny any process from ptracing or  debugging  any  other
71       processes,  you  must  turn  on the deny_ptrace boolean. Enabled by de‐
72       fault.
73
74       setsebool -P deny_ptrace 1
75
76
77
78       If you want to allow all domains to execute in fips_mode, you must turn
79       on the fips_mode boolean. Enabled by default.
80
81       setsebool -P fips_mode 1
82
83
84
85       If  you want to support ecryptfs home directories, you must turn on the
86       use_ecryptfs_home_dirs boolean. Disabled by default.
87
88       setsebool -P use_ecryptfs_home_dirs 1
89
90
91
92       If you want to support NFS home  directories,  you  must  turn  on  the
93       use_nfs_home_dirs boolean. Disabled by default.
94
95       setsebool -P use_nfs_home_dirs 1
96
97
98
99       If  you  want  to  support SAMBA home directories, you must turn on the
100       use_samba_home_dirs boolean. Disabled by default.
101
102       setsebool -P use_samba_home_dirs 1
103
104
105
106       If you want to allow xguest users to configure Network Manager and con‐
107       nect to apache ports, you must turn on the xguest_connect_network bool‐
108       ean. Enabled by default.
109
110       setsebool -P xguest_connect_network 1
111
112
113

MANAGED FILES

115       The SELinux process type NetworkManager_t can manage files labeled with
116       the  following  file types.  The paths listed are the default paths for
117       these file types.  Note the processes UID still need to have  DAC  per‐
118       missions.
119
120       NetworkManager_etc_rw_t
121
122            /etc/NetworkManager/system-connections(/.*)?
123            /etc/NetworkManager/NetworkManager.conf
124
125       NetworkManager_tmp_t
126
127
128       NetworkManager_var_lib_t
129
130            /var/lib/wicd(/.*)?
131            /var/lib/NetworkManager(/.*)?
132            /etc/dhcp/wired-settings.conf
133            /etc/wicd/wired-settings.conf
134            /etc/dhcp/manager-settings.conf
135            /etc/wicd/manager-settings.conf
136            /etc/dhcp/wireless-settings.conf
137            /etc/wicd/wireless-settings.conf
138
139       NetworkManager_var_run_t
140
141            /var/run/teamd(/.*)?
142            /var/run/nm-xl2tpd.conf.*
143            /var/run/nm-dhclient.*
144            /var/run/NetworkManager(/.*)?
145            /var/run/wpa_supplicant(/.*)?
146            /var/run/wicd.pid
147            /var/run/NetworkManager.pid
148            /var/run/nm-dns-dnsmasq.conf
149            /var/run/wpa_supplicant-global
150
151       cluster_conf_t
152
153            /etc/cluster(/.*)?
154
155       cluster_var_lib_t
156
157            /var/lib/pcsd(/.*)?
158            /var/lib/cluster(/.*)?
159            /var/lib/openais(/.*)?
160            /var/lib/pengine(/.*)?
161            /var/lib/corosync(/.*)?
162            /usr/lib/heartbeat(/.*)?
163            /var/lib/heartbeat(/.*)?
164            /var/lib/pacemaker(/.*)?
165
166       cluster_var_run_t
167
168            /var/run/crm(/.*)?
169            /var/run/cman_.*
170            /var/run/rsctmp(/.*)?
171            /var/run/aisexec.*
172            /var/run/heartbeat(/.*)?
173            /var/run/pcsd-ruby.socket
174            /var/run/corosync-qnetd(/.*)?
175            /var/run/corosync-qdevice(/.*)?
176            /var/run/corosync.pid
177            /var/run/cpglockd.pid
178            /var/run/rgmanager.pid
179            /var/run/cluster/rgmanager.sk
180
181       dhcpc_state_t
182
183            /var/lib/dhcp3?/dhclient.*
184            /var/lib/dhcpcd(/.*)?
185            /var/lib/dhclient(/.*)?
186            /var/lib/wifiroamd(/.*)?
187
188       krb5_host_rcache_t
189
190            /var/tmp/krb5_0.rcache2
191            /var/cache/krb5rcache(/.*)?
192            /var/tmp/nfs_0
193            /var/tmp/DNS_25
194            /var/tmp/host_0
195            /var/tmp/imap_0
196            /var/tmp/HTTP_23
197            /var/tmp/HTTP_48
198            /var/tmp/ldap_55
199            /var/tmp/ldap_487
200            /var/tmp/ldapmap1_0
201
202       named_cache_t
203
204            /var/named/data(/.*)?
205            /var/lib/softhsm(/.*)?
206            /var/lib/unbound(/.*)?
207            /var/named/slaves(/.*)?
208            /var/named/dynamic(/.*)?
209            /var/named/chroot/var/tmp(/.*)?
210            /var/named/chroot/var/named/data(/.*)?
211            /var/named/chroot/var/named/slaves(/.*)?
212            /var/named/chroot/var/named/dynamic(/.*)?
213
214       pppd_var_run_t
215
216            /var/run/(i)?ppp.*pid[^/]*
217            /var/run/ppp(/.*)?
218            /var/run/pppd[0-9]*.tdb
219
220       root_t
221
222            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
223            /
224            /initrd
225
226       security_t
227
228            /selinux
229
230       sysfs_t
231
232            /sys(/.*)?
233
234       systemd_passwd_var_run_t
235
236            /var/run/systemd/ask-password(/.*)?
237            /var/run/systemd/ask-password-block(/.*)?
238
239

FILE CONTEXTS

241       SELinux requires files to have an extended attribute to define the file
242       type.
243
244       You can see the context of a file using the -Z option to ls
245
246       Policy governs the access  confined  processes  have  to  these  files.
247       SELinux  NetworkManager policy is very flexible allowing users to setup
248       their NetworkManager processes in as secure a method as possible.
249
250       EQUIVALENCE DIRECTORIES
251
252
253       NetworkManager policy stores data with multiple different file  context
254       types  under  the /var/run/NetworkManager directory.  If you would like
255       to store the data in a different directory you  can  use  the  semanage
256       command  to create an equivalence mapping.  If you wanted to store this
257       data under the /srv directory you would execute the following command:
258
259       semanage fcontext -a -e /var/run/NetworkManager /srv/NetworkManager
260       restorecon -R -v /srv/NetworkManager
261
262       NetworkManager policy stores data with multiple different file  context
263       types  under  the /var/run/wpa_supplicant directory.  If you would like
264       to store the data in a different directory you  can  use  the  semanage
265       command  to create an equivalence mapping.  If you wanted to store this
266       data under the /srv directory you would execute the following command:
267
268       semanage fcontext -a -e /var/run/wpa_supplicant /srv/wpa_supplicant
269       restorecon -R -v /srv/wpa_supplicant
270
271       STANDARD FILE CONTEXT
272
273       SELinux defines the file context types for the NetworkManager,  if  you
274       wanted  to store files with these types in a diffent paths, you need to
275       execute the semanage command to specify alternate labeling and then use
276       restorecon to put the labels on disk.
277
278       semanage  fcontext  -a  -t  NetworkManager_dispatcher_console_var_run_t
279       '/srv/myNetworkManager_content(/.*)?'
280       restorecon -R -v /srv/myNetworkManager_content
281
282       Note: SELinux often uses regular expressions  to  specify  labels  that
283       match multiple files.
284
285       The following file types are defined for NetworkManager:
286
287
288
289       NetworkManager_dispatcher_chronyc_script_t
290
291       -  Set  files with the NetworkManager_dispatcher_chronyc_script_t type,
292       if you want to treat the files  as  NetworkManager  dispatcher  chronyc
293       script data.
294
295
296       Paths:
297            /etc/NetworkManager/dispatcher.d/20-chrony-dhcp, /usr/lib/Network‐
298            Manager/dispatcher.d/20-chrony-dhcp,      /etc/NetworkManager/dis‐
299            patcher.d/20-chrony-onoffline,        /usr/lib/NetworkManager/dis‐
300            patcher.d/20-chrony-onoffline
301
302
303       NetworkManager_dispatcher_cloud_script_t
304
305       - Set files with the NetworkManager_dispatcher_cloud_script_t type,  if
306       you  want  to treat the files as NetworkManager dispatcher cloud script
307       data.
308
309
310       Paths:
311            /etc/NetworkManager/dispatcher.d/hook-network-manager,   /etc/Net‐
312            workManager/dispatcher.d/cloud-init-azure-hook,  /usr/lib/Network‐
313            Manager/dispatcher.d/90-nm-cloud-setup.sh,    /usr/lib/NetworkMan‐
314            ager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh
315
316
317       NetworkManager_dispatcher_console_script_t
318
319       -  Set  files with the NetworkManager_dispatcher_console_script_t type,
320       if you want to treat the files  as  NetworkManager  dispatcher  console
321       script data.
322
323
324
325       NetworkManager_dispatcher_console_var_run_t
326
327       -  Set files with the NetworkManager_dispatcher_console_var_run_t type,
328       if you want to store the NetworkManager dispatcher console files  under
329       the /run or /var/run directory.
330
331
332
333       NetworkManager_dispatcher_ddclient_script_t
334
335       -  Set files with the NetworkManager_dispatcher_ddclient_script_t type,
336       if you want to treat the files as  NetworkManager  dispatcher  ddclient
337       script data.
338
339
340
341       NetworkManager_dispatcher_dhclient_script_t
342
343       -  Set files with the NetworkManager_dispatcher_dhclient_script_t type,
344       if you want to treat the files as  NetworkManager  dispatcher  dhclient
345       script data.
346
347
348       Paths:
349            /etc/NetworkManager/dispatcher.d/11-dhclient, /usr/lib/NetworkMan‐
350            ager/dispatcher.d/11-dhclient
351
352
353       NetworkManager_dispatcher_dnssec_script_t
354
355       - Set files with the NetworkManager_dispatcher_dnssec_script_t type, if
356       you  want to treat the files as NetworkManager dispatcher dnssec script
357       data.
358
359
360
361       NetworkManager_dispatcher_exec_t
362
363       - Set files with the NetworkManager_dispatcher_exec_t type, if you want
364       to transition an executable to the NetworkManager_dispatcher_t domain.
365
366
367
368       NetworkManager_dispatcher_iscsid_script_t
369
370       - Set files with the NetworkManager_dispatcher_iscsid_script_t type, if
371       you want to treat the files as NetworkManager dispatcher iscsid  script
372       data.
373
374
375
376       NetworkManager_dispatcher_script_t
377
378       -  Set  files  with the NetworkManager_dispatcher_script_t type, if you
379       want to treat the files as NetworkManager dispatcher script data.
380
381
382       Paths:
383            /etc/NetworkManager/dispatcher.d(/.*)?,       /usr/lib/NetworkMan‐
384            ager/dispatcher.d(/.*)?
385
386
387       NetworkManager_dispatcher_sendmail_script_t
388
389       -  Set files with the NetworkManager_dispatcher_sendmail_script_t type,
390       if you want to treat the files as  NetworkManager  dispatcher  sendmail
391       script data.
392
393
394
395       NetworkManager_dispatcher_tlp_script_t
396
397       -  Set  files  with the NetworkManager_dispatcher_tlp_script_t type, if
398       you want to treat the files as  NetworkManager  dispatcher  tlp  script
399       data.
400
401
402
403       NetworkManager_dispatcher_winbind_script_t
404
405       -  Set  files with the NetworkManager_dispatcher_winbind_script_t type,
406       if you want to treat the files  as  NetworkManager  dispatcher  winbind
407       script data.
408
409
410
411       NetworkManager_etc_rw_t
412
413       - Set files with the NetworkManager_etc_rw_t type, if you want to treat
414       the files as NetworkManager etc read/write content.
415
416
417       Paths:
418            /etc/NetworkManager/system-connections(/.*)?,     /etc/NetworkMan‐
419            ager/NetworkManager.conf
420
421
422       NetworkManager_etc_t
423
424       -  Set  files  with the NetworkManager_etc_t type, if you want to store
425       NetworkManager files in the /etc directories.
426
427
428
429       NetworkManager_exec_t
430
431       - Set files with the NetworkManager_exec_t type, if you want to transi‐
432       tion an executable to the NetworkManager_t domain.
433
434
435       Paths:
436            /usr/bin/teamd,      /usr/sbin/wicd,      /usr/bin/NetworkManager,
437            /usr/bin/wpa_supplicant,                 /usr/sbin/NetworkManager,
438            /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings
439
440
441       NetworkManager_initrc_exec_t
442
443       -  Set files with the NetworkManager_initrc_exec_t type, if you want to
444       transition an executable to the NetworkManager_initrc_t domain.
445
446
447
448       NetworkManager_log_t
449
450       - Set files with the NetworkManager_log_t type, if you  want  to  treat
451       the  data as NetworkManager log data, usually stored under the /var/log
452       directory.
453
454
455       Paths:
456            /var/log/wicd.*, /var/log/wpa_supplicant.*
457
458
459       NetworkManager_priv_helper_exec_t
460
461       - Set files with the  NetworkManager_priv_helper_exec_t  type,  if  you
462       want  to  transition  an executable to the NetworkManager_priv_helper_t
463       domain.
464
465
466
467       NetworkManager_tmp_t
468
469       - Set files with the NetworkManager_tmp_t type, if you  want  to  store
470       NetworkManager temporary files in the /tmp directories.
471
472
473
474       NetworkManager_unit_file_t
475
476       -  Set  files  with the NetworkManager_unit_file_t type, if you want to
477       treat the files as NetworkManager unit content.
478
479
480       Paths:
481            /usr/lib/systemd/system/NetworkManager.*,    /usr/lib/systemd/sys‐
482            tem/nm-cloud-setup.(service|timer)
483
484
485       NetworkManager_var_lib_t
486
487       -  Set  files  with  the  NetworkManager_var_lib_t type, if you want to
488       store the NetworkManager files under the /var/lib directory.
489
490
491       Paths:
492            /var/lib/wicd(/.*)?,                /var/lib/NetworkManager(/.*)?,
493            /etc/dhcp/wired-settings.conf,      /etc/wicd/wired-settings.conf,
494            /etc/dhcp/manager-settings.conf,  /etc/wicd/manager-settings.conf,
495            /etc/dhcp/wireless-settings.conf, /etc/wicd/wireless-settings.conf
496
497
498       NetworkManager_var_run_t
499
500       -  Set  files  with  the  NetworkManager_var_run_t type, if you want to
501       store the NetworkManager files under the /run or /var/run directory.
502
503
504       Paths:
505            /var/run/teamd(/.*)?,   /var/run/nm-xl2tpd.conf.*,    /var/run/nm-
506            dhclient.*,   /var/run/NetworkManager(/.*)?,  /var/run/wpa_suppli‐
507            cant(/.*)?,    /var/run/wicd.pid,     /var/run/NetworkManager.pid,
508            /var/run/nm-dns-dnsmasq.conf, /var/run/wpa_supplicant-global
509
510
511       Note:  File context can be temporarily modified with the chcon command.
512       If you want to permanently change the file context you need to use  the
513       semanage fcontext command.  This will modify the SELinux labeling data‐
514       base.  You will need to use restorecon to apply the labels.
515
516

COMMANDS

518       semanage fcontext can also be used to manipulate default  file  context
519       mappings.
520
521       semanage  permissive  can  also  be used to manipulate whether or not a
522       process type is permissive.
523
524       semanage module can also be used to enable/disable/install/remove  pol‐
525       icy modules.
526
527       semanage boolean can also be used to manipulate the booleans
528
529
530       system-config-selinux is a GUI tool available to customize SELinux pol‐
531       icy settings.
532
533

AUTHOR

535       This manual page was auto-generated using sepolicy manpage .
536
537