NetworkManager_selinux(8)     SELinux Policy NetworkManager     NetworkManager_selinux(8)

NAME

NetworkManager_selinux - Security Enhanced Linux Policy for the NetworkManager processes

DESCRIPTION

Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access control.

The NetworkManager processes execute with the NetworkManager_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep NetworkManager_t

ENTRYPOINTS

The NetworkManager_t SELinux type can be entered via the NetworkManager_exec_t file type.

The default entrypoint paths for the NetworkManager_t domain are the following:

/usr/bin/teamd, /usr/sbin/wicd, /usr/bin/NetworkManager, /usr/bin/wpa_supplicant, /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings

PROCESS TYPES

SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux NetworkManager policy is very flexible, allowing users to set up their NetworkManager processes as securely as possible.

The following process types are defined for NetworkManager:

NetworkManager_t, NetworkManager_dispatcher_t, NetworkManager_dispatcher_custom_t, NetworkManager_dispatcher_chronyc_t, NetworkManager_dispatcher_cloud_t, NetworkManager_dispatcher_console_t, NetworkManager_dispatcher_ddclient_t, NetworkManager_dispatcher_dhclient_t, NetworkManager_dispatcher_dnssec_t, NetworkManager_dispatcher_iscsid_t, NetworkManager_dispatcher_sendmail_t, NetworkManager_dispatcher_tlp_t, NetworkManager_dispatcher_winbind_t, NetworkManager_priv_helper_t, NetworkManager_ssh_t

Note: semanage permissive -a NetworkManager_t can be used to make the process type NetworkManager_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.


BOOLEANS

SELinux policy is customizable based on the least access required. NetworkManager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run NetworkManager with the tightest access possible.

If you want to deny all system processes and Linux users the use of Bluetooth wireless technology, you must turn on the deny_bluetooth boolean. Enabled by default.

setsebool -P deny_bluetooth 1

If you want to deny any process from ptracing or debugging any other process, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default.

setsebool -P use_ecryptfs_home_dirs 1

If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. Enabled by default.

setsebool -P xguest_connect_network 1

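The booleans above are the ones an administrator should check for drift on a hardened host. The following POSIX sh script is an added example, not part of this generated page or of sepolicy: it reads text in the format printed by getsebool -a (a constructed sample is embedded; the function name audit_nm_booleans and the NM_BOOLEAN_DEFAULTS table are this example's own) and reports every documented boolean whose current value differs from the default the page states.

```shell
#!/bin/sh
# Added example (not from the page or from sepolicy): compare the booleans
# documented above against the defaults the page states. Input is text in
# the format printed by "getsebool -a" ("name --> on"), read from stdin, so
# it works on live output or on a saved snapshot from another host.

# Documented defaults, name=value, taken from the BOOLEANS section.
NM_BOOLEAN_DEFAULTS='deny_bluetooth=on
deny_ptrace=on
fips_mode=on
use_ecryptfs_home_dirs=off
use_nfs_home_dirs=off
use_samba_home_dirs=off
xguest_connect_network=on'

# audit_nm_booleans: read getsebool output on stdin and print one line
# "name current expected" per boolean that differs from its documented
# default ("absent" when the boolean is not in the input). Prints nothing
# when everything matches, so an empty result means "as documented".
audit_nm_booleans() {
    input=$(cat)
    printf '%s\n' "$NM_BOOLEAN_DEFAULTS" | while IFS='=' read -r name expected; do
        current=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ -n "$current" ] || current=absent
        [ "$current" = "$expected" ] || printf '%s %s %s\n' "$name" "$current" "$expected"
    done
}

# Constructed sample of getsebool output (two drifted values, one missing).
SAMPLE_GETSEBOOL='deny_bluetooth --> on
deny_ptrace --> off
fips_mode --> on
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
xguest_connect_network --> on
httpd_can_network_connect --> off'

# Stand-alone run on the sample; on a real host: getsebool -a | audit_nm_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_nm_booleans
```

A non-empty report is the signal to investigate, since a flipped deny_ptrace or home-directory boolean widens what every confined domain on the host may do, not just NetworkManager_t.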
MANAGED FILES

The SELinux process type NetworkManager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

NetworkManager_etc_rw_t

/etc/NetworkManager/system-connections(/.*)?
/etc/NetworkManager/NetworkManager.conf

NetworkManager_tmp_t

NetworkManager_var_lib_t

/var/lib/wicd(/.*)?
/var/lib/NetworkManager(/.*)?
/etc/dhcp/wired-settings.conf
/etc/wicd/wired-settings.conf
/etc/dhcp/manager-settings.conf
/etc/wicd/manager-settings.conf
/etc/dhcp/wireless-settings.conf
/etc/wicd/wireless-settings.conf

NetworkManager_var_run_t

/var/run/teamd(/.*)?
/var/run/nm-xl2tpd.conf.*
/var/run/nm-dhclient.*
/var/run/NetworkManager(/.*)?
/var/run/wpa_supplicant(/.*)?
/var/run/wicd.pid
/var/run/NetworkManager.pid
/var/run/nm-dns-dnsmasq.conf
/var/run/wpa_supplicant-global

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

dhcpc_state_t

/var/lib/dhcp3?/dhclient.*
/var/lib/dhcpcd(/.*)?
/var/lib/dhclient(/.*)?
/var/lib/wifiroamd(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

named_cache_t

/var/named/data(/.*)?
/var/lib/softhsm(/.*)?
/var/lib/unbound(/.*)?
/var/named/slaves(/.*)?
/var/named/dynamic(/.*)?
/var/named/chroot/var/tmp(/.*)?
/var/named/chroot/var/named/data(/.*)?
/var/named/chroot/var/named/slaves(/.*)?
/var/named/chroot/var/named/dynamic(/.*)?

pppd_var_run_t

/var/run/(i)?ppp.*pid[^/]*
/var/run/ppp(/.*)?
/var/run/pppd[0-9]*.tdb

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

sysfs_t

/sys(/.*)?

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux NetworkManager policy is very flexible, allowing users to set up their NetworkManager processes as securely as possible.

EQUIVALENCE DIRECTORIES

NetworkManager policy stores data with multiple different file context types under the /var/run/NetworkManager directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/NetworkManager /srv/NetworkManager
restorecon -R -v /srv/NetworkManager

NetworkManager policy stores data with multiple different file context types under the /var/run/wpa_supplicant directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/wpa_supplicant /srv/wpa_supplicant
restorecon -R -v /srv/wpa_supplicant

STANDARD FILE CONTEXT

SELinux defines the file context types for NetworkManager. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t NetworkManager_dispatcher_console_var_run_t '/srv/myNetworkManager_content(/.*)?'
restorecon -R -v /srv/myNetworkManager_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

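To make the regular-expression matching concrete, here is an added example in POSIX sh that is not part of this generated page or of sepolicy: it answers which of the file types documented on this page a given path would receive, using a subset of the page's own patterns (the NM_FILE_CONTEXTS table and the nm_label_for function are this example's own names). It assumes the patterns are anchored extended regular expressions matched last-match-wins, as file_contexts(5) orders them, and it applies the /srv/NetworkManager equivalence from the EQUIVALENCE DIRECTORIES section as a prefix rewrite before matching; it is a reading aid for the regexes, not a substitute for matchpathcon(8).

```shell
#!/bin/sh
# Added example (not from the page or from sepolicy): resolve the documented
# NetworkManager file type for a path, from a subset of the patterns above.
# Assumptions: patterns are anchored extended regexes, the last matching
# pattern wins (file_contexts(5) order, general before specific), and an
# equivalence mapping rewrites the path prefix before matching.

# "regex type" pairs, one per line, general entries first.
NM_FILE_CONTEXTS='/etc/NetworkManager/dispatcher.d(/.*)? NetworkManager_dispatcher_script_t
/etc/NetworkManager/dispatcher.d/11-dhclient NetworkManager_dispatcher_dhclient_script_t
/etc/NetworkManager/dispatcher.d/20-chrony-dhcp NetworkManager_dispatcher_chronyc_script_t
/etc/NetworkManager/system-connections(/.*)? NetworkManager_etc_rw_t
/etc/NetworkManager/NetworkManager.conf NetworkManager_etc_rw_t
/var/run/NetworkManager(/.*)? NetworkManager_var_run_t
/var/run/nm-dhclient.* NetworkManager_var_run_t
/var/lib/NetworkManager(/.*)? NetworkManager_var_lib_t
/var/log/wpa_supplicant.* NetworkManager_log_t
/usr/sbin/NetworkManager NetworkManager_exec_t'

# The equivalence created by "semanage fcontext -a -e" in the section above:
# paths under /srv/NetworkManager are labelled as if under /var/run/NetworkManager.
NM_EQUIV_SRC=/srv/NetworkManager
NM_EQUIV_DST=/var/run/NetworkManager

# nm_label_for PATH: print the type the path would get, or "unlabeled".
nm_label_for() {
    path=$1
    case "$path" in
        "$NM_EQUIV_SRC"|"$NM_EQUIV_SRC"/*)
            path="$NM_EQUIV_DST${path#"$NM_EQUIV_SRC"}" ;;
    esac
    result=unlabeled
    # Every match overwrites the result, so the last matching line wins.
    while read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$type
        fi
    done <<EOF
$NM_FILE_CONTEXTS
EOF
    printf '%s\n' "$result"
}

# Stand-alone run: a specific dispatcher script, a generic one, the
# equivalence rewrite, and a path no NetworkManager pattern covers.
for p in /etc/NetworkManager/dispatcher.d/11-dhclient \
         /etc/NetworkManager/dispatcher.d/99-local \
         /srv/NetworkManager/devices/eth0 /etc/passwd; do
    printf '%s -> %s\n' "$p" "$(nm_label_for "$p")"
done
```

The dispatcher case shows why ordering matters: /etc/NetworkManager/dispatcher.d(/.*)? matches every script, but the more specific 11-dhclient entry listed after it is what the file actually receives.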
The following file types are defined for NetworkManager:

NetworkManager_dispatcher_chronyc_script_t

- Set files with the NetworkManager_dispatcher_chronyc_script_t type, if you want to treat the files as NetworkManager dispatcher chronyc script data.

Paths:
/etc/NetworkManager/dispatcher.d/20-chrony-dhcp, /usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp, /etc/NetworkManager/dispatcher.d/20-chrony-onoffline, /usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline

NetworkManager_dispatcher_cloud_script_t

- Set files with the NetworkManager_dispatcher_cloud_script_t type, if you want to treat the files as NetworkManager dispatcher cloud script data.

Paths:
/etc/NetworkManager/dispatcher.d/hook-network-manager, /etc/NetworkManager/dispatcher.d/cloud-init-azure-hook, /usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh, /usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh

NetworkManager_dispatcher_console_script_t

- Set files with the NetworkManager_dispatcher_console_script_t type, if you want to treat the files as NetworkManager dispatcher console script data.

NetworkManager_dispatcher_console_var_run_t

- Set files with the NetworkManager_dispatcher_console_var_run_t type, if you want to store the NetworkManager dispatcher console files under the /run or /var/run directory.

NetworkManager_dispatcher_ddclient_script_t

- Set files with the NetworkManager_dispatcher_ddclient_script_t type, if you want to treat the files as NetworkManager dispatcher ddclient script data.

NetworkManager_dispatcher_dhclient_script_t

- Set files with the NetworkManager_dispatcher_dhclient_script_t type, if you want to treat the files as NetworkManager dispatcher dhclient script data.

Paths:
/etc/NetworkManager/dispatcher.d/11-dhclient, /usr/lib/NetworkManager/dispatcher.d/11-dhclient

NetworkManager_dispatcher_dnssec_script_t

- Set files with the NetworkManager_dispatcher_dnssec_script_t type, if you want to treat the files as NetworkManager dispatcher dnssec script data.

NetworkManager_dispatcher_exec_t

- Set files with the NetworkManager_dispatcher_exec_t type, if you want to transition an executable to the NetworkManager_dispatcher_t domain.

NetworkManager_dispatcher_iscsid_script_t

- Set files with the NetworkManager_dispatcher_iscsid_script_t type, if you want to treat the files as NetworkManager dispatcher iscsid script data.

NetworkManager_dispatcher_script_t

- Set files with the NetworkManager_dispatcher_script_t type, if you want to treat the files as NetworkManager dispatcher script data.

Paths:
/etc/NetworkManager/dispatcher.d(/.*)?, /usr/lib/NetworkManager/dispatcher.d(/.*)?

NetworkManager_dispatcher_sendmail_script_t

- Set files with the NetworkManager_dispatcher_sendmail_script_t type, if you want to treat the files as NetworkManager dispatcher sendmail script data.

NetworkManager_dispatcher_tlp_script_t

- Set files with the NetworkManager_dispatcher_tlp_script_t type, if you want to treat the files as NetworkManager dispatcher tlp script data.

NetworkManager_dispatcher_winbind_script_t

- Set files with the NetworkManager_dispatcher_winbind_script_t type, if you want to treat the files as NetworkManager dispatcher winbind script data.

NetworkManager_etc_rw_t

- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content.

Paths:
/etc/NetworkManager/system-connections(/.*)?, /etc/NetworkManager/NetworkManager.conf

NetworkManager_etc_t

- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories.

NetworkManager_exec_t

- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain.

Paths:
/usr/bin/teamd, /usr/sbin/wicd, /usr/bin/NetworkManager, /usr/bin/wpa_supplicant, /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings

NetworkManager_initrc_exec_t

- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain.

NetworkManager_log_t

- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory.

Paths:
/var/log/wicd.*, /var/log/wpa_supplicant.*

NetworkManager_priv_helper_exec_t

- Set files with the NetworkManager_priv_helper_exec_t type, if you want to transition an executable to the NetworkManager_priv_helper_t domain.

NetworkManager_tmp_t

- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories.

NetworkManager_unit_file_t

- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content.

Paths:
/usr/lib/systemd/system/NetworkManager.*, /usr/lib/systemd/system/nm-cloud-setup.(service|timer)

NetworkManager_var_lib_t

- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory.

Paths:
/var/lib/wicd(/.*)?, /var/lib/NetworkManager(/.*)?, /etc/dhcp/wired-settings.conf, /etc/wicd/wired-settings.conf, /etc/dhcp/manager-settings.conf, /etc/wicd/manager-settings.conf, /etc/dhcp/wireless-settings.conf, /etc/wicd/wireless-settings.conf

NetworkManager_var_run_t

- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run or /var/run directory.

Paths:
/var/run/teamd(/.*)?, /var/run/nm-xl2tpd.conf.*, /var/run/nm-dhclient.*, /var/run/NetworkManager(/.*)?, /var/run/wpa_supplicant(/.*)?, /var/run/wicd.pid, /var/run/NetworkManager.pid, /var/run/nm-dns-dnsmasq.conf, /var/run/wpa_supplicant-global

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

COMMANDS

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), NetworkManager_dispatcher_selinux(8), NetworkManager_dispatcher_chronyc_selinux(8), NetworkManager_dispatcher_cloud_selinux(8), NetworkManager_dispatcher_console_selinux(8), NetworkManager_dispatcher_custom_selinux(8), NetworkManager_dispatcher_ddclient_selinux(8), NetworkManager_dispatcher_dhclient_selinux(8), NetworkManager_dispatcher_dnssec_selinux(8), NetworkManager_dispatcher_iscsid_selinux(8), NetworkManager_dispatcher_sendmail_selinux(8), NetworkManager_dispatcher_tlp_selinux(8), NetworkManager_dispatcher_winbind_selinux(8), NetworkManager_priv_helper_selinux(8), NetworkManager_ssh_selinux(8)

NetworkManager     23-02-03     NetworkManager_selinux(8)