NetworkManager_selinux(8)        SELinux Policy NetworkManager        NetworkManager_selinux(8)


NAME

NetworkManager_selinux - Security Enhanced Linux Policy for the NetworkManager processes


DESCRIPTION

Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access control.

The NetworkManager processes execute with the NetworkManager_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep NetworkManager_t


ENTRYPOINTS

The NetworkManager_t SELinux type can be entered via the NetworkManager_exec_t file type.

The default entrypoint paths for the NetworkManager_t domain are the following:

/usr/bin/teamd, /usr/sbin/wicd, /usr/bin/NetworkManager, /usr/bin/wpa_supplicant, /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings

PROCESS TYPES

SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux NetworkManager policy is very flexible, allowing users to set up their NetworkManager processes in as secure a manner as possible.

The following process types are defined for NetworkManager:

NetworkManager_t, NetworkManager_dispatcher_t, NetworkManager_dispatcher_custom_t, NetworkManager_dispatcher_chronyc_t, NetworkManager_dispatcher_cloud_t, NetworkManager_dispatcher_console_t, NetworkManager_dispatcher_ddclient_t, NetworkManager_dispatcher_dhclient_t, NetworkManager_dispatcher_dnssec_t, NetworkManager_dispatcher_iscsid_t, NetworkManager_dispatcher_sendmail_t, NetworkManager_dispatcher_tlp_t, NetworkManager_dispatcher_winbind_t, NetworkManager_priv_helper_t, NetworkManager_ssh_t

Note: semanage permissive -a NetworkManager_t can be used to make the process type NetworkManager_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.
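The two checks this section invites, as an added example that is not part of the man page or of the NetworkManager and sepolicy projects: the first parses ps -eZ output and flags entrypoint binaries (the ones listed under ENTRYPOINTS) whose process is not in NetworkManager_t; the second summarizes AVC records from audit.log for the NetworkManager_t domain and uses the permissive= field to separate enforced denials from the ones a permissive domain still logs. The ps and audit lines are constructed. That a service binary which lost its entrypoint label runs as unconfined_service_t when systemd starts it is the Fedora/RHEL targeted-policy behaviour and is taken as an assumption here.

```python
"""Confinement audit for NetworkManager: flag entrypoint binaries running
outside NetworkManager_t and summarize AVC denials raised by that domain.
Added example, not part of the sepolicy-generated man page; all sample
input below is constructed."""
import re

# Domain and entrypoint binaries as listed in the ENTRYPOINTS section above.
NM_DOMAIN = "NetworkManager_t"
NM_ENTRYPOINT_COMMS = {"NetworkManager", "wpa_supplicant", "teamd", "wicd"}

# Constructed `ps -eZ` output (columns: LABEL PID TTY TIME CMD). The third
# process models a wpa_supplicant binary that lost its NetworkManager_exec_t
# label: started by systemd it runs in unconfined_service_t (assumed
# Fedora/RHEL targeted-policy behaviour), i.e. with no confinement at all.
PS_EZ_SAMPLE = """\
LABEL                                           PID TTY          TIME CMD
system_u:system_r:NetworkManager_t:s0           812 ?        00:00:03 NetworkManager
system_u:system_r:NetworkManager_t:s0           845 ?        00:00:00 wpa_supplicant
system_u:system_r:unconfined_service_t:s0       901 ?        00:00:00 wpa_supplicant
system_u:system_r:NetworkManager_dispatcher_t:s0 955 ?       00:00:00 nm-dispatcher
"""

# Constructed auditd AVC records. The third one carries permissive=1, which is
# what a domain made permissive with `semanage permissive -a NetworkManager_t`
# produces: the access went through, but the denial was still recorded.
AVC_SAMPLE = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=812 comm="NetworkManager" name="resolv.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { execute } for  pid=955 comm="nm-dispatcher" name="10-custom.sh" dev="dm-0" ino=5678 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=812 comm="NetworkManager" name="shadow" dev="dm-0" ino=42 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def domain_of(context):
    """Type field of a user:role:type[:level] SELinux context string."""
    return context.split(":")[2]


def unconfined_entrypoints(ps_output):
    """Return (pid, comm, domain) for every entrypoint binary whose process
    is not running in NM_DOMAIN."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        context, pid, comm = fields[0], int(fields[1]), fields[-1]
        if comm in NM_ENTRYPOINT_COMMS and domain_of(context) != NM_DOMAIN:
            findings.append((pid, comm, domain_of(context)))
    return findings


def summarize_denials(log, domain=NM_DOMAIN):
    """Group AVC denials whose source domain is `domain` by
    (permissions, target type, object class); `enforced` is False when the
    record was logged by a permissive domain (permissive=1)."""
    summary = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None or domain_of(m["scontext"]) != domain:
            continue
        key = (m["perms"].strip(), domain_of(m["tcontext"]), m["tclass"])
        entry = summary.setdefault(key, {"count": 0, "enforced": m["permissive"] != "1"})
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for pid, comm, dom in unconfined_entrypoints(PS_EZ_SAMPLE):
        print(f"pid {pid} ({comm}) runs in {dom}, expected {NM_DOMAIN}: relabel its binary")
    for (perms, ttype, tclass), info in summarize_denials(AVC_SAMPLE).items():
        state = "ENFORCED" if info["enforced"] else "permissive (logged only)"
        print(f"{NM_DOMAIN} -> {ttype} {tclass} {{ {perms} }}: {info['count']}x {state}")
```

A non-empty result from unconfined_entrypoints means the binary is no longer labeled NetworkManager_exec_t (confirm with ls -Z and fix with restorecon -v on the path, then restart the service). Denials reported with enforced True are the ones that actually blocked NetworkManager; the ones with enforced False are what you review while the domain is permissive, before deciding whether a boolean, a relabel or a local policy module is the right fix.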


BOOLEANS

SELinux policy is customizable based on least access required. NetworkManager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run NetworkManager with the tightest access possible.


If you want to dontaudit all daemons' scheduling requests (setsched, sys_nice), you must turn on the daemons_dontaudit_scheduling boolean. Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1


If you want to deny all system processes and Linux users the use of bluetooth wireless technology, you must turn on the deny_bluetooth boolean. Disabled by default.

setsebool -P deny_bluetooth 1


If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Disabled by default.

setsebool -P deny_ptrace 1


If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1


If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1


If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default.

setsebool -P use_ecryptfs_home_dirs 1


If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1


If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1


If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. Enabled by default.

setsebool -P xguest_connect_network 1



MANAGED FILES

The SELinux process type NetworkManager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs DAC permission on the file.

NetworkManager_etc_rw_t

/etc/NetworkManager/system-connections(/.*)?
/etc/NetworkManager/NetworkManager.conf

NetworkManager_tmp_t


NetworkManager_var_lib_t

/var/lib/wicd(/.*)?
/var/lib/NetworkManager(/.*)?
/etc/dhcp/wired-settings.conf
/etc/wicd/wired-settings.conf
/etc/dhcp/manager-settings.conf
/etc/wicd/manager-settings.conf
/etc/dhcp/wireless-settings.conf
/etc/wicd/wireless-settings.conf

NetworkManager_var_run_t

/var/run/teamd(/.*)?
/var/run/nm-xl2tpd.conf.*
/var/run/nm-dhclient.*
/var/run/NetworkManager(/.*)?
/var/run/wpa_supplicant(/.*)?
/var/run/wicd.pid
/var/run/NetworkManager.pid
/var/run/nm-dns-dnsmasq.conf
/var/run/wpa_supplicant-global

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

dhcpc_state_t

/var/lib/dhcp3?/dhclient.*
/var/lib/dhcpcd(/.*)?
/var/lib/dhclient(/.*)?
/var/lib/wifiroamd(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

named_cache_t

/var/named/data(/.*)?
/var/lib/softhsm(/.*)?
/var/lib/unbound(/.*)?
/var/named/slaves(/.*)?
/var/named/dynamic(/.*)?
/var/named/chroot/var/tmp(/.*)?
/var/named/chroot/var/named/data(/.*)?
/var/named/chroot/var/named/slaves(/.*)?
/var/named/chroot/var/named/dynamic(/.*)?

pppd_var_run_t

/var/run/(i)?ppp.*pid[^/]*
/var/run/ppp(/.*)?
/var/run/pppd[0-9]*.tdb

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

sysfs_t

/sys(/.*)?

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?


FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux NetworkManager policy is very flexible, allowing users to set up their NetworkManager processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES


NetworkManager policy stores data with multiple different file context types under the /var/run/NetworkManager directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/NetworkManager /srv/NetworkManager
restorecon -R -v /srv/NetworkManager

NetworkManager policy stores data with multiple different file context types under the /var/run/wpa_supplicant directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/wpa_supplicant /srv/wpa_supplicant
restorecon -R -v /srv/wpa_supplicant

STANDARD FILE CONTEXT

SELinux defines the file context types for NetworkManager. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk. Choose the type that matches what the files are: NetworkManager_exec_t, used in the example below, is the entrypoint type of the NetworkManager_t domain, so it belongs only on executables that are meant to start NetworkManager confined.

semanage fcontext -a -t NetworkManager_exec_t '/srv/NetworkManager/content(/.*)?'
restorecon -R -v /srv/NetworkManager/content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
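A worked example of how the equivalence mapping and the regular-expression file contexts above resolve a path, added here and not taken from the man page or from libselinux: it applies the semanage -e substitution, then matches the anchored patterns listed on this page and returns the most specific one. The rule that the entry with the longest literal prefix wins, with the later entry breaking ties, is how libselinux orders its specs as far as the editor knows and is an assumption of this example; the file-class column of real file_contexts rows and the /run to /var/run substitution that real systems also apply are left out.

```python
"""Predict the file type restorecon would apply to a path from a
file_contexts style table, including a `semanage fcontext -a -e`
equivalence. Added example, not code from the man page or from the
SELinux tooling; the table is built from the paths listed on this page."""
import re

# (regex, type) rows taken from the FILE CONTEXTS section. Real file_contexts
# rows also carry a file class (-- regular file, -d directory, ...), which
# this example ignores.
FILE_CONTEXTS = [
    (r"/etc/NetworkManager/system-connections(/.*)?", "NetworkManager_etc_rw_t"),
    (r"/etc/NetworkManager/NetworkManager\.conf", "NetworkManager_etc_rw_t"),
    (r"/var/run/NetworkManager(/.*)?", "NetworkManager_var_run_t"),
    (r"/var/run/nm-dhclient.*", "NetworkManager_var_run_t"),
    (r"/usr/lib/NetworkManager/dispatcher\.d(/.*)?", "NetworkManager_dispatcher_script_t"),
    (r"/usr/lib/NetworkManager/dispatcher\.d/11-dhclient", "NetworkManager_dispatcher_dhclient_script_t"),
    (r"/usr/bin/NetworkManager", "NetworkManager_exec_t"),
]

# Equivalence created by `semanage fcontext -a -e /var/run/NetworkManager
# /srv/NetworkManager`: paths under the second directory are labeled as if
# they were under the first. The substitution applies on whole path
# components only, so /srv/NetworkManagerX is left alone.
EQUIVALENCES = {"/srv/NetworkManager": "/var/run/NetworkManager"}

REGEX_META = set(r".^$*+?{}[]|()")


def literal_prefix_len(pattern):
    """Length of the metacharacter-free prefix of a regex, counting an
    escaped character such as \\. as one literal character. This is the
    specificity measure: libselinux orders its specs by the length of this
    stem so that the most specific entry wins (an assumption here)."""
    n = i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            n += 1
            i += 2
            continue
        if pattern[i] in REGEX_META:
            break
        n += 1
        i += 1
    return n


def apply_equivalence(path):
    """Rewrite `path` through EQUIVALENCES, matching on component boundaries."""
    for alias, target in EQUIVALENCES.items():
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def expected_type(path):
    """Return (type, winning pattern) for `path`, or None when no row
    matches; restorecon leaves such files with whatever label they have.
    Patterns are anchored at both ends, exactly as file_contexts entries
    are, so a regex never matches a mere prefix of the path."""
    canonical = apply_equivalence(path)
    best = None
    for order, (pattern, ftype) in enumerate(FILE_CONTEXTS):
        if re.fullmatch(pattern, canonical) is None:
            continue
        rank = (literal_prefix_len(pattern), order)  # most specific, then latest
        if best is None or rank > best[0]:
            best = (rank, ftype, pattern)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for p in ("/srv/NetworkManager/internal-config",
              "/usr/lib/NetworkManager/dispatcher.d/11-dhclient",
              "/usr/lib/NetworkManager/dispatcher.d/30-custom",
              "/etc/NetworkManager/NetworkManager.conf.bak",
              "/usr/bin/NetworkManagerX"):
        print(p, "->", expected_type(p))
```

On a live system the same question is answered by matchpathcon PATH (or semanage fcontext -l to see the rows, including the local and equivalence ones you added). The two None results are the cases worth remembering: a backup copy of NetworkManager.conf matches no row, so restorecon will not relabel it, and the anchoring means a pattern for /usr/bin/NetworkManager never spills onto a differently named binary next to it.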

The following file types are defined for NetworkManager:


NetworkManager_dispatcher_chronyc_script_t

- Set files with the NetworkManager_dispatcher_chronyc_script_t type, if you want to treat the files as NetworkManager dispatcher chronyc script data.

Paths:
/etc/NetworkManager/dispatcher.d/20-chrony-dhcp, /usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp, /etc/NetworkManager/dispatcher.d/20-chrony-onoffline, /usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline


NetworkManager_dispatcher_cloud_script_t

- Set files with the NetworkManager_dispatcher_cloud_script_t type, if you want to treat the files as NetworkManager dispatcher cloud script data.

Paths:
/etc/NetworkManager/dispatcher.d/hook-network-manager, /etc/NetworkManager/dispatcher.d/cloud-init-azure-hook, /usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh, /usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh


NetworkManager_dispatcher_console_script_t

- Set files with the NetworkManager_dispatcher_console_script_t type, if you want to treat the files as NetworkManager dispatcher console script data.


NetworkManager_dispatcher_console_var_run_t

- Set files with the NetworkManager_dispatcher_console_var_run_t type, if you want to store the NetworkManager dispatcher console files under the /run or /var/run directory.


NetworkManager_dispatcher_ddclient_script_t

- Set files with the NetworkManager_dispatcher_ddclient_script_t type, if you want to treat the files as NetworkManager dispatcher ddclient script data.


NetworkManager_dispatcher_dhclient_script_t

- Set files with the NetworkManager_dispatcher_dhclient_script_t type, if you want to treat the files as NetworkManager dispatcher dhclient script data.

Paths:
/etc/NetworkManager/dispatcher.d/11-dhclient, /usr/lib/NetworkManager/dispatcher.d/11-dhclient


NetworkManager_dispatcher_dnssec_script_t

- Set files with the NetworkManager_dispatcher_dnssec_script_t type, if you want to treat the files as NetworkManager dispatcher dnssec script data.


NetworkManager_dispatcher_exec_t

- Set files with the NetworkManager_dispatcher_exec_t type, if you want to transition an executable to the NetworkManager_dispatcher_t domain.


NetworkManager_dispatcher_iscsid_script_t

- Set files with the NetworkManager_dispatcher_iscsid_script_t type, if you want to treat the files as NetworkManager dispatcher iscsid script data.


NetworkManager_dispatcher_script_t

- Set files with the NetworkManager_dispatcher_script_t type, if you want to treat the files as NetworkManager dispatcher script data.

Paths:
/etc/NetworkManager/dispatcher.d(/.*)?, /usr/lib/NetworkManager/dispatcher.d(/.*)?


NetworkManager_dispatcher_sendmail_script_t

- Set files with the NetworkManager_dispatcher_sendmail_script_t type, if you want to treat the files as NetworkManager dispatcher sendmail script data.


NetworkManager_dispatcher_tlp_script_t

- Set files with the NetworkManager_dispatcher_tlp_script_t type, if you want to treat the files as NetworkManager dispatcher tlp script data.


NetworkManager_dispatcher_winbind_script_t

- Set files with the NetworkManager_dispatcher_winbind_script_t type, if you want to treat the files as NetworkManager dispatcher winbind script data.


NetworkManager_etc_rw_t

- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content.

Paths:
/etc/NetworkManager/system-connections(/.*)?, /etc/NetworkManager/NetworkManager.conf


NetworkManager_etc_t

- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories.


NetworkManager_exec_t

- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain.

Paths:
/usr/bin/teamd, /usr/sbin/wicd, /usr/bin/NetworkManager, /usr/bin/wpa_supplicant, /usr/sbin/NetworkManager, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings


NetworkManager_initrc_exec_t

- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain.


NetworkManager_log_t

- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory.

Paths:
/var/log/wicd.*, /var/log/wpa_supplicant.*


NetworkManager_priv_helper_exec_t

- Set files with the NetworkManager_priv_helper_exec_t type, if you want to transition an executable to the NetworkManager_priv_helper_t domain.


NetworkManager_tmp_t

- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories.


NetworkManager_unit_file_t

- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content.

Paths:
/usr/lib/systemd/system/NetworkManager.*, /usr/lib/systemd/system/nm-cloud-setup.(service|timer)


NetworkManager_var_lib_t

- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory.

Paths:
/var/lib/wicd(/.*)?, /var/lib/NetworkManager(/.*)?, /etc/dhcp/wired-settings.conf, /etc/wicd/wired-settings.conf, /etc/dhcp/manager-settings.conf, /etc/wicd/manager-settings.conf, /etc/dhcp/wireless-settings.conf, /etc/wicd/wireless-settings.conf


NetworkManager_var_run_t

- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run or /var/run directory.

Paths:
/var/run/teamd(/.*)?, /var/run/nm-xl2tpd.conf.*, /var/run/nm-dhclient.*, /var/run/NetworkManager(/.*)?, /var/run/wpa_supplicant(/.*)?, /var/run/wicd.pid, /var/run/NetworkManager.pid, /var/run/nm-dns-dnsmasq.conf, /var/run/wpa_supplicant-global


Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.


COMMANDS

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux policy settings.


AUTHOR

This manual page was auto-generated using sepolicy manpage.


SEE ALSO

selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), NetworkManager_dispatcher_selinux(8), NetworkManager_dispatcher_chronyc_selinux(8), NetworkManager_dispatcher_cloud_selinux(8), NetworkManager_dispatcher_console_selinux(8), NetworkManager_dispatcher_custom_selinux(8), NetworkManager_dispatcher_ddclient_selinux(8), NetworkManager_dispatcher_dhclient_selinux(8), NetworkManager_dispatcher_dnssec_selinux(8), NetworkManager_dispatcher_iscsid_selinux(8), NetworkManager_dispatcher_sendmail_selinux(8), NetworkManager_dispatcher_tlp_selinux(8), NetworkManager_dispatcher_winbind_selinux(8), NetworkManager_priv_helper_selinux(8), NetworkManager_ssh_selinux(8)



NetworkManager                          23-10-20                          NetworkManager_selinux(8)