nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
242e371ac2
selinux-refpolicy/policy/modules/services/networkmanager.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

430 lines
9.3 KiB
Plaintext
Raw Blame History

## <summary>Manager for dynamically switching between networks.</summary>
########################################
## <summary>
## Read and write networkmanager udp sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_rw_udp_sockets',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:udp_socket { read write };
')
########################################
## <summary>
## Read and write networkmanager packet sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_rw_packet_sockets',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:packet_socket { read write };
')
#######################################
## <summary>
## Relabel networkmanager tun socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_attach_tun_iface',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
')
########################################
## <summary>
## Read and write networkmanager netlink
## routing sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_rw_routing_sockets',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:netlink_route_socket { read write };
')
########################################
## <summary>
## Execute networkmanager with a domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`networkmanager_domtrans',`
gen_require(`
type NetworkManager_t, NetworkManager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
')
########################################
## <summary>
## Execute networkmanager scripts with
## an automatic domain transition to initrc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`networkmanager_initrc_domtrans',`
gen_require(`
type NetworkManager_initrc_exec_t;
')
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')
########################################
## <summary>
## Send and receive messages from
## networkmanager over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_dbus_chat',`
gen_require(`
type NetworkManager_t;
class dbus send_msg;
')
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
')
#######################################
## <summary>
## Read metworkmanager process state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_read_state',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:dir search_dir_perms;
allow $1 NetworkManager_t:file read_file_perms;
allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Send generic signals to networkmanager.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_signal',`
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:process signal;
')
########################################
## <summary>
## Watch networkmanager etc dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_watch_etc_dirs',`
gen_require(`
type NetworkManager_etc_t;
')
allow $1 NetworkManager_etc_t:dir watch;
')
########################################
## <summary>
## Read networkmanager etc files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_read_etc_files',`
gen_require(`
type NetworkManager_etc_t;
')
files_search_etc($1)
list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
')
########################################
## <summary>
## Create, read, and write
## networkmanager library files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_manage_lib_files',`
gen_require(`
type NetworkManager_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
')
########################################
## <summary>
## Read networkmanager lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_read_lib_files',`
gen_require(`
type NetworkManager_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
')
########################################
## <summary>
## Append networkmanager log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_append_log_files',`
gen_require(`
type NetworkManager_log_t;
')
logging_search_logs($1)
allow $1 NetworkManager_log_t:dir list_dir_perms;
append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
')
########################################
## <summary>
## Read networkmanager pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_read_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use networkmanager_read_runtime_files() instead.')
networkmanager_read_runtime_files($1)
')
########################################
## <summary>
## Read networkmanager runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_read_runtime_files',`
gen_require(`
type NetworkManager_runtime_t;
')
files_search_runtime($1)
read_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t)
')
####################################
## <summary>
## Connect to networkmanager over
## a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_stream_connect',`
gen_require(`
type NetworkManager_t, NetworkManager_runtime_t;
')
files_search_runtime($1)
stream_connect_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t, NetworkManager_t)
')
########################################
## <summary>
## Allow specified domain to enable/disable NetworkManager units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_enabledisable',`
gen_require(`
type NetworkManager_unit_t;
class service { enable disable };
')
allow $1 NetworkManager_unit_t:service { enable disable };
')
########################################
## <summary>
## Allow specified domain to start/stop NetworkManager units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_startstop',`
gen_require(`
type NetworkManager_unit_t;
class service { start stop };
')
allow $1 NetworkManager_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to get status of NetworkManager
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`networkmanager_status',`
gen_require(`
type NetworkManager_unit_t;
class service status;
')
allow $1 NetworkManager_unit_t:service status;
')
########################################
## <summary>
## All of the rules required to
## administrate an networkmanager environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`networkmanager_admin',`
gen_require(`
type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t;
')
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
logging_search_logs($1)
admin_pattern($1, NetworkManager_log_t)
files_search_var_lib($1)
admin_pattern($1, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
files_search_runtime($1)
admin_pattern($1, NetworkManager_runtime_t)
files_search_tmp($1)
admin_pattern($1, NetworkManager_tmp_t)
')
Reference in New Issue View Git Blame Copy Permalink