Add specialized Networkmanager dispatch domains #1055
Conversation
Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
I don't quite understand how to avoid the lint complaint about the template-generated domain used in the
Currently, NetworkManager dispatch scripts are tagged as NetworkManager_initrc_exec_t, and run in the NetworkManager_t domain itself. However, those scripts may require permissions different than those of NetworkManager_t. This patch introduces an interface to generate domains for these specialized scripts, and grants permission for NetworkManager to transition into them, as well as communicate with them. Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
postfix has a NetworkManager dispatch unit that copies /etc/resolv.conf into its jail on some networking events. This requires specialized permissions beyond what NetworkManager is granted via the NetworkManager_initrc_exec_t mechanism. This patch creates a specialized NetworkManager dispatch domain that is granted the appropriate additional authority. Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
f8f2324 to c73bdc4
| /etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) | ||
| /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) | ||
|
|
||
| /usr/lib/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) |
I think we should stick with the original bin_t for generic dispatching. We should keep NetworkManager_initrc_exec_t for init/start scripts. Arguably the below nm-dispatcher fcs should probably be NetworkManager_exec_t instead.
| ######################################## | ||
| ## <summary> | ||
| ## Create a set of derived types for | ||
| ## networkmanager dispatcher scripts. | ||
| ## </summary> | ||
| ## <param name="prefix"> | ||
| ## <summary> | ||
| ## The prefix to be used for deriving type names. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| template(`networkmanager_dispatch_script',` | ||
| gen_require(` | ||
| attribute NetworkManager_dispatch_domains; | ||
| attribute NetworkManager_dispatch_exec_type; | ||
|
|
||
| type NetworkManager_t; | ||
| ') | ||
|
|
||
| type NetworkManager_dispatch_$1_t, NetworkManager_dispatch_domains; | ||
| domain_type(NetworkManager_dispatch_$1_t) | ||
| corecmd_shell_entry_type(NetworkManager_dispatch_$1_t) | ||
| role system_r types NetworkManager_dispatch_$1_t; | ||
|
|
||
| type NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_exec_type; | ||
| domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t) | ||
|
|
||
| allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint; | ||
| domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t) | ||
| ') |
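Review bot: the explicit `allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;` near the end of the template is redundant and can be dropped: `domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t)` two lines above it already grants entrypoint (plus the mmap/execute perms) on the entry type, and `domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t)` on the next line grants `$3 $2:file entrypoint` again as part of the pattern. Keeping only `domain_entry_file()` and `domtrans_pattern()` leaves the same permissions with one fewer raw `allow` in an `.if` file.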
Since this is a template, it should go at the top of the file.
| init_rw_inherited_stream_socket(NetworkManager_dispatch_domains) | ||
| init_use_inherited_script_ptys(NetworkManager_dispatch_domains) | ||
| kernel_read_system_state(NetworkManager_dispatch_domains) |
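Review bot: the commit message says NetworkManager is granted permission to transition into the dispatch domains "as well as communicate with them", but the only NetworkManager_t-to-dispatch-domain rule in the visible hunks is the `domtrans_pattern()` in the template; this attribute block gives the dispatch domains init's inherited stream socket and script ptys and kernel state, and nothing in the NetworkManager_t direction. If NetworkManager (nm-dispatcher) needs to signal or kill scripts, or the scripts need to use descriptors NetworkManager_t opened, add those rules here explicitly, e.g. `allow NetworkManager_t NetworkManager_dispatch_domains:process { signal sigkill };` and `allow NetworkManager_dispatch_domains NetworkManager_t:fd use;` if audit shows they are needed; otherwise drop the "communicate with them" claim from the commit message so the policy and its description match.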
This should go in a separate block later in the file, i.e. a block for all rules that have NetworkManager_dispatch_domains as the subject/sources.
| userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) | ||
| userdom_dontaudit_use_user_ttys(NetworkManager_t) | ||
|
|
||
| exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type) |
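Review bot: `exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type)` does more than duplicate the domtrans: `exec_files_pattern()` grants `exec_file_perms`, which includes `execute_no_trans`, so NetworkManager_t would be allowed to run every dispatcher entrypoint in its own domain with no transition, which is exactly the situation the new per-script domains are meant to end. `domtrans_pattern()` in the template already gives NetworkManager_t the read/execute/map on each entry type plus the `type_transition`, so drop this line rather than widening NetworkManager_t.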
This shouldn't be necessary since you already have a domtrans for each of the domains/entrypoints.
Currently, NetworkManager dispatch scripts are tagged as `NetworkManager_initrc_exec_t`, and run in the `NetworkManager_t` domain itself. However, those scripts may require permissions different than those of `NetworkManager_t`. This patch introduces an interface to generate domains for these specialized scripts, and grants permission for NetworkManager to transition into them, as well as communicate with them.

This patch also removes some old, incompatible tagging that used `bin_t` in favor of `NetworkManager_initrc_exec_t`. Alternatively, we could stop (ab)using `NetworkManager_initrc_exec_t`, and just use `bin_t` everywhere (the more I think about it, the more I prefer this, but I don't understand the choice, so maybe I'm missing something).

The last commit actually does something useful and creates a domain for the postfix NetworkManager dispatcher script so that it can properly propagate changes in `/etc/resolv.conf` to its chroot.
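As an added illustration of how a consumer of the new template is meant to look (this is example policy written for this page, not code from this PR or from refpolicy), here is a small module for the postfix case the last commit describes: it derives the domain with `networkmanager_dispatch_script(postfix)`, labels the script so NetworkManager_t transitions into the derived domain, and grants that domain only the read of `/etc/resolv.conf` and the writes into the postfix spool that the copy needs. The module name, the script path under `/usr/lib/NetworkManager/dispatcher.d`, and the raw `gen_require` on `postfix_spool_t` are assumptions; refpolicy style would route the spool access through a postfix interface instead of requiring the type directly in a `.te` file.

```selinux
# nm_dispatch_postfix.te  (hypothetical module; not part of this PR)
policy_module(nm_dispatch_postfix, 1.0.0)

########################################
#
# Declarations
#

# Derive NetworkManager_dispatch_postfix_t and
# NetworkManager_dispatch_postfix_exec_t, and the
# NetworkManager_t -> NetworkManager_dispatch_postfix_t transition,
# via the template this PR adds.
networkmanager_dispatch_script(postfix)

########################################
#
# Local policy
#

# The dispatcher script is a shell script that calls coreutils (cp, cmp).
corecmd_exec_bin(NetworkManager_dispatch_postfix_t)
corecmd_exec_shell(NetworkManager_dispatch_postfix_t)

# Source of the copy: /etc/resolv.conf (net_conf_t) and the /etc it lives in.
sysnet_read_config(NetworkManager_dispatch_postfix_t)
files_read_etc_files(NetworkManager_dispatch_postfix_t)

# Destination: the chroot under /var/spool/postfix (postfix_spool_t).
# Assumption: the type is required directly here for brevity; a module
# submitted to refpolicy should use a postfix interface instead.
gen_require(`
	type postfix_spool_t;
')
manage_files_pattern(NetworkManager_dispatch_postfix_t, postfix_spool_t, postfix_spool_t)

# Deliberately nothing else: no network access, no NetworkManager state,
# no writes anywhere in /etc. Anything the script still trips over shows
# up in the audit log as a denial against NetworkManager_dispatch_postfix_t
# rather than being silently covered by NetworkManager_t's permissions.

# nm_dispatch_postfix.fc  (the script path is an assumption)
/usr/lib/NetworkManager/dispatcher\.d/postfix -- gen_context(system_u:object_r:NetworkManager_dispatch_postfix_exec_t,s0)
```

Because file context matching prefers the more specific (longer literal prefix) entry, this per-script `.fc` line wins over a tree-wide `/usr/lib/NetworkManager/dispatcher\.d(/.*)?` entry for that one file. After loading the module, `sesearch --type_trans -s NetworkManager_t -t NetworkManager_dispatch_postfix_exec_t -c process` should list the transition into `NetworkManager_dispatch_postfix_t`; on hosts where `/etc/resolv.conf` is a symlink into `/run`, the target's type needs to be readable by the derived domain as well, which the audit log will show on the first network event.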