From: Laurent Bigonville <bigon@xxxxxxxx>

The pid file is deleted by NetworkManager itself when the vpnc process exits.

NetworkManager calls vpnc the following way:

system_u:system_r:NetworkManager_t:s0 root 11692 0.0 0.0 166272 9472 ? Sl 12:58 0:00 /usr/lib/NetworkManager/nm-vpnc-service --bus-name org.freedesktop.NetworkManager.vpnc.Connection_21
system_u:system_r:vpnc_t:s0 root 11703 0.1 0.0 9900 4896 ? SL 12:58 0:00 /usr/sbin/vpnc --no-detach --pid-file /var/run/NetworkManager/nm-vpnc-fa482929-93ee-4c64-bfba-4ee31d70f35f.pid -

----

type=AVC msg=audit(07/10/19 10:38:35.131:931) : avc: denied { write } for pid=8653 comm=vpnc path=/run/NetworkManager/nm-vpnc-fa482929-93ee-4c64-bfba-4ee31d70f35f.pid dev="tmpfs" ino=112390 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:NetworkManager_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/10/19 10:38:35.131:931) : avc: denied { create } for pid=8653 comm=vpnc name=nm-vpnc-fa482929-93ee-4c64-bfba-4ee31d70f35f.pid scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:NetworkManager_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/10/19 10:38:35.131:931) : avc: denied { add_name } for pid=8653 comm=vpnc name=nm-vpnc-fa482929-93ee-4c64-bfba-4ee31d70f35f.pid scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:NetworkManager_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/10/19 10:38:35.131:931) : avc: denied { write } for pid=8653 comm=vpnc name=NetworkManager dev="tmpfs" ino=30783 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:NetworkManager_runtime_t:s0 tclass=dir permissive=1

This commit also adds the needed interfaces.

Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx>
---
 policy/modules/admin/vpn.te | 2 ++
 policy/modules/services/networkmanager.if | 38 +++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 01fd8340..6b2ad24c 100644
--- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -124,6 +124,8 @@ optional_policy(` optional_policy(` networkmanager_attach_tun_iface(vpnc_t) + networkmanager_create_pid_files(vpnc_t) + networkmanager_rw_pid_files(vpnc_t) ') optional_policy(` diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 4c6dd342..fb89f210 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -253,6 +253,25 @@ interface(`networkmanager_append_log_files',` append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ') +######################################## +## <summary> +## Create networkmanager pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_create_pid_files',` + gen_require(` + type NetworkManager_runtime_t; + ') + + files_search_pids($1) + create_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t) +') + ######################################## ## <summary> ## Read networkmanager pid files. @@ -273,6 +292,25 @@ interface(`networkmanager_read_pid_files',` allow $1 NetworkManager_runtime_t:file read_file_perms; ') +######################################## +## <summary> +## Read/Write networkmanager pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_rw_pid_files',` + gen_require(` + type NetworkManager_runtime_t; + ') + + files_search_pids($1) + rw_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t) +') + #################################### ## <summary> ## Connect to networkmanager over -- 2.23.0
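Review bot: In the vpn.te hunk, the four denials quoted in the commit message are { create add_name write } only, so networkmanager_rw_pid_files(vpnc_t) grants read on NetworkManager_runtime_t files that the AVCs do not demonstrate; if vpnc only writes its own pid, a write-only pattern would be the tighter fit, and if read really is needed (vpnc re-reading the file, for instance) a sentence in the commit message saying so would let the next reviewer verify it. It is also worth checking whether refpolicy's create_file_perms (obj_perm_sets.spt) already covers the write the first AVC shows, in which case the second call adds nothing for vpnc_t.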
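Review bot: In the first networkmanager.if hunk, networkmanager_create_pid_files gives no file type transition, so the new pid file only ends up as NetworkManager_runtime_t because vpnc creates it inside /run/NetworkManager, which the add_name/write denials show is itself labelled NetworkManager_runtime_t; that is correct for the --pid-file path in the commit message, but the <summary> should say the interface assumes the caller writes into the NetworkManager runtime directory, since a caller creating a pid file elsewhere under /run would not get that label and the rules would not apply. The files_search_pids($1) and gen_require boilerplate match the existing networkmanager_read_pid_files interface, which is the right idiom here.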
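Review bot: In the second networkmanager.if hunk, rw_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t) grants read/write on every file of that type, not just the nm-vpnc-*.pid file, and NetworkManager's own runtime state under /run/NetworkManager shares the type (see the dir AVC with name=NetworkManager); the summary "Read/Write networkmanager pid files" should make that scope explicit, and if isolating the VPN helper from NetworkManager's other runtime files matters, a dedicated type for the vpn pid files with its own filetrans would be the least-privilege alternative to widening this interface. Since the commit message states NetworkManager deletes the file, leaving unlink out (no manage_files_pattern) is the right call.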