zpytela commented Jun 11, 2025

zpytela force-pushed the nm-consolehelper branch from 979cdb8 to 8e7039c, June 11, 2025 18:59

Klaas- commented Jun 16, 2025

Hi,
sorry it took me a while to get back to you. With this policy I still do not get a working VPN connection. When running in permissive I get the following denials:

Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { execute } for  pid=4233 comm="nm-vpnc-service" name="consolehelper" dev="dm-0" ino=5491504 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { read open } for  pid=4233 comm="nm-vpnc-service" path="/usr/bin/consolehelper" dev="dm-0" ino=5491504 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { execute_no_trans } for  pid=4233 comm="nm-vpnc-service" path="/usr/bin/consolehelper" dev="dm-0" ino=5491504 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { map } for  pid=4233 comm="vpnc" path="/usr/bin/consolehelper" dev="dm-0" ino=5491504 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { execute } for  pid=4233 comm="vpnc" name="userhelper" dev="dm-0" ino=5491505 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { read open } for  pid=4233 comm="vpnc" path="/usr/bin/userhelper" dev="dm-0" ino=5491505 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { execute_no_trans } for  pid=4233 comm="vpnc" path="/usr/bin/userhelper" dev="dm-0" ino=5491505 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { map } for  pid=4233 comm="userhelper" path="/usr/bin/userhelper" dev="dm-0" ino=5491505 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_exec_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { read write } for  pid=4233 comm="userhelper" name="vpnc" dev="dm-0" ino=5793166 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { open } for  pid=4233 comm="userhelper" path="/etc/security/console.apps/vpnc" dev="dm-0" ino=5793166 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4233]: AVC avc:  denied  { getattr } for  pid=4233 comm="userhelper" path="/etc/security/console.apps/vpnc" dev="dm-0" ino=5793166 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file permissive=1
Jun 16 21:05:39 hostname.tld audit[4243]: AVC avc:  denied  { compute_av } for  pid=4243 comm="userhelper" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
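
Added example, not part of the comment or of the PR: a small Python parser that groups AVC denials like those quoted above by source type, target type and class, so a reviewer can see which permission sets the policy still lacks. The sample lines are abridged from the log above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: four of the denials quoted in the comment above, shortened to
# the fields the parser reads (an abridgement made for this example).
SAMPLE = """\
audit[4233]: AVC avc:  denied  { execute } for  pid=4233 comm="nm-vpnc-service" name="consolehelper" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
audit[4233]: AVC avc:  denied  { read open } for  pid=4233 comm="nm-vpnc-service" path="/usr/bin/consolehelper" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consolehelper_exec_t:s0 tclass=file permissive=1
audit[4233]: AVC avc:  denied  { read write } for  pid=4233 comm="userhelper" name="vpnc" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file permissive=1
audit[4243]: AVC avc:  denied  { compute_av } for  pid=4243 comm="userhelper" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def summarize(log_text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial line; skip it
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in grouped.items()}

def as_rules(summary):
    """Render the summary in allow-rule form for review, not for blind loading."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```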

zpytela marked this pull request as draft July 8, 2025 09:56