Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D9B6C169C4 for ; Wed, 30 Jan 2019 00:00:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 014AC21473 for ; Wed, 30 Jan 2019 00:00:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="CrplWV3D" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727396AbfA3AA3 (ORCPT ); Tue, 29 Jan 2019 19:00:29 -0500 Received: from mail-qt1-f177.google.com ([209.85.160.177]:43746 "EHLO mail-qt1-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727360AbfA3AA3 (ORCPT ); Tue, 29 Jan 2019 19:00:29 -0500 Received: by mail-qt1-f177.google.com with SMTP id i7so24364965qtj.10 for ; Tue, 29 Jan 2019 16:00:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=4+QHa8ur56CO5qdSY5QJA0V1ujIhMBvCGLXK/JF7fZM=; b=CrplWV3DK7Ozost4vO4GrQUNeNmlYBn8zOv2o/iU5k2oUO3D6KzgmwsXo0SKS1e5FR gCGyKWVzvEYX3h8st3LP4yhFZZMpNW3kzwTfgghgHS3N0st69Vl1vR8i4ZrCVDlf/rIc cHxGfVpOTtbG2W9HEOgOCibCIFepu72HNIDqk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=4+QHa8ur56CO5qdSY5QJA0V1ujIhMBvCGLXK/JF7fZM=; 
b=sSEG0F4uTYtdbpQZHi41nThK1n7EnUMcd6XPAWgVfaEYqhRtvneOe3voGX0uEPUk/I AnU+4zSgH9X/3N061yL64YLVaAt7I/Jhsr/FpSHDBYzszt6oZh7j48Kb5sgYs5orF3kE Gbw+l8SgueJ8jen/ZH17At7hICDyCTLMQ4XSzBx7ezl8mTMwqNxOWK6rRPkdW2FnwOMJ KlynswiZhV2lFpbUj4khG50ho9sCmopGMcNGi8/u3suUmUeN6G8sMHUbgYF+UIAvWYud b9UTEABgUedPyNvYA7Y6cub5ER8QWplY3Ct/XIqhcIZhfrg7BVVlMlGCFa7/ll1hwPgP HSUA== X-Gm-Message-State: AJcUukcL1bn5x5XXayLfh+V7+3xCV6m0hqmWbJm+NQPtWgqo2P3MhAYS F04w5FTB6OnP4rlBlMkl5GYzXwGNtDs= X-Google-Smtp-Source: ALg8bN6et4by9vpDEsw0uQJaIm147VbyO0IiDd/6PoKaI+h+0Guw/ItZubKuHCdOdOCYFTmrqKnd1g== X-Received: by 2002:aed:26a3:: with SMTP id q32mr28527048qtd.106.1548806427916; Tue, 29 Jan 2019 16:00:27 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id t43sm140024395qtc.53.2019.01.29.16.00.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Jan 2019 16:00:27 -0800 (PST) Subject: Re: [PATCH] Add hostapd service module To: Alexander Miroshnichenko , selinux-refpolicy@vger.kernel.org References: <20190129190152.10890-1-alex@millerson.name> 
From: Chris PeBenito Message-ID: Date: Tue, 29 Jan 2019 18:42:44 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190129190152.10890-1-alex@millerson.name> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/29/19 2:01 PM, Alexander Miroshnichenko wrote:
> Add a SELinux Reference Policy module for the hostapd
> IEEE 802.11 wireless LAN Host AP daemon.
> ---
> policy/modules/services/hostapd.fc | 7 ++++
> policy/modules/services/hostapd.if | 1 +
> policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++
> 3 files changed, 64 insertions(+)
> create mode 100644 policy/modules/services/hostapd.fc
> create mode 100644 policy/modules/services/hostapd.if
> create mode 100644 policy/modules/services/hostapd.te
>
> diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc
> new file mode 100644
> index 00000000..83583a77
> --- /dev/null
> +++ b/policy/modules/services/hostapd.fc
> @@ -0,0 +1,7 @@
> +/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
> +
> +/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
> +
> +/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0)
> +
> +/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0)
> diff --git a/policy/modules/services/hostapd.if b/policy/modules/services/hostapd.if
> new file mode 100644
> index 00000000..fce874d2
> --- /dev/null
> +++ b/policy/modules/services/hostapd.if
> @@ -0,0 +1 @@
> +## IEEE 802.11 wireless LAN Host AP daemon.
> diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
> new file mode 100644
> index 00000000..2db1e7de
> --- /dev/null
> +++ b/policy/modules/services/hostapd.te
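Review bot: The pid-file entry in hostapd.fc uses the `/run/` prefix while the runtime directory two entries above it uses `/var/run/hostapd(/.*)?`; as far as I know refpolicy's file_contexts.subs_dist aliases /run to /var/run, so the mixed spelling is at best redundant and reads as an inconsistency within the same file. Using one prefix for both, `/var/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0)`, keeps the labeling rules internally consistent. Whether the daemon writes its pid file directly under the run directory or inside the hostapd subdirectory depends on how it is started, which this message does not show.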
> @@ -0,0 +1,56 @@
> +policy_module(hostapd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type hostapd_t;
> +type hostapd_exec_t;
> +init_daemon_domain(hostapd_t, hostapd_exec_t)
> +
> +type hostapd_var_run_t;
> +files_pid_file(hostapd_var_run_t)
> +
> +type hostapd_conf_t;
> +files_type(hostapd_conf_t)
> +
> +########################################
> +#
> +# hostapd local policy
> +#
> +
> +allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
> +allow hostapd_t self:fifo_file rw_fifo_file_perms;
> +allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
> +allow hostapd_t self:netlink_socket create_socket_perms;
> +allow hostapd_t self:netlink_generic_socket create_socket_perms;
> +allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
> +allow hostapd_t self:packet_socket create_socket_perms;
> +
> +manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
> +manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
> +manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
> +manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
> +files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
> +
> +read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
> +
> +kernel_read_system_state(hostapd_t)
> +kernel_read_network_state(hostapd_t)
> +kernel_request_load_module(hostapd_t)
> +kernel_rw_net_sysctls(hostapd_t)
> +dev_rw_sysfs(hostapd_t)
> +
> +dev_read_rand(hostapd_t)
> +dev_read_urand(hostapd_t)
> +dev_read_sysfs(hostapd_t)
> +dev_rw_wireless(hostapd_t)
> +
> +domain_use_interactive_fds(hostapd_t)
> +
> +auth_use_nsswitch(hostapd_t)
> +
> +logging_send_syslog_msg(hostapd_t)
> +
> +miscfiles_read_localization(hostapd_t)
Merged. -- Chris PeBenito
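Review bot: `dev_read_sysfs(hostapd_t)` in hostapd.te is already covered by `dev_rw_sysfs(hostapd_t)` a few lines above it, so one of the two can go; keeping only `dev_rw_sysfs(hostapd_t)` leaves the granted access unchanged. The capability rule grants both `dac_read_search` and `dac_override`, and `dac_override` additionally bypasses DAC write checks, so if the daemon only needs to read files it does not own (its configuration, /proc and sysfs) the narrower rule is `allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search };`, and if a specific denial motivated `dac_override` a comment above the rule naming that access would help the next reader. `hostapd_conf_t` labels /etc/hostapd, which commonly holds WPA pre-shared keys and RADIUS shared secrets, so granting the domain only `read_files_pattern` on it is the right shape; declaring the type with `files_config_file(hostapd_conf_t)` rather than `files_type(hostapd_conf_t)` would follow the usual refpolicy convention for configuration under /etc, if I read that convention correctly.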