The wpa_cli application is an interactive application to interact with
wpa_supplicant. This patch supports this within the SELinux policies.
Wkr,
Sven Vermeulen
The wpa_cli application has two functions within the network manager
environment: (1.) it acts as a commandline interface for administrators
to interact with wpa_supplicant, and (2.) it gets called from within init
scripts to perform some administrative, unattended tasks.
In this patch, we mark the wpa_cli_t domain as an application domain, introduce
a few interfaces to allow roles to run the wpa_cli application, and enhance the
wpa_cli_t local policies to reflect its dual use.
Signed-off-by: Sven Vermeulen <[email protected]>
---
networkmanager.fc | 2 +
networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
networkmanager.te | 38 ++++++++++++++++++++++++++++++-
3 files changed, 104 insertions(+), 1 deletions(-)
diff --git a/networkmanager.fc b/networkmanager.fc
index 386543b..c83ff26 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -7,6 +7,7 @@
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
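Review bot: the new entry covers only /usr/bin/wpa_cli, while the wpa_supplicant and NetworkManager entries two lines below use /usr/s?bin/ to catch both locations; a wpa_cli installed as /usr/sbin/wpa_cli would stay bin_t and never transition into wpa_cli_t. Consider `/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)`, or confirm that no supported distribution installs it under /usr/sbin.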
@@ -22,5 +23,6 @@
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
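Review bot: the `--` field limits `/var/run/wpa_cli-.*` to regular files, but networkmanager.te in this same patch grants wpa_cli_t manage rights on dirs and sock_files of wpa_cli_var_run_t and a files_pid_filetrans for { dir file sock_file }; any directory or socket created under those rules would be relabelled back to the generic /var/run type by setfiles/restorecon. Either narrow the .te to the object classes wpa_cli actually creates, or add matching specs (the existing `/var/run/wpa_supplicant-global -s` line shows the form for a socket).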
diff --git a/networkmanager.if b/networkmanager.if
index 2324d9e..adb90d4 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
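Review bot: networkmanager_run_wpa_cli uses wpa_cli_t in `role $2 types wpa_cli_t;` but its gen_require lists only wpa_cli_exec_t, which the body never references directly; it should be `type wpa_cli_t;` (or `type wpa_cli_t, wpa_cli_exec_t;`), otherwise the role statement names a type the interface has not required. Minor: there are two blank lines between networkmanager_dontaudit_use_wpa_cli_fds and networkmanager_domtrans_wpa_cli and a trailing blank line at the end of the file; refpolicy keeps a single blank line between interfaces.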
diff --git a/networkmanager.te b/networkmanager.te
index 0619395..0cb8072 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -28,6 +28,9 @@ type wpa_cli_t;
type wpa_cli_exec_t;
init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
########################################
#
# Local policy
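Review bot: the commit message says wpa_cli_t is marked as an application domain, but the declaration still reads `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` and nothing in this hunk (or the rest of the patch) adds `application_domain()`; either the description or the policy should be brought in line. The wpa_cli_var_run_t declaration with files_pid_file() is fine on its own.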
@@ -68,6 +71,11 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
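Review bot: `files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })` together with the manage_dirs/manage_sock_files patterns grants more than the .fc entry in this patch supports, since that entry labels regular files only. If wpa_cli only writes PID files directly into /var/run, keep `manage_files_pattern` and narrow the transition to `files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)`; if it does create a directory, transition on `dir` and let the objects inside inherit from it rather than adding file and sock_file transitions as well.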
@@ -281,9 +289,37 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+
+domain_use_interactive_fds(wpa_cli_t)
+
+files_search_pids(wpa_cli_t)
+
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+getty_use_fds(wpa_cli_t)
+
+init_domtrans_script(wpa_cli_t)
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
+logging_send_syslog_msg(wpa_cli_t)
+
miscfiles_read_localization(wpa_cli_t)
-term_dontaudit_use_console(wpa_cli_t)
+userdom_use_user_terminals(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ allow wpa_cli_t etc_t:file { getattr };
+
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+')
--
1.7.3.4
Allow system administrators to run wpa_cli to interact with wpa_supplicant.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..3c74fcb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -241,6 +241,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
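Review bot: the optional_policy blocks in sysadm.te are kept in alphabetical order of the called module, and `networkmanager_` sorts after `netutils_` ('u' before 'w'), so this block belongs after the netutils block rather than before it. The call itself, `networkmanager_run_wpa_cli(sysadm_t, sysadm_r)`, matches the interface signature added in networkmanager.if.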
--
1.7.3.4
On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> +/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
This applies to files only (--). However, there are also dirs and
sock_files labeled wpa_cli_var_run_t. The context of those objects will
not be restored as per the above file context specification.
> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
> +
Not sure if it applies here, but try to be conservative with type
transitions. If any of the dir, file, sock_file security classes do not
really need to type transition from var_run_t to wpa_cli_var_run_t, then
I would not specify a type transition for it.
So if a dir /var/run/wpa-cli-bla gets created in /var/run and files and
sock files get created in /var/run/wpa-cli-bla, then there really is no
need to add type transition rules for files and sock_files in my view.
> + allow wpa_cli_t etc_t:file { getattr };
You don't need brace extension here because there is nothing to extend. I
would, however, use the getattr_file_perms permission set for forward
compatibility.
In the unlikely scenario that in the future a new av permission is
introduced that is required to get attributes, it will be easier to
integrate if you consistently use permission sets (single point of
entry).
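To make the two points above concrete (the `--` field selecting regular files only, and a files_pid_filetrans covering object classes the .fc never labels), here is an added example written for this thread; it is not code from refpolicy or libselinux. It is a small Python matcher for refpolicy-style .fc lines, fed with the two wpa_* entries quoted from the patch plus a constructed `/var/run/.*` fallback that stands in for the generic var_run_t entry of files.fc. It reports which type a path would receive for each object class and which of the transitioned classes the .fc could not restore. The precedence rule it applies (longest literal prefix, then a typed entry over an untyped one, then the later line) is a simplified model of libselinux's ordering and is an assumption of the example, not a description of the real implementation.

```python
"""Minimal matcher for refpolicy-style file_contexts (.fc) entries.

Added example for this thread, not code from refpolicy or libselinux. It
models the optional file-type field and a simplified precedence rule.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# file_contexts(5) file-type field -> the SELinux object class it selects.
# An entry without the field applies to every class.
TYPE_FIELD_TO_CLASS = {
    "--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
    "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file",
}
_GEN_CONTEXT = re.compile(r"gen_context\(\s*([^,\s)]+)")
_REGEX_META = set(".^$?*+()[]{}|\\")


@dataclass
class Spec:
    lineno: int
    regex: str                 # anchored path regex, as written in the .fc
    obj_class: Optional[str]   # None -> any object class
    type_: Optional[str]       # None -> <<none>> (object left unlabelled)

    def literal_prefix(self) -> int:
        """Length of the literal lead before the first regex metacharacter."""
        for i, ch in enumerate(self.regex):
            if ch in _REGEX_META:
                return i
        return len(self.regex)

    def matches(self, path: str, obj_class: str) -> bool:
        if self.obj_class is not None and self.obj_class != obj_class:
            return False
        return re.fullmatch(self.regex, path) is not None


def parse_fc(text: str) -> List[Spec]:
    """Parse `regex [type-field] context` lines; '#' starts a comment."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        regex, rest, obj_class = fields[0], fields[1:], None
        if rest and rest[0] in TYPE_FIELD_TO_CLASS:
            obj_class, rest = TYPE_FIELD_TO_CLASS[rest[0]], rest[1:]
        ctx = " ".join(rest)
        if ctx == "<<none>>":
            type_ = None
        else:
            m = _GEN_CONTEXT.search(ctx)          # gen_context(u:r:t,mls) or raw u:r:t:s0
            type_ = (m.group(1) if m else ctx).split(":")[2]
        specs.append(Spec(lineno, regex, obj_class, type_))
    return specs


def label(specs: Iterable[Spec], path: str, obj_class: str) -> Optional[str]:
    """Type an object of `obj_class` at `path` would get; None if nothing matches.

    Precedence is a simplified model (an assumption of this example, not
    libselinux's real algorithm): longest literal prefix wins, then an entry
    with a file-type field beats one without, then the later line wins.
    """
    candidates = [s for s in specs if s.matches(path, obj_class)]
    if not candidates:
        return None
    best = max(candidates, key=lambda s: (s.literal_prefix(), s.obj_class is not None, s.lineno))
    return best.type_


def uncovered_classes(specs: Iterable[Spec], type_: str, created: Iterable[str]) -> Set[str]:
    """Classes a type transition may create as `type_` that no .fc entry would restore."""
    covered = {s.obj_class for s in specs if s.type_ == type_}
    if None in covered:                 # an untyped entry covers every class
        return set()
    return set(created) - covered


# Constructed sample: the wpa_* lines are the ones from the patch under review;
# the /var/run/.* line stands in for the generic var_run_t entry of files.fc.
SAMPLE_FC = """\
/var/run/.*                       gen_context(system_u:object_r:var_run_t,s0)
/var/run/wpa_cli-.*            -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)?     gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
"""
# Classes named in files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file }).
FILETRANS_CLASSES = {"dir", "file", "sock_file"}

if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    for path, cls in [("/var/run/wpa_cli-wlan0.pid", "file"),
                      ("/var/run/wpa_cli-wlan0", "dir"),
                      ("/var/run/wpa_cli-wlan0", "sock_file")]:
        print(f"{path:28} {cls:9} -> {label(specs, path, cls)}")
    print("transitioned classes the .fc cannot restore:",
          sorted(uncovered_classes(specs, "wpa_cli_var_run_t", FILETRANS_CLASSES)))
```

Run stand-alone, it shows the PID file landing in wpa_cli_var_run_t while a directory or socket of the same name falls through to the var_run_t fallback, and lists dir and sock_file as the classes the patch transitions but never labels in the .fc. On a real system the authoritative check is `restorecon -nv` against the installed policy; this script only reproduces the reasoning offline.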
On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> +ifdef(`distro_gentoo',`
> + allow wpa_cli_t etc_t:file { getattr };
By the way: type etc_t is declared in the files module and is external
to the networkmanager module. You should not make direct references to
external types but use interfaces instead.
On Mon, May 28, 2012 at 03:54:33PM +0200, Dominick Grift wrote:
> On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
>
> > +/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
>
> This applies to files only (--). However, there are also dirs and
> sock_files labeled wpa_cli_var_run_t. The context of those objects will
> not be restored as per the above file context specification.
Hmm, on my system, it is only PID files directly in /var/run.
The socket is stored in /tmp (but is written/managed by wpa_supplicant, not
wpa_cli).
I'll incorporate the other changes in the next try; if you know of any other
locations (fc's) that I need to add in case of Fedora (or other systems),
let me know and I'll add them in.
Wkr,
Sven Vermeulen
On Wed, 2012-06-20 at 17:48 +0200, Sven Vermeulen wrote:
> On Mon, May 28, 2012 at 03:54:33PM +0200, Dominick Grift wrote:
> > On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> >
> > > +/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
> >
> > This applies to files only (--). However, there are also dirs and
> > sock_files labeled wpa_cli_var_run_t. The context of those objects will
> > not be restored as per the above file context specification.
>
> Hmm, on my system, it is only PID files directly in /var/run.
That's not what your policy says:
> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t,
wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file
sock_file })
The above is a type transition for dirs, files and sock_files.
So there is a conflict there, if you ask me.
> The socket is stored in /tmp (but is written/managed by wpa_supplicant, not
> wpa_cli).
>
> I'll incorporate the other changes in the next try; if you know of any other
> locations (fc's) that I need to add in case of Fedora (or other systems),
> let me know and I'll add them in.
>
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy