2012-06-20 15:52:11

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 0/2] Mark wpa_cli as interactive application

The wpa_cli application is an interactive application to interact with
wpa_supplicant. This patch supports this within the SELinux policies.

Updates since v1
----------------

- Only manage the file class for wpa_cli_t -> wpa_cli_var_run_t, including
transition (files_pid_filetrans)
- Drop the direct etc_t call

Wkr,
Sven Vermeulen


2012-06-20 15:53:30

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 1/2] Mark wpa_cli as a commandline utility for admins

The wpa_cli application has two functions within the network manager
environment: (1.) it acts as a commandline interface for administrators
to interact with wpa_supplicant, and (2.) it gets called from within init
scripts to perform some administrative, unattended tasks.

In this patch, we mark the wpa_cli_t domain as an application domain, introduce
a few interfaces to allow roles to run the wpa_cli application, and enhance the
wpa_cli_t local policies to reflect its dual use.

Signed-off-by: Sven Vermeulen <[email protected]>
---
networkmanager.fc | 2 +
networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
networkmanager.te | 34 +++++++++++++++++++++++++++-
3 files changed, 100 insertions(+), 1 deletions(-)

diff --git a/networkmanager.fc b/networkmanager.fc
index 386543b..c83ff26 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -7,6 +7,7 @@
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)

+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -22,5 +23,6 @@
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 2324d9e..adb90d4 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
diff --git a/networkmanager.te b/networkmanager.te
index 0619395..1303185 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -28,6 +28,9 @@ type wpa_cli_t;
type wpa_cli_exec_t;
init_system_domain(wpa_cli_t, wpa_cli_exec_t)

+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
########################################
#
# Local policy
@@ -281,9 +284,38 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
+
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+
+domain_use_interactive_fds(wpa_cli_t)
+
+files_search_pids(wpa_cli_t)
+
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+getty_use_fds(wpa_cli_t)
+
+init_domtrans_script(wpa_cli_t)
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)

+logging_send_syslog_msg(wpa_cli_t)
+
miscfiles_read_localization(wpa_cli_t)

-term_dontaudit_use_console(wpa_cli_t)
+userdom_use_user_terminals(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+')
--
1.7.3.4

2012-06-20 15:54:10

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 2/2] Allow sysadm_r role to call wpa_cli

Allow system administrators to run wpa_cli to interact with wpa_supplicant.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..3c74fcb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -241,6 +241,10 @@ optional_policy(`
')

optional_policy(`
+ networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
--
1.7.3.4

2012-06-26 14:14:34

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 1/2] Mark wpa_cli as a commandline utility for admins

On 06/20/12 11:53, Sven Vermeulen wrote:
> The wpa_cli application has two functions within the network manager
> environment: (1.) it acts as a commandline interface for administrators
> to interact with wpa_supplicant, and (2.) it gets called from within init
> scripts to perform some administrative, unattended tasks.
>
> In this patch, we mark the wpa_cli_t domain as an application domain, introduce
> a few interfaces to allow roles to run the wpa_cli application, and enhance the
> wpa_cli_t local policies to reflect its dual use.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> networkmanager.fc | 2 +
> networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> networkmanager.te | 34 +++++++++++++++++++++++++++-
> 3 files changed, 100 insertions(+), 1 deletions(-)


> diff --git a/networkmanager.te b/networkmanager.te
> index 0619395..1303185 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -281,9 +284,38 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
> +
> +corecmd_exec_bin(wpa_cli_t)
> +corecmd_exec_shell(wpa_cli_t)
> +
> +domain_use_interactive_fds(wpa_cli_t)
> +
> +files_search_pids(wpa_cli_t)
> +
> +fs_manage_tmpfs_dirs(wpa_cli_t)
> +fs_manage_tmpfs_sockets(wpa_cli_t)
> +fs_manage_tmpfs_sockets(NetworkManager_t)
> +fs_rw_tmpfs_files(wpa_cli_t)
> +fs_rw_tmpfs_files(NetworkManager_t)
> +fs_search_tmpfs(wpa_cli_t)
> +fs_search_tmpfs(NetworkManager_t)

tmpfs_t usage? It looks like there should be either a NetworkManager_tmpfs_t or wpa_cli_tmpfs_t (my guess is the former). Also the NetworkManager_t rules should be moved over with the other NetworkManager_t rules.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com