From: martin@martinorr.name (Martin Orr)
Date: Fri, 22 Aug 2008 16:15:33 +0100
Subject: [refpolicy] wpa_supplicant
Message-ID: <20080822151533.GA8177@caligula.martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

wpa_supplicant on Debian lives in /sbin. Also let it write a log, and talk to itself through a socket in /tmp.

Index: policy/modules/services/networkmanager.fc
===================================================================
--- policy/modules/services/networkmanager.fc.orig
+++ policy/modules/services/networkmanager.fc
@@ -1,6 +1,11 @@
+/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
 /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
+
 /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
Index: policy/modules/services/networkmanager.te
===================================================================
--- policy/modules/services/networkmanager.te.orig
+++ policy/modules/services/networkmanager.te
@@ -10,6 +10,12 @@
 type NetworkManager_exec_t;
 init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
 
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_var_log_t;
+logging_log_file(NetworkManager_var_log_t)
+
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
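Review bot: The new `/sbin/wpa_cli` entry gives the control client the daemon's entry type `NetworkManager_exec_t`, which the .te hunk ties to `init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)`, so init (and any other domain granted a transition on that type) would run wpa_cli with the full NetworkManager_t rule set rather than as a small client; the commit message only mentions wpa_supplicant, so either justify the wpa_cli label in the message or drop that line. The entry also covers only `/sbin`, unlike the `/usr/s?bin` patterns used for every other binary in the file, so a `/usr/sbin/wpa_cli` would stay unlabelled; if it is kept, adding `/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)` keeps the file consistent. The same consideration applies to the new `/sbin/wpa_supplicant` line, which could be folded into the existing one as `/(usr/)?sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)` instead of a second entry.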
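Review bot: `NetworkManager_tmp_t` and `NetworkManager_var_log_t` are declared without a comment saying what they label, and nothing in the .fc hunk mentions `NetworkManager_tmp_t`, so a reader has to find the `files_tmp_filetrans` rule in the later hunk to learn it is only ever a socket created in /tmp. A short comment above each declaration would save that hunt, e.g. `# socket wpa_supplicant creates in /tmp to talk to itself (only sock_file, never a directory)` and `# /var/log/wpa_supplicant.* log files`. The surrounding declaration block starts and ends outside the hunk.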
@@ -38,6 +44,12 @@
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
+
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
-- 
Martin Orr
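Review bot: `manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)` grants unlink, rename and setattr on the log type in addition to create/write, while the commit message asks only that wpa_supplicant can write a log; if wpa_supplicant only ever appends to that file (worth confirming against its log-open code), `append_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)` plus `create_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)` is the narrower grant and keeps the domain from removing or truncating its own log history, which is the record a defender reads after a wireless incident. refpolicy does commonly use manage for daemon logs, so treat this as a least-privilege preference rather than a blocker. The /tmp rules look right for a socket created directly in /tmp (the `files_tmp_filetrans` names `sock_file` only), but that means no `NetworkManager_tmp_t` directory ever exists and the directory half of `manage_sock_files_pattern` is dead; a comment such as `# socket is created directly in /tmp; no NetworkManager_tmp_t directories are expected` above those two lines would stop a later reader from adding a dir transition to "complete" it. The NetworkManager_t rule set these lines belong to continues outside the hunk on both sides.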