From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 11 Sep 2008 10:02:31 -0400
Subject: [refpolicy] wpa_supplicant
In-Reply-To: <20080822151533.GA8177@caligula.martinorr.name>
References: <20080822151533.GA8177@caligula.martinorr.name>
Message-ID: <1221141751.24369.24.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> wpa_supplicant on Debian lives in /sbin.
> Also let it write a log, and talk to itself through a socket in /tmp.

Merged with some distro_debian coverage in the file contexts, except for the wpa_cli context, which is a command line interactive program, so I think it shouldn't be labeled as a daemon entrypoint.

> Index: policy/modules/services/networkmanager.fc > =================================================================== > --- policy/modules/services/networkmanager.fc.orig > +++ policy/modules/services/networkmanager.fc > @@ -1,6 +1,11 @@ > +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > + > /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > > +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0) > + > /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) > /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) > /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) > Index: policy/modules/services/networkmanager.te > =================================================================== > --- policy/modules/services/networkmanager.te.orig > +++ policy/modules/services/networkmanager.te
> @@ -10,6 +10,12 @@ > type NetworkManager_exec_t; > init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) > > +type NetworkManager_tmp_t; > +files_tmp_file(NetworkManager_tmp_t) > + > +type NetworkManager_var_log_t; > +logging_log_file(NetworkManager_var_log_t) > + > type NetworkManager_var_run_t; > files_pid_file(NetworkManager_var_run_t) > > @@ -38,6 +44,12 @@ > manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) > files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) > > +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) > +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) > + > +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t) > +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file) > + > kernel_read_system_state(NetworkManager_t) > kernel_read_network_state(NetworkManager_t) > kernel_read_kernel_sysctls(NetworkManager_t) >

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
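Review bot: the first added line of the networkmanager.fc hunk, "+/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)", gives an interactive command-line client the daemon's entrypoint type, which the reply above says should not happen; that line should be dropped from the merge (or wpa_cli given a type of its own) so that executing wpa_cli does not transition callers into the NetworkManager domain. The remaining /sbin entries are Debian-specific paths, so they belong inside an ifdef(`distro_debian', ...) block in the .fc rather than unconditionally beside the /usr/s?bin lines, which matches the distro_debian coverage the reply describes adding at merge time.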
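Review bot: the /tmp socket rules in the second networkmanager.te hunk, "+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)" and "+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)", need a comment saying which socket they are for: the unchanged context just above already labels the /var/run/wpa_supplicant control-interface directory as NetworkManager_var_run_t, so a reader of the .te cannot tell why a second socket location under /tmp is required. Note also that the filetrans names only sock_file, unlike the pid filetrans on the previous context line with "{ dir file sock_file }"; if the program ever creates a subdirectory under /tmp for these sockets, that directory would keep the default tmp label and the sock_file rules would not apply inside it, so add dir to the class list in that case.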