From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 11 Sep 2008 10:02:31 -0400
Subject: [refpolicy] wpa_supplicant
In-Reply-To: <20080822151533.GA8177@caligula.martinorr.name>
References: <20080822151533.GA8177@caligula.martinorr.name>
Message-ID: <1221141751.24369.24.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> wpa_supplicant on Debian lives in /sbin.
> Also let it write a log, and talk to itself through a socket in /tmp.

Merged with some distro_debian coverage in the file contexts, except for
the wpa_cli context, which is a command line interactive program, so I
think shouldn't be labeled as a daemon entrypoint.

> Index: policy/modules/services/networkmanager.fc
> ===================================================================
> --- policy/modules/services/networkmanager.fc.orig
> +++ policy/modules/services/networkmanager.fc
> @@ -1,6 +1,11 @@
> +/sbin/wpa_cli			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +
>  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>  
> +/var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
> +
>  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> Index: policy/modules/services/networkmanager.te
> ===================================================================
> --- policy/modules/services/networkmanager.te.orig
> +++ policy/modules/services/networkmanager.te
> @@ -10,6 +10,12 @@
>  type NetworkManager_exec_t;
>  init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
>  
> +type NetworkManager_tmp_t;
> +files_tmp_file(NetworkManager_tmp_t)
> +
> +type NetworkManager_var_log_t;
> +logging_log_file(NetworkManager_var_log_t)
> +
>  type NetworkManager_var_run_t;
>  files_pid_file(NetworkManager_var_run_t)
>  
> @@ -38,6 +44,12 @@
>  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>  files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
>  
> +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
> +
> +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
> +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
> +
>  kernel_read_system_state(NetworkManager_t)
>  kernel_read_network_state(NetworkManager_t)
>  kernel_read_kernel_sysctls(NetworkManager_t)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150