From: dwalsh@redhat.com (Daniel J Walsh) Date: Thu, 11 Sep 2008 11:42:02 -0400 Subject: [refpolicy] wpa_supplicant In-Reply-To: <1221141751.24369.24.camel@gorn.columbia.tresys.com> References: <20080822151533.GA8177@caligula.martinorr.name> <1221141751.24369.24.camel@gorn.columbia.tresys.com> Message-ID: <48C93C4A.2070605@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christopher J. PeBenito wrote: > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote: >> wpa_supplicant on Debian lives in /sbin. >> Also let it write a log, and talk to itself through a socket in /tmp. > > Merged with some distro_debian coverage in the file contexts, except for > the wpa_cli context, which is a command line interactive program, so I > think shouldn't be labeled as a daemon entrypoint. > >> Index: policy/modules/services/networkmanager.fc >> =================================================================== >> --- policy/modules/services/networkmanager.fc.orig >> +++ policy/modules/services/networkmanager.fc 
>> @@ -1,6 +1,11 @@ >> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) >> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) >> + >> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) >> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) >> >> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0) >> + >> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) >> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) >> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) >> Index: policy/modules/services/networkmanager.te >> =================================================================== >> --- policy/modules/services/networkmanager.te.orig >> +++ policy/modules/services/networkmanager.te >> @@ -10,6 +10,12 @@ >> type NetworkManager_exec_t; >> init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) >> >> +type NetworkManager_tmp_t; >> +files_tmp_file(NetworkManager_tmp_t) >> + >> +type NetworkManager_var_log_t; >> +logging_log_file(NetworkManager_var_log_t) >> + >> type NetworkManager_var_run_t; >> files_pid_file(NetworkManager_var_run_t) 
>> >> @@ -38,6 +44,12 @@ >> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) >> files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) >> >> +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) >> +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) >> + >> +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t) >> +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file) >> + >> kernel_read_system_state(NetworkManager_t) >> kernel_read_network_state(NetworkManager_t) >> kernel_read_kernel_sysctls(NetworkManager_t) >> I don't think adding the ifdef debian to the fc file is of great use. Since there is a chance that wpasupplicant paths in other distributions might match, and it is unlikely that files named wpasupplicant for other distributions would have different security domains. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjJPEoACgkQrlYvE4MpobPjMgCfevVQIaXV5a0cSdOI0BMwPvbW GeoAoNgCyN6TiV68R8lk9rVpPQYGiv5e =PCiZ -----END PGP SIGNATURE-----
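Review bot: the networkmanager.fc hunk gives /sbin/wpa_cli the context NetworkManager_exec_t, which init_daemon_domain() ties to NetworkManager_t as the daemon's entrypoint, so an interactive command-line client would carry the same entrypoint label as the daemon itself; drop the `/sbin/wpa_cli` line (leaving the binary with the generic /sbin context) rather than mark it as a daemon entrypoint, as the reply already proposes. The `/sbin/wpa_supplicant` and `/var/log/wpa_supplicant.*` entries are fine as written, and the log entry's `--` (plain file) specifier matches the `file` class used in the `logging_log_filetrans()` rule in the .te hunk. Wrapping the /sbin lines in a distro_debian conditional is not needed either: nothing in the hunk is Debian-specific, and a matching path on another distribution would want the same label.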
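Review bot: in the second networkmanager.te hunk, `files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)` restricts the type transition to the sock_file class, so only the control socket wpa_supplicant creates under /tmp is labeled NetworkManager_tmp_t and any other object it might create there would not receive that label, which is the right scope for "talk to itself through a socket in /tmp". Note that the label identifies a socket NetworkManager_t created; because /tmp is world-writable, it does not by itself prevent another domain from placing a same-named sock_file there first, so the daemon's own handling of a pre-existing path still matters. The log rules (`manage_files_pattern` on NetworkManager_var_log_t plus `logging_log_filetrans(..., file)`) are consistent with the `--` entry in the .fc hunk. Unrelated to this patch, the context line `files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })` is missing the space after the first comma that the new lines use.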