From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Sep 2008 08:12:12 -0400
Subject: [refpolicy] wpa_supplicant
In-Reply-To: <48C93C4A.2070605@redhat.com>
References: <20080822151533.GA8177@caligula.martinorr.name>
	<1221141751.24369.24.camel@gorn.columbia.tresys.com>
	<48C93C4A.2070605@redhat.com>
Message-ID: <1221221532.24369.39.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-09-11 at 11:42 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> > 
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
> > 
> >> Index: policy/modules/services/networkmanager.fc
> >> ===================================================================
> >> --- policy/modules/services/networkmanager.fc.orig
> >> +++ policy/modules/services/networkmanager.fc
> >> @@ -1,6 +1,11 @@
> >> +/sbin/wpa_cli			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >> +/sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >> +
> >>  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >>  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >>  
> >> +/var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
> >> +
> >>  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> >>  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> >>  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)

> I don't think adding the ifdef debian to the fc file is of great use.
> Since there is a chance that wpasupplicant paths in other distributions
> might match, and it is unlikely that files named wpasupplicant for other
> distributions would have different security domains.

Good point.  I'll take it out.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150