From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Sep 2008 08:12:12 -0400
Subject: [refpolicy] wpa_supplicant
In-Reply-To: <48C93C4A.2070605@redhat.com>
References: <20080822151533.GA8177@caligula.martinorr.name> <1221141751.24369.24.camel@gorn.columbia.tresys.com> <48C93C4A.2070605@redhat.com>
Message-ID: <1221221532.24369.39.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-09-11 at 11:42 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> >
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
> >
> >> Index: policy/modules/services/networkmanager.fc > >> =================================================================== > >> --- policy/modules/services/networkmanager.fc.orig > >> +++ policy/modules/services/networkmanager.fc
> >> @@ -1,6 +1,11 @@ > >> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > >> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > >> + > >> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > >> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) > >> > >> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0) > >> + > >> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) > >> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) > >> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> I don't think adding the ifdef debian to the fc file is of great use.
> Since there is a chance that wpasupplicant paths in other distributions
> might match, and it is unlikely that files named wpasupplicant for other
> distributions would have different security domains.

Good point. I'll take it out.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
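
Review bot: In the @@ -1,6 +1,11 @@ hunk of networkmanager.fc, the added /var/log/wpa_supplicant.* pattern leaves its dot unescaped and its tail open-ended, so every regular file whose path begins with /var/log/wpa_supplicant is labeled NetworkManager_var_log_t. The neighbouring /var/run/NetworkManager\.pid entry escapes its dot; this entry should be tightened the same way, to the log file name or names the daemon actually writes. The added /sbin/wpa_cli line also puts the NetworkManager_exec_t label, which every other entry here applies to a daemon binary, on an interactive client; dropping that line keeps the entrypoint type on the daemons only.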