From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 18 Sep 2008 11:05:54 -0400
Subject: [refpolicy] wpa_supplicant
In-Reply-To: <48CC070B.1020302@martinorr.name>
References: <20080822151533.GA8177@caligula.martinorr.name> <1221141751.24369.24.camel@gorn.columbia.tresys.com> <48CC070B.1020302@martinorr.name>
Message-ID: <1221750354.24369.64.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2008-09-13 at 19:31 +0100, Martin Orr wrote:
> On 11/09/08 15:02, Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> >
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
>
> Makes sense. But then wpa_cli needs a domain of its own so it can use its sockets.
Merged.
> Index: policy/modules/services/networkmanager.fc
> ===================================================================
> --- policy/modules/services/networkmanager.fc.orig
> +++ policy/modules/services/networkmanager.fc
> @@ -1,4 +1,5 @@
> /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
>
> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> Index: policy/modules/services/networkmanager.te
> ===================================================================
> --- policy/modules/services/networkmanager.te.orig
> +++ policy/modules/services/networkmanager.te
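Review bot: The new `/sbin/wpa_cli` entry has no `/usr/s?bin/` counterpart, whereas wpa_supplicant is labeled under both `/sbin` and `/usr/s?bin` in the same hunk; on a system that installs wpa_cli under /usr/sbin the binary falls back to the generic label for that directory and never enters wpa_cli_t, so the wpa_cli rules added to networkmanager.te would not apply there. Mirroring the existing pattern with `/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)` would cover it. If the `/sbin` entries are meant to be Debian-only, as the thread suggests, the wpa_cli entry presumably belongs in the same distro conditional as the `/sbin/wpa_supplicant` one.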
> @@ -22,6 +22,10 @@
> type NetworkManager_var_run_t;
> files_pid_file(NetworkManager_var_run_t)
>
> +type wpa_cli_t;
> +type wpa_cli_exec_t;
> +init_system_domain(wpa_cli_t, wpa_cli_exec_t)
> +
> ########################################
> #
> # Local policy
> @@ -40,13 +44,15 @@
> allow NetworkManager_t self:udp_socket create_socket_perms;
> allow NetworkManager_t self:packet_socket create_socket_perms;
>
> +allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
> +
> can_exec(NetworkManager_t, NetworkManager_exec_t)
>
> manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
> logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
>
> -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
> +files_search_tmp(NetworkManager_t)
> +rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
>
> manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
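Review bot: `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` only provides the init-script entry transition, and nothing in this patch adds a transition into wpa_cli_t from NetworkManager_t or from any user domain, so an administrator running wpa_cli interactively — the case the thread itself describes — stays in the calling domain and never gets the socket rules added later in the file; the new domain takes effect only when wpa_cli is launched from an init script, unless a domtrans exists elsewhere. A one-line comment above the type declarations would make the intended entry point explicit, e.g. `# wpa_cli_t is entered only from init scripts; interactive callers stay in their own domain`.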
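Review bot: Replacing `manage_sock_files_pattern`/`files_tmp_filetrans` with `files_search_tmp` plus `rw_sock_files_pattern` means NetworkManager_t — which the .fc hunk also uses for wpa_supplicant — can no longer create socket files in /tmp, and any socket it did create there would no longer be labeled NetworkManager_tmp_t. That fits a model where wpa_cli creates the /tmp control sockets and wpa_supplicant only replies on them, which the new `allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;` line implies, but the intent is not recorded anywhere; a comment such as `# wpa_cli creates the control sockets in /tmp; wpa_supplicant only replies on them` would save the next reader from re-deriving it from two hunks. If some wpa_supplicant version still creates its own /tmp socket, the removed file transition would presumably surface as a denial on a tmp_t sock_file.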
> @@ -190,3 +196,28 @@
> vpn_domtrans(NetworkManager_t)
> vpn_signal(NetworkManager_t)
> ')
> +
> +########################################
> +#
> +# wpa_cli local policy
> +#
> +allow wpa_cli_t self:capability dac_override;
> +allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
> +
> +allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
> +
> +manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> +files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> +
> +list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +
> +init_dontaudit_use_fds(wpa_cli_t)
> +init_use_script_ptys(wpa_cli_t)
> +
> +libs_use_ld_so(wpa_cli_t)
> +libs_use_shared_libs(wpa_cli_t)
> +
> +miscfiles_read_localization(wpa_cli_t)
> +
> +term_dontaudit_use_console(wpa_cli_t)
-- 
Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
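Review bot: `allow wpa_cli_t self:capability dac_override;` lets wpa_cli bypass every discretionary read/write/execute check, which is far broader than the rest of the block, where the only file access is directory listing and socket read/write under NetworkManager_var_run_t and NetworkManager_tmp_t. If the motivating denial was a search or read on a root-only control socket directory, `dac_read_search` is the narrower capability; if it was a write to the socket itself, the directory mode shipped by the package is the thing to fix rather than the policy. Either way the rule should carry a comment naming the path that needs it, e.g. `# dac_override: needed for <PATH-FROM-AVC-DENIAL>; confirm whether dac_read_search suffices`. The `')` context line at the top of the hunk closes the preceding optional_policy block, so the new wpa_cli rules sit at file top level, which looks intended.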