From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 28 May 2012 12:22:04 +0200 Subject: [refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins In-Reply-To: <20120528102102.GA10112@siphos.be> References: <20120528102102.GA10112@siphos.be> Message-ID: <20120528102204.GB10112@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The wpa_cli application has two functions within the network manager environment: (1.) it acts as a commandline interface for administrators to interact with wpa_supplicant, and (2.) it gets called from within init scripts to perform some administrative, unattended tasks. In this patch, we mark the wpa_cli_t domain as an application domain, introduce a few interfaces to allow roles to run the wpa_cli application, and enhance the wpa_cli_t local policies to reflect its dual use. Signed-off-by: Sven Vermeulen --- networkmanager.fc | 2 + networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++ networkmanager.te | 38 ++++++++++++++++++++++++++++++- 3 files changed, 104 insertions(+), 1 deletions(-) diff --git a/networkmanager.fc b/networkmanager.fc index 386543b..c83ff26 100644 --- a/networkmanager.fc +++ b/networkmanager.fc @@ -7,6 +7,7 @@ /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
@@ -22,5 +23,6 @@ /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if index 2324d9e..adb90d4 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') + +######################################## +## +## Do not audit use of wpa_cli file descriptors +## +## +## +## Domain to dontaudit access. +## +## +# +interface(`networkmanager_dontaudit_use_wpa_cli_fds',` + gen_require(` + type wpa_cli_t; + ') + + dontaudit $1 wpa_cli_t:fd use; +') + + +######################################## +## +## Execute wpa_cli in the wpa_cli domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`networkmanager_domtrans_wpa_cli',` + gen_require(` + type wpa_cli_t, wpa_cli_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t) +') + +######################################## +## +## Execute wpa cli in the wpa_cli domain, and +## allow the specified role the wpa_cli domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`networkmanager_run_wpa_cli',` + gen_require(` + type wpa_cli_exec_t; + ') + + networkmanager_domtrans_wpa_cli($1) + role $2 types wpa_cli_t; +') + diff --git a/networkmanager.te b/networkmanager.te index 0619395..0cb8072 100644 --- a/networkmanager.te +++ b/networkmanager.te 
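Review bot: In `networkmanager_run_wpa_cli` the `gen_require` block declares `type wpa_cli_exec_t;`, but the only type the interface body names is `wpa_cli_t`, in `role $2 types wpa_cli_t;`. The require should read `type wpa_cli_t;` so the interface declares what it uses; `wpa_cli_exec_t` is already required inside `networkmanager_domtrans_wpa_cli`, which this interface calls. As a smaller point, the summary of this interface says "wpa cli" where the other two say "wpa_cli", and two blank lines are added after `networkmanager_dontaudit_use_wpa_cli_fds` where the other interfaces are separated by one.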
@@ -28,6 +28,9 @@ type wpa_cli_t; type wpa_cli_exec_t; init_system_domain(wpa_cli_t, wpa_cli_exec_t) +type wpa_cli_var_run_t; +files_pid_file(wpa_cli_var_run_t) + ######################################## # # Local policy @@ -68,6 +71,11 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t) +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t) +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t) +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file }) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) 
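Review bot: The description says wpa_cli_t is marked as an application domain, but this hunk keeps `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` as unchanged context, and no `application_domain(wpa_cli_t, wpa_cli_exec_t)` line appears in any visible hunk of networkmanager.te. If that declaration was meant to be part of this patch, it belongs next to the existing `init_system_domain` line. If it is left out on purpose, the commit message should say so, because the new `networkmanager_run_wpa_cli` interface relies on the domain being usable from user roles. The only new lines here are the `wpa_cli_var_run_t` declaration and its `files_pid_file` call.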
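Review bot: The four rules added in the `@@ -68,6 +71,11 @@` hunk grant wpa_cli_t more than the file contexts describe. They give manage rights on directories and socket files of `wpa_cli_var_run_t` and a `{ dir file sock_file }` type transition, while the only context added for that type in networkmanager.fc is `/var/run/wpa_cli-.* --`, which matches regular files only. If wpa_cli only writes a PID file there (inferred from the .fc entry, so worth confirming), `manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)` plus `files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)` would be the least-privilege form. Otherwise the matching directory and socket contexts should be added, with a comment naming what creates them. The rules also sit between the NetworkManager_t pid rules and its `kernel_read_*` calls; they would be easier to audit alongside the other wpa_cli_t local policy further down the file.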
@@ -281,9 +289,37 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +corecmd_exec_bin(wpa_cli_t) +corecmd_exec_shell(wpa_cli_t) + +domain_use_interactive_fds(wpa_cli_t) + +files_search_pids(wpa_cli_t) + +fs_manage_tmpfs_dirs(wpa_cli_t) +fs_manage_tmpfs_sockets(wpa_cli_t) +fs_manage_tmpfs_sockets(NetworkManager_t) +fs_rw_tmpfs_files(wpa_cli_t) +fs_rw_tmpfs_files(NetworkManager_t) +fs_search_tmpfs(wpa_cli_t) +fs_search_tmpfs(NetworkManager_t) + +term_dontaudit_use_console(wpa_cli_t) + +getty_use_fds(wpa_cli_t) + +init_domtrans_script(wpa_cli_t) init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) +logging_send_syslog_msg(wpa_cli_t) + miscfiles_read_localization(wpa_cli_t) -term_dontaudit_use_console(wpa_cli_t) +userdom_use_user_terminals(wpa_cli_t) + +ifdef(`distro_gentoo',` + allow wpa_cli_t etc_t:file { getattr }; + + sysnet_domtrans_dhcpc(wpa_cli_t) +') -- 1.7.3.4
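Review bot: `init_domtrans_script(wpa_cli_t)` and `corecmd_exec_shell(wpa_cli_t)` are granted unconditionally to a domain that the new `networkmanager_run_wpa_cli` interface opens to any role, so each role given that interface also gains whatever transition into the init script domain those rules allow. The description justifies init-script use only for the unattended case, so the line should carry a why-comment such as `# wpa_cli action scripts started from init call back into init scripts`. If only Gentoo needs it (not determinable from this hunk), `init_domtrans_script(wpa_cli_t)` should move into the `ifdef(`distro_gentoo',` block next to `sysnet_domtrans_dhcpc(wpa_cli_t)`. Separately, the three `fs_*_tmpfs_*(NetworkManager_t)` lines widen NetworkManager_t in a patch whose subject is wpa_cli and would be clearer in their own commit. The line `allow wpa_cli_t etc_t:file { getattr };` also names `etc_t` directly, where refpolicy modules normally reach another module's types through an interface of the files module.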