From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 28 May 2012 15:54:33 +0200
Subject: [refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility
 for admins
In-Reply-To: <20120528102204.GB10112@siphos.be>
References: <20120528102102.GA10112@siphos.be>
	<20120528102204.GB10112@siphos.be>
Message-ID: <1338213273.15707.8.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:

> +/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)

This applies to files only (--). However there are also dirs and
sock_files labeled wpi_cli_var_run_t. The context of those objects will
not be restored as per above file context specification.

> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
> +

Not sure if it applies here but try to be conservative with type
transitions. If any of the dir, file, sock_file security classes do no
really need to type transition from var_run_t to wpa_cli_var_run_t, then
i would not specify a type transition for it.

So if a dir /var/run/wpa-cli-bla gets created in /var/run and files and
sock files get created in /var/run/wpa-cli-bla, then there really is no
need to add type transition rules for files and sock_files in my view.

> +       allow wpa_cli_t etc_t:file { getattr };

you dont need brace extension here because there is nothing to extent. I
would however use the getattr_file_perms permissions set for forward
compatibility.

In the unlikely scenario that in the future a new av permission is
introduced that is required to get attributes, it will be easier to
integrate if you consistently use permission sets (single point of
entry)