From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 20 Jun 2012 18:02:51 +0200
Subject: [refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins
In-Reply-To: <20120620154831.GA7987@siphos.be>
References: <20120528102102.GA10112@siphos.be> <20120528102204.GB10112@siphos.be> <1338213273.15707.8.camel@x220.mydomain.internal> <20120620154831.GA7987@siphos.be>
Message-ID: <1340208171.9690.8.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-06-20 at 17:48 +0200, Sven Vermeulen wrote:
> On Mon, May 28, 2012 at 03:54:33PM +0200, Dominick Grift wrote:
> > On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> >
> > > +/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
> >
> > This applies to files only (--). However there are also dirs and
> > sock_files labeled wpi_cli_var_run_t. The context of those objects will
> > not be restored as per above file context specification.
>
> Hmm, on my system, it is only PID files directly in /var/run.

That's not what your policy says:

> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })

The above is a type transition for dirs files and for sock_files.

So there is a conflict there if you ask me.

> The socket is stored in /tmp (but is written/managed by wpa_supplicant, not
> wpa_cli).
>
> I'll incorporate the other changes in the next try; if you know of any other
> locations (fc's) that I need to add in case of Fedora (or other systems),
> let me know and I'll add them in.
>
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
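
Review bot: The class set { dir file sock_file } in the files_pid_filetrans line is wider than the quoted file context entry /var/run/wpa_cli-.*, which carries -- and therefore labels regular files only, so directories and sockets created through the transition would not be restored to wpa_cli_var_run_t on a relabel. If wpa_cli creates only PID files directly in /var/run, as the reply states, narrow the transition to file and drop the manage_dirs_pattern and manage_sock_files_pattern lines so the domain keeps only the access it needs. If it does create directories or sockets there, drop the -- from the file context entry so all three classes are covered.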