From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Jun 2012 10:14:34 -0400
Subject: [refpolicy] [PATCH v2 1/2] Mark wpa_cli as a commandline utility for admins
In-Reply-To: <20120620155330.GC7987@siphos.be>
References: <20120620155211.GB7987@siphos.be> <20120620155330.GC7987@siphos.be>
Message-ID: <4FE9C3CA.7080209@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/20/12 11:53, Sven Vermeulen wrote:
> The wpa_cli application has two functions within the network manager
> environment: (1.) it acts as a commandline interface for administrators
> to interact with wpa_supplicant, and (2.) it gets called from within init
> scripts to perform some administrative, unattended tasks.
>
> In this patch, we mark the wpa_cli_t domain as an application domain, introduce
> a few interfaces to allow roles to run the wpa_cli application, and enhance the
> wpa_cli_t local policies to reflect its dual use.
>
> Signed-off-by: Sven Vermeulen
> ---
>  networkmanager.fc |    2 +
>  networkmanager.if |   65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  networkmanager.te |   34 +++++++++++++++++++++++++++-
>  3 files changed, 100 insertions(+), 1 deletions(-)
>
> diff --git a/networkmanager.te b/networkmanager.te
> index 0619395..1303185 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -281,9 +284,38 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
> +
> +corecmd_exec_bin(wpa_cli_t)
> +corecmd_exec_shell(wpa_cli_t)
> +
> +domain_use_interactive_fds(wpa_cli_t)
> +
> +files_search_pids(wpa_cli_t)
> +
> +fs_manage_tmpfs_dirs(wpa_cli_t)
> +fs_manage_tmpfs_sockets(wpa_cli_t)
> +fs_manage_tmpfs_sockets(NetworkManager_t)
> +fs_rw_tmpfs_files(wpa_cli_t)
> +fs_rw_tmpfs_files(NetworkManager_t)
> +fs_search_tmpfs(wpa_cli_t)
> +fs_search_tmpfs(NetworkManager_t)

tmpfs_t usage?  It looks like there should be either a NetworkManager_tmpfs_t or wpa_cli_tmpfs_t (my guess is the former).  Also the NetworkManager_t rules should be moved over with the other NetworkManager_t rules.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
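Review bot: The tmpfs rules at the end of the hunk, from `fs_manage_tmpfs_dirs(wpa_cli_t)` through `fs_search_tmpfs(NetworkManager_t)`, operate on the generic tmpfs_t type, so both wpa_cli_t and NetworkManager_t gain manage rights over every directory and socket on any tmpfs mount rather than over their own private objects; a derived private type (NetworkManager_tmpfs_t, given that the sockets are shared between the two domains) plus a type transition on tmpfs would keep the grant limited to the files these domains actually create. The three NetworkManager_t rules also sit inside the wpa_cli_t local policy block and belong with the other NetworkManager_t rules. Separately, `corecmd_exec_bin(wpa_cli_t)` and `corecmd_exec_shell(wpa_cli_t)` are added without a comment saying which scripts wpa_cli spawns (the commit message only mentions init scripts calling wpa_cli, not the reverse); a one-line comment in the .te would let later reviewers judge whether a narrower rule is possible.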