[refpolicy] wpa_supplicant

Martin Orr martin at martinorr.name
Sat Sep 13 13:31:39 CDT 2008


On 11/09/08 15:02, Christopher J. PeBenito wrote:
> On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
>> wpa_supplicant on Debian lives in /sbin.
>> Also let it write a log, and talk to itself through a socket in /tmp.
> 
> Merged with some distro_debian coverage in the file contexts, except for
> the wpa_cli context, which is a command line interactive program, so I
> think shouldn't be labeled as a daemon entrypoint.

Makes sense.  But then wpa_cli needs a domain of its own so it can use its sockets.

Index: policy/modules/services/networkmanager.fc
===================================================================
--- policy/modules/services/networkmanager.fc.orig
+++ policy/modules/services/networkmanager.fc
@@ -1,4 +1,5 @@
 /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
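Review bot: Only `/sbin/wpa_cli` receives the new `wpa_cli_exec_t` label, while the wpa_supplicant entries on the surrounding lines cover both `/sbin` and `/usr/s?bin`; on a distribution that installs wpa_cli under /usr/sbin the binary keeps the generic label, no transition happens, and the `wpa_cli_t` rules added in networkmanager.te never apply. A matching `/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)` keeps the two programs in step. Given the earlier remark in this thread that the Debian paths were merged under distro_debian coverage, the `/sbin` entry may also belong under that same `ifdef`.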
Index: policy/modules/services/networkmanager.te
===================================================================
--- policy/modules/services/networkmanager.te.orig
+++ policy/modules/services/networkmanager.te
@@ -22,6 +22,10 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
 ########################################
 #
 # Local policy
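Review bot: `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` makes the new domain reachable only from init and the init scripts, yet the discussion above describes wpa_cli as an interactive command-line program, and the patch adds neither an interface in networkmanager.if through which a user domain could transition to it nor a role statement. Unless something in the boot scripts executes wpa_cli, wpa_cli_t is unreachable and the client keeps running in the caller's domain. If interactive use is the goal, declaring it with `application_domain(wpa_cli_t, wpa_cli_exec_t)` and adding a `wpa_cli_domtrans`/`wpa_cli_run` pair plus a role interface in networkmanager.if would be the usual shape; I cannot see from this hunk which interfaces this policy version provides, so check the names against the tree.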
@@ -40,13 +44,15 @@
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
 can_exec(NetworkManager_t, NetworkManager_exec_t)
 
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
 
-manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+files_search_tmp(NetworkManager_t)
+rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -190,3 +196,28 @@
 	vpn_domtrans(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
 ')
+
+########################################
+#
+# wpa_cli local policy
+#
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+libs_use_ld_so(wpa_cli_t)
+libs_use_shared_libs(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)
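Review bot: `allow wpa_cli_t self:capability dac_override;` lets the client bypass every discretionary permission check, which is the broadest rule in this block and carries no comment saying which access needs it. Refpolicy convention is to justify such capabilities; if the trigger is the root-owned control directory under /var/run, `dac_read_search` is the narrower capability to try first, and if the access is only probed it can be a `dontaudit` instead. The terminal rules in this hunk (`init_use_script_ptys`, `term_dontaudit_use_console`) cover only invocation from init scripts, so an interactive run from a user shell will produce pty denials; `userdom_use_user_terminals(wpa_cli_t)` (or this tree's equivalent) is the usual addition. The socket rules also make the client a creator of `NetworkManager_tmp_t` sock files that the daemon only reads and writes, which works but means the two programs share one tmp type; a dedicated `wpa_cli_tmp_t` would keep their /tmp objects distinct.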

-- 
Martin Orr

