[refpolicy] wpa_supplicant

Christopher J. PeBenito cpebenito at tresys.com
Thu Sep 18 10:05:54 CDT 2008


On Sat, 2008-09-13 at 19:31 +0100, Martin Orr wrote:
> On 11/09/08 15:02, Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> > 
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
> 
> Makes sense.  But then wpa_cli needs a domain of its own so it can use its sockets.

Merged.

> Index: policy/modules/services/networkmanager.fc
> ===================================================================
> --- policy/modules/services/networkmanager.fc.orig
> +++ policy/modules/services/networkmanager.fc
> @@ -1,4 +1,5 @@
>  /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
>  
>  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
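Review bot: the file-context coverage for wpa_cli is narrower than for wpa_supplicant in this hunk. `wpa_supplicant` is labeled at both `/sbin/wpa_supplicant` and `/usr/s?bin/wpa_supplicant`, but `wpa_cli` only gets `/sbin/wpa_cli`; on distributions that keep it under /usr/sbin the binary would stay unlabeled and the new `wpa_cli_t` domain would never be entered. Consider adding a matching `/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)` line next to the existing `/usr/s?bin/` entries.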
> Index: policy/modules/services/networkmanager.te
> ===================================================================
> --- policy/modules/services/networkmanager.te.orig
> +++ policy/modules/services/networkmanager.te
> @@ -22,6 +22,10 @@
>  type NetworkManager_var_run_t;
>  files_pid_file(NetworkManager_var_run_t)
>  
> +type wpa_cli_t;
> +type wpa_cli_exec_t;
> +init_system_domain(wpa_cli_t, wpa_cli_exec_t)
> +
>  ########################################
>  #
>  # Local policy
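Review bot: `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` only provides a transition from init, yet the thread above describes wpa_cli as a command-line interactive program that users run from a shell. Without an interface in networkmanager.if that user or admin domains can call to transition into `wpa_cli_t` (a run/domtrans-style interface; the exact name is up to the maintainer), the new domain will not be reached from the terminal, and wpa_cli will run in the caller's domain. Please add such an interface in this patch or say which existing one is expected to cover it.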
> @@ -40,13 +44,15 @@
>  allow NetworkManager_t self:udp_socket create_socket_perms;
>  allow NetworkManager_t self:packet_socket create_socket_perms;
>  
> +allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
> +
>  can_exec(NetworkManager_t, NetworkManager_exec_t)
>  
>  manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
>  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
>  
> -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
> +files_search_tmp(NetworkManager_t)
> +rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
>  
>  manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>  manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
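Review bot: replacing `manage_sock_files_pattern`/`files_tmp_filetrans` with `files_search_tmp` and `rw_sock_files_pattern` removes the ability of `NetworkManager_t` to create and label its own socket files in /tmp, leaving it only read/write on `NetworkManager_tmp_t`. That is only consistent if the /tmp socket is always created by the wpa_cli side (which the later hunk does allow via `manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)`), so a one-line comment above these rules stating that the daemon only replies to a client-created socket would save the next reader from reverting this by mistake. Also, the new `allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;` would read better grouped with the wpa_cli section rather than between the self socket rules and `can_exec`.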
> @@ -190,3 +196,28 @@
>  	vpn_domtrans(NetworkManager_t)
>  	vpn_signal(NetworkManager_t)
>  ')
> +
> +########################################
> +#
> +# wpa_cli local policy
> +#
> +allow wpa_cli_t self:capability dac_override;
> +allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
> +
> +allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
> +
> +manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> +files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> +
> +list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +
> +init_dontaudit_use_fds(wpa_cli_t)
> +init_use_script_ptys(wpa_cli_t)
> +
> +libs_use_ld_so(wpa_cli_t)
> +libs_use_shared_libs(wpa_cli_t)
> +
> +miscfiles_read_localization(wpa_cli_t)
> +
> +term_dontaudit_use_console(wpa_cli_t)
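Review bot: `allow wpa_cli_t self:capability dac_override;` is a broad grant for a client utility and nothing in the hunk says why it is needed; if it is only for reaching the control socket under /var/run, a comment should say so, and if the access merely gets probed it should be a `dontaudit` rather than an `allow`. Related, for a program the discussion calls interactive, the terminal access here is limited to `init_use_script_ptys(wpa_cli_t)` and `term_dontaudit_use_console(wpa_cli_t)`, so expect AVC denials on the user's pty when it is run from a shell; either add the appropriate user terminal access or note that the domain is intended to be entered only via init scripts. Finally, the section header is missing the blank `#` line after `# wpa_cli local policy` that the other refpolicy section headers in this file use.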
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150