From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins
Date: Mon, 28 May 2012 12:22:04 +0200
Message-ID: <20120528102204.GB10112@siphos.be>
In-Reply-To: <20120528102102.GA10112@siphos.be>
The wpa_cli application has two functions within the network manager
environment: (1.) it acts as a commandline interface for administrators
to interact with wpa_supplicant, and (2.) it gets called from within init
scripts to perform some administrative, unattended tasks.
In this patch, we mark the wpa_cli_t domain as an application domain, introduce
a few interfaces to allow roles to run the wpa_cli application, and enhance the
wpa_cli_t local policies to reflect its dual use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
networkmanager.fc | 2 +
networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
networkmanager.te | 38 ++++++++++++++++++++++++++++++-
3 files changed, 104 insertions(+), 1 deletions(-)
diff --git a/networkmanager.fc b/networkmanager.fc
index 386543b..c83ff26 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -7,6 +7,7 @@
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -22,5 +23,6 @@
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
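Review bot: the `--` qualifier on `/var/run/wpa_cli-.*` restricts this entry to regular files, but the networkmanager.te part of the patch gives wpa_cli_t a `files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })`; if what wpa_cli creates under that name is a socket or a directory, a relabel with restorecon/setfiles would not put it back to wpa_cli_var_run_t. Either drop the qualifier, add a matching `-s` entry as is done for /var/run/wpa_supplicant-global, or narrow the filetrans to `file`, and say in the commit message which object the wpa_cli-* name is.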
diff --git a/networkmanager.if b/networkmanager.if
index 2324d9e..adb90d4 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
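Review bot: networkmanager_run_wpa_cli() references wpa_cli_t in `role $2 types wpa_cli_t;` but its gen_require only lists `type wpa_cli_exec_t;`, which the body never uses; change the gen_require to `type wpa_cli_t;` so the interface resolves in a modular build. Style: there is a double blank line between networkmanager_dontaudit_use_wpa_cli_fds and networkmanager_domtrans_wpa_cli, and the hunk adds a trailing blank line after the final `')`.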
diff --git a/networkmanager.te b/networkmanager.te
index 0619395..0cb8072 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -28,6 +28,9 @@ type wpa_cli_t;
type wpa_cli_exec_t;
init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
########################################
#
# Local policy
@@ -68,6 +71,11 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
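Review bot: wpa_cli_t gets full manage rights on wpa_cli_var_run_t here, yet nothing grants NetworkManager_t (the domain networkmanager.fc assigns to wpa_supplicant) any access to that type; if /var/run/wpa_cli-* is the client side of the control channel that wpa_supplicant answers on, NetworkManager_t also needs to write those sock files or the replies will be denied. The existing policy handles the /tmp case by labelling the client socket NetworkManager_tmp_t (files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) in the next hunk's context), so either follow that approach or add the corresponding rule and an interface for it.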
@@ -281,9 +289,37 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+
+domain_use_interactive_fds(wpa_cli_t)
+
+files_search_pids(wpa_cli_t)
+
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+getty_use_fds(wpa_cli_t)
+
+init_domtrans_script(wpa_cli_t)
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
+logging_send_syslog_msg(wpa_cli_t)
+
miscfiles_read_localization(wpa_cli_t)
-term_dontaudit_use_console(wpa_cli_t)
+userdom_use_user_terminals(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ allow wpa_cli_t etc_t:file { getattr };
+
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+')
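Review bot: the three NetworkManager_t rules (fs_manage_tmpfs_sockets, fs_rw_tmpfs_files, fs_search_tmpfs) are dropped into the wpa_cli_t block; move them to the NetworkManager_t local policy and explain in the commit message why wpa_supplicant now needs tmpfs access, since the message only covers wpa_cli. In the distro_gentoo block, `allow wpa_cli_t etc_t:file { getattr };` names etc_t directly without a gen_require and bypasses the files module's interfaces; use the files_* interface that provides the access instead (files_read_etc_files if wpa_cli actually reads the file). Finally, init_domtrans_script, sysnet_domtrans_dhcpc and corecmd_exec_shell let wpa_cli_t run init scripts, the dhcp client and shells, which is wpa_cli calling scripts rather than being called from them as the commit message describes; a comment naming what wpa_cli executes through these transitions would make the intent, and the widened attack surface of an admin-facing domain, clear.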
--
1.7.3.4
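The file-context side of this patch is easy to get subtly wrong, so here is an added illustration (not refpolicy code, and not from the patch author): a minimal file_contexts matcher applied to the post-patch networkmanager.fc entries quoted above. It encodes the file_contexts(5) conventions I rely on in review: each regex is anchored at both ends, a type qualifier (`--` regular file, `-d` directory, `-s` socket, and so on) restricts the entry to that object kind, and when several entries match, the last one in the file wins. The object-kind names, the `lookup()` helper and the sample paths are my own; the m4 `gen_context()` is reduced to its user:role:type triple, since the MLS level is only emitted on MLS/MCS builds.

```python
# Added illustration (not refpolicy code): a minimal file_contexts matcher
# applied to the networkmanager.fc entries from the patch above.
import re

# Post-patch networkmanager.fc lines relevant to wpa_cli, copied from the hunks.
FC_TEXT = r"""
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
"""

# file_contexts(5) type qualifiers and the object kind each one restricts to
# (kind names are this example's own, chosen to mirror SELinux object classes).
KIND_OF_QUALIFIER = {"--": "file", "-d": "dir", "-s": "sock_file",
                     "-l": "lnk_file", "-p": "fifo_file",
                     "-c": "chr_file", "-b": "blk_file"}
CTX_RE = re.compile(r"gen_context\(([^,]+),s0\)")


def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, object kind, context)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, qualifier, ctx_field = fields
            kind = KIND_OF_QUALIFIER[qualifier]
        elif len(fields) == 2:
            regex, ctx_field = fields
            kind = None  # no qualifier: the entry applies to any object kind
        else:
            raise ValueError("malformed file_contexts entry: " + line)
        m = CTX_RE.fullmatch(ctx_field)
        if m is None:
            raise ValueError("unexpected context field: " + ctx_field)
        # gen_context() only appends the MLS level on MLS/MCS builds; keep the
        # user:role:type triple, which is what the policy itself defines.
        entries.append((re.compile(regex), kind, m.group(1)))
    return entries


ENTRIES = parse_fc(FC_TEXT)


def lookup(entries, path, kind="file"):
    """Context that the entries assign to `path`, an object of `kind`.

    Regexes are anchored at both ends.  When several entries match, the last
    one in the file wins, which is what lets later entries override earlier
    ones.  Returns None when nothing matches, i.e. restorecon would leave the
    object alone.
    """
    for pattern, entry_kind, ctx in reversed(entries):
        if entry_kind is not None and entry_kind != kind:
            continue
        if pattern.fullmatch(path):
            return ctx
    return None


if __name__ == "__main__":
    # Constructed sample paths; the second and fourth show the two gaps
    # discussed in the review notes (no /usr/sbin entry, sockets not covered).
    for path, kind in [("/usr/bin/wpa_cli", "file"),
                       ("/usr/sbin/wpa_cli", "file"),
                       ("/var/run/wpa_cli-1234", "file"),
                       ("/var/run/wpa_cli-1234", "sock_file"),
                       ("/var/run/wpa_supplicant/wlan0", "sock_file")]:
        print(f"{path} ({kind}): {lookup(ENTRIES, path, kind)}")
```

Running it shows that /usr/bin/wpa_cli and a regular file /var/run/wpa_cli-1234 resolve to the new types, while /usr/sbin/wpa_cli and a socket named /var/run/wpa_cli-1234 resolve to nothing, which is the concrete effect of the literal path and the `--` qualifier in the .fc hunks. The same check can be made against a real policy with matchpathcon(1) once the module is built and loaded.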
Thread overview: 7+ messages
2012-05-28 10:21 [refpolicy] [PATCH 0/2] Mark wpa_cli as interactive application Sven Vermeulen
2012-05-28 10:22 ` Sven Vermeulen [this message]
2012-05-28 13:54 ` [refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins Dominick Grift
2012-06-20 15:48 ` Sven Vermeulen
2012-06-20 16:02 ` Dominick Grift
2012-05-28 14:01 ` Dominick Grift
2012-05-28 10:22 ` [refpolicy] [PATCH 2/2] Allow sysadm_r role to call wpa_cli Sven Vermeulen