[refpolicy] [PATCH 0/2] Mark wpa_cli as interactive application

[refpolicy] [PATCH 0/2] Mark wpa_cli as interactive application

[Sven Vermeulen]

The wpa_cli application is an interactive application to interact with
wpa_supplicant. This patch supports this within the SELinux policies.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins

[Sven Vermeulen]

The wpa_cli application has two functions within the network manager
environment: (1.) it acts as a commandline interface for administrators
to interact with wpa_supplicant, and (2.) it gets called from within init
scripts to perform some administrative, unattended tasks.

In this patch, we mark the wpa_cli_t domain as an application domain, introduce
a few interfaces to allow roles to run the wpa_cli application, and enhance the
wpa_cli_t local policies to reflect its dual use.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 networkmanager.fc |    2 +
 networkmanager.if |   65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 networkmanager.te |   38 ++++++++++++++++++++++++++++++-
 3 files changed, 104 insertions(+), 1 deletions(-)

diff --git a/networkmanager.fc b/networkmanager.fc
index 386543b..c83ff26 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -7,6 +7,7 @@
 /sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
+/usr/bin/wpa_cli		--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -22,5 +23,6 @@
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 2324d9e..adb90d4 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',`
 	files_search_pids($1)
 	allow $1 NetworkManager_var_run_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+	gen_require(`
+		type wpa_cli_t;
+	')
+
+	dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+##      Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+        gen_require(`
+                type wpa_cli_t, wpa_cli_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+##      Execute wpa cli in the wpa_cli domain, and
+##      allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+        gen_require(`
+                type wpa_cli_exec_t;
+        ')
+
+        networkmanager_domtrans_wpa_cli($1)
+        role $2 types wpa_cli_t;
+')
+
diff --git a/networkmanager.te b/networkmanager.te
index 0619395..0cb8072 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -28,6 +28,9 @@ type wpa_cli_t;
 type wpa_cli_exec_t;
 init_system_domain(wpa_cli_t, wpa_cli_exec_t)
 
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -68,6 +71,11 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
 
+manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
+
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
@@ -281,9 +289,37 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
 list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+
+domain_use_interactive_fds(wpa_cli_t)
+
+files_search_pids(wpa_cli_t)
+
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+getty_use_fds(wpa_cli_t)
+
+init_domtrans_script(wpa_cli_t)
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
 
+logging_send_syslog_msg(wpa_cli_t)
+
 miscfiles_read_localization(wpa_cli_t)
 
-term_dontaudit_use_console(wpa_cli_t)
+userdom_use_user_terminals(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+       allow wpa_cli_t etc_t:file { getattr };
+
+       sysnet_domtrans_dhcpc(wpa_cli_t)
+')
-- 
1.7.3.4

[refpolicy] [PATCH 2/2] Allow sysadm_r role to call wpa_cli

[Sven Vermeulen]

Allow system administrators to run wpa_cli to interact with wpa_supplicant.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..3c74fcb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -241,6 +241,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	netutils_run(sysadm_t, sysadm_r)
 	netutils_run_ping(sysadm_t, sysadm_r)
 	netutils_run_traceroute(sysadm_t, sysadm_r)
-- 
1.7.3.4

[refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins

[Dominick Grift]

On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:

> +/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)

This applies to files only (--). However there are also dirs and
sock_files labeled wpi_cli_var_run_t. The context of those objects will
not be restored as per above file context specification.

> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
> +

Not sure if it applies here but try to be conservative with type
transitions. If any of the dir, file, sock_file security classes do no
really need to type transition from var_run_t to wpa_cli_var_run_t, then
i would not specify a type transition for it.

So if a dir /var/run/wpa-cli-bla gets created in /var/run and files and
sock files get created in /var/run/wpa-cli-bla, then there really is no
need to add type transition rules for files and sock_files in my view.

> +       allow wpa_cli_t etc_t:file { getattr };

you dont need brace extension here because there is nothing to extent. I
would however use the getattr_file_perms permissions set for forward
compatibility.

In the unlikely scenario that in the future a new av permission is
introduced that is required to get attributes, it will be easier to
integrate if you consistently use permission sets (single point of
entry)

[refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins

[Dominick Grift]

On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:

> +ifdef(`distro_gentoo',`
> +       allow wpa_cli_t etc_t:file { getattr };

By the way: type etc_t is declared in the files module and is external
to the networkmanager module. You should not make direct references to
external types but use interfaces instead.

[refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins

[Sven Vermeulen]

On Mon, May 28, 2012 at 03:54:33PM +0200, Dominick Grift wrote:
> On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> 
> > +/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
> 
> This applies to files only (--). However there are also dirs and
> sock_files labeled wpi_cli_var_run_t. The context of those objects will
> not be restored as per above file context specification.

Hmm, on my system, it is only PID files directly in /var/run.

The socket is stored in /tmp (but is written/managed by wpa_supplicant, not
wpa_cli).

I'll incorporate the other changes in the next try; if you know of any other
locations (fc's) that I need to add in case of Fedora (or other systems),
let me know and I'll add them in.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 1/2] Mark wpa_cli as a commandline utility for admins

[Dominick Grift]

On Wed, 2012-06-20 at 17:48 +0200, Sven Vermeulen wrote:
> On Mon, May 28, 2012 at 03:54:33PM +0200, Dominick Grift wrote:
> > On Mon, 2012-05-28 at 12:22 +0200, Sven Vermeulen wrote:
> > 
> > > +/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
> > 
> > This applies to files only (--). However there are also dirs and
> > sock_files labeled wpi_cli_var_run_t. The context of those objects will
> > not be restored as per above file context specification.
> 
> Hmm, on my system, it is only PID files directly in /var/run.

Thats not what your policy says:

> +manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t,
wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file
sock_file })

The above is a type transition for dirs files and for sock_files
So there is a conflict there if you ask me.

> The socket is stored in /tmp (but is written/managed by wpa_supplicant, not
> wpa_cli).
> 
> I'll incorporate the other changes in the next try; if you know of any other
> locations (fc's) that I need to add in case of Fedora (or other systems),
> let me know and I'll add them in.
> 
> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy