* [refpolicy] [PATCH v2 0/2] Mark wpa_cli as interactive application
From: Sven Vermeulen @ 2012-06-20 15:52 UTC (permalink / raw)
To: refpolicy
The wpa_cli application is an interactive application to interact with
wpa_supplicant. This patch supports this within the SELinux policies.
Updates since v1
----------------
- Only manage the file class for wpa_cli_t -> wpa_cli_var_run_t, including
transition (files_pid_filetrans)
- Drop the direct etc_t call
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH v2 1/2] Mark wpa_cli as a commandline utility for admins
From: Sven Vermeulen @ 2012-06-20 15:53 UTC (permalink / raw)
To: refpolicy
The wpa_cli application has two functions within the network manager
environment: (1.) it acts as a commandline interface for administrators
to interact with wpa_supplicant, and (2.) it gets called from within init
scripts to perform some administrative, unattended tasks.
In this patch, we mark the wpa_cli_t domain as an application domain, introduce
a few interfaces to allow roles to run the wpa_cli application, and enhance the
wpa_cli_t local policies to reflect its dual use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
networkmanager.fc | 2 +
networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
networkmanager.te | 34 +++++++++++++++++++++++++++-
3 files changed, 100 insertions(+), 1 deletions(-)
diff --git a/networkmanager.fc b/networkmanager.fc
index 386543b..c83ff26 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -7,6 +7,7 @@
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -22,5 +23,6 @@
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
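Review bot: The `/var/run/wpa_cli-.*` entry is restricted to regular files (`--`), which agrees with the `files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)` rule in networkmanager.te, but neither this hunk nor the commit message says what wpa_cli creates under that name; one sentence in the message describing these files would let reviewers confirm that regular-file-only labeling and the `manage_files_pattern` grant are the right scope.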
diff --git a/networkmanager.if b/networkmanager.if
index 2324d9e..adb90d4 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -191,3 +191,68 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
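Review bot: In `networkmanager_run_wpa_cli` the `gen_require` block lists `type wpa_cli_exec_t;` but the body never uses that type; what the body references directly is `wpa_cli_t` in `role $2 types wpa_cli_t;`, so the require should be `type wpa_cli_t;` (the exec type is already required by `networkmanager_domtrans_wpa_cli`, which this interface calls). Two smaller points: `networkmanager_dontaudit_use_wpa_cli_fds` has no caller anywhere in this series, so it either needs the rule that uses it or a note in the message on which domain it is meant for; and there is a doubled blank line before the `networkmanager_domtrans_wpa_cli` header block plus a trailing blank line at the end of the file.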
diff --git a/networkmanager.te b/networkmanager.te
index 0619395..1303185 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -28,6 +28,9 @@ type wpa_cli_t;
type wpa_cli_exec_t;
init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
########################################
#
# Local policy
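Review bot: The commit message says this patch marks `wpa_cli_t` as an application domain, but the visible context here keeps `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` unchanged and the hunk only adds the `wpa_cli_var_run_t` pid-file type; either the message should drop that claim or the hunk is missing the `application_domain()` declaration it describes. The new type itself looks right, and its `files_pid_file()` declaration matches the `/var/run/wpa_cli-.*` labeling added in networkmanager.fc.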
@@ -281,9 +284,38 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
+
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+
+domain_use_interactive_fds(wpa_cli_t)
+
+files_search_pids(wpa_cli_t)
+
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+getty_use_fds(wpa_cli_t)
+
+init_domtrans_script(wpa_cli_t)
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
+logging_send_syslog_msg(wpa_cli_t)
+
miscfiles_read_localization(wpa_cli_t)
-term_dontaudit_use_console(wpa_cli_t)
+userdom_use_user_terminals(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+')
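Review bot: `corecmd_exec_bin`, `corecmd_exec_shell` and `init_domtrans_script` are broad grants for a domain whose described job is talking to wpa_supplicant; the message mentions the init-script use but not why wpa_cli itself needs to execute shells and arbitrary binaries or transition into init scripts, so that justification (and whether it applies only to the unattended use) belongs in the message. The `fs_*_tmpfs_*` rules grant access to generic tmpfs objects for both `wpa_cli_t` and `NetworkManager_t` rather than to a derived private type, and the three `NetworkManager_t` lines sit in the wpa_cli section; the Gentoo-only `sysnet_domtrans_dhcpc(wpa_cli_t)` block is likewise undocumented in the message.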
--
1.7.3.4
* [refpolicy] [PATCH v2 2/2] Allow sysadm_r role to call wpa_cli
From: Sven Vermeulen @ 2012-06-20 15:54 UTC (permalink / raw)
To: refpolicy
Allow system administrators to run wpa_cli to interact with wpa_supplicant.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..3c74fcb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -241,6 +241,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
--
1.7.3.4
* [refpolicy] [PATCH v2 1/2] Mark wpa_cli as a commandline utility for admins
From: Christopher J. PeBenito @ 2012-06-26 14:14 UTC (permalink / raw)
To: refpolicy
On 06/20/12 11:53, Sven Vermeulen wrote:
> The wpa_cli application has two functions within the network manager
> environment: (1.) it acts as a commandline interface for administrators
> to interact with wpa_supplicant, and (2.) it gets called from within init
> scripts to perform some administrative, unattended tasks.
>
> In this patch, we mark the wpa_cli_t domain as an application domain, introduce
> a few interfaces to allow roles to run the wpa_cli application, and enhance the
> wpa_cli_t local policies to reflect its dual use.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> networkmanager.fc | 2 +
> networkmanager.if | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> networkmanager.te | 34 +++++++++++++++++++++++++++-
> 3 files changed, 100 insertions(+), 1 deletions(-)
> diff --git a/networkmanager.te b/networkmanager.te
> index 0619395..1303185 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -281,9 +284,38 @@ files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>
> +manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
> +files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
> +
> +corecmd_exec_bin(wpa_cli_t)
> +corecmd_exec_shell(wpa_cli_t)
> +
> +domain_use_interactive_fds(wpa_cli_t)
> +
> +files_search_pids(wpa_cli_t)
> +
> +fs_manage_tmpfs_dirs(wpa_cli_t)
> +fs_manage_tmpfs_sockets(wpa_cli_t)
> +fs_manage_tmpfs_sockets(NetworkManager_t)
> +fs_rw_tmpfs_files(wpa_cli_t)
> +fs_rw_tmpfs_files(NetworkManager_t)
> +fs_search_tmpfs(wpa_cli_t)
> +fs_search_tmpfs(NetworkManager_t)
tmpfs_t usage? It looks like there should be either a NetworkManager_tmpfs_t or wpa_cli_tmpfs_t (my guess is the former). Also the NetworkManager_t rules should be moved over with the other NetworkManager_t rules.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com