From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] wpa_supplicant
Date: Thu, 11 Sep 2008 11:42:02 -0400
Message-ID: <48C93C4A.2070605@redhat.com>
In-Reply-To: <1221141751.24369.24.camel@gorn.columbia.tresys.com>
Christopher J. PeBenito wrote:
> On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
>> wpa_supplicant on Debian lives in /sbin.
>> Also let it write a log, and talk to itself through a socket in /tmp.
>
> Merged with some distro_debian coverage in the file contexts, except for
> the wpa_cli context, which is a command line interactive program, so I
> think shouldn't be labeled as a daemon entrypoint.
>
>> Index: policy/modules/services/networkmanager.fc
>> ===================================================================
>> --- policy/modules/services/networkmanager.fc.orig
>> +++ policy/modules/services/networkmanager.fc
>> @@ -1,6 +1,11 @@
>> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> +
>> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>>
>> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
>> +
>> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
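Review bot: the first added line gives /sbin/wpa_cli the daemon entrypoint type NetworkManager_exec_t although it is an interactive command-line client, as the reply above says; drop that line (or leave wpa_cli with the ordinary label that other binaries get) so that only wpa_supplicant and NetworkManager carry the entrypoint type. Second, in `/var/log/wpa_supplicant.* --` the dot is unescaped, so the entry matches any regular file under /var/log whose name starts with wpa_supplicant, not just wpa_supplicant.log and its rotations; `/var/log/wpa_supplicant\.log.* --` is the tighter form. Note also that the new /sbin entries are unconditional in the hunk as posted, which is the distro_debian question the replies discuss.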
>> Index: policy/modules/services/networkmanager.te
>> ===================================================================
>> --- policy/modules/services/networkmanager.te.orig
>> +++ policy/modules/services/networkmanager.te
>> @@ -10,6 +10,12 @@
>> type NetworkManager_exec_t;
>> init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
>>
>> +type NetworkManager_tmp_t;
>> +files_tmp_file(NetworkManager_tmp_t)
>> +
>> +type NetworkManager_var_log_t;
>> +logging_log_file(NetworkManager_var_log_t)
>> +
>> type NetworkManager_var_run_t;
>> files_pid_file(NetworkManager_var_run_t)
>>
>> @@ -38,6 +44,12 @@
>> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>> files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
>>
>> +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
>> +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
>> +
>> +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
>> +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
>> +
>> kernel_read_system_state(NetworkManager_t)
>> kernel_read_network_state(NetworkManager_t)
>> kernel_read_kernel_sysctls(NetworkManager_t)
>>
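Review bot: the two tmp lines (manage_sock_files_pattern on NetworkManager_tmp_t and files_tmp_filetrans for sock_file) only cover a socket created in /tmp by a process already in NetworkManager_t; together with the wpa_cli entry in the fc hunk and the description "talk to itself through a socket in /tmp", that is the case where wpa_cli runs as NetworkManager_t. If wpa_cli is not given the entrypoint type, as the reply above suggests, its /tmp socket is created in the caller's domain and the supplicant would instead need write access to that domain's tmp sock_file type, so these two lines should be revisited together with the wpa_cli labeling decision. The log rules are consistent as written: `logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)` pairs with the `/var/log/wpa_supplicant.*` entry in the fc hunk.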
I don't think adding the ifdef debian to the fc file is of great use, since there is a chance that wpasupplicant paths in other distributions might match, and it is unlikely that files named wpasupplicant for other distributions would have different security domains.
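The thread turns on which paths the file_contexts regexes actually match across distributions. The following is an added example, not code from the patch or from either reply: file_contexts patterns are extended regexes applied to the whole path (anchored at both ends), so a path is either fully matched or left without that label. `fc_match` emulates the anchoring with `grep -x`, and `fc_lookup`/`fc_count` run the wpa_supplicant-related patterns quoted from the posted networkmanager.fc against constructed sample paths (the function names and the sample paths are assumptions made for this example; the wpa_cli entry is left out, following the reply).

```shell
#!/bin/sh
# Added example, not part of the refpolicy patch or the replies.
# file_contexts regexes must match the whole path, so a pattern either fully
# matches a path or does not label it at all. grep -x gives the same anchoring.

# fc_match PATTERN PATH: succeed if PATH is fully matched by the ERE PATTERN
fc_match() {
    printf '%s\n' "$2" | grep -Eqx -e "$1"
}

# fc_lookup PATH: print every pattern from the posted fc hunk that matches
# PATH, one per line; prints nothing when the path would get none of them.
fc_lookup() {
    path=$1
    # Regex column of the wpa_supplicant-related entries in the posted
    # networkmanager.fc (the wpa_cli line is omitted, per the review reply).
    for pat in \
        '/sbin/wpa_supplicant' \
        '/usr/s?bin/NetworkManager' \
        '/usr/s?bin/wpa_supplicant' \
        '/var/log/wpa_supplicant.*' \
        '/var/run/NetworkManager\.pid' \
        '/var/run/NetworkManager(/.*)?' \
        '/var/run/wpa_supplicant(/.*)?'
    do
        if fc_match "$pat" "$path"; then
            printf '%s\n' "$pat"
        fi
    done
}

# fc_count PATH: number of patterns matching PATH (0 means no entry applies)
fc_count() {
    fc_lookup "$1" | wc -l | tr -d ' '
}

# Stand-alone run: constructed sample paths from a Fedora-style and a
# Debian-style layout, plus a log name that the unescaped dot also catches.
for p in /usr/sbin/wpa_supplicant /sbin/wpa_supplicant \
         /var/log/wpa_supplicant.log /var/log/wpa_supplicant_old \
         /var/run/wpa_supplicant/wlan0 /etc/wpa_supplicant.conf; do
    printf '%s -> %s pattern(s)\n' "$p" "$(fc_count "$p")"
done
```

Two things the run makes visible: `/usr/s?bin/wpa_supplicant` never matches `/sbin/wpa_supplicant`, which is why the Debian entry is needed at all, and `/var/log/wpa_supplicant.*` matches `/var/log/wpa_supplicant_old` as readily as `wpa_supplicant.log`, whereas `/var/log/wpa_supplicant\.log.*` does not. Real labeling goes through libselinux, which also picks among several matching entries; this script only shows whether an entry applies.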
Thread overview:
2008-08-22 15:15 [refpolicy] wpa_supplicant Martin Orr
2008-08-23 1:48 ` Russell Coker
2008-09-11 14:02 ` Christopher J. PeBenito
2008-09-11 15:42 ` Daniel J Walsh [this message]
2008-09-12 12:12 ` Christopher J. PeBenito
2008-09-13 18:31 ` Martin Orr
2008-09-18 15:05 ` Christopher J. PeBenito