* [refpolicy] wpa_supplicant
From: Martin Orr @ 2008-08-22 15:15 UTC
To: refpolicy
wpa_supplicant on Debian lives in /sbin.
Also let it write a log, and talk to itself through a socket in /tmp.
Index: policy/modules/services/networkmanager.fc
===================================================================
--- policy/modules/services/networkmanager.fc.orig
+++ policy/modules/services/networkmanager.fc
@@ -1,6 +1,11 @@
+/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
+
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
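Review bot: `/sbin/wpa_cli` should not get `NetworkManager_exec_t`. wpa_cli is the interactive control client, not the daemon, so labelling it with the daemon's entrypoint type means any transition on that type runs the client as `NetworkManager_t`, with the daemon's whole permission set (its `packet_socket`, `udp_socket` and `/var/run` management rules, among others) behind an interactive prompt. Leave it at the default `bin_t` from corecommands, or give it its own `wpa_cli_exec_t` and a small domain that only needs the control sockets. Two smaller points in the same hunk: the two `/sbin/` entries are Debian paths added without an `ifdef(`distro_debian',` guard while the existing `/usr/s?bin/` entries stay unconditional, so the description should say which way the module wants to go; and the dot in `/var/log/wpa_supplicant.*` is an unescaped metacharacter, so `/var/log/wpa_supplicantfoo` matches too, whereas `/var/log/wpa_supplicant\..*` still covers every `wpa_supplicant.<something>` name.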
Index: policy/modules/services/networkmanager.te
===================================================================
--- policy/modules/services/networkmanager.te.orig
+++ policy/modules/services/networkmanager.te
@@ -10,6 +10,12 @@
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_var_log_t;
+logging_log_file(NetworkManager_var_log_t)
+
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
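Review bot: refpolicy names a domain's log type `<prefix>_log_t`, not `<prefix>_var_log_t` (the follow-up patch in this thread already spells it `NetworkManager_log_t` in its context lines), so rename `NetworkManager_var_log_t` here and in the .fc and rules hunks before merging. The `NetworkManager_tmp_t` declaration itself is fine; the open question for this hunk is whether the daemon's type should own a `/tmp` object at all, which depends on which side of the control interface actually creates that socket.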
@@ -38,6 +44,12 @@
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
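Review bot: the `/tmp` rules are attached to the wrong side of the control interface. `manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)` plus `files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)` let the daemon create socket files in `/tmp`, but with the wpa_ctrl protocol it is the client (wpa_cli) that creates the `/tmp` reply socket; the daemon only sends to it. As written, the daemon gets create/unlink rights in a world-writable directory it does not need, and the client only gets them if it happens to run as `NetworkManager_t`, which the .fc hunk arranges by mislabelling wpa_cli as the daemon entrypoint. The daemon needs `files_search_tmp`, `rw_sock_files_pattern` on `NetworkManager_tmp_t` and `unix_dgram_socket sendto` toward the client's domain; the create and filetrans rules belong to a dedicated client domain (the follow-up patch in this thread does exactly this). For the log, `manage_files_pattern` also grants unlink and rename; if the daemon only opens its log for append, `create_files_pattern` plus `append_files_pattern` is the tighter choice.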
--
Martin Orr
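To check what a file-contexts change like the one above actually labels before building the policy, here is an added example resolver, not refpolicy code and not from this thread: it parses refpolicy-style `.fc` lines, handles an `ifdef(`distro_debian',` guard with a small line-based stand-in for m4, and picks the winning entry for a path roughly the way `fc_sort` plus libselinux do (whole-path regex match, matching file-type flag, longest literal prefix, later entry on ties). The sample `.fc` text inside is constructed from the patch, with the Debian `/sbin` line wrapped in the guard that the thread goes on to discuss; the `label()` helper and the specificity rule are assumptions of this example, not refpolicy's build machinery.

```python
"""Resolve the SELinux label a path would get from refpolicy-style .fc
entries, so a patch to networkmanager.fc can be checked before a build.

Added example (not refpolicy code and not from the thread). Assumptions:
  * the regex must match the whole path, as libselinux does;
  * a file-type flag (-- file, -d dir, -s sock_file, ...) must agree with
    the object class being labelled; no flag means any class;
  * when several entries match, the one with the longest literal prefix
    wins and later entries win ties, which approximates refpolicy's
    fc_sort plus libselinux's "last match wins";
  * ifdef(`distro_xxx',` ... ') blocks are handled by a hand-rolled
    line-based preprocessor, not by m4.
"""
import re
from typing import List, NamedTuple, Optional, Set


class FcEntry(NamedTuple):
    regex: str
    ftype: Optional[str]   # object class restriction, None = any class
    context: str           # user:role:type:range, or "<<none>>"


FTYPE_FLAGS = {"--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
               "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}
GEN_CONTEXT = re.compile(r"^gen_context\(([^,()]+),\s*([^()]+)\)$")
IFDEF_OPEN = re.compile(r"^ifdef\(`(\w+)',\s*`$")
REGEX_META = set(".^$?*+|[](){}\\")


def preprocess(fc_text: str, defined: Set[str]) -> List[str]:
    """Drop ifdef(`name',` ... ') blocks whose name is not defined."""
    out, stack = [], []
    for line in fc_text.splitlines():
        s = line.strip()
        m = IFDEF_OPEN.match(s)
        if m:
            stack.append(m.group(1) in defined)
            continue
        if s == "')" and stack:
            stack.pop()
            continue
        if all(stack) and s and not s.startswith("#"):
            out.append(s)
    return out


def parse_fc(fc_text: str, defined: Set[str] = frozenset()) -> List[FcEntry]:
    """Parse `regex [ftype] gen_context(ctx,range)` lines into entries."""
    entries = []
    for line in preprocess(fc_text, defined):
        parts = line.split()
        regex, rest = parts[0], parts[1:]
        ftype = None
        if rest and rest[0] in FTYPE_FLAGS:
            ftype = FTYPE_FLAGS[rest.pop(0)]
        ctx_field = "".join(rest)
        m = GEN_CONTEXT.match(ctx_field)
        if m:
            context = f"{m.group(1)}:{m.group(2)}"
        elif ctx_field == "<<none>>":
            context = "<<none>>"
        else:
            raise ValueError(f"unparsable fc line: {line!r}")
        entries.append(FcEntry(regex, ftype, context))
    return entries


def literal_prefix_len(regex: str) -> int:
    """Length of the leading literal part, the specificity measure used here."""
    n = 0
    for ch in regex:
        if ch in REGEX_META:
            break
        n += 1
    return n


def resolve(entries: List[FcEntry], path: str, ftype: str = "file") -> Optional[str]:
    """Return the full context for `path`, or None if no entry applies."""
    best_key, best_ctx = None, None
    for i, e in enumerate(entries):
        if e.ftype is not None and e.ftype != ftype:
            continue
        if re.fullmatch(e.regex, path) is None:
            continue
        key = (literal_prefix_len(e.regex), i)
        if best_key is None or key > best_key:
            best_key, best_ctx = key, e.context
    return best_ctx


def type_of(context: Optional[str]) -> Optional[str]:
    """Pull the type field out of user:role:type:range."""
    return None if context is None else context.split(":")[2]


# Constructed sample: the .fc lines from the patch, with the Debian-only
# /sbin daemon entry wrapped in the ifdef(`distro_debian',` guard.
SAMPLE_FC = r"""
ifdef(`distro_debian',`
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
')

/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)

/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)

/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
"""


def label(path: str, ftype: str = "file", distro: Optional[str] = None) -> Optional[str]:
    """Type that SAMPLE_FC gives `path` when built for `distro` (assumed helper)."""
    entries = parse_fc(SAMPLE_FC, {f"distro_{distro}"} if distro else set())
    return type_of(resolve(entries, path, ftype))


if __name__ == "__main__":
    for p, t, d in [("/sbin/wpa_supplicant", "file", "debian"),
                    ("/sbin/wpa_supplicant", "file", None),
                    ("/sbin/wpa_cli", "file", "debian"),
                    ("/var/log/wpa_supplicant.wlan0.log", "file", None),
                    ("/var/run/wpa_supplicant/wlan0", "sock_file", None)]:
        print(f"{p:40} {t:9} distro={d}: {label(p, t, d)}")
```

Running it shows the two things the thread argues about: with `distro_debian` undefined, `/sbin/wpa_supplicant` resolves to nothing (it falls back to the generic `bin_t` from corecommands on a real system), and `/sbin/wpa_cli` resolves to nothing either way, which is the state the later wpa_cli domain patch fixes.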
* [refpolicy] wpa_supplicant
From: Russell Coker @ 2008-08-23 1:48 UTC
To: refpolicy

On Saturday 23 August 2008 01:15, Martin Orr <martin@martinorr.name> wrote:
> wpa_supplicant on Debian lives in /sbin.
> Also let it write a log, and talk to itself through a socket in /tmp.

It would be good to have ifdef(`distro_debian', around such things.

If the Debian location changes in future and there is ifdef(`distro_debian', around it then the old version can easily be replaced. We don't want to maintain an archive of all the old names and file locations for daemons.

-- 
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* [refpolicy] wpa_supplicant
From: Christopher J. PeBenito @ 2008-09-11 14:02 UTC
To: refpolicy

On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> wpa_supplicant on Debian lives in /sbin.
> Also let it write a log, and talk to itself through a socket in /tmp.

Merged with some distro_debian coverage in the file contexts, except for the wpa_cli context, which is a command line interactive program, so I think shouldn't be labeled as a daemon entrypoint.

> Index: policy/modules/services/networkmanager.fc
> ===================================================================
> --- policy/modules/services/networkmanager.fc.orig
> +++ policy/modules/services/networkmanager.fc
> @@ -1,6 +1,11 @@
> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +
> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>
> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
> +
> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> Index: policy/modules/services/networkmanager.te
> ===================================================================
> --- policy/modules/services/networkmanager.te.orig
> +++ policy/modules/services/networkmanager.te
> @@ -10,6 +10,12 @@
> type NetworkManager_exec_t;
> init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
>
> +type NetworkManager_tmp_t;
> +files_tmp_file(NetworkManager_tmp_t)
> +
> +type NetworkManager_var_log_t;
> +logging_log_file(NetworkManager_var_log_t)
> +
> type NetworkManager_var_run_t;
> files_pid_file(NetworkManager_var_run_t)
>
> @@ -38,6 +44,12 @@
> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
>
> +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
> +
> +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
> +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
> +
> kernel_read_system_state(NetworkManager_t)
> kernel_read_network_state(NetworkManager_t)
> kernel_read_kernel_sysctls(NetworkManager_t)
>

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] wpa_supplicant
From: Daniel J Walsh @ 2008-09-11 15:42 UTC
To: refpolicy

Christopher J. PeBenito wrote:
> On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
>> wpa_supplicant on Debian lives in /sbin.
>> Also let it write a log, and talk to itself through a socket in /tmp.
>
> Merged with some distro_debian coverage in the file contexts, except for
> the wpa_cli context, which is a command line interactive program, so I
> think shouldn't be labeled as a daemon entrypoint.
>
>> Index: policy/modules/services/networkmanager.fc
>> ===================================================================
>> --- policy/modules/services/networkmanager.fc.orig
>> +++ policy/modules/services/networkmanager.fc
>> @@ -1,6 +1,11 @@
>> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> +
>> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
>>
>> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
>> +
>> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>> Index: policy/modules/services/networkmanager.te
>> ===================================================================
>> --- policy/modules/services/networkmanager.te.orig
>> +++ policy/modules/services/networkmanager.te
>> @@ -10,6 +10,12 @@
>> type NetworkManager_exec_t;
>> init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
>>
>> +type NetworkManager_tmp_t;
>> +files_tmp_file(NetworkManager_tmp_t)
>> +
>> +type NetworkManager_var_log_t;
>> +logging_log_file(NetworkManager_var_log_t)
>> +
>> type NetworkManager_var_run_t;
>> files_pid_file(NetworkManager_var_run_t)
>>
>> @@ -38,6 +44,12 @@
>> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>> files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
>>
>> +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
>> +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
>> +
>> +manage_files_pattern(NetworkManager_t, NetworkManager_var_log_t, NetworkManager_var_log_t)
>> +logging_log_filetrans(NetworkManager_t, NetworkManager_var_log_t, file)
>> +
>> kernel_read_system_state(NetworkManager_t)
>> kernel_read_network_state(NetworkManager_t)
>> kernel_read_kernel_sysctls(NetworkManager_t)
>>

I don't think adding the ifdef debian to the fc file is of great use.
Since there is a chance that wpasupplicant paths in other distributions
might match, and it is unlikely that files named wpasupplicant for other
distributions would have different security domains.
* [refpolicy] wpa_supplicant
From: Christopher J. PeBenito @ 2008-09-12 12:12 UTC
To: refpolicy

On Thu, 2008-09-11 at 11:42 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> >
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
> >
> >> Index: policy/modules/services/networkmanager.fc
> >> ===================================================================
> >> --- policy/modules/services/networkmanager.fc.orig
> >> +++ policy/modules/services/networkmanager.fc
> >> @@ -1,6 +1,11 @@
> >> +/sbin/wpa_cli -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >> +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >> +
> >> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> >>
> >> +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_var_log_t,s0)
> >> +
> >> /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> >> /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> >> /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> I don't think adding the ifdef debian to the fc file is of great use.
> Since there is a chance that wpasupplicant paths in other distributions
> might match, and it is unlikely that files named wpasupplicant for other
> distributions would have different security domains.

Good point. I'll take it out.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] wpa_supplicant
From: Martin Orr @ 2008-09-13 18:31 UTC
To: refpolicy

On 11/09/08 15:02, Christopher J. PeBenito wrote:
> On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
>> wpa_supplicant on Debian lives in /sbin.
>> Also let it write a log, and talk to itself through a socket in /tmp.
>
> Merged with some distro_debian coverage in the file contexts, except for
> the wpa_cli context, which is a command line interactive program, so I
> think shouldn't be labeled as a daemon entrypoint.

Makes sense. But then wpa_cli needs a domain of its own so it can use its sockets.

Index: policy/modules/services/networkmanager.fc
===================================================================
--- policy/modules/services/networkmanager.fc.orig
+++ policy/modules/services/networkmanager.fc
@@ -1,4 +1,5 @@
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)

/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
Index: policy/modules/services/networkmanager.te
===================================================================
--- policy/modules/services/networkmanager.te.orig
+++ policy/modules/services/networkmanager.te
@@ -22,6 +22,10 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)

+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
########################################
#
# Local policy
@@ -40,13 +44,15 @@
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;

+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
can_exec(NetworkManager_t, NetworkManager_exec_t)

manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)

-manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+files_search_tmp(NetworkManager_t)
+rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)

manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -190,3 +196,28 @@
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
+
+########################################
+#
+# wpa_cli local policy
+#
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+libs_use_ld_so(wpa_cli_t)
+libs_use_shared_libs(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)

-- 
Martin Orr
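Review bot: in the networkmanager.fc hunk, `/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)` only covers the Debian `/sbin` path, while the daemon is labelled at both `/sbin/wpa_supplicant` and `/usr/s?bin/wpa_supplicant`. Add a matching `/usr/s?bin/wpa_cli` entry; otherwise on every other layout wpa_cli stays `bin_t`, no transition into `wpa_cli_t` ever happens, and the new local policy is dead.

Review bot: in the `@@ -22,6 +22,10 @@` hunk, `init_system_domain(wpa_cli_t, wpa_cli_exec_t)` only wires the transition from init scripts (the later `init_use_script_ptys` and `init_dontaudit_use_fds` rules confirm that is the expected caller). Nothing in networkmanager.if lets an administrator run wpa_cli from a shell in `wpa_cli_t`, so interactive use runs in the caller's domain and is denied on the control socket; either add a run/domtrans interface with role assignment, or say in the description that wpa_cli is only supported from init scripts.

Review bot: in the `@@ -190,3 +196,28 @@` hunk, `allow wpa_cli_t self:capability dac_override;` needs a justification. When run from init scripts wpa_cli is root talking to a socket directory the daemon created as root, so DAC override is only needed if the control directory or the `/tmp` socket has some other owner or mode; if the denial is harmless it should be a `dontaudit`, not an `allow`, because `dac_override` lets the domain ignore file permissions on every object its type rules already reach. The rest of the hunk is the right shape: create and filetrans for the reply socket in `NetworkManager_tmp_t` on the client side, `rw_sock_files_pattern` plus `list_dirs_pattern` on `NetworkManager_var_run_t` for the daemon's socket, and `unix_dgram_socket sendto` in both directions.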
* [refpolicy] wpa_supplicant
From: Christopher J. PeBenito @ 2008-09-18 15:05 UTC
To: refpolicy

On Sat, 2008-09-13 at 19:31 +0100, Martin Orr wrote:
> On 11/09/08 15:02, Christopher J. PeBenito wrote:
> > On Fri, 2008-08-22 at 16:15 +0100, Martin Orr wrote:
> >> wpa_supplicant on Debian lives in /sbin.
> >> Also let it write a log, and talk to itself through a socket in /tmp.
> >
> > Merged with some distro_debian coverage in the file contexts, except for
> > the wpa_cli context, which is a command line interactive program, so I
> > think shouldn't be labeled as a daemon entrypoint.
>
> Makes sense. But then wpa_cli needs a domain of its own so it can use its sockets.

Merged.

> Index: policy/modules/services/networkmanager.fc
> ===================================================================
> --- policy/modules/services/networkmanager.fc.orig
> +++ policy/modules/services/networkmanager.fc
> @@ -1,4 +1,5 @@
> /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> +/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
>
> /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
> Index: policy/modules/services/networkmanager.te
> ===================================================================
> --- policy/modules/services/networkmanager.te.orig
> +++ policy/modules/services/networkmanager.te
> @@ -22,6 +22,10 @@
> type NetworkManager_var_run_t;
> files_pid_file(NetworkManager_var_run_t)
>
> +type wpa_cli_t;
> +type wpa_cli_exec_t;
> +init_system_domain(wpa_cli_t, wpa_cli_exec_t)
> +
> ########################################
> #
> # Local policy
> @@ -40,13 +44,15 @@
> allow NetworkManager_t self:udp_socket create_socket_perms;
> allow NetworkManager_t self:packet_socket create_socket_perms;
>
> +allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
> +
> can_exec(NetworkManager_t, NetworkManager_exec_t)
>
> manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
> logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
>
> -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
> +files_search_tmp(NetworkManager_t)
> +rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
>
> manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> @@ -190,3 +196,28 @@
> vpn_domtrans(NetworkManager_t)
> vpn_signal(NetworkManager_t)
> ')
> +
> +########################################
> +#
> +# wpa_cli local policy
> +#
> +allow wpa_cli_t self:capability dac_override;
> +allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
> +
> +allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
> +
> +manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
> +files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
> +
> +list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> +
> +init_dontaudit_use_fds(wpa_cli_t)
> +init_use_script_ptys(wpa_cli_t)
> +
> +libs_use_ld_so(wpa_cli_t)
> +libs_use_shared_libs(wpa_cli_t)
> +
> +miscfiles_read_localization(wpa_cli_t)
> +
> +term_dontaudit_use_console(wpa_cli_t)
>

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
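The access pattern behind the wpa_cli domain patch merged above (the client creates a reply socket under `/tmp`, the daemon sends to it, and both sides need `unix_dgram_socket sendto`) can be seen by running the exchange over AF_UNIX datagram sockets. The following is an added example, not code from wpa_supplicant, wpa_cli or refpolicy: it uses temporary directories in place of `/var/run/wpa_supplicant` and `/tmp`, models only PING/PONG and the unknown-command FAIL reply, and its comments map each syscall to the rules in the patch. The `wpa_ctrl_<pid>-<n>` socket name and the `demo()` and `handle_request()` helpers are assumptions of this example.

```python
"""Re-enactment of the wpa_supplicant control-interface round trip that
the wpa_cli domain patch has to permit, to show which side creates which
socket file and which refpolicy rule each step needs.

Added example, not wpa_supplicant, wpa_cli or refpolicy code. Assumptions:
  * the daemon's control socket is <run_dir>/<iface>, standing in for
    /var/run/wpa_supplicant/<iface>; the client's reply socket is a file
    under <tmp_dir>, standing in for /tmp; the wpa_ctrl_<pid>-<n> name
    is an assumption of this example;
  * only PING/PONG and the unknown-command FAIL reply are modelled;
  * temporary directories are used so the script runs unprivileged.
"""
import os
import socket
import tempfile


def handle_request(data: bytes) -> bytes:
    """Stand-in for the daemon's ctrl_iface command dispatch."""
    return b"PONG\n" if data == b"PING" else b"FAIL\n"


def wpa_ctrl_exchange(run_dir: str, tmp_dir: str, request: bytes,
                      iface: str = "wlan0") -> bytes:
    """One request/reply round trip. Comments name the rules from the
    patch that each syscall needs once the two sides run as
    NetworkManager_t and wpa_cli_t."""
    ctrl_path = os.path.join(run_dir, iface)
    # Daemon: bind() creates the sock_file under /var/run/wpa_supplicant.
    #   manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
    #   files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
    daemon = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    daemon.bind(ctrl_path)

    # Client: bind() creates its own reply socket under /tmp, so the
    # create/unlink rights belong to wpa_cli_t, not to the daemon:
    #   manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
    #   files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
    client_path = os.path.join(tmp_dir, f"wpa_ctrl_{os.getpid()}-1")
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client.bind(client_path)
    client.settimeout(5)
    daemon.settimeout(5)
    try:
        # Client -> daemon: write on the daemon's sock_file plus
        #   allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
        #   rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
        client.sendto(request, ctrl_path)

        data, peer = daemon.recvfrom(4096)   # peer is the client's bound path
        reply = handle_request(data)

        # Daemon -> client: write on the /tmp sock_file plus
        #   allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
        #   files_search_tmp(NetworkManager_t)
        #   rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
        daemon.sendto(reply, peer)
        return client.recv(4096)
    finally:
        client.close()
        daemon.close()
        # The client unlinks its reply socket on exit (unlink is part of
        # the manage_* rule above); the daemon removes its own on shutdown.
        for p in (client_path, ctrl_path):
            if os.path.exists(p):
                os.unlink(p)


def demo(request: bytes = b"PING") -> bytes:
    """Run the exchange in throwaway directories and return the reply."""
    with tempfile.TemporaryDirectory() as run_dir, \
         tempfile.TemporaryDirectory() as tmp_dir:
        return wpa_ctrl_exchange(run_dir, tmp_dir, request)


if __name__ == "__main__":
    print(demo(b"PING"))     # b'PONG\n'
    print(demo(b"BOGUS"))    # b'FAIL\n'
```

Traced with `strace -e trace=bind,sendto` on a permissive system, the same pairs fall out of a real wpa_cli session: the `bind()` under `/tmp` is the client's and the `sendto()` into `/tmp` is the daemon's, which is why the second patch moved `manage_sock_files_pattern` and `files_tmp_filetrans` for `NetworkManager_tmp_t` from `NetworkManager_t` to `wpa_cli_t` and left the daemon with `files_search_tmp` plus `rw_sock_files_pattern`.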