1 |
commit: 1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5 |
2 |
Author: Alexander Miroshnichenko <alex <AT> millerson <DOT> name> |
3 |
AuthorDate: Tue Jan 29 19:01:52 2019 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 10 04:11:25 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1463b90a |
7 |
|
8 |
Add hostapd service module |
9 |
|
10 |
Add a SELinux Reference Policy module for the hostapd |
11 |
IEEE 802.11 wireless LAN Host AP daemon. |
12 |
|
13 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
14 |
|
15 |
policy/modules/services/hostapd.fc | 7 +++++ |
16 |
policy/modules/services/hostapd.if | 1 + |
17 |
policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++++++++++ |
18 |
3 files changed, 64 insertions(+) |
19 |
|
20 |
diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc |
21 |
new file mode 100644 |
22 |
index 00000000..83583a77 |
23 |
--- /dev/null |
24 |
+++ b/policy/modules/services/hostapd.fc |
25 |
@@ -0,0 +1,7 @@ |
26 |
+/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0) |
27 |
+ |
28 |
+/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0) |
29 |
+ |
30 |
+/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0) |
31 |
+ |
32 |
+/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0) |
33 |
|
34 |
diff --git a/policy/modules/services/hostapd.if b/policy/modules/services/hostapd.if |
35 |
new file mode 100644 |
36 |
index 00000000..fce874d2 |
37 |
--- /dev/null |
38 |
+++ b/policy/modules/services/hostapd.if |
39 |
@@ -0,0 +1 @@ |
40 |
+## <summary>IEEE 802.11 wireless LAN Host AP daemon.</summary> |
41 |
|
42 |
diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te |
43 |
new file mode 100644 |
44 |
index 00000000..2db1e7de |
45 |
--- /dev/null |
46 |
+++ b/policy/modules/services/hostapd.te |
47 |
@@ -0,0 +1,56 @@ |
48 |
+policy_module(hostapd, 1.0.0) |
49 |
+ |
50 |
+######################################## |
51 |
+# |
52 |
+# Declarations |
53 |
+# |
54 |
+ |
55 |
+type hostapd_t; |
56 |
+type hostapd_exec_t; |
57 |
+init_daemon_domain(hostapd_t, hostapd_exec_t) |
58 |
+ |
59 |
+type hostapd_var_run_t; |
60 |
+files_pid_file(hostapd_var_run_t) |
61 |
+ |
62 |
+type hostapd_conf_t; |
63 |
+files_type(hostapd_conf_t) |
64 |
+ |
65 |
+######################################## |
66 |
+# |
67 |
+# hostapd local policy |
68 |
+# |
69 |
+ |
70 |
+allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override }; |
71 |
+allow hostapd_t self:fifo_file rw_fifo_file_perms; |
72 |
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms; |
73 |
+allow hostapd_t self:netlink_socket create_socket_perms; |
74 |
+allow hostapd_t self:netlink_generic_socket create_socket_perms; |
75 |
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms; |
76 |
+allow hostapd_t self:packet_socket create_socket_perms; |
77 |
+ |
78 |
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) |
79 |
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) |
80 |
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) |
81 |
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) |
82 |
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file }) |
83 |
+ |
84 |
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t) |
85 |
+ |
86 |
+kernel_read_system_state(hostapd_t) |
87 |
+kernel_read_network_state(hostapd_t) |
88 |
+kernel_request_load_module(hostapd_t) |
89 |
+kernel_rw_net_sysctls(hostapd_t) |
90 |
+dev_rw_sysfs(hostapd_t) |
91 |
+ |
92 |
+dev_read_rand(hostapd_t) |
93 |
+dev_read_urand(hostapd_t) |
94 |
+dev_read_sysfs(hostapd_t) |
95 |
+dev_rw_wireless(hostapd_t) |
96 |
+ |
97 |
+domain_use_interactive_fds(hostapd_t) |
98 |
+ |
99 |
+auth_use_nsswitch(hostapd_t) |
100 |
+ |
101 |
+logging_send_syslog_msg(hostapd_t) |
102 |
+ |
103 |
+miscfiles_read_localization(hostapd_t) |