Gentoo Archives: gentoo-hardened

From: Mike Edenfield <kutulu@××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Domain Transition problems wpa -> anything else
Date: Sun, 09 Mar 2008 13:43:04
Message-Id: 47D3E966.80201@kutulu.org
I've almost got my wpa policy module working properly, but something I
did along the way is causing the startup scripts to act kinda strange.
The wpa processes are now running under the domain I defined for them,
but so are a bunch of other network daemon processes that launch after WPA:

system_u:system_r:wpa_t 3944 ? Ss 0:00 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -C/var/run
system_u:system_r:wpa_t 3955 ? Ss 0:00 /bin/wpa_cli -a/etc/wpa_supplicant/wpa_cli.sh -p/var/run/wpa_supplicant -
system_u:system_r:wpa_t 6834 ? Ss 0:00 sshd: kutulu [priv]
system_u:system_r:wpa_t 6836 ? S 0:00 sshd: kutulu@pts/0
system_u:system_r:dhcpc_t 10500 ? Ss 0:00 /sbin/dhcpcd -h songbird -m 2000 eth0
system_u:system_r:wpa_t 10695 ? Ss 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid
system_u:system_r:wpa_t 10753 ? Ss 0:00 /usr/sbin/smbd -D
system_u:system_r:wpa_t 10757 ? S 0:00 /usr/sbin/smbd -D
system_u:system_r:wpa_t 10763 ? Ss 0:00 /usr/sbin/nmbd -D
system_u:system_r:wpa_t 10821 ? Ss 0:00 /usr/sbin/sshd

I forced dhcpcd to run in the correct domain by adding an explicit
domain_auto_trans rule for wpa_t -> dhcpc_exec_t -> dhcpc_t, which
solved that specific problem. The other processes sometimes run
correctly, sometimes run as wpa_t, but at least one always seems to be
an issue. I'm pretty sure I'm fixing the problem the wrong way by
adding all these transition rules, and I'm not sure why this is
happening to begin with.

Has anyone seen this before? Is there something simple I'm missing from
my policy module (I hope!)?

Thanks,

--Mike
--
gentoo-hardened@l.g.o mailing list
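The listing in the message is the classic symptom of a missing domain transition: under SELinux a child process keeps its parent's domain unless a type_transition (domain_auto_trans) rule applies to the executable it runs, so anything started from inside wpa_t, for instance by the wpa_cli action script, stays in wpa_t. Only dhcpcd ends up in dhcpc_t because the poster added an explicit rule for it. The shell script below is an added example (not code from the original message or from any Gentoo policy module) that audits a ps label listing and reports every process in wpa_t whose executable is not a wpa binary, which is the list of daemons that would each need their own transition. The sample listing is constructed from the message's output; the set of "expected" wpa_t executables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original message: audit a `ps -eZ`-style
# listing and report every process that runs in the wpa_t domain but is not
# a wpa binary. A child keeps its parent's SELinux domain unless a
# type_transition rule (domain_auto_trans) applies to the executable it runs.

# Constructed sample, built from the listing quoted in the message.
# Columns: security label, pid, command line (ps state/time columns dropped).
SAMPLE_PS='system_u:system_r:wpa_t 3944 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -C/var/run
system_u:system_r:wpa_t 3955 /bin/wpa_cli -a/etc/wpa_supplicant/wpa_cli.sh -p/var/run/wpa_supplicant
system_u:system_r:wpa_t 6834 sshd: kutulu [priv]
system_u:system_r:wpa_t 6836 sshd: kutulu@pts/0
system_u:system_r:dhcpc_t 10500 /sbin/dhcpcd -h songbird -m 2000 eth0
system_u:system_r:wpa_t 10695 /usr/sbin/ntpd -p /var/run/ntpd.pid
system_u:system_r:wpa_t 10753 /usr/sbin/smbd -D
system_u:system_r:wpa_t 10757 /usr/sbin/smbd -D
system_u:system_r:wpa_t 10763 /usr/sbin/nmbd -D
system_u:system_r:wpa_t 10821 /usr/sbin/sshd'

# Executables that are expected to run as wpa_t (assumption for this example).
WPA_OK_RE='^(/sbin/wpa_supplicant|/bin/wpa_cli)$'

# find_stray_domain DOMAIN OKRE: read a "label pid args" listing on stdin and
# print "pid command" for each process whose type is DOMAIN and whose
# executable does not match OKRE.
find_stray_domain() {
    awk -v dom="$1" -v okre="$2" '
    {
        split($1, ctx, ":")            # user:role:type[:level]
        if (ctx[3] != dom) next        # other domain: not our concern
        if ($3 ~ okre) next            # legitimately in this domain
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        print $2, cmd
    }'
}

# count_stray_wpa_t: number of stray wpa_t processes in the sample listing.
count_stray_wpa_t() {
    printf '%s\n' "$SAMPLE_PS" | find_stray_domain wpa_t "$WPA_OK_RE" | wc -l | tr -d ' '
}

# stray_wpa_t_execs: distinct executables that would each need a domain
# transition out of wpa_t (kernel-set titles such as "sshd:" are excluded,
# since they carry no path to label).
stray_wpa_t_execs() {
    printf '%s\n' "$SAMPLE_PS" | find_stray_domain wpa_t "$WPA_OK_RE" \
        | awk '$2 ~ /^\//{ print $2 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_stray_domain wpa_t "$WPA_OK_RE"
```

On a live system feed the function real data with `ps -eo label,pid,args | sed 1d | find_stray_domain wpa_t "$WPA_OK_RE"`; on the sample it lists the two sshd processes, ntpd, both smbd processes, nmbd and the sshd listener, while dhcpcd (already in dhcpc_t) is left out. Each path printed by `stray_wpa_t_execs` is a candidate for a proper transition rule (or, more likely, a sign that the service should not be started from the wpa domain at all).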

Replies

Subject Author
Re: [gentoo-hardened] Domain Transition problems wpa -> anything else Chris PeBenito <pebenito@g.o>