1 |
I'm trying to write a policy module for WPA (mostly for practice), to |
2 |
get rid of the numerous denials generated by the socket usage. I'm |
3 |
stuck trying to get the wpa_cli and wpa_supplicant processes to |
4 |
transition to the context I've defined for them, when launched out of |
5 |
init. They are holding the initrc_t context, even though I'm pretty |
6 |
sure I have everything set up properly. |
7 |
|
8 |
I've tried to mimic the parts of the reference policy's dhcp module, |
9 |
which uses sockets in a similar manner to WPA. So far, my custom module |
10 |
looks like this: |
11 |
|
12 |
----- wpa.te |
13 |
policy_module(wpa, 1.0.0) |
14 |
|
15 |
# Basic wpa_t domain and entry point. |
16 |
type wpa_t; |
17 |
type wpa_exec_t; |
18 |
|
19 |
domain_type(wpa_t) |
20 |
domain_entry_file(wpa_t, wpa_exec_t) |
21 |
|
22 |
# Allow WPA to manage it's own temp files |
23 |
type wpa_tmp_t; |
24 |
files_tmp_file(wpa_tmp_t) |
25 |
files_tmp_filetrans(wpa_t, wpa_tmp_t, { file dir }) |
26 |
manage_dirs_pattern(wpa_t, wpa_tmp_t, wpa_tmp_t) |
27 |
manage_files_pattern(wpa_t, wpa_tmp_t, wpa_tmp_t) |
28 |
|
29 |
# Allow WPA to manage it's own run-time files. |
30 |
type wpa_var_run_t; |
31 |
files_pid_file(wpa_var_run_t) |
32 |
files_pid_filetrans(wpa_t, wpa_var_run_t, file) |
33 |
manage_files_pattern(wpa_t, wpa_var_run_t, wpa_var_run_t) |
34 |
|
35 |
# Allow WPA to create and use the sockets it needs. |
36 |
# (sendto doesn't appear to be in any standard permission sets) |
37 |
allow wpa_t self:unix_dgram_socket { create_socket_perms sendto }; |
38 |
allow wpa_t self:netlink_route_socket rw_netlink_socket_perms; |
39 |
allow wpa_t self:packet_socket create_socket_perms; |
40 |
----- End wpa.te |
41 |
|
42 |
----- wpa.fc: |
43 |
/sbin/wpa_supplicant -- gen_context(system_u:object_r:wpa_exec_t, s0) |
44 |
/bin/wpa_cli -- gen_context(system_u:object_r:wpa_exec_t, s0) |
45 |
/bin/wpa_passphrase -- gen_context(system_u:object_r:wpa_exec_t, s0) |
46 |
|
47 |
/var/run/wpa_supplicant(/.*)? -- |
48 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
49 |
/var/run/wpa_supplicant-eth[0-9].pid -- |
50 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
51 |
/var/run/wpa_cli-eth[0-9].pid -- |
52 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
53 |
----- End wpa.fc |
54 |
|
55 |
I have the files being labelled properly, but the process is still |
56 |
running in the wrong context: |
57 |
|
58 |
# ls -lZ /sbin/wpa* /bin/wpa* |
59 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 29104 Jul 4 2007 |
60 |
/bin/wpa_cli |
61 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 13948 Jul 4 2007 |
62 |
/bin/wpa_passphrase |
63 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 293256 Jul 4 2007 |
64 |
/sbin/wpa_supplicant |
65 |
|
66 |
# ps axZ | grep wpa |
67 |
system_u:system_r:initrc_t 3929 ? Ss 0:03 |
68 |
/sbin/wpa_supplicant |
69 |
system_u:system_r:initrc_t 3940 ? Ss 0:01 /bin/wpa_cli |
70 |
|
71 |
Clearly I'm missing a step. Any ideas? |
72 |
|
73 |
Thanks, |
74 |
|
75 |
--Mike |
76 |
|
77 |
-- |
78 |
gentoo-hardened@l.g.o mailing list |