| 1 |
I'm trying to write a policy module for WPA (mostly for practice), to |
| 2 |
get rid of the numerous denials generated by the socket usage. I'm |
| 3 |
stuck trying to get the wpa_cli and wpa_supplicant processes to |
| 4 |
transition to the context I've defined for them, when launched out of |
| 5 |
init. They are holding the initrc_t context, even though I'm pretty |
| 6 |
sure I have everything set up properly. |
| 7 |
|
| 8 |
I've tried to mimic the parts of the reference policy's dhcp module, |
| 9 |
which uses sockets in a similar manner to WPA. So far, my custom module |
| 10 |
looks like this: |
| 11 |
|
| 12 |
----- wpa.te |
| 13 |
policy_module(wpa, 1.0.0) |
| 14 |
|
| 15 |
# Basic wpa_t domain and entry point. |
| 16 |
type wpa_t; |
| 17 |
type wpa_exec_t; |
| 18 |
|
| 19 |
domain_type(wpa_t) |
| 20 |
domain_entry_file(wpa_t, wpa_exec_t) |
| 21 |
|
| 22 |
# Allow WPA to manage it's own temp files |
| 23 |
type wpa_tmp_t; |
| 24 |
files_tmp_file(wpa_tmp_t) |
| 25 |
files_tmp_filetrans(wpa_t, wpa_tmp_t, { file dir }) |
| 26 |
manage_dirs_pattern(wpa_t, wpa_tmp_t, wpa_tmp_t) |
| 27 |
manage_files_pattern(wpa_t, wpa_tmp_t, wpa_tmp_t) |
| 28 |
|
| 29 |
# Allow WPA to manage it's own run-time files. |
| 30 |
type wpa_var_run_t; |
| 31 |
files_pid_file(wpa_var_run_t) |
| 32 |
files_pid_filetrans(wpa_t, wpa_var_run_t, file) |
| 33 |
manage_files_pattern(wpa_t, wpa_var_run_t, wpa_var_run_t) |
| 34 |
|
| 35 |
# Allow WPA to create and use the sockets it needs. |
| 36 |
# (sendto doesn't appear to be in any standard permission sets) |
| 37 |
allow wpa_t self:unix_dgram_socket { create_socket_perms sendto }; |
| 38 |
allow wpa_t self:netlink_route_socket rw_netlink_socket_perms; |
| 39 |
allow wpa_t self:packet_socket create_socket_perms; |
| 40 |
----- End wpa.te |
| 41 |
|
| 42 |
----- wpa.fc: |
| 43 |
/sbin/wpa_supplicant -- gen_context(system_u:object_r:wpa_exec_t, s0) |
| 44 |
/bin/wpa_cli -- gen_context(system_u:object_r:wpa_exec_t, s0) |
| 45 |
/bin/wpa_passphrase -- gen_context(system_u:object_r:wpa_exec_t, s0) |
| 46 |
|
| 47 |
/var/run/wpa_supplicant(/.*)? -- |
| 48 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
| 49 |
/var/run/wpa_supplicant-eth[0-9].pid -- |
| 50 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
| 51 |
/var/run/wpa_cli-eth[0-9].pid -- |
| 52 |
gen_context(system_u:object_r:wpa_var_run_t, s0) |
| 53 |
----- End wpa.fc |
| 54 |
|
| 55 |
I have the files being labelled properly, but the process is still |
| 56 |
running in the wrong context: |
| 57 |
|
| 58 |
# ls -lZ /sbin/wpa* /bin/wpa* |
| 59 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 29104 Jul 4 2007 |
| 60 |
/bin/wpa_cli |
| 61 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 13948 Jul 4 2007 |
| 62 |
/bin/wpa_passphrase |
| 63 |
-rwxr-xr-x+ 1 root root system_u:object_r:wpa_exec_t 293256 Jul 4 2007 |
| 64 |
/sbin/wpa_supplicant |
| 65 |
|
| 66 |
# ps axZ | grep wpa |
| 67 |
system_u:system_r:initrc_t 3929 ? Ss 0:03 |
| 68 |
/sbin/wpa_supplicant |
| 69 |
system_u:system_r:initrc_t 3940 ? Ss 0:01 /bin/wpa_cli |
| 70 |
|
| 71 |
Clearly I'm missing a step. Any ideas? |
| 72 |
|
| 73 |
Thanks, |
| 74 |
|
| 75 |
--Mike |
| 76 |
|
| 77 |
-- |
| 78 |
gentoo-hardened@l.g.o mailing list |
Archives