| 1 |
Chris PeBenito wrote: |
| 2 |
> On Sun, 2008-03-09 at 09:43 -0400, Mike Edenfield wrote: |
| 3 |
>> I've almost got my wpa policy module working properly, but something I |
| 4 |
>> did along the way is causing the startup scripts to act kinda strange. |
| 5 |
>> The wpa processes are now running under the domain I defined for them, |
| 6 |
>> but so are a bunch of other network daemon processes that launch after WPA: |
| 7 |
>> |
| 8 |
>> system_u:system_r:wpa_t 3944 ? Ss 0:00 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -C/var/run |
| 9 |
>> system_u:system_r:wpa_t 3955 ? Ss 0:00 /bin/wpa_cli -a/etc/wpa_supplicant/wpa_cli.sh -p/var/run/wpa_supplicant - |
| 10 |
>> system_u:system_r:wpa_t 6834 ? Ss 0:00 sshd: kutulu [priv] |
| 11 |
>> system_u:system_r:wpa_t 6836 ? S 0:00 sshd: kutulu@pts/0 |
| 12 |
> |
| 13 |
> What did you do to fix the transition to get to wpa_t? Was it the same |
| 14 |
> as my other response? |
| 15 |
|
| 16 |
Yes, I added the init_daemon_domain rule to my policy, as you had |
| 17 |
mentioned in your other email: |
| 18 |
|
| 19 |
type wpa_t; |
| 20 |
type wpa_exec_t; |
| 21 |
init_daemon_domain(wpa_t, wpa_exec_t) |
| 22 |
can_exec(wpa_t, wpa_exec_t) |
| 23 |
|
| 24 |
I should have thought to do this earlier, but I eventually started using |
| 25 |
the dhcp.te module from the ref policy as a basis, since it behaves |
| 26 |
similarly to wpa_supplicant (at least, close enough for my purposes.) |
| 27 |
|
| 28 |
> If starts/stops services based on network |
| 29 |
> availability, you'd probably want a transition back to initrc_t |
| 30 |
> (init_domtrans_script(wpa_t)). Thats assuming it uses the init scripts |
| 31 |
> to control the services. |
| 32 |
|
| 33 |
I just added this rule as well, and it looks like you solved my last |
| 34 |
little problem for me. Thanks a bunch for the help! |
| 35 |
|
| 36 |
--Mike |
| 37 |
|
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-hardened@l.g.o mailing list |
Archives