From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1071327-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id A011B138334
	for <garchives@archives.gentoo.org>; Sun, 10 Feb 2019 04:14:56 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id EFE25E0B0A;
	Sun, 10 Feb 2019 04:14:50 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id AEDABE0B09
	for <gentoo-commits@lists.gentoo.org>; Sun, 10 Feb 2019 04:14:50 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id E2EDC335D4F
	for <gentoo-commits@lists.gentoo.org>; Sun, 10 Feb 2019 04:14:48 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id B2C52547
	for <gentoo-commits@lists.gentoo.org>; Sun, 10 Feb 2019 04:14:45 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1549771885.1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/hostapd.fc policy/modules/services/hostapd.if policy/modules/services/hostapd.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
X-VCS-Branch: master
Date: Sun, 10 Feb 2019 04:14:45 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: efbe8bb2-4166-4b89-9dd8-2e8c94e2cfc6
X-Archives-Hash: 38fe7d741867d8b9f21b4e88b117c152

commit:     1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
Author:     Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
AuthorDate: Tue Jan 29 19:01:52 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1463b90a

Add hostapd service module

Add a SELinux Reference Policy module for the hostapd
IEEE 802.11 wireless LAN Host AP daemon.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/hostapd.fc |  7 +++++
 policy/modules/services/hostapd.if |  1 +
 policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc
new file mode 100644
index 00000000..83583a77
--- /dev/null
+++ b/policy/modules/services/hostapd.fc
@@ -0,0 +1,7 @@
+/usr/sbin/hostapd               --      gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)?          gen_context(system_u:object_r:hostapd_var_run_t,s0)
+
+/etc/hostapd(/.*)?          gen_context(system_u:object_r:hostapd_conf_t,s0)
+
+/run/hostapd.pid                --      gen_context(system_u:object_r:hostapd_var_run_t,s0)

diff --git a/policy/modules/services/hostapd.if b/policy/modules/services/hostapd.if
new file mode 100644
index 00000000..fce874d2
--- /dev/null
+++ b/policy/modules/services/hostapd.if
@@ -0,0 +1 @@
+## <summary>IEEE 802.11 wireless LAN Host AP daemon.</summary>

diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
new file mode 100644
index 00000000..2db1e7de
--- /dev/null
+++ b/policy/modules/services/hostapd.te
@@ -0,0 +1,56 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_conf_t;
+files_type(hostapd_conf_t)
+
+########################################
+#
+# hostapd local policy
+#
+
+allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
+
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+kernel_rw_net_sysctls(hostapd_t)
+dev_rw_sysfs(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)