From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1549771885.1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/hostapd.fc policy/modules/services/hostapd.if policy/modules/services/hostapd.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
X-VCS-Branch: master
Date: Sun, 10 Feb 2019 04:14:45 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: efbe8bb2-4166-4b89-9dd8-2e8c94e2cfc6
X-Archives-Hash: 38fe7d741867d8b9f21b4e88b117c152

commit:     1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
Author:     Alexander Miroshnichenko millerson name>
AuthorDate: Tue Jan 29 19:01:52 2019 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1463b90a

Add hostapd service module

Add a SELinux Reference Policy module for the hostapd IEEE 802.11 wireless LAN Host AP daemon.

Signed-off-by: Jason Zaman perfinion.com>

 policy/modules/services/hostapd.fc |  7 +++++
 policy/modules/services/hostapd.if |  1 +
 policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc
new file mode 100644
index 00000000..83583a77
--- /dev/null
+++ b/policy/modules/services/hostapd.fc
@@ -0,0 +1,7 @@ +/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0) + +/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0) + +/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0) + +/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0) diff --git a/policy/modules/services/hostapd.if b/policy/modules/services/hostapd.if new file mode 100644 index 00000000..fce874d2 --- /dev/null +++ b/policy/modules/services/hostapd.if @@ -0,0 +1 @@ +## IEEE 802.11 wireless LAN Host AP daemon. diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te new file mode 100644 index 00000000..2db1e7de --- /dev/null +++ b/policy/modules/services/hostapd.te 
@@ -0,0 +1,56 @@ +policy_module(hostapd, 1.0.0) + +######################################## +# +# Declarations +# + +type hostapd_t; +type hostapd_exec_t; +init_daemon_domain(hostapd_t, hostapd_exec_t) + +type hostapd_var_run_t; +files_pid_file(hostapd_var_run_t) + +type hostapd_conf_t; +files_type(hostapd_conf_t) + +######################################## +# +# hostapd local policy +# + +allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override }; +allow hostapd_t self:fifo_file rw_fifo_file_perms; +allow hostapd_t self:unix_stream_socket create_stream_socket_perms; +allow hostapd_t self:netlink_socket create_socket_perms; +allow hostapd_t self:netlink_generic_socket create_socket_perms; +allow hostapd_t self:netlink_route_socket create_netlink_socket_perms; +allow hostapd_t self:packet_socket create_socket_perms; + +manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file }) + +read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t) + +kernel_read_system_state(hostapd_t) +kernel_read_network_state(hostapd_t) +kernel_request_load_module(hostapd_t) +kernel_rw_net_sysctls(hostapd_t) +dev_rw_sysfs(hostapd_t) + +dev_read_rand(hostapd_t) +dev_read_urand(hostapd_t) +dev_read_sysfs(hostapd_t) +dev_rw_wireless(hostapd_t) + +domain_use_interactive_fds(hostapd_t) + +auth_use_nsswitch(hostapd_t) + +logging_send_syslog_msg(hostapd_t) + +miscfiles_read_localization(hostapd_t)
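Review bot: in the hostapd.fc hunk the runtime paths are spelled two ways, `/var/run/hostapd(/.*)?` on one line and `/run/hostapd.pid` two lines later; pick one prefix for both entries, since the two spellings only resolve to the same files if the policy's file_contexts.subs_dist maps one onto the other, and escape the dot as `/run/hostapd\.pid` because an unescaped `.` in a file context regex matches any character. The entries are also out of the usual path order for a .fc file; `/etc/hostapd(/.*)?` conventionally goes first, then `/usr/sbin/hostapd`, then the runtime paths.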
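Review bot: the hostapd.if hunk carries only the module summary line and declares no interfaces, so nothing outside this module can reach hostapd_conf_t or hostapd_var_run_t except through raw allow rules. A daemon module normally at least provides an admin interface (here it would be hostapd_admin, taking the caller's domain and role) that grants manage rights on the two types and the ability to signal hostapd_t; please add it, or say in the commit message why it was left out.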
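Review bot: the capability rule in the hostapd.te hunk, `allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };`, grants more than the rest of the policy indicates the daemon needs. dac_override lets hostapd_t ignore file permission bits on every file its type rules already reach, and dac_read_search is redundant once dac_override is present; chown and fsetid are unusual for a daemon whose only writable area is hostapd_var_run_t, which the manage_*_pattern rules and files_pid_filetrans already cover. Please quote the AVC denials that motivated dac_override, dac_read_search, chown and fsetid or drop them; dac_override in particular usually points at wrong ownership on a file rather than a real need. Two smaller points: dev_read_sysfs(hostapd_t) is subsumed by dev_rw_sysfs(hostapd_t) a few lines above it, and hostapd_conf_t is declared with files_type() where files_config_file() is the usual interface for a type that lives under /etc.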