Written by: Martin Orr
Label /etc/wpa_supplicant scripts as wpa_cli_exec_t
This is needed because hal runs /etc/wpa_supplicant/action_wpa.sh
Maybe action_wpa.sh should be the only one so labelled (and isn't hal going away?)
A lot of extra rules are needed for ifupdown.sh, which used to run as initrc_t
Original denial message looked like this:
Mar 27 22:53:16 caligula kernel: type=1400 audit(1238194396.121:6): avc: denied { read } for pid=20977 comm="action_wpa" name="wpa_supplicant" dev=dm-0 ino=1525131 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir
Index: policy/modules/services/networkmanager.fc
===================================================================
--- policy/modules/services/networkmanager.fc.orig
+++ policy/modules/services/networkmanager.fc
@@ -1,4 +1,5 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/wpa_supplicant/.*\.sh -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
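Review bot: The new pattern `/etc/wpa_supplicant/.*\.sh` labels every shell script in that directory as wpa_cli_exec_t, while the denial in the description involves only action_wpa.sh, and the description itself questions whether that should be the only script so labelled. Every script carrying this label becomes an entry point into wpa_cli_t for any domain given networkmanager_cli_domtrans, and the networkmanager.te hunk widens wpa_cli_t specifically to accommodate ifupdown.sh, so the narrower `/etc/wpa_supplicant/action_wpa\.sh -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)` would keep the ifupdown.sh rules out of that domain. If the wildcard is kept on purpose, a comment above it such as `# hal runs action_wpa.sh; the rules ifupdown.sh needs are in networkmanager.te` would record why both scripts share the label.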
Index: policy/modules/services/hal.te
===================================================================
--- policy/modules/services/hal.te.orig
+++ policy/modules/services/hal.te
@@ -289,6 +289,10 @@
')
optional_policy(`
+ networkmanager_cli_domtrans(hald_t)
+')
+
+optional_policy(`
ntp_domtrans(hald_t)
')
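Review bot: The new `networkmanager_cli_domtrans(hald_t)` block carries no comment on why hald must enter wpa_cli_t, although the description both explains it (hal runs /etc/wpa_supplicant/action_wpa.sh) and doubts it will be needed for long. A one-line comment inside the block, `# hal runs /etc/wpa_supplicant/action_wpa.sh`, would let the rule be found and removed once hal stops doing so. The same patch widens wpa_cli_t in networkmanager.te (shell execution, manage access to NetworkManager_var_run_t, a transition into NetworkManager_t), so this transition gives hald_t indirect reach into all of that and is worth weighing against the single read denial that motivated it. If hal.te already has an optional_policy block for networkmanager, the call belongs in that block rather than a separate one; that cannot be confirmed from the hunk.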
Index: policy/modules/services/networkmanager.if
===================================================================
--- policy/modules/services/networkmanager.if.orig
+++ policy/modules/services/networkmanager.if
@@ -191,3 +191,23 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+##
+## Execute wpa commandline scripts with a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_cli_domtrans',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
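Review bot: The documentation block above `interface(`networkmanager_cli_domtrans',`` shows bare `##` lines where refpolicy's XML tags belong: `## <summary>` around the description and `## <param name="domain">` with `## <desc>` around "Domain allowed access.". These may have been stripped when the patch was rendered; if they are absent from the file, the interface will not be documented correctly in the generated policy reference and they should be restored. The summary could also name what is executed, e.g. `## Execute wpa_cli_exec_t labelled scripts (such as /etc/wpa_supplicant/action_wpa.sh) with a domain transition to wpa_cli_t.`, since "wpa commandline scripts" does not say which files or target domain are involved.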
Index: policy/modules/services/networkmanager.te
===================================================================
--- policy/modules/services/networkmanager.te.orig
+++ policy/modules/services/networkmanager.te
@@ -274,17 +274,39 @@
allow wpa_cli_t self:capability dac_override;
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+allow wpa_cli_t NetworkManager_t:process signal_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+allow wpa_cli_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(wpa_cli_t, NetworkManager_t, NetworkManager_t)
+read_lnk_files_pattern(wpa_cli_t, NetworkManager_t, NetworkManager_t)
+
manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+files_pid_filetrans(wpa_cli_t, NetworkManager_var_run_t, file)
+
+can_exec(wpa_cli_t, wpa_cli_exec_t)
+
+corecmd_exec_bin(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
+logging_search_logs(wpa_cli_t)
+
miscfiles_read_localization(wpa_cli_t)
term_dontaudit_use_console(wpa_cli_t)
+
+networkmanager_domtrans(wpa_cli_t)
+
+optional_policy(`
+ hal_write_log(wpa_cli_t)
+ hal_dontaudit_read_pid_files(wpa_cli_t)
+')
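Review bot: The denial quoted in the description is a `{ read }` on a NetworkManager_var_run_t directory, yet the hunk adds `manage_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)` together with `files_pid_filetrans(wpa_cli_t, NetworkManager_var_run_t, file)`, granting wpa_cli_t create, write and unlink on the daemon's pid directory. Combined with the new `corecmd_exec_shell`, `can_exec(wpa_cli_t, wpa_cli_exec_t)`, `signal_perms` on NetworkManager_t and `networkmanager_domtrans(wpa_cli_t)`, plus the hald_t transition added in hal.te, this turns wpa_cli_t from a small helper domain into one that can signal, relaunch and modify the run-time state of NetworkManager; the description attributes the extra rules to ifupdown.sh having previously run as initrc_t. If ifupdown.sh writes only a specific file under /var/run, a dedicated type with a named file transition would be tighter; otherwise a comment above each new group naming the script and operation that needs it, e.g. `# ifupdown.sh: <operation requiring this>`, would let the rules be pruned later. The hunk header counts 39 new-side lines against 33 visible, so blank context lines appear to have been dropped in rendering; if the hunk does continue past the closing `')`, those lines are outside this view.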