SELinux policy for ndiswrapper

rrcoot at verizon.net
Tue Mar 15 18:04:59 UTC 2005


I wrote a policy to get ndiswrapper running in my FC3 strict policy SELinux system. This is the first policy I have created. I would greatly appreciate any pointers or feedback anyone would like to share. This policy is specifically used to allow the kernel_t domain to use the loadndisdriver executable to update the ndiswrapper module with configuration information. With this policy I can now successfully insmod ndiswrapper v1.1.

#################################################
#
# Define default file contexts for ndis tools
# Filename: loadndis.fc
# Assumptions: the loadndisdriver executable lives under /sbin and
# the configuration files are all under /etc/ndiswrapper.
#
# Author: Ryan Gall <rrcoot at verizon.net>
#

#File context for the loadndisdriver executable
/sbin/loadndisdriver -- system_u:object_r:loadndis_exec_t

#Context for the configuration directory and everything under it.
#The regex must cover the directory itself and its contents: a "--"
#specifier restricts an entry to regular files, and a pattern ending
#in "/" matches no path at all, so the config files would keep their
#default /etc label and the r_dir_perms/r_file_perms rules below
#would never apply.
/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t


##################################################
#
# Policy to create a domain for the loadndisdriver executable
# Filename: loadndis.te
# Purpose: Confine loadndisdriver to its own domain with access to
# ordinary application resources (shared libraries, locale data,
# /proc, devices, syslog) plus the ndiswrapper configuration files,
# so that `insmod ndiswrapper` completes in an enforcing strict
# SELinux policy.
#
# Author: Ryan Gall <rrcoot at verizon.net>
#

#Declare our loadndis domain
type loadndis_t, domain, privlog;

#Let system_r access this new domain
role system_r types loadndis_t;

#Set up the file contexts for loadndis executable and content
type loadndis_exec_t, file_type, sysadmfile;
type loadndis_content_t, file_type, sysadmfile;

#Transition execution to loadndis domain when executed
domain_auto_trans(kernel_t, loadndis_exec_t, loadndis_t)

#Needs to be able to search root of filesystem
allow loadndis_t root_t:dir search;

#Rules for devices
allow loadndis_t device_t:dir { rw_dir_perms };
allow loadndis_t device_t:chr_file { read create unlink ioctl };
allow loadndis_t null_device_t:chr_file { rw_file_perms };
allow loadndis_t console_device_t:chr_file { rw_file_perms };

#Capabilities
allow loadndis_t self:capability { sys_tty_config mknod };

#Rules for proc filesystem
allow loadndis_t proc_t:dir { r_dir_perms };
allow loadndis_t proc_t:file { r_file_perms };

#Sysfs rule
allow loadndis_t sysfs_t:dir { search };

#Allow logging
allow loadndis_t devlog_t:sock_file { write };

#Create a unix datagram socket
allow loadndis_t self:unix_dgram_socket { create_socket_perms };

#Let it access common configuration directories and libraries
uses_shlib(loadndis_t)
read_locale(loadndis_t)

#Finally allow access to our content
allow loadndis_t loadndis_content_t:file { r_file_perms };
allow loadndis_t loadndis_content_t:dir { r_dir_perms };
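To make the file_contexts semantics behind loadndis.fc concrete, here is an added Python example (it is not part of the post and is not libselinux code) that re-implements the small part of file_contexts matching that matters for this policy: a regular expression anchored at both ends, an optional file-type specifier such as "--", and last-entry-wins ordering when several lines match. It applies two versions of the configuration entry to a constructed miniature tree, one written as `/etc/ndiswrapper/ --` and one as `/etc/ndiswrapper(/.*)?`, and shows that the first labels nothing under /etc/ndiswrapper while the second labels the directory and its contents. The sample tree, the driver subdirectory name and the base-policy `/etc(/.*)?` line used in the usage note are all made up for the example.

```python
import re
import stat

# Two constructed file_contexts fragments. The first writes the
# configuration entry as a regular-file ("--") spec ending in "/";
# the second covers the directory and everything below it.
FC_FILE_ONLY = """\
/sbin/loadndisdriver -- system_u:object_r:loadndis_exec_t
/etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
"""

FC_RECURSIVE = """\
/sbin/loadndisdriver -- system_u:object_r:loadndis_exec_t
/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
"""

# Optional middle field of a file_contexts line: the file type the
# entry applies to, expressed as the st_mode type bits it must carry.
TYPE_SPEC = {
    "--": stat.S_IFREG,   # regular file
    "-d": stat.S_IFDIR,   # directory
    "-c": stat.S_IFCHR,   # character device
    "-b": stat.S_IFBLK,   # block device
    "-s": stat.S_IFSOCK,  # socket
    "-l": stat.S_IFLNK,   # symbolic link
    "-p": stat.S_IFIFO,   # named pipe
}

# Constructed miniature filesystem: path -> file type, standing in for
# stat.S_IFMT(st_mode). The "exampledrv" driver directory is made up.
SAMPLE_TREE = {
    "/sbin/loadndisdriver": stat.S_IFREG,
    "/etc/ndiswrapper": stat.S_IFDIR,
    "/etc/ndiswrapper/exampledrv": stat.S_IFDIR,
    "/etc/ndiswrapper/exampledrv/exampledrv.conf": stat.S_IFREG,
}


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, required type or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, type_spec, context = fields
            if type_spec not in TYPE_SPEC:
                raise ValueError(f"unknown file type specifier in: {raw!r}")
            required = TYPE_SPEC[type_spec]
        elif len(fields) == 2:
            regex, context = fields
            required = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(regex), required, context))
    return specs


def match_context(specs, path, file_type):
    """Return the context assigned to path, or None if no entry applies.

    The regex must match the whole path (fullmatch), a type specifier must
    agree with the file type, and when several entries match, the one that
    appears last in the file wins, which is how libselinux resolves it.
    """
    for regex, required, context in reversed(specs):
        if required is not None and required != file_type:
            continue
        if regex.fullmatch(path):
            return context
    return None


def label_tree(fc_text, tree=SAMPLE_TREE):
    """Map every path in tree to the context the given file_contexts assigns."""
    specs = parse_file_contexts(fc_text)
    return {path: match_context(specs, path, ftype) for path, ftype in tree.items()}


if __name__ == "__main__":
    for name, fc in (("file-only spec", FC_FILE_ONLY), ("recursive spec", FC_RECURSIVE)):
        print(name)
        for path, context in label_tree(fc).items():
            # None means the path falls through to whatever the base
            # policy's own file_contexts assigns it (etc_t under /etc).
            print(f"  {path:48} {context}")
```

A None result in this toy means the path is not covered by loadndis.fc at all; on a real system it would keep the label from the base policy's own entries, which is why a mislabeled config directory shows up as a denial against etc_t rather than loadndis_content_t when the domain tries to read it. Prepending a constructed `/etc(/.*)? system_u:object_r:etc_t` line to the recursive fragment and calling match_context on `/etc/hosts` versus `/etc/ndiswrapper/exampledrv/exampledrv.conf` shows the last-entry-wins rule: the later, more specific loadndis entry overrides the earlier catch-all only for paths it matches.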
