PERFORCE change 22219 for review

Brian Feldman green at freebsd.org
Thu Dec 12 21:17:16 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=22219

Change 22219 by green at green_laptop_2 on 2002/12/12 13:17:04

	* Add a uses_libc(domain) macro, now used by uses_shlib(domain)
	  and every_domain(domain), which defines the generic permissions
	  that libc needs in general.  So far, these are permission to
	  readlink(2) /etc/malloc.conf and to read from /dev/u?random.
	* Add policy and file contexts for malloc.conf.
	* Add policy and file contexts for /var/db, /var/db/entropy,
	  and for the /usr/libexec/save-entropy cron-job.

Affected files ...

.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#2 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/save-entropy.te#1 add
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/save-entropy.fc#1 add
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/types.fc#6 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#5 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#2 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/types/file.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ====

@@ -95,6 +95,10 @@
 allow initrc_t var_lib_t:file rw_file_perms;
 allow initrc_t var_lib_t:file unlink;
 
+# Access /var/db/entropy.
+allow initrc_t var_db_entropy_t:file rw_file_perms;
+allow initrc_t var_db_entropy_t:file unlink;
+
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
 allow initrc_t var_lock_t:file create_file_perms;
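Review bot: The two added rules cover only `var_db_entropy_t:file`, but unlinking an entry also needs directory permissions on `var_db_entropy_t`, and reaching it needs search on the new `var_db_t` directory; neither is granted in this hunk. Unless the rest of initrc.te (outside the hunk) already provides them, the rc scripts will be denied when they try to read or remove the saved entropy files. Consider adding `allow initrc_t var_db_t:dir search;` and `allow initrc_t var_db_entropy_t:dir rw_dir_perms;` (or the narrower set the scripts actually need) next to the file rules.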

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/types.fc#6 (text+ko) ====

@@ -54,6 +54,8 @@
 /var(/.*)?			system_u:object_r:var_t
 /var/catman(/.*)?		system_u:object_r:catman_t
 /var/cache/man(/.*)?		system_u:object_r:catman_t
+/var/db(/.*)?			system_u:object_r:var_db_t
+/var/db/entropy(/.*)?		system_u:object_r:var_db_entropy_t
 /var/yp(/.*)?			system_u:object_r:var_yp_t
 /var/lib(/.*)?			system_u:object_r:var_lib_t
 /var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
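Review bot: `/var/db(/.*)?` moves everything under /var/db from `var_t` to `var_db_t`, not only the entropy directory, and no visible hunk grants any domain access to `var_db_t`. Domains that reached other state under /var/db through their `var_t` rules will be denied after a relabel, unless rules exist in files not shown in this change. A comment above the two entries, e.g. `# /var/db is split out so that /var/db/entropy (saved RNG seed material) can carry its own type.`, would record the intent and prompt a check of the remaining /var/db consumers.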
@@ -145,6 +147,7 @@
 /etc/mrtg(/.*)?			system_u:object_r:etc_mrtg_t
 /etc/selinux(/.*)?		system_u:object_r:policy_src_t
 /etc/security/sebsd(/.*)?	system_u:object_r:policy_config_t	
+/etc/malloc\.conf		system_u:object_r:malloc_conf_t
 
 #
 # /lib

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#5 (text+ko) ====

@@ -97,6 +97,7 @@
 file_contexts/program/rshd.fc
 file_contexts/program/run_deb.fc
 file_contexts/program/run_init.fc
+file_contexts/program/save-entropy.fc
 file_contexts/program/selopt.fc
 file_contexts/program/sendmail.fc
 file_contexts/program/setfiles.fc
@@ -226,6 +227,7 @@
 domains/program/xserver.te
 domains/program/ypbind.te
 domains/program/acct.te
+domains/program/save-entropy.te
 domains/test
 domains/test/test_wait.te
 domains/test/test_capable_net.te

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#2 (text+ko) ====

@@ -277,10 +277,22 @@
 allow $1 lib_t:{ file lnk_file } r_file_perms;
 allow $1 usr_t:{ file lnk_file } r_file_perms;
 allow $1 null_device_t:chr_file rw_file_perms;
+uses_libc($1)
 ')
 
 #################################
 #
+# uses_libc(domain)
+#
+# Permissions for using the standard C library.
+#
+define(`uses_libc',`
+allow $1 random_device_t:{ chr_file lnk_file } r_file_perms;
+allow $1 malloc_conf_t:lnk_file { getattr read };
+')
+
+#################################
+#
 # can_exec(domain, type)
 #
 # Permissions for executing programs with
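Review bot: The header comment for `uses_libc` says only "Permissions for using the standard C library", yet the macro is now pulled into every domain that calls `uses_shlib` (and, per the change description, `every_domain`), so what it grants should be spelled out. I would extend the comment to something like `# Grants read of the random devices (random_device_t) and readlink of /etc/malloc.conf (malloc_conf_t, lnk_file only).` and add `# Keep this macro read-only: anything added here is granted to nearly every domain.` The body of `uses_shlib` begins above this hunk, so only its tail is visible here.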
@@ -759,7 +771,7 @@
 allow $1 device_t:lnk_file r_file_perms;
 
 # Read /dev/random and /dev/zero.
-allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:{ chr_file lnk_file } r_file_perms;
 allow $1 zero_device_t:chr_file r_file_perms;
 
 # Read the root directory of a tmpfs filesytem and any symbolic links.
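Review bot: The changed rule is now identical to the `random_device_t:{ chr_file lnk_file } r_file_perms` rule inside `uses_libc`. If this rule sits in `every_domain` (the macro header is outside the hunk), the `uses_libc($1)` call added in the last hunk of this file grants the same access a second time. A single source keeps the two from drifting apart: either drop this line and rely on `uses_libc($1)`, or keep it and annotate it with `# also granted via uses_libc()`.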
@@ -878,6 +890,9 @@
 # Grant permissions needed to create TCP and UDP sockets and 
 # to access the network.
 can_network($1)
+
+# Include generically-useful libc-requisite functionality.
+uses_libc($1)
 ')
 
 #######################

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/types/file.te#2 (text+ko) ====

@@ -93,6 +93,10 @@
 # pump needs write access to this file.
 type resolv_conf_t, file_type, sysadmfile;
 
+# malloc_conf_t is the type of the /etc/malloc.conf malloc(3)-configuration
+# symbolic link.
+type malloc_conf_t, file_type, sysadmfile;
+
 # etc_mrtg_t is the type of the /etc/mrtg directory and files.
 # crond needs write access to this directory.
 type etc_mrtg_t, file_type, sysadmfile;
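Review bot: The comment on `malloc_conf_t` names the object but not why it has its own type. Per the `uses_libc` macro in this change, every libc-using domain reads this link, so whoever can create or replace it influences allocator behaviour in all of them. I would add `# Read by all domains via uses_libc(); only administrative domains should be able to create, relabel or replace it.` The same gap applies in the two later hunks of this file: `var_db_t` has no comment at all, and for `var_db_entropy_t` something like `# Saved entropy, presumably used to reseed the random device; restrict access to initrc_t and the save-entropy domain.` would record the intended confinement.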
@@ -151,6 +155,7 @@
 #
 # Types for subdirectories of /var.
 #
+type var_db_t, file_type, sysadmfile;
 type var_run_t, file_type, sysadmfile;
 type var_log_t, file_type, sysadmfile;
 type var_lock_t, file_type, sysadmfile;
@@ -158,6 +163,9 @@
 type var_spool_t, file_type, sysadmfile;
 type var_yp_t, file_type, sysadmfile;
 
+# Type for /var/db/entropy.
+type var_db_entropy_t, file_type, sysadmfile;
+
 # Type for /var/log/sa.
 type var_log_sa_t, file_type, sysadmfile;
 