PERFORCE change 23688 for review

[Brian Feldman]

http://perforce.freebsd.org/chv.cgi?CH=23688

Change 23688 by green at green_laptop_2 on 2003/01/13 11:23:04

	* Add the uses_kld() macro, and use it in a few utilities so
	  far that need it.
	* Implement cleanvar.te policy for use in /etc/rc.d/cleanvar.

Affected files ...

.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/cleanvar.te#1 add
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 edit
.. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 edit

Differences ...

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 (text+ko) ====

@@ -27,12 +27,6 @@
 neverallow domain ~domain:process transition;
 
 #
-# Verify that only the kmod_t, insmod_t, and ifconfig_t domains 
-# have the sys_module capability.
-#
-neverallow ~{ kmod_t insmod_t ifconfig_t } self:capability sys_module;
-
-#
 # Verify that executable types, the system dynamic loaders, and the
 # system shared libraries can only be modified by administrators.
 #

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 (text+ko) ====

@@ -13,6 +13,7 @@
 role system_r types ifconfig_t;
 role sysadm_r types ifconfig_t;
 every_domain(ifconfig_t)
+uses_kld(ifconfig_t)
 type ifconfig_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
 type_transition init_t ifconfig_exec_t:process ifconfig_t;

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 (text+ko) ====


==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 (text+ko) ====

@@ -13,6 +13,7 @@
 role system_r types mount_t;
 role sysadm_r types mount_t;
 every_domain(mount_t)
+uses_kld(mount_t)
 type mount_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 type_transition init_t mount_exec_t:process mount_t;

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 (text+ko) ====

@@ -4,6 +4,7 @@
 /etc/rc.d/rc			system_u:object_r:initrc_exec_t
 /etc/rc.d/rc.sysinit		system_u:object_r:initrc_exec_t
 /etc/rc.d/rc.local		system_u:object_r:initrc_exec_t
+/etc/rc.d/cleanvar		system_u:object_r:cleanvar_exec_t
 /etc/init.d/rc.*		system_u:object_r:initrc_exec_t
 /var/run/utmp			system_u:object_r:initrc_var_run_t
 /var/run/runlevel.dir		system_u:object_r:initrc_var_run_t

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 (text+ko) ====

@@ -143,6 +143,7 @@
 domains/program/backup.te
 domains/program/bootloader.te
 domains/program/cardmgr.te
+domains/program/cleanvar.te
 domains/program/courier.te
 domains/program/crack.te
 domains/program/crond.te

==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 (text+ko) ====

@@ -262,6 +262,18 @@
 
 #################################
 #
+# uses_kld(domain)
+#
+# Permissions for using kernel modules.
+#
+define(`uses_kld',`
+allow $1 boot_t:dir r_dir_perms;
+allow $1 boot_t:file r_file_perms;
+allow $1 self:capability sys_module;
+')
+
+#################################
+#
 # uses_shlib(domain)
 #
 # Permissions for using shared libraries.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message