PERFORCE change 33724 for review

Chris Vance cvance at FreeBSD.org
Fri Jun 27 01:28:48 GMT 2003 

http://perforce.freebsd.org/chv.cgi?CH=33724

Change 33724 by cvance at cvance_demo on 2003/06/26 18:28:30

	Update SEBSD policy slightly - allows system to boot in enforcing
	mode, with (very) basic support.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 (text+ko) ====

@@ -41,5 +41,8 @@
 allow getty_t tty_device_t:chr_file rw_file_perms;
 allow getty_t ttyfile:chr_file rw_file_perms;
 
+rw_dir_create_file(getty_t, var_lock_t)
 
-rw_dir_create_file(getty_t, var_lock_t)
+# Allow getty _secure_path call to stat /root/.login_conf
+allow getty_t sysadm_home_t:dir r_dir_perms;
+

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ====

@@ -76,6 +76,7 @@
 
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
+allow initrc_t ld_so_cache_t:file unlink;
 
 # Update /etc/mail.
 allow initrc_t etc_mail_t:file rw_file_perms;
@@ -98,6 +99,7 @@
 # Access /var/db/entropy.
 allow initrc_t var_db_entropy_t:file rw_file_perms;
 allow initrc_t var_db_entropy_t:file unlink;
+allow initrc_t var_db_entropy_t:dir read;
 
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
@@ -154,6 +156,8 @@
 ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
 
 allow initrc_t var_spool_t:file rw_file_perms;
+allow initrc_t var_spool_t:file { create unlink };
+allow initrc_t var_spool_t:dir rw_dir_perms;
 
 ifdef(`pump.te', `allow initrc_t pump_var_run_t:sock_file unlink;')
 
@@ -209,3 +213,6 @@
 allow initrc_t pidfile:sock_file unlink;
 allow initrc_t tmpfile:sock_file unlink;
 rw_dir_create_file(initrc_t, var_lib_t)
+
+allow initrc_t devfs_t:dir rw_dir_perms;
+allow initrc_t devfs_t:lnk_file create;

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 (text+ko) ====

@@ -25,3 +25,5 @@
 allow ldconfig_t etc_t:file r_file_perms;
 
 allow ldconfig_t fs_t:filesystem getattr;
+
+allow ldconfig_t init_t:fd use;
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list