PERFORCE change 39357 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Oct 8 17:35:37 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=39357
Change 39357 by areisse at areisse_tislabs on 2003/10/08 10:35:05
small policy tweaks.
runtime.fc: Fix files that get created with bad labels because
of booting without sebsd.
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#5 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/apache.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/apache.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/runtime.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#4 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#5 (text+ko) ====
@@ -45,7 +45,7 @@
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
+FCFILES=file_contexts/types.fc file_contexts/runtime.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
APPDIR=$(DESTDIR)/etc/security
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context)
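Review bot: Nothing on the `FCFILES` line records that the position of `file_contexts/runtime.fc` matters, yet setfiles normally applies the last matching specification, so placing it after `types.fc` and before the `program/*.fc` files decides which label wins when two files match the same path. If that precedence is intended, a comment above the assignment would keep a later edit from reordering the list, for example `# Order matters: later entries override earlier ones; program/*.fc must stay last.` The same unstated ordering dependence appears to be the reason for the second `types.fc` hunk, which moves the `/usr/home` entries below the `/usr/...` entries; a comment there such as `# Must follow the generic /usr entries so these labels take precedence.` would stop them drifting back next to `/home`. The body of runtime.fc is not included in this change mail, so the actual overlaps cannot be checked from here.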
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#3 (text+ko) ====
@@ -19,5 +19,6 @@
allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
allow cleanvar_t self:capability dac_override;
+allow cleanvar_t fs_t:filesystem { getattr };
can_exec(cleanvar_t, bin_t)
general_domain_access(cleanvar_t) #!!!
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/apache.te#3 (text+ko) ====
@@ -410,6 +410,7 @@
####################################################
allow httpd_t httpd_log_files_t:dir rw_dir_perms;
allow httpd_t httpd_log_files_t:file create_file_perms;
+file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t)
############################################
# Allow scripts to append to http logs
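Review bot: The added `file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t)` probably widens httpd_t further than the log files need. As this macro is usually defined in this policy family, it also grants read/write on the `var_log_t` directory and applies the transition to every non-device class, directories included; the macro body is not part of this change, so that should be confirmed. Anything httpd_t creates in /var/log would then be typed `httpd_log_files_t`, while the entry changed in apache.fc only matches `/var/log/httpd-.*`, so a later relabel could give such objects a different type than they had at run time. If the local macro accepts a class argument, limiting it to regular files, e.g. `file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t, file)`, plus a comment that the logs sit directly in /var/log, would keep the grant narrow.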
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/apache.fc#3 (text+ko) ====
@@ -9,7 +9,7 @@
#/usr/sbin/suexec system_u:object_r:httpd_suexec_exec_t
#/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? system_u:object_r:httpd_suexec_exec_t
#/usr/lib/apache(2)?/suexec(2)? system_u:object_r:httpd_suexec_exec_t
-/var/log/httpd(/.*)? system_u:object_r:httpd_log_files_t
+/var/log/httpd-.* system_u:object_r:httpd_log_files_t
#/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_files_t
#/var/log/cgiwrap\.log.* system_u:object_r:httpd_log_files_t
#/var/cache/ssl.*\.sem system_u:object_r:httpd_cache_t
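Review bot: Replacing `/var/log/httpd(/.*)?` outright leaves a `/var/log/httpd/` log directory without an httpd-specific label, so an installation configured to log there would presumably fall back to the generic /var/log type at relabel. Keeping both specifications costs nothing: retain `/var/log/httpd(/.*)?` alongside the new `/var/log/httpd-.*`. The new pattern also has no file-type field, so it matches directories and other object classes named `httpd-*` as well; `--` in the second column would restrict it to regular files if that is the intent.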
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#2 (text+ko) ====
@@ -1,2 +1,2 @@
/usr/libexec/save-entropy system_u:object_r:save_entropy_exec_t
-/var/db/entropy system_u:object_r:var_db_entropy_t
+/var/db/entropy(/.*)? system_u:object_r:var_db_entropy_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#4 (text+ko) ====
@@ -83,9 +83,6 @@
/home system_u:object_r:home_root_t
/home/[^/]+ -d system_u:object_r:user_home_dir_t
/home/[^/]+/.+ system_u:object_r:user_home_t
-/usr/home system_u:object_r:home_root_t
-/usr/home/[^/]+ -d system_u:object_r:user_home_dir_t
-/usr/home/[^/]+/.+ system_u:object_r:user_home_t
#
# Other staff home directories, replace "jadmin" with appropriate name
@@ -206,6 +203,10 @@
/usr/man(/.*)? system_u:object_r:man_t
/usr/share/man(/.*)? system_u:object_r:man_t
+/usr/home system_u:object_r:home_root_t
+/usr/home/[^/]+ -d system_u:object_r:user_home_dir_t
+/usr/home/[^/]+/.+ system_u:object_r:user_home_t
+
#
# /usr/bin
#
==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#4 (text+ko) ====
@@ -256,6 +256,7 @@
# Allow the pty to be associated with the file system.
allow devpts_t devpts_t:filesystem associate;
allow tty_device_t device_t:filesystem associate;
+allow device_t device_t:filesystem associate;
type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
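Review bot: The comment above this group, "Allow the pty to be associated with the file system.", does not explain the added `allow device_t device_t:filesystem associate;`, which uses `device_t` as both the object type and the filesystem type. Unlike `tmpfs_t` just below, whose declaration carries `fs_type`, the declaration of `device_t` is outside this hunk, so whether it is meant to double as a filesystem label cannot be seen here. A comment such as `# devfs is labeled device_t, so device nodes of type device_t must be able to associate with it.` would record the intent, assuming that is the reason for the rule.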