PERFORCE change 39741 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Oct 15 12:33:01 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=39741
Change 39741 by areisse at areisse_tislabs on 2003/10/15 05:32:25
fixes for cron.
changes in cvs to allow different originating types.
possible compilation fixes
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 (text+ko) ====
@@ -61,6 +61,7 @@
allow crond_t bin_t:lnk_file read;
# Read from /var/spool/cron.
+allow crond_t var_t:dir search;
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
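Review bot: The comment above the added rule still reads `# Read from /var/spool/cron.`, while the crond.fc section of this same change labels `/var/cron` as the FreeBSD spool, so the reason for the new `var_t:dir search` grant is not recorded. I would put `# Traverse /var to reach the cron spool (/var/cron on FreeBSD).` directly above `allow crond_t var_t:dir search;`. The rule grants only `search`, the narrowest permission that allows the path walk, so I propose no change to the rule itself.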
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 (text+ko) ====
@@ -1,6 +1,7 @@
type cvs_exec_t, exec_type, file_type, sysadmfile;
-cvs_program_domain(user)
+cvs_program_domain(user,user)
#domain_auto_trans(user_t,cvs_exec_t,user_cvs_rw_t)
role user_r types user_cvs_rw_t;
+role user_r types user_cvs_ro_t;
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 (text+ko) ====
@@ -21,5 +21,6 @@
/var/run/fcron\.pid system_u:object_r:crond_var_run_t
# FreeBSD
/var/cron system_u:object_r:cron_spool_t
+/var/cron/tabs system_u:object_r:cron_spool_t
/var/cron/tabs/.* system_u:object_r:user_cron_spool_t
/var/cron/tabs/root system_u:object_r:sysadm_cron_spool_t
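Review bot: The new `/var/cron/tabs` entry has no file-type field, so it labels whatever object sits at that path rather than only the directory. If the setfiles in this tree accepts the type field (not visible here, so worth confirming), `/var/cron/tabs -d system_u:object_r:cron_spool_t` states the intent more tightly. A one-line comment would also help, saying that the directory keeps `cron_spool_t` while its entries receive the per-user types from the two lines below.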
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 (text+ko) ====
@@ -626,10 +626,6 @@
# allow searching /dev/pts
allow $1_t devpts_t:dir { getattr read search };
-
-# For systems without /dev/ptmx
-#allow $1_t devpts_t:chr_file { poll getattr setattr read write };
-#type_change $1_t devpts_t:chr_file $1_devpts_t;
')
##################################
@@ -638,7 +634,7 @@
#
# Permissions for creating ptys.
#
-define(`can_create_pty',`
+define(`can_create_pty', `
base_pty_perms($1)
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
@@ -653,7 +649,7 @@
# Read and write my pty files.
allow $1_t $1_devpts_t:chr_file { poll setattr rw_file_perms };
-')
+)
##################################
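Review bot: Changing the closing line of `can_create_pty` from `')` to `)` drops the m4 closing quote, while the previous hunk's new `define` line still opens the quoted body with a backtick. The lines between the two hunks are unchanged, so the quote now appears unbalanced. m4 would then keep reading until the next `'` in the file, which could fold the following macro definitions into this one or stop the policy build. Either outcome risks a policy that is missing the pty rules it is meant to carry. I would restore the closing line to `')` and check the expanded policy with a build before submitting. The macro body lies partly outside both hunks.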
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 (text+ko) ====
@@ -52,6 +52,7 @@
allow $1_crond_t self:process { fork signal_perms };
allow $1_crond_t proc_t:dir { getattr search read };
allow $1_crond_t proc_t:file { getattr read };
+allow $1_crond_t self:fd { create use };
read_locale($1_crond_t)
allow $1_crond_t sysctl_kernel_t:dir search;
allow $1_crond_t sysctl_kernel_t:file { getattr read };
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 (text+ko) ====
@@ -45,11 +45,11 @@
# read/write user home directory
allow { $1_cvs_rw_t $1_cvs_ro_t } home_root_t:dir search;
-allow { $1_cvs_rw_t $1_cvs_ro_t } { $1_home_dir_t $1_home_t }:dir create_dir_perms;
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_home_t:file create_file_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } { $2_home_dir_t $2_home_t }:dir create_dir_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_home_t:file create_file_perms;
# talk to the terminal
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_devpts_t:chr_file { write read getattr poll };
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_tty_device_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_devpts_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_tty_device_t:chr_file { write read getattr poll };
')
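Review bot: The macro now depends on a second argument, but nothing in the hunk documents it. A caller that still passes one argument would expand `$2_home_t` to `_home_t`, giving an undeclared type. The cvs.te call is updated in this change; other callers are not visible here. With `$1` and `$2` different, both the `rw` and the `ro` cvs domains get `create_dir_perms` and `create_file_perms` on `$2`'s home types and read/write on `$2`'s ptys and ttys. That is a cross-prefix grant and should be stated where the macro is defined. I would add `# $1 = prefix of the cvs domains; $2 = prefix of the originating user domain whose home and terminals cvs may use` to the macro header, which starts outside this hunk.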