PERFORCE change 37446 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Sep 3 15:18:30 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=37446
Change 37446 by areisse at areisse_tislabs on 2003/09/03 08:17:53
Updates to selinux policy to allow boot and login in sebsd.
Some domains wanted by the default init process are in unused/:
mta ping sendmail rpcd lpd named dhcpc
GNU make (gmake) is required.
The file_contexts have not been ported. First label with the old sebsd
policy and then label some things manually.
The flask directory has not been completely ported; the security class
has been completely changed, and some other classes have new
permissions.
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/save-entropy.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/usbd.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/selinux_macros.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 (text+ko) ====
@@ -19,12 +19,15 @@
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
-LOADPOLICY = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-SETFILES = $(SBINDIR)/setfiles
+
+CHECKPOLICY = $(REALDESTDIR)/sbin/sebsd_checkpolicy
+LOADPOLICY = /sbin/sebsd_loadpolicy
+SETFILES = $(REALDESTDIR)/sbin/sebsd_setfiles
+M4 = $(REALDESTDIR)/usr/bin/m4 -Imacros -s
-POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
-INSTALLDIR = $(DESTDIR)/etc/security/selinux
+#POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
+POLICYVER := policy.13
+INSTALLDIR = $(DESTDIR)/etc/security/sebsd
LOADPATH = $(INSTALLDIR)/$(POLICYVER)
SRCINSTALLDIR = $(INSTALLDIR)/src
POLICYCONF = $(SRCINSTALLDIR)/policy.conf
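Review bot: `LOADPOLICY = /sbin/sebsd_loadpolicy` is the only tool path not rooted at `$(REALDESTDIR)`, unlike CHECKPOLICY, SETFILES and M4 on the neighbouring lines, so a staged-root build would run the host's loader; `LOADPOLICY = $(REALDESTDIR)/sbin/sebsd_loadpolicy` would be consistent. `REALDESTDIR` is not defined in this hunk and is distinct from `DESTDIR`; if it is unset the paths collapse to `/sbin/...`, which is presumably intended but deserves a comment. Pinning `POLICYVER := policy.13` with the `checkpolicy -V` query commented out means a kernel or checkpolicy version change no longer updates the install path; a comment such as `# pinned: sebsd_checkpolicy may not exist at parse time; must match the kernel's policy version` records why.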
@@ -48,13 +51,13 @@
install: $(APPFILES) $(LOADPATH)
$(APPDIR)/default_contexts: appconfig/default_contexts
- install -m 644 -o root -g root $< $@
+ install -m 644 -o root -g wheel $< $@
$(APPDIR)/default_type: appconfig/default_type
- install -m 644 -o root -g root $< $@
+ install -m 644 -o root -g wheel $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
- install -m 644 -o root -g root $< $@
+ install -m 644 -o root -g wheel $< $@
$(LOADPATH): $(POLICYCONF) $(CHECKPOLICY)
mkdir -p $(INSTALLDIR)
@@ -92,10 +95,10 @@
CONSTRAINT_CONTEXT_MACRO_FILES := tmp/program_used_flags.te tmp/all_macros.te constraints initial_sid_contexts fs_use genfs_contexts net_contexts
tmp/te-rbac.m4: $(TE_RBAC_MACRO_FILES)
- m4 -Imacros -s $^ > $@
+ $(M4) $^ > $@
tmp/constraints-contexts.m4: $(CONSTRAINT_CONTEXT_MACRO_FILES)
- m4 -Imacros -s $^ > $@
+ $(M4) -Imacros -s $^ > $@
tmp/all.te: $(ALLTEFILES)
cat $^ > $@
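Review bot: The recipe for tmp/constraints-contexts.m4 passes `-Imacros -s` a second time, since `M4` (defined in the first hunk) already carries those flags; the tmp/te-rbac.m4 recipe just above uses plain `$(M4) $^ > $@`, which this line should match. Both recipes write `$@` directly through a redirection, so an m4 failure leaves a truncated but newer target that later runs treat as up to date; `.DELETE_ON_ERROR:` near the top of the Makefile, or writing to `$@.tmp` followed by `mv -f $@.tmp $@`, avoids that.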
==== //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 (text+ko) ====
@@ -118,7 +118,8 @@
#
# Verify that only the admin domains and initrc_t have setenforce.
#
-neverallow ~{ admin initrc_t } security_t:security setenforce;
+#neverallow ~{ admin initrc_t } security_t:security setenforce;
+neverallow ~{ admin initrc_t } kernel_t:system avc_toggle;
#
# Verify that only the kernel and load_policy_t have load_policy.
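Review bot: The assertion now names `kernel_t:system avc_toggle`, but the comment above it still says "setenforce"; update it to `# Verify that only the admin domains and initrc_t have avc_toggle.` The commented-out `security_t:security setenforce` neverallow should be deleted rather than kept: this same change removes `setenforce` from the security class in access_vectors, so the line can never be re-enabled as written. The can_setenforce macro in global_macros.te is changed the same way and carries the same dead commented-out lines.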
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 (text+ko) ====
@@ -51,7 +51,7 @@
file_type_auto_trans(crond_t, var_log_t, cron_log_t)
# Use capabilities.
-allow crond_t crond_t:capability { setgid setuid net_bind_service };
+allow crond_t crond_t:capability { sys_resource setgid setuid net_bind_service };
# Get security policy decisions.
can_getsecurity(crond_t)
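Review bot: The new `sys_resource` capability for crond_t is added without a comment saying which operation needs it, and the same applies to `linux_immutable` for `$1_login_t` in login.te, `mknod` for mount_t in mount.te and `kill` for syslogd_t in syslogd.te. Capability grants deserve a why-comment more than most rules because they are not scoped to an object type; a one-liner such as `# sys_resource: raise RLIMIT_* for jobs per login.conf (confirm)` on each keeps them auditable. The `dac_write dac_read_search` rule in ldconfig.te already has such a comment and is the model to follow.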
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 (text+ko) ====
@@ -54,6 +54,8 @@
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
+allow fsadm_t device_t:filesystem getattr;
+
# mkreiserfs and other programs need this for UUID
allow fsadm_t random_device_t:chr_file { getattr read };
@@ -87,6 +89,7 @@
# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+allow fsadm_t fixed_disk_device_t:chr_file { getattr swapon };
# XXX Why does updfstab run insmod?
domain_auto_trans(fsadm_t, insmod_exec_t, insmod_t)
@@ -100,3 +103,5 @@
allow fsadm_t privfd:fd use;
read_locale(fsadm_t)
+
+allow fsadm_t fs_type:filesystem getattr;
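Review bot: `allow fsadm_t fs_type:filesystem getattr;` grants statfs-style access on every filesystem carrying the fs_type attribute, which is broader than the per-type `proc_t` and `device_t` getattr rules earlier in this file and presumably subsumes the proc_t one; a comment stating the intent, e.g. `# fsck/df: statfs(2) on any mounted filesystem`, plus dropping whichever specific rule becomes redundant, keeps the policy readable. Whether device_t carries fs_type is not visible here; the mount.te comment in this change suggests it is handled separately, so that rule may still be needed.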
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 (text+ko) ====
@@ -23,6 +23,7 @@
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
+allow getty_t self:fd { create use };
# for ldap and other authentication services
allow getty_t resolv_conf_t:file { getattr read };
@@ -56,5 +57,6 @@
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+rw_dir_create_file(getty_t, var_lock_t)
-rw_dir_create_file(getty_t, var_lock_t)
+dontaudit getty_t sysadm_home_t:dir search;
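Review bot: `dontaudit getty_t sysadm_home_t:dir search;` silences a denial without saying where getty looks inside the sysadm home directory; a comment such as `# getty searches $HOME of the console login class; deny quietly (confirm source)` would let a later reviewer decide whether the access should be allowed or the lookup fixed instead. login.te in this change allows the matching search for local_login_t, so the two decisions should be documented together. The `+`/`-` pair around `rw_dir_create_file(getty_t, var_lock_t)` is a pure reorder and adds diff noise.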
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 (text+ko) ====
@@ -36,6 +36,10 @@
allow ifconfig_t proc_t:dir r_dir_perms;
allow ifconfig_t proc_t:file r_file_perms;
+# read the kernel
+allow ifconfig_t boot_t:dir r_dir_perms;
+allow ifconfig_t boot_t:file r_file_perms;
+
allow ifconfig_t privfd:fd use;
# Create UDP sockets, necessary when called from dhcpc
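Review bot: `# read the kernel` does not say why ifconfig needs read access to boot_t directories and files; if this is for loading interface modules from /boot, the comment should name that, e.g. `# kldload(8) of if_*.ko modules from /boot (confirm)`. The second hunk's `# read /etc/mac.conf` likewise understates its rule: `etc_t:file r_file_perms` covers every etc_t file, not just mac.conf, so either the comment should acknowledge the wider grant or mac.conf needs its own type.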
@@ -53,3 +57,6 @@
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
allow ifconfig_t fs_t:filesystem getattr;
+
+# read /etc/mac.conf
+allow ifconfig_t etc_t:file r_file_perms;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 (text+ko) ====
@@ -22,6 +22,8 @@
type initctl_t, file_type, sysadmfile;
type sulogin_exec_t, file_type, exec_type, sysadmfile;
+allow init_t self:fd { create use };
+
# for mount points
allow init_t file_t:dir search;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 (text+ko) ====
@@ -21,6 +21,8 @@
uses_shlib(initrc_t);
type initrc_exec_t, file_type, sysadmfile, exec_type;
+allow initrc_t self:fd { create use };
+
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
@@ -42,6 +44,8 @@
allow initrc_t usbdevfs_t:{ file lnk_file } r_file_perms;
allow initrc_t usbdevfs_device_t:file getattr;
+allow initrc_t device_t:dir r_dir_perms;
+
# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld setsched };
@@ -113,7 +117,7 @@
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
+allow initrc_t ld_so_cache_t:file { unlink rw_file_perms };
ifdef(`sendmail.te', `
# Update /etc/mail.
@@ -181,6 +185,10 @@
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;
+# Use lock files in /var/spool/lock.
+allow initrc_t var_spool_t:dir create_file_perms;
+allow initrc_t var_spool_t:file { rw_file_perms unlink };
+
ifdef(`rpm.te', `
# Create and read /boot/kernel.h.
# Redhat systems typically create this file at boot time.
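Review bot: `# Use lock files in /var/spool/lock.` is narrower than the rules under it, which give initrc_t create_file_perms and rw/unlink on all of var_spool_t, i.e. every file under /var/spool. getty.te in this change uses a separate `var_lock_t` type for lock files; if /var/spool/lock is labelled with it, these two rules can target `var_lock_t` instead, otherwise the comment should say the grant is spool-wide.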
@@ -225,6 +233,10 @@
allow initrc_t var_lib_rpm_t:file create_file_perms;
')
+# access /var/db/entropy
+allow initrc_t var_db_entropy_t:dir read;
+allow initrc_t var_db_entropy_t:file { unlink rw_file_perms };
+
# Update /var/log/ksyms.*.
file_type_auto_trans(initrc_t, var_log_t, var_log_ksyms_t)
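Review bot: `allow initrc_t var_db_entropy_t:dir read;` grants read but not `search` on the entropy directory, while the file rule below expects initrc_t to open and unlink files inside it; unless search comes from a rule outside this hunk, the lookup of `/var/db/entropy/<file>` will be denied on the directory, and unlink additionally needs `remove_name` on it. `allow initrc_t var_db_entropy_t:dir { read search remove_name };` is the likely intent. Keeping the entropy seed files reachable only through explicit rules like these, rather than a broad macro, is the right shape.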
@@ -259,6 +271,10 @@
allow initrc_t tmpfile:dir { rw_dir_perms rmdir };
allow initrc_t tmpfile:notdevfile_class_set { getattr unlink };
+# allow making links in /dev
+allow initrc_t device_t:dir { add_name };
+allow initrc_t device_t:lnk_file { create };
+
#################################
#
# Rules for the run_init_t domain.
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 (text+ko) ====
@@ -18,10 +18,11 @@
dontaudit ldconfig_t device_t:dir search;
allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
+allow ldconfig_t self:fd *;
uses_shlib(ldconfig_t)
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t)
+file_type_auto_trans(ldconfig_t, var_run_t, ld_so_cache_t)
file_type_auto_trans(ldconfig_t, lib_t, shlib_t)
# allow removing mis-labelled links
allow ldconfig_t lib_t:lnk_file unlink;
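Review bot: `allow ldconfig_t self:fd *;` grants every permission in the fd class, including any added to access_vectors later, whereas the rest of this change (init.te, initrc.te, mount.te, dhcpc.te, global_macros.te) spells out `self:fd { create use }`; the same `*` appears for `$1` in ssh.te. Using `{ create use }` in both places keeps the grant explicit and consistent. The file continues past this hunk.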
@@ -29,5 +30,12 @@
allow ldconfig_t userdomain:fd use;
allow ldconfig_t etc_t:file { getattr read };
allow ldconfig_t etc_t:lnk_file read;
+allow ldconfig_t var_t:dir r_dir_perms;
allow ldconfig_t fs_t:filesystem getattr;
+
+# libraries may not be owned by root
+allow ldconfig_t self:capability { dac_write dac_read_search };
+
+# ldconfig uses /dev/random for some reason
+allow ldconfig_t random_device_t:{chr_file lnk_file} r_file_perms;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 (text+ko) ====
@@ -49,12 +49,15 @@
allow $1_login_t device_t:dir r_dir_perms;
allow $1_login_t device_t:lnk_file r_file_perms;
+# Use pam libraries.
+allow $1_login_t lib_t:{file lnk_file} rx_file_perms;
+
uses_shlib($1_login_t);
tmp_domain($1_login)
# Use capabilities
-allow $1_login_t self:capability { setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource };
+allow $1_login_t self:capability { linux_immutable setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource };
# Run shells in user_t by default.
domain_auto_trans($1_login_t, shell_exec_t, user_t)
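Review bot: `allow $1_login_t lib_t:{file lnk_file} rx_file_perms;` gives the login domain execute access to every file labelled lib_t, which is wider than `# Use pam libraries.` suggests; the `uses_shlib` macro invoked on the next line presumably already covers shared objects carrying their own library type, so this rule only matters where PAM modules sit in lib_t-labelled files. If that is the case, a PAM-specific type, or labelling the modules like other shared objects, would avoid granting execute on all of lib_t; at minimum the comment should say the grant is lib_t-wide. The macro that defines `$1_login_t` starts outside this hunk.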
@@ -149,6 +152,8 @@
allow local_login_t var_run_t:dir rw_dir_perms;
allow local_login_t var_run_t:file create_file_perms;
+allow local_login_t sysadm_home_t:dir search;
+
#################################
#
# Rules for the remote_login_t domain.
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 (text+ko) ====
@@ -19,8 +19,9 @@
allow mount_t init_t:fd use;
allow mount_t privfd:fd use;
-allow mount_t self:capability { ipc_lock dac_override };
+allow mount_t self:capability { mknod ipc_lock dac_override };
allow mount_t self:process { fork signal_perms };
+allow mount_t self:fd { create use };
allow mount_t file_type:dir search;
@@ -28,6 +29,9 @@
allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow mount_t removable_device_t:devfile_class_set rw_file_perms;
+# device_t is also used as a fs_type in freebsd
+allow mount_t device_t:filesystem mount_fs_perms;
+
# Mount, remount and unmount file systems.
allow mount_t fs_type:filesystem mount_fs_perms;
allow mount_t file_t:dir mounton;
@@ -43,4 +47,8 @@
')
allow mount_t root_t:filesystem unmount;
+# run fs-specific mount programs
+allow mount_t mount_exec_t:file execute_no_trans;
+# read resolv.conf
+allow mount_t resolv_conf_t:file r_file_perms;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 (text+ko) ====
@@ -15,6 +15,7 @@
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:process { fork sigchld setsched };
+allow $1 self:fd *;
# Read system information files in /proc.
allow $1 proc_t:dir r_dir_perms;
@@ -49,7 +50,7 @@
allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
# Read /dev/random and /dev/zero.
-allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:{ lnk_file chr_file } r_file_perms;
can_network($1)
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 (text+ko) ====
@@ -14,6 +14,7 @@
# by syslogd.
#
daemon_domain(syslogd)
+#read_locale(syslogd_t)
# can_network is for the UDP socket
can_network(syslogd_t)
@@ -30,17 +31,20 @@
allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
# Use capabilities.
-allow syslogd_t syslogd_t:capability { net_bind_service dac_override };
+allow syslogd_t syslogd_t:capability { kill net_bind_service dac_override };
# Inherit and use descriptors from init.
allow syslogd_t init_t:fd use;
allow syslogd_t { initrc_devpts_t console_device_t }:chr_file { read write };
# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
+#create_append_log_file(syslogd_t, var_log_t)
+allow syslogd_t var_log_t:dir create_file_perms;
+allow syslogd_t var_log_t:file rw_file_perms;
# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
+file_type_auto_trans(syslogd_t, { device_t var_run_t syslogd_var_run_t }, devlog_t, sock_file)
+allow syslogd_t { var_t var_log_t }:dir search;
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_dgram_socket { sendto };
allow syslogd_t self:unix_stream_socket create_socket_perms;
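Review bot: Replacing `create_append_log_file(syslogd_t, var_log_t)` with `var_log_t:file rw_file_perms` drops the append-only property for log files: rw_file_perms presumably includes write, so a compromised syslogd could truncate or rewrite existing logs instead of only appending to them. If the macro was dropped because its permissions are not yet ported, a comment saying so with a TODO to restore it, e.g. `# TODO: restore append-only access (create_append_log_file) once the macro is ported`, records the intent. The commented-out macro call, like `#read_locale(syslogd_t)` in the previous hunk, is dead text and should be removed.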
@@ -71,3 +75,6 @@
#allow syslogd_t proc_t:dir search;
#allow syslogd_t proc_kmsg_t:file { getattr read };
+# allow access to klog
+allow syslogd_t klog_device_t:chr_file { poll read };
+
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 (text+ko) ====
@@ -20,6 +20,7 @@
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:fd { create use };
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
@@ -71,13 +72,16 @@
allow dhcpc_t self:packet_socket recvfrom;
allow dhcpc_t { netmsg_eth0_t netmsg_eth1_t }:packet_socket { recvfrom };
allow dhcpc_t icmp_socket_t:packet_socket { recvfrom };
-allow dhcpc_t var_lib_t:dir search;
+allow dhcpc_t var_db_t:dir search;
+file_type_auto_trans(dhcpc_t, var_db_t, dhcpc_state_t)
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t)
allow dhcpc_t bin_t:dir search;
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })
+allow dhcpc_t bpf_device_t:chr_file { poll rw_file_perms };
+
dontaudit dhcpc_t domain:packet_socket recvfrom;
dontaudit dhcpc_t { netmsg_t icmp_socket_t tcp_socket_t }:packet_socket recvfrom;
dontaudit dhcpc_t icmp_socket_t:rawip_socket recvfrom;
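Review bot: `allow dhcpc_t bpf_device_t:chr_file { poll rw_file_perms };` is the one rule in this hunk that materially widens what dhcpc_t can observe (frames on the attached interfaces), and it has no comment; `# dhclient sends and receives DHCP frames through /dev/bpf` would document it. The new `file_type_auto_trans(dhcpc_t, var_db_t, dhcpc_state_t)` means any file dhcpc_t creates under /var/db gets dhcpc_state_t, which is fine if only the lease file lands there. The file lives under unused/, so this is informational.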
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 (text+ko) ====
@@ -20,7 +20,11 @@
allow init_t rpcd_t:udp_socket write;
read_locale(rpcd_t)
+
+# read/write mounttab
+allow rpcd_t { var_t var_db_t }: dir { search };
allow rpcd_t etc_t:file { getattr read };
+allow rpcd_t etc_runtime_t:file rw_file_perms;
allow rpcd_t self:unix_dgram_socket create_socket_perms;
allow rpcd_t self:unix_stream_socket create_socket_perms;
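Review bot: `allow rpcd_t { var_t var_db_t }: dir { search };` puts a space after the colon and braces a single permission, unlike every other rule in the file; `allow rpcd_t { var_t var_db_t }:dir search;` matches the house style. The `# read/write mounttab` comment belongs with the `etc_runtime_t:file rw_file_perms` rule two lines below rather than with the directory search rule.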
@@ -29,6 +33,9 @@
can_udp_send(mount_t, rpcd_t)
can_udp_send(rpcd_t, mount_t)
+# statfs /dev
+allow rpcd_t device_t:filesystem getattr;
+
tmp_domain(rpcd)
# for /proc/fs/nfs/exports - should we have a new type?
@@ -59,6 +66,8 @@
# allow nfsd to do its thing - should go into its own domain
#allow rpcd_t self:capability sys_admin;
+allow rpcd_t nfs_t:filesystem getattr;
+
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
can_network(kernel_t)
==== //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 (text+ko) ====
@@ -10,6 +10,7 @@
common file
{
+ poll
ioctl
read
write
@@ -19,7 +20,9 @@
lock
relabelfrom
relabelto
+ transition
append
+ access
unlink
link
rename
@@ -37,6 +40,7 @@
common socket
{
# inherited from file
+ poll
ioctl
read
write
@@ -46,6 +50,7 @@
lock
relabelfrom
relabelto
+ transition
append
# socket-specific
bind
@@ -137,6 +142,7 @@
class fd
{
+ create
use
}
@@ -175,6 +181,8 @@
class netif
{
+ getattr
+ setattr
tcp_recv
tcp_send
udp_recv
@@ -212,11 +220,10 @@
{
fork
transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
+ sigchld
+ sigkill
+ sigstop
+ signal
ptrace
getsched
setsched
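Review bot: The explanatory comments on sigchld, sigkill, sigstop and signal (`# commonly granted from child to parent`, `# cannot be caught or ignored`) are dropped without replacement, and signull is moved from this list to after `share` in the next hunk, which presumably changes its bit position in the process class. Since the kernel's generated permission headers must come from the same access_vectors file, a comment at the top of the class noting that the order must match the sebsd kernel's headers would help; restoring the per-permission comments costs nothing.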
@@ -226,6 +233,7 @@
getcap
setcap
share
+ signull
getattr
setexec
setfscreate
@@ -275,7 +283,6 @@
load_policy
compute_relabel
compute_user
- setenforce # was avc_toggle in system class
}
@@ -285,8 +292,15 @@
class system
{
+ net_io_control
+ route_control
+ arp_control
+ rarp_control
ipc_info
- syslog_read
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
syslog_mod
syslog_console
}
@@ -302,14 +316,29 @@
# those definitions. (Order matters)
chown
- dac_override
+ dac_execute
+ dac_write
dac_read_search
fowner
fsetid
- kill
+ kill
+ link_dir
+ setfcap
setgid
- setuid
- setpcap
+ setuid
+ mac_downgrade
+ mac_read
+ mac_relabel_subj
+ mac_upgrade
+ mac_write
+ inf_nofloat_obj
+ inf_nofloat_subj
+ inf_relabel_obj
+ inf_relabel_subj
+ audit_control
+ audit_write
+ setpcap
+ xxx_invalid1
linux_immutable
net_bind_service
net_broadcast
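Review bot: `dac_override` is removed from the capability class (replaced by `dac_execute dac_write`), yet rules in this same change still grant it: `{ kill net_bind_service dac_override }` for syslogd_t in syslogd.te, the `$1_login_t self:capability` list in login.te and `{ mknod ipc_lock dac_override }` for mount_t in mount.te. Unless dac_override is still declared somewhere outside this hunk, checkpolicy will reject those rules; the intended replacement is presumably `dac_write` (plus `dac_read_search` where reading is needed), as ldconfig.te already does. `xxx_invalid1` also needs a comment: the header says order matters, so a placeholder that holds a capability number should say what it reserves, e.g. `# placeholder: keeps numbering aligned with the kernel capability list`.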
@@ -332,11 +361,6 @@
lease
}
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
class passwd
{
passwd
==== //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 (text+ko) ====
@@ -2,10 +2,9 @@
# Define the labeling behavior for inodes in particular filesystem types.
# This information was formerly hardcoded in the SELinux module.
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t;
-fs_use_xattr ext3 system_u:object_r:fs_t;
+fs_use_psid ext2;
+fs_use_psid ext3;
+fs_use_psid ufs;
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
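Review bot: The two comment lines explaining the labeling scheme are removed along with the xattr entries, so the new `fs_use_psid` lines have no explanation of what a persistent SID mapping is or which filesystems qualify; a replacement such as `# Use persistent SID (psid) mappings stored on the filesystem for the following types.` keeps this file self-describing like the task-SID section below. ext2 and ext3 are kept alongside ufs; if ext2fs on FreeBSD has no psid support yet, a note saying those entries are untested would avoid surprises.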
==== //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 (text+ko) ====
@@ -2,8 +2,8 @@
#
# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes
-# specified in fs_use.
+# cannot support persistent label mappings or use one of the
+# fixed labeling schemes specified in fs_use.
#
# Each specifications has the form:
# genfscon fstype pathname-prefix [ -type ] context
@@ -18,51 +18,67 @@
# field by ls, e.g. use -c to match only character device files, -b
# to match only block device files.
#
-# Except for proc, other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-# proc (excluding /proc/PID)
+# proc (excluding /proc/PID and /proc/sys)
genfscon proc / system_u:object_r:proc_t
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
genfscon proc /kcore system_u:object_r:proc_kcore_t
-genfscon proc /sysvipc system_u:object_r:proc_t
-genfscon proc /sys system_u:object_r:sysctl_t
-genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
-genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
-genfscon proc /sys/net system_u:object_r:sysctl_net_t
-genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
-genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
-genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
-# rootfs
-genfscon rootfs / system_u:object_r:root_t
+# procfs (FreeBSD)
+genfscon procfs / system_u:object_r:proc_t
-# sysfs
-genfscon sysfs / system_u:object_r:sysfs_t
+# nfs
+genfscon nfs / system_u:object_r:nfs_t
-# selinuxfs
-genfscon selinuxfs / system_u:object_r:security_t
+# driverfs
+genfscon driverfs / system_u:object_r:driverfs_t
-# autofs
-ifdef(`automount.te', `
-genfscon autofs / system_u:object_r:autofs_t
-')
+# usbdevfs
+genfscon usbdevfs / system_u:object_r:usbdevfs_t
+genfscon usbdevfs /0 -- system_u:object_r:usbdevfs_device_t
-# iso9660
-genfscon iso9660 / system_u:object_r:iso9660_t
-
-# vfat, msdos
-genfscon vfat / system_u:object_r:dosfs_t
-genfscon msdos / system_u:object_r:dosfs_t
-
-# nfs
-genfscon nfs / system_u:object_r:nfs_t
+# devfs
+genfscon devfs / system_u:object_r:device_t
+genfscon devfs /null system_u:object_r:null_device_t
+genfscon devfs /zero system_u:object_r:zero_device_t
+genfscon devfs /console system_u:object_r:console_device_t
+genfscon devfs /kmem system_u:object_r:memory_device_t
+genfscon devfs /mem system_u:object_r:memory_device_t
+genfscon devfs /random system_u:object_r:random_device_t
+genfscon devfs /urandom system_u:object_r:random_device_t
+genfscon devfs /tty system_u:object_r:devtty_t
+genfscon devfs /ctty system_u:object_r:devtty_t
+genfscon devfs /ttyv system_u:object_r:tty_device_t
+genfscon devfs /pty system_u:object_r:devpts_t
+genfscon devfs /ttyp system_u:object_r:devpts_t
+genfscon devfs /ttyq system_u:object_r:devpts_t
+genfscon devfs /ttyr system_u:object_r:devpts_t
+genfscon devfs /ttys system_u:object_r:devpts_t
+genfscon devfs /ttyP system_u:object_r:devpts_t
+genfscon devfs /ttyQ system_u:object_r:devpts_t
+genfscon devfs /ttyR system_u:object_r:devpts_t
+genfscon devfs /ttyS system_u:object_r:devpts_t
+#genfscon devfs /cua system_u:object_r:serial_device_t
+#genfscon devfs /ttyd system_u:object_r:serial_device_t
+#genfscon devfs /ttyid system_u:object_r:serial_device_t
+#genfscon devfs /ttyld system_u:object_r:serial_device_t
+genfscon devfs /ad -c system_u:object_r:fixed_disk_device_t
+genfscon devfs /acd -c system_u:object_r:fixed_disk_device_t
+genfscon devfs /fd -c system_u:object_r:removable_device_t
+genfscon devfs /ppp system_u:object_r:ppp_device_t
+genfscon devfs /initctl system_u:object_r:initctl_t
+genfscon devfs /log system_u:object_r:devlog_t
+genfscon devfs /misc/psaux system_u:object_r:mouse_device_t
+genfscon devfs /input/mouse system_u:object_r:mouse_device_t
+genfscon devfs /mse system_u:object_r:mouse_device_t
+genfscon devfs /psm system_u:object_r:mouse_device_t
+genfscon devfs /ums system_u:object_r:mouse_device_t
+#genfscon devfs /sysmouse system_u:object_r:sysmouse_device_t
+#genfscon devfs /gpmctl system_u:object_r:gpmctl_t
+genfscon devfs /ptmx system_u:object_r:ptmx_t
+genfscon devfs /acpi system_u:object_r:apm_bios_t
+genfscon devfs /sound -c system_u:object_r:sound_device_t
+genfscon devfs /usb system_u:object_r:usbdevfs_device_t
+genfscon devfs /bpf -c system_u:object_r:bpf_device_t
+genfscon devfs /klog system_u:object_r:klog_device_t
+# FLASK
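Review bot: `genfscon devfs /fd -c system_u:object_r:removable_device_t` is a prefix match per the header comment, so besides floppy nodes it presumably also matches the `/dev/fd/0`, `/dev/fd/1` and `/dev/fd/2` character devices, labelling a process's standard descriptors as removable media; entries for `/fd0`-style prefixes, or a separate `/fd/` entry, would avoid that — confirm against the running system. Every device not listed falls back to the `/` entry's `device_t`, which includes the commented-out serial devices and, if present, privileged nodes such as /dev/io and /dev/pci; a comment stating that unlisted devices are deliberately generic, or explicit entries for the privileged ones, would make that choice visible. The header comment still says `(excluding /proc/PID and /proc/sys)` although the `/sys` sysctl entries are removed.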
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 (text+ko) ====
@@ -233,8 +233,10 @@
define(`can_setenforce',`
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
+#allow $1 security_t:security setenforce;
+#auditallow $1 security_t:security setenforce;
+allow $1 kernel_t:system avc_toggle;
+auditallow $1 kernel_t:system avc_toggle;
')
##################################
@@ -352,6 +354,8 @@
#
define(`uses_shlib',`
allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
+allow $1 lib_t:file getattr; #!!!
+allow $1 { var_t var_run_t }:dir search;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_t:file execute_no_trans;
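Review bot: `allow $1 lib_t:file getattr; #!!!` marks the line as suspect without saying why; since uses_shlib is applied to nearly every domain, the marker should be replaced by the actual concern, e.g. `# XXX: the runtime linker stats library files before opening them; revisit once lib_t/shlib_t labelling is settled (confirm)`. The new `{ var_t var_run_t }:dir search` is likewise unexplained; it presumably supports the ld.so hints file that ldconfig.te now creates under var_run_t and deserves a one-line comment.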
@@ -361,6 +365,9 @@
allow $1 ld_so_cache_t:file r_file_perms;
allow $1 device_t:dir search;
allow $1 null_device_t:chr_file rw_file_perms;
+
+# on freebsd /dev/random uses a PRNG, so this is safe
+allow $1 random_device_t:{chr_file lnk_file} { poll r_file_perms };
')
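Review bot: `# on freebsd /dev/random uses a PRNG, so this is safe` is ambiguous about what "safe" means: the property that justifies giving every shlib-using domain read access is that the device never blocks or drains a scarce entropy pool, not that its output comes from a PRNG. Rewording to `# FreeBSD's /dev/random is non-blocking, so broad read access cannot starve other consumers` states the actual rationale. Because the rule sits in uses_shlib it is near-universal and effectively supersedes the narrower random_device_t grants in ssh.te and the login domains, which is worth saying in the comment.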
#################################
@@ -611,9 +618,7 @@
# Access the pty master multiplexer.
allow $1_t ptmx_t:chr_file rw_file_perms;
-ifdef(`devfsd.te', `
allow $1_t device_t:filesystem getattr;
-')
allow $1_t devpts_t:filesystem getattr;
# allow searching /dev/pts
@@ -893,6 +898,7 @@
# Read /dev/random and /dev/zero.
allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:lnk_file r_file_perms;
allow $1 zero_device_t:chr_file r_file_perms;
# Read the root directory of a tmpfs filesytem and any symbolic links.
@@ -1019,6 +1025,7 @@
allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;
+allow $1_t self:fd { create use };
allow $1_t device_t:dir { getattr search };
allow $1_t null_device_t:chr_file rw_file_perms;
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 (text+ko) ====
@@ -35,8 +35,9 @@
# Use capabilities.
allow $2_t self:capability { net_bind_service sys_rawio sys_admin };
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
+# Create and modify /var/db/mtab.
+allow $2_t var_db_t:dir r_dir_perms;
+file_type_auto_trans($2_t, var_db_t, etc_runtime_t, file)
allow $2_t etc_t:file { getattr read };
==== //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 (text+ko) ====
@@ -110,9 +110,14 @@
# Type for /dev/cpu/mtrr
type mtrr_device_t, file_type;
+# Type for /dev/bpf*
+type bpf_device_t, file_type;
# Type for /dev/apm_bios
type apm_bios_t, file_type;
# Type for v4l
type v4l_device_t, file_type;
+
+# Type for /dev/klog
+type klog_device_t, file_type;
==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 (text+ko) ====
@@ -167,6 +167,7 @@
type tetex_data_t, file_type, sysadmfile, tmpfile;
type var_spool_t, file_type, sysadmfile;
type var_yp_t, file_type, sysadmfile;
+type var_db_t, file_type, sysadmfile;
# Type for /var/log/sa.
type var_log_sa_t, file_type, sysadmfile, logfile;
@@ -271,3 +272,5 @@
type dosfs_t, fs_type, root_dir_type, sysadmfile;
allow dosfs_t dosfs_t:filesystem associate;
+
+type var_db_entropy_t, file_type, sysadmfile;