PERFORCE change 67241 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Dec 17 17:19:08 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=67241
Change 67241 by areisse at areisse_tislabs on 2004/12/17 17:18:37
Fix problems with policy that prevented it from building:
-Type differences from selinux
-netlink security classes
-building (still requires gmake)
-file:poll permission
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#14 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/assert.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/apache.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/usbd.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/fs_use#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/genfs_contexts#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/initial_sid_contexts#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/base_user_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/selinux_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#14 (text+ko) ====
@@ -114,9 +114,9 @@
mv $@.tmp $@
install-src: /etc/security/sebsd
- rm -rf $(INSTALLDIR)/policy.old
- -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old
- cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -)
+ rm -rf $(INSTALLDIR)/policy.old
+ -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old
+ cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -)
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
mkdir -p tmp
@@ -155,7 +155,3 @@
rm -f tmp/*
rm -f $(FC)
-install-src: /etc/security/sebsd
- rm -rf $(INSTALLDIR)/policy.old
- -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old
- cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/assert.te#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#5 (text+ko) ====
@@ -9,7 +9,7 @@
type atrun_t, domain, privlog;
role system_r types atrun_t;
role sysadm_r types atrun_t;
-every_domain(atrun_t)
+base_file_read_access(atrun_t)
type atrun_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans({ crond_t system_crond_t sysadm_t }, atrun_exec_t, atrun_t)
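Review bot: Swapping `every_domain(atrun_t)` for `base_file_read_access(atrun_t)` changes what atrun_t is allowed to do, not only whether the policy compiles, and the change description lists only build fixes. Neither macro's definition is visible here, so it is worth confirming that the narrower macro still covers what atrun needs when it is entered from crond_t, system_crond_t or sysadm_t. A permission set that is too narrow shows up as run-time denials rather than as a build error. Record the reason beside the line, e.g. `# <reason every_domain was replaced>; atrun_t gets base file read access only`.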
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#6 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#7 (text+ko) ====
@@ -64,7 +64,7 @@
allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
# Read /dev/random and /dev/zero.
-allow $1 random_device_t:{ lnk_file chr_file } r_file_perms;
+allow $1_t random_device_t:{ lnk_file chr_file } r_file_perms;
can_network($1_t)
@@ -226,11 +226,6 @@
allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto };
allow sshd_t userpty_type:chr_file { setattr relabelto rw_file_perms };
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-daemon_base_domain(ssh_keygen)
-allow ssh_keygen_t etc_t:file { getattr read };
-file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
#
# Author: Stephen Smalley <sds at epoch.ncsc.mil>
#
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/apache.te#3 (text+ko) ====
@@ -158,7 +158,7 @@
r_dir_file(initrc_t, httpd_config_t)
##################################################
-file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t)
+file_type_auto_trans(httpd_t, var_log_t, httpd_log_t)
########################################
# Allow httpd_t to bind to the HTTP port
########################################
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#3 (text+ko) ====
@@ -13,9 +13,6 @@
# daemon started by the init rc scripts.
#
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile;
-
daemon_domain(sendmail, `, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
tmp_domain(sendmail)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/usbd.te#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#7 (text+ko) ====
@@ -160,13 +160,20 @@
connectto
newconn
acceptfrom
+ node_bind
}
class udp_socket
inherits socket
+{
+ node_bind
+}
class rawip_socket
inherits socket
+{
+ node_bind
+}
class node
{
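Review bot: The new permissions (`node_bind` here, `lock` on `shm` and `rootok`/`crontab` in the two later hunks of this file) only mean something if the kernel side uses the same class and permission numbering, and nothing in this change shows the generated headers being updated. Permission bits are presumably assigned by position in this file, so a policy compiled from it and a kernel module built from an older copy would disagree on what each bit means; the generation step is outside this diff. A short comment at the top of the file would make that dependency explicit, e.g. `# Keep in sync with the kernel's generated access-vector headers; permissions are numbered by position.` The first class body starts above the hunk.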
@@ -269,6 +276,9 @@
class shm
inherits ipc
+{
+ lock
+}
class posix_sem
{
@@ -375,4 +385,6 @@
passwd
chfn
chsh
+ rootok
+ crontab
}
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#5 (text+ko) ====
@@ -28,10 +28,8 @@
sid sysctl_vm
sid sysctl_dev
sid kmod
-sid devfs
-sid devpts
-sid nfs
sid policy
-sid tmpfs
+sid scmp_packet
+sid devnull
# FLASK
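Review bot: Removing `devfs`, `devpts`, `nfs` and `tmpfs` and adding `scmp_packet` and `devnull` renumbers every initial SID from `policy` onward, since initial SIDs are identified by their position in this list. initial_sid_contexts#5 is listed as edited but its diff is not shown, so it cannot be checked here that each remaining SID still has a context and that the removed ones no longer do. The kernel's own initial SID table has to follow the same order as well. Suggest a comment above the list, e.g. `# Order defines the SID numbers; must match initial_sid_contexts and the kernel's initial SID table.`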
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#6 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/fs_use#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/genfs_contexts#5 (text+ko) ====
@@ -54,7 +54,7 @@
# driverfs
-genfscon driverfs / system_u:object_r:driverfs_t
+#genfscon driverfs / system_u:object_r:driverfs_t
# usbdevfs
genfscon usbdevfs / system_u:object_r:usbdevfs_t
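Review bot: The `genfscon driverfs` line is commented out rather than removed, with no word on why, and the same pattern appears in core_macros.te (the `dontaudit ... bsdpty_device_t` rule) and global_macros.te (`allow $1 self:dbus *;` and `allow $1 self:nscd *;`). Disabled policy rules with no explanation are easy to re-enable by mistake, and for the two `allow` lines that would restore a wildcard grant. Either delete the lines or annotate each one, e.g. `# disabled: <class or type> is not defined in the SEBSD policy` (reason assumed from the change description; confirm).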
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/initial_sid_contexts#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/base_user_macros.te#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#2 (text+ko) ====
@@ -81,7 +81,7 @@
#
# Permissions for reading and writing files and their attributes.
#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+define(`rw_file_perms', `{ ioctl read getattr lock write append poll }')
#
# Permissions for reading and appending to files.
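Review bot: `poll` is added to `rw_file_perms` only; the read-only and read/append permission macros defined around this hunk are not touched, at least in the lines shown. If the file classes now carry a `poll` permission that the kernel checks, a domain holding only `r_file_perms` would be denied poll on a descriptor it is allowed to read, and such denials tend to get papered over later with broader grants. Worth confirming whether `poll` also belongs in those macros, and whether every class that `rw_file_perms` is applied to (ssh.te uses it on `chr_file`) defines `poll`.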
@@ -558,7 +558,7 @@
allow $1_t devpts_t:dir { getattr read search };
# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
+#dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
')
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#7 (text+ko) ====
@@ -599,6 +599,6 @@
# Set user information and skip authentication.
allow $1 self:passwd *;
-allow $1 self:dbus *;
-allow $1 self:nscd *;
+#allow $1 self:dbus *;
+#allow $1 self:nscd *;
')
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/selinux_macros.te#2 (text+ko) ====
@@ -1,1 +1,15 @@
define(`dac_override', `{ dac_read_search dac_execute dac_write }')
+
+# FreeBSD doesn't use netlink sockets for administering networks.
+# Instead of using rules directly, those parts of the policy should use macros.
+define(`netlink_route_socket', `netlink_socket')
+define(`netlink_firewall_socket', `netlink_socket')
+define(`netlink_xfrm_socket', `netlink_socket')
+define(`netlink_ip6fw_socket', `netlink_socket')
+define(`netlink_selinux_socket', `netlink_socket')
+define(`netlink_audit_socket', `netlink_socket')
+define(`netlink_tcpdiag_socket', `netlink_socket')
+define(`netlink_nflog_socket', `netlink_socket')
+define(`netlink_dnrt_socket', `netlink_socket')
+define(`nlmsg_read', `read')
+define(`nlmsg_write', `write')
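Review bot: These m4 defines rewrite the names everywhere in the policy source, so a rule written for one specific netlink class becomes a rule on `netlink_socket`, and `nlmsg_read`/`nlmsg_write` become plain `read`/`write`. The per-class separation the SELinux rules were written with is therefore lost: a grant meant for `netlink_route_socket` also covers what was `netlink_audit_socket` or `netlink_selinux_socket`. The existing comment says FreeBSD does not use netlink for network administration, which limits the practical effect, but the file should state the consequence directly, e.g. `# Build-compatibility aliases only: all netlink_* classes collapse into netlink_socket, so per-class rules are not distinct here.`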
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#5 (text+ko) ====
@@ -131,7 +131,7 @@
type mtrr_device_t, device_type;
# Type for /dev/bpf*
-type bpf_device_t, file_type;
+type bpf_device_t, device_type;
# Type for /dev/apm_bios
type apm_bios_t, device_type;
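Review bot: Moving `bpf_device_t` (and `klog_device_t` in the next hunk) from `file_type` to `device_type` changes which attribute-wide rules reach these nodes. /dev/bpf* gives raw access to network traffic and /dev/klog to kernel messages, so any rule elsewhere in the policy that grants access on `device_type` as a whole now includes them, while rules on `file_type` no longer do. Those rules are outside this diff; it is worth checking them and noting the intent beside the declaration, e.g. `# device_type: grant access per type, not through a device_type-wide rule`.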
@@ -150,7 +150,6 @@
# for other device nodes such as the NVidia binary-only driver
type xserver_misc_device_t, device_type;
-type v4l_device_t, file_type;
# Type for /dev/klog
-type klog_device_t, file_type;
+type klog_device_t, device_type;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#5 (text+ko) ====
@@ -113,6 +113,7 @@
# etc_aliases_t is the type of the aliases database.
#
type etc_aliases_t, file_type, sysadmfile;
+type etc_mail_t, file_type, sysadmfile;
# net_conf_t is the type of the /etc/resolv.conf file.
# all DHCP clients and PPP need write access to this file.
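Review bot: `etc_mail_t` is declared here without its description and sits directly under the comment block for `etc_aliases_t`, which reads as if both types were the aliases database. The line removed from sendmail.te carried the comment; bring it along: `# etc_mail_t is the type of /etc/mail.` The second hunk's `usbdevfs_device_t` is likewise added with no comment saying which nodes it labels.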
@@ -271,6 +272,8 @@
type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
allow usbdevfs_t usbdevfs_t:filesystem associate;
+type usbdevfs_device_t, device_type, noexattrfile, sysadmfile;
+allow usbdevfs_device_t usbdevfs_t:filesystem associate;
type sysfs_t, fs_type, root_dir_type, sysadmfile;
allow sysfs_t sysfs_t:filesystem associate;