PERFORCE change 67606 for review
Andrew Reisse
areisse at FreeBSD.org
Thu Dec 23 20:38:34 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=67606
Change 67606 by areisse at areisse_tislabs on 2004/12/23 20:38:30
Checkpoint work on updating policy.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/devd.te#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/devd.fc#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 (text+ko) ====
@@ -32,3 +32,6 @@
allow atrun_t { var_at_jobs_t var_at_spool_t }:dir rw_dir_perms;
allow atrun_t var_at_jobs_t:file { r_file_perms unlink };
allow atrun_t var_at_spool_t:file create_file_perms;
+
+uses_shlib(atrun_t)
+allow atrun_t self:fd { create use };
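Review bot: `allow atrun_t self:fd { create use };` is added here with no comment, and the same rule is repeated verbatim in this change for getty_t, hostname_t, `$1_t` in ssh.te, syslogd_t, rpcd_t and sendmail_t. If every SEBSD domain needs create/use on its own fd class, granting it once in a shared macro would avoid per-domain copies and make it harder to miss a domain. If the grant is meant to be selective, each copy should carry a one-line reason in the way syslogd.te's `# Use file descriptors` starts to, for example `# SEBSD: process must create and use its own descriptors`.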
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 (text+ko) ====
@@ -26,3 +26,4 @@
allow cleanvar_t fs_t:filesystem { getattr };
can_exec(cleanvar_t, bin_t)
general_domain_access(cleanvar_t) #!!!
+uses_shlib(cleanvar_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 (text+ko) ====
@@ -62,3 +62,5 @@
dontaudit getty_t staff_home_dir_t:dir search;
r_dir_file(getty_t, sysfs_t)
+
+allow getty_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 (text+ko) ====
@@ -22,3 +22,5 @@
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
+
+allow hostname_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 (text+ko) ====
@@ -156,6 +156,10 @@
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;
+# /var/db/entropy
+allow initrc_t var_db_entropy_t:file { read write create };
+allow initrc_t var_db_entropy_t:dir { read add_name remove_name };
+
# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;
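Review bot: The new `var_db_entropy_t` rules grant `remove_name` on the directory but no `unlink` on the file, so the removal half of the permission set looks unusable as written. If SEBSD follows SELinux's checks, `add_name` and `remove_name` also need `write` and `search` on the directory, which `{ read add_name remove_name }` omits. Either spell the sets out (`{ search write add_name remove_name }` on the dir, and add `getattr unlink` on the file if the seed is rotated) or reuse `rw_dir_perms` as other rules in this change do. No declaration or file-context entry for `var_db_entropy_t` appears in the visible hunks, so confirm that both exist elsewhere.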
@@ -169,8 +173,8 @@
# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };
-# Write to /dev/urandom.
-allow initrc_t urandom_device_t:chr_file rw_file_perms;
+# Write to /dev/random.
+allow initrc_t random_device_t:chr_file rw_file_perms;
# Set device ownerships/modes.
allow initrc_t framebuf_device_t:lnk_file read;
@@ -267,6 +271,10 @@
# allow making links in /dev
allow initrc_t device_t:dir { add_name };
allow initrc_t device_t:lnk_file { create };
+allow device_t device_t:filesystem associate;
+
+# /var/.diskless
+allow initrc_t var_t:dir { add_name remove_name rmdir create };
#################################
#
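Review bot: `allow initrc_t var_t:dir { add_name remove_name rmdir create };` is commented as being for /var/.diskless, but it lets initrc_t create and remove directories in anything labelled var_t, which is far broader than one path. A dedicated type for that directory with a matching file-context entry would keep the grant scoped to what the rc scripts touch. Separately, `allow device_t device_t:filesystem associate;` is a statement about the device filesystem rather than about initrc_t. It would be easier to audit next to the device type declarations, with a comment such as `# devfs: device nodes associate with the device_t filesystem`.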
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 (text+ko) ====
@@ -110,6 +110,8 @@
# Update /var/log/lastlog.
allow $1_t lastlog_t:file rw_file_perms;
+allow $1_t self:fd { create use };
+
read_locale($1_t)
read_sysctl($1_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 (text+ko) ====
@@ -88,3 +88,5 @@
# allow access to klog
allow syslogd_t klog_device_t:chr_file { poll read };
+# Use file descriptors
+allow syslogd_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 (text+ko) ====
@@ -80,7 +80,7 @@
allow dhcpc_t { userdomain run_init_t }:fd use;
# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
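Review bot: `sys_admin` is appended to dhcpc_t's capability set without any comment, and it is the broadest capability in the list for a domain that parses responses from untrusted network peers. The rule should say which operation triggered the denial, e.g. `# sys_admin: required for <operation observed in the audit log>`, so a later reviewer can judge whether a narrower grant is possible. If the denial came from a helper script rather than the client itself, a transition to a separate domain for that script would keep the capability out of the network-facing process.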
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 (text+ko) ====
@@ -129,3 +129,8 @@
# for exportfs and rpc.mountd
allow nfsd_t tmp_t:dir getattr;
r_dir_file(rpcd_t, rpc_pipefs_t)
+
+# rpc.umntall
+allow rpcd_t self:fd { create use };
+allow rpcd_t nfs_t:filesystem getattr;
+#dontaudit rpcd_t fs_type:filesystem getattr;
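Review bot: The commented-out `#dontaudit rpcd_t fs_type:filesystem getattr;` is checked in with no explanation, so a reader cannot tell whether it is a pending change or a rejected one. Either drop it or annotate it, e.g. `# TODO: rpc.umntall stats every mounted fs; decide between dontaudit and per-type allows`. Silencing the audit for all `fs_type` would also hide unexpected probes by rpcd_t, so the narrower `nfs_t` allow on the line above is the better default.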
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 (text+ko) ====
@@ -29,6 +29,8 @@
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:fd { create use };
+
# Bind to the SMTP port.
allow sendmail_t smtp_port_t:tcp_socket name_bind;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 (text+ko) ====
@@ -19,7 +19,7 @@
/sbin/parted -- system_u:object_r:fsadm_exec_t
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/swapon -- system_u:object_r:fsadm_exec_t
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
/sbin/mkraid -- system_u:object_r:fsadm_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 (text+ko) ====
@@ -7,3 +7,5 @@
/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
# using a hard-coded name under /var/tmp is a bug - new version fixes it
/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+# FreeBsd
+/usr/sbin/newsyslog -- system_u:object_r:logrotate_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 (text+ko) ====
@@ -6,3 +6,4 @@
/dev/log -s system_u:object_r:devlog_t
/var/run/log -s system_u:object_r:devlog_t
/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
+newsyslog XXX -- system_u:object_r:syslogd_exec_t
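Review bot: `newsyslog XXX -- system_u:object_r:syslogd_exec_t` is a placeholder rather than a file-context entry. It has no absolute path regex and carries an extra field, so the labelling tool will probably reject or mis-parse it. It also disagrees with the logrotate.fc hunk in this same change, which labels `/usr/sbin/newsyslog` as `logrotate_exec_t`, so one binary would get two competing labels if this line were completed. Remove the line, or turn it into a comment such as `# XXX: newsyslog is labelled in logrotate.fc`, so the checkpoint does not break relabelling.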
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 (text+ko) ====
@@ -59,6 +59,7 @@
# A common mount point
/mnt(/.*)? -d system_u:object_r:mnt_t
/media(/.*)? -d system_u:object_r:mnt_t
+/cdrom -d system_u:object_r:mnt_t
#
# /var
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 (text+ko) ====
@@ -549,12 +549,10 @@
# Access the pty master multiplexer.
allow $1_t ptmx_t:chr_file rw_file_perms;
-ifdef(`devfsd.te', `
allow $1_t device_t:filesystem getattr;
-')
-allow $1_t devpts_t:filesystem getattr;
# allow searching /dev/pts
+allow $1_t device_t:dir { getattr read search };
allow $1_t devpts_t:dir { getattr read search };
# ignore old BSD pty devices
@@ -572,7 +570,7 @@
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
+allow $1_devpts_t device_t:filesystem associate;
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;
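Review bot: The associate rule now targets the `device_t` filesystem, but the unchanged `type_transition $1_t devpts_t:chr_file $1_devpts_t;` below it still keys on a `devpts_t` parent directory. If ptys are now created under a directory labelled `device_t`, as the earlier hunk's new `device_t:dir` rule suggests, the transition would not fire and ptys would keep the default label instead of the per-domain `$1_devpts_t`, losing the separation between domains' terminals. Check whether the transition should become `type_transition $1_t device_t:chr_file $1_devpts_t;`, or label the pty directory `devpts_t` in the file contexts. The macro's start and end lie outside this hunk.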
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 (text+ko) ====
@@ -88,7 +88,7 @@
allow $1 { var_t var_run_t }:dir search;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
+allow $1 ld_so_t:file execute_no_trans;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 shlib_t:file rx_file_perms;
allow $1 shlib_t:lnk_file r_file_perms;
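Review bot: Un-commenting `allow $1 ld_so_t:file execute_no_trans;` gives every domain that expands this macro the right to run the dynamic linker as a program in its own domain, and this change also adds `uses_shlib(...)` calls to atrun_t and cleanvar_t. Running the loader directly can let a domain start code from files it may read but is not allowed to execute, which weakens the per-type `execute` controls. The rule was disabled before and the change gives no reason for enabling it. Record the reason next to it, e.g. `# FreeBSD: <program or denial that requires executing the run-time linker directly>`, or move the permission to the specific domains that need it. The enclosing macro definition starts and ends outside this hunk.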