PERFORCE change 69825 for review

Andrew Reisse areisse at FreeBSD.org
Thu Jan 27 13:09:58 GMT 2005 

http://perforce.freebsd.org/chv.cgi?CH=69825

Change 69825 by areisse at areisse_tislabs on 2005/01/27 13:09:03

	various minor sebsd policy changes
	-crontab, /usr/bin/mail, ssh
	dontaudit cap_sys_admin

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 (text+ko) ====

@@ -31,3 +31,6 @@
 
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+
+dontaudit domain self:capability sys_admin;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 (text+ko) ====

@@ -126,7 +126,6 @@
 # type of the pty for the child
 define(`sshd_spawn_domain', `
 login_spawn_domain($1, $2)
-domain_auto_trans($1_t, shell_exec_t, user_t)
 ifdef(`xauth.te', `
 domain_trans($1_t, xauth_exec_t, $2)
 ')
@@ -233,6 +232,9 @@
 allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto };
 allow sshd_t userpty_type:chr_file { setattr relabelto rw_file_perms };
 
+# respawn sshd
+allow sshd_t sshd_exec_t:file execute_no_trans;
+
 #
 # Author:  Stephen Smalley <sds at epoch.ncsc.mil>
 #

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 (text+ko) ====

@@ -2,6 +2,7 @@
 /usr/sbin/sendmail(.sendmail)?	system_u:object_r:sendmail_exec_t
 /usr/sbin/mailwrapper		system_u:object_r:sendmail_exec_t
 /usr/libexec/sendmail/sendmail	system_u:object_r:sendmail_exec_t
+/usr/libexec/mail.local		system_u:object_r:sendmail_exec_t
 /etc/aliases			system_u:object_r:etc_aliases_t
 /etc/aliases\.db		system_u:object_r:etc_aliases_t
 /var/spool/mail(/.*)?		system_u:object_r:mail_spool_t

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 (text+ko) ====

@@ -40,7 +40,7 @@
 
 # Use capabilities dac_override is to create the file in the directory
 # under /tmp
-allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
+allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override fowner };
 dontaudit $1_crontab_t proc_t:dir { search };
 dontaudit $1_crontab_t selinux_config_t:dir { search };
 
@@ -92,6 +92,7 @@
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 allow $1_crontab_t privfd:fd use;
+allow $1_crontab_t self:fd { use create };
 
 dontaudit $1_crontab_t var_run_t:dir search;
 ')

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 (text+ko) ====

@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:fd {create use};
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list