PERFORCE change 77892 for review

[Andrew Reisse]

http://perforce.freebsd.org/chv.cgi?CH=77892

Change 77892 by areisse at areisse_tislabs on 2005/06/02 20:47:59

	Small policy fixes:
	-Ordinary user roles should be able to change passwords, which
	 requires running pwd_mkdb.
	-Checkpolicy creates fds.
	-loadpolicy is installed in /usr/sbin, not /sbin.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#22 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#6 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#22 (text+ko) ====

@@ -18,7 +18,7 @@
 
 FLASKDIR = flask/
 PREFIX = /usr
-LOADPOLICY  = $(DESTDIR)/sbin/sebsd_loadpolicy
+LOADPOLICY  = $(DESTDIR)/usr/sbin/sebsd_loadpolicy
 CHECKPOLICY = $(DESTDIR)/sbin/sebsd_checkpolicy
 SETFILES = $(DESTDIR)/sbin/sebsd_setfiles
 .if (POLICYVERCOMPAT)

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#3 (text+ko) ====

@@ -63,3 +63,4 @@
 allow checkpolicy_t console_device_t:chr_file { read write };
 allow checkpolicy_t init_t:fd { use };
 allow checkpolicy_t selinux_config_t:dir { search };
+allow checkpolicy_t self:fd create;

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#6 (text+ko) ====

@@ -149,6 +149,7 @@
 
 role system_r types pwdmkdb_t;
 role sysadm_r types pwdmkdb_t;
+in_user_role(pwdmkdb_t);
 
 general_domain_access(pwdmkdb_t);
 uses_shlib(pwdmkdb_t);
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message