PERFORCE change 111069 for review
Todd Miller
millert at FreeBSD.org
Mon Dec 4 11:09:22 PST 2006
http://perforce.freebsd.org/chv.cgi?CH=111069
Change 111069 by millert at millert_macbook on 2006/12/04 19:02:48
Update policy
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/update.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/kernel.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#4 (text+ko) ====
@@ -9,9 +9,6 @@
/Library/Preferences/DirectoryService -d gen_context(system_u:object_r:DirectoryService_resource_t,s0)
/Library/Preferences/DirectoryService/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0)
-/System/Library/Frameworks/DirectoryService.framework -d gen_context(system_u:object_r:DirectoryService_resource_t,s0)
-/System/Library/Frameworks/DirectoryService.framework/.* gen_context(system_u:object_r:DirectoryService_resource_t,s0)
-/System/Library/PrivateFrameworks/DirectoryServiceCore.framework.* gen_context(system_u:object_r:DirectoryService_resource_t,s0)
/private/var/run/.DSRunningSP1 -- gen_context(system_u:object_r:DirectoryService_var_run_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#4 (text+ko) ====
@@ -5,4 +5,4 @@
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
-/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t)
+/System/Library/Displays.* gen_context(system_u:object_r:WindowServer_resource_t)
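Review bot: The replacement entry for `/System/Library/Displays.*` still calls gen_context with only the context argument, while every other file-context entry in this change passes a sensitivity (`,s0`). If the policy is built with MLS or MCS enabled this probably expands to an incomplete context, so `gen_context(system_u:object_r:WindowServer_resource_t,s0)` would be safer. Dropping the `/` before `.*` also lets the pattern match sibling names that merely begin with `Displays`; `/System/Library/Displays(/.*)?` covers the directory and its contents without that.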
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#5 (text+ko) ====
@@ -97,7 +97,7 @@
#
interface(`WindowServer_allow_resource_read',`
- allow $1 WindowServer_resource_t:file {read getattr};
- allow $1 WindowServer_resource_t:dir {search};
+ allow $1 WindowServer_resource_t:file read_file_perms;
+ allow $1 WindowServer_resource_t:dir r_dir_perms;
')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#7 (text+ko) ====
@@ -116,3 +116,11 @@
# Read general resource files
darwin_allow_resource_read(WindowServer_t)
+
+# Perform filesystem operations
+fs_getattr_xattr_fs(WindowServer_t)
+
+# Read user home dirs
+userdom_search_all_users_home_content(WindowServer_t)
+userdom_read_all_users_home_content_files(WindowServer_t)
+
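Review bot: `userdom_read_all_users_home_content_files(WindowServer_t)` lets the window server read every user's home content, which is far wider than the comment "Read user home dirs" suggests. The same pair of calls is added for loginwindow_t in loginwindow.te and securityd_t in securityd.te. If the denials behind this were for a few specific files (an assumption, the change does not say), giving those files a dedicated type and granting read on that type would keep three long-running system daemons from holding read access to all user data. At minimum the comment should record what was observed, e.g. `# TODO: narrow to the files actually read; granted from audit denials`.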
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#8 (text+ko) ====
@@ -145,6 +145,7 @@
WindowServer_allow_shm(configd_t)
# Read prefs, etc
+darwin_allow_global_pref_manage(configd_t)
darwin_allow_global_pref_rw(configd_t)
darwin_allow_host_pref_read(configd_t)
darwin_allow_system_read(configd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#6 (text+ko) ====
@@ -63,3 +63,7 @@
# Allow reading of /private
darwin_allow_private_read(coreaudiod_t)
+
+# Allow reading of /var
+files_read_var_symlinks(coreaudiod_t)
+files_read_var_files(coreaudiod_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#7 (text+ko) ====
@@ -47,8 +47,23 @@
allow diskarbitrationd_t self:udp_socket create;
allow diskarbitrationd_t self:unix_dgram_socket create;
allow diskarbitrationd_t sbin_t:dir search;
+allow diskarbitrationd_t self:mach_task set_special_port;
+
+# Allow disk/device/fs operations
+allow diskarbitrationd_t device_t:chr_file { ioctl read };
+allow diskarbitrationd_t fs_t:dir getattr;
+allow diskarbitrationd_t fsadm_t:file execute_no_trans;
+# Allow mount operations
+allow diskarbitrationd_t fs_t:filesystem mount;
+allow diskarbitrationd_t mnt_t:dir { getattr read remove_name rmdir search };
+allow diskarbitrationd_t mnt_t:file { getattr unlink };
+allow diskarbitrationd_t mnt_t:lnk_file unlink;
+
+
+
+
# Allow various file operations
allow diskarbitrationd_t nfs_t:dir getattr;
allow diskarbitrationd_t nfs_t:filesystem mount;
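Review bot: `allow diskarbitrationd_t fsadm_t:file execute_no_trans;` names fsadm_t, which in reference policy is normally the process domain of the filesystem tools rather than the label on their binaries. The existing mount rule further down this file uses the executable type instead (`mount_exec_t:file { execute_no_trans read }`). If the denial really showed a file labelled fsadm_t, that points at a labelling problem to fix in the .fc files; otherwise the rule probably wants the tools' exec type with `{ execute execute_no_trans read }`. The four consecutive blank lines added after the mount rules can also be reduced to one.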
@@ -61,9 +76,10 @@
allow diskarbitrationd_t mount_exec_t:file { execute_no_trans read };
# Allow access to raw disk devices
+storage_raw_read_fixed_disk(diskarbitrationd_t)
# Note: This causes the following error...we need to figure it out:
#
-# libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read };
+## libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read };
# libsepol.check_assertions: 1 assertion violations occured
# Error while expanding policy
#allow diskarbitrationd_t fixed_disk_device_t:blk_file { ioctl read };
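Review bot: The comment block under the new `storage_raw_read_fixed_disk(diskarbitrationd_t)` call still reads "This causes the following error...we need to figure it out", so it now appears to describe the interface call rather than the commented-out allow rule. The extra `#` on the libsepol line looks accidental. If the interface is what avoids the assertion failure, say so, e.g. `# Use the storage interface; a direct allow on fixed_disk_device_t violates a policy assertion`, and drop the dead rule. Raw read of fixed disks bypasses per-file labels, so a line recording why diskarbitrationd needs it would help later audits.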
@@ -79,6 +95,7 @@
# Allow Mach IPC with launchd
init_allow_ipc(diskarbitrationd_t)
+init_allow_bootstrap(diskarbitrationd_t)
# Allow Mach IPC with configd
configd_allow_ipc(diskarbitrationd_t)
@@ -105,7 +122,7 @@
frameworks_read(diskarbitrationd_t)
# Read /private/var
-files_read_var_files(diskarbitrationd_t)
+files_rw_var_files(diskarbitrationd_t)
# Allow reading of /private
darwin_allow_private_read(diskarbitrationd_t)
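Review bot: The comment `# Read /private/var` now sits above `files_rw_var_files(diskarbitrationd_t)`, so it understates the grant; it should read `# Read/write /private/var`. The same mismatch appears in loginwindow.te and securityd.te, where `# Read /private` precedes `darwin_allow_private_rw(...)` (plus `darwin_allow_private_create` for loginwindow_t). Comments are what a reviewer skims when auditing write access in a policy file, so they should not lag behind the rules.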
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#4 (text+ko) ====
@@ -77,6 +77,16 @@
# Use tmp files
files_tmp_file(kextd_t)
-
# Read /private/var
files_read_var_files(kextd_t)
+
+# Read/write/create in /private
+darwin_allow_private_rw(kextd_t)
+darwin_allow_private_create(kextd_t)
+
+# Read the kernel
+kernel_read_kernel(kextd_t)
+
+
+ # Use CoreServices
+darwin_allow_CoreServices_read(kextd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#2 (text+ko) ====
@@ -4,3 +4,4 @@
# MCS categories: <none>
/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -- gen_context(system_u:object_r:loginwindow_exec_t,s0)
+/System/Library/LoginPlugins gen_context(system_u:object_r:loginwindow_resource_t,s0)
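Review bot: `/System/Library/LoginPlugins` is labelled loginwindow_resource_t here, while darwin.fc in the same change labels `/System/Library/LoginPlugins.*` as darwin_loginplugin_t, so two entries with different types match the same path. Which one applies to the directory itself depends on how the file-context matcher orders exact and regex entries, and everything below it would get darwin_loginplugin_t as far as these two entries show. If a single type is intended for the plugin tree, drop one entry. If both are intended, a comment such as `# directory only; contents are darwin_loginplugin_t (see darwin.fc)` would make that explicit.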
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#4 (text+ko) ====
@@ -54,3 +54,24 @@
allow $1 loginwindow_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock };
')
+
+
+########################################
+## <summary>
+## Allow reading of loginwindow resource files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`loginwindow_allow_resource_read',`
+ gen_require(`
+ type loginwindow_resource_t;
+ ')
+
+ allow $1 loginwindow_resource_t:file read_file_perms;
+ allow $1 loginwindow_resource_t:dir r_dir_perms;
+
+')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#5 (text+ko) ====
@@ -10,6 +10,8 @@
domain_type(loginwindow_t)
init_domain(loginwindow_t, loginwindow_exec_t)
+type loginwindow_resource_t;
+
########################################
#
# loginwindow local policy
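Review bot: `type loginwindow_resource_t;` is declared bare, whereas the other file type introduced by this change, securityd_tmp_t in securityd.te, is passed to `files_tmp_file(...)` right after its declaration. Reference policy normally gives file types a file attribute via `files_type(...)` so that the generic labelling and filesystem-association rules cover them. Assuming this tree's files module provides that interface, I would add `files_type(loginwindow_resource_t)` on the line after the declaration. The loginwindow local policy section continues outside this hunk.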
@@ -77,16 +79,55 @@
# Use CoreServices
darwin_allow_CoreServices_read(loginwindow_t)
+darwin_allow_CoreServices_execute(loginwindow_t)
# Read prefs
darwin_allow_global_pref_read(loginwindow_t)
darwin_allow_host_pref_read(loginwindow_t)
# Read /private
-darwin_allow_private_read(loginwindow_t)
+darwin_allow_private_rw(loginwindow_t)
+darwin_allow_private_create(loginwindow_t)
# Read /System
darwin_allow_system_read(loginwindow_t)
# Use frameworks
frameworks_read(loginwindow_t)
+frameworks_execute(loginwindow_t)
+
+# Read general resources
+darwin_allow_resource_read(loginwindow_t)
+
+# Read our own resources
+loginwindow_allow_resource_read(loginwindow_t)
+
+# Read user home dirs
+userdom_search_all_users_home_content(loginwindow_t)
+userdom_read_all_users_home_content_files(loginwindow_t)
+
+# Read/Write lastlog
+auth_rw_lastlog(loginwindow_t)
+
+# Perform filesystem operations
+fs_getattr_xattr_fs(loginwindow_t)
+# Note: Not sure of the best way to do this "for real"
+allow loginwindow_t fs_t:dir { getattr read search };
+allow loginwindow_t fs_t:file { getattr read };
+
+# Read/Write utmp
+init_rw_utmp(loginwindow_t)
+
+# Use login plugins
+darwin_allow_loginplugin_read(loginwindow_t)
+darwin_allow_loginplugin_execute(loginwindow_t)
+
+# Read WindowServer resources
+WindowServer_allow_resource_read(loginwindow_t)
+
+# Read/write caches
+darwin_allow_cache_rw(loginwindow_t)
+
+# Read services files
+darwin_allow_services_read(loginwindow_t)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#4 (text+ko) ====
@@ -99,4 +99,7 @@
# Use frameworks
frameworks_read(lookupd_t)
+frameworks_execute(lookupd_t)
+# Allow Mach IPC w/ syslogd
+logging_allow_ipc(lookupd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#4 (text+ko) ====
@@ -77,3 +77,5 @@
# Read /private
darwin_allow_private_read(mDNSResponder_t)
+# Talk to notifyd
+notifyd_allow_ipc(mDNSResponder_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.if#4 (text+ko) ====
@@ -34,10 +34,10 @@
interface(`notifyd_allow_ipc',`
# Allow communication with notification server
- allow $1 notifyd_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal};
+ allow $1 notifyd_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal notify_server_set_state notify_server_get_state};
# Note. this may be temporary. We are still investigating the reasons
# for launchd started services being labeled init_t.
- allow $1 init_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal};
+ allow $1 init_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal notify_server_set_state notify_server_get_state};
mach_allow_ipc($1, notifyd_t)
')
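Review bot: Both rewritten permission sets append `notify_server_set_state notify_server_get_state`, but `notify_server_get_state` is already the second entry in each set, so only `notify_server_set_state` is new and the duplicate should be dropped. notifyd_allow_ipc is the general client interface, so set_state now goes to every caller, including mDNSResponder_t which starts calling it in this change. If only some clients need to set state, a separate interface for that permission would keep the default narrower. The two sets are identical, so a shared permission-set define would stop them drifting apart.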
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#4 (text+ko) ====
@@ -41,3 +41,6 @@
# Allow signalling of other processes
allow notifyd_t init_t:process signal;
allow notifyd_t lookupd_t:process signal;
+
+# Read /private
+darwin_allow_private_read(notifyd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.fc#2 (text+ko) ====
@@ -4,3 +4,5 @@
# MCS categories: <none>
/usr/sbin/securityd -- gen_context(system_u:object_r:securityd_exec_t,s0)
+
+/private/var/tmp/mds.* gen_context(system_u:object_r:securityd_tmp_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#3 (text+ko) ====
@@ -36,3 +36,20 @@
# Allow bidirectional comminication with securityd
mach_allow_ipc(securityd_t, $1)
')
+
+########################################
+## <summary>
+## Allow read of securityd tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`securityd_tmp_read',`
+
+ allow $1 securityd_tmp_t:file read_file_perms;
+ allow $1 securityd_tmp_t:dir search_dir_perms;
+')
+
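Review bot: The new `securityd_tmp_read` interface references securityd_tmp_t without a gen_require block, unlike `loginwindow_allow_resource_read` and the darwin_allow_* interfaces added in the same change. Callers in other modules then rely on the type already being declared, which likely breaks in a modular build. Add a gen_require block containing `type securityd_tmp_t;` before the allow rules; `kernel_read_kernel` in kernel.if has the same gap for kernel_t. The directory rule uses `search_dir_perms` where the sibling read interfaces use `r_dir_perms`, and if that is deliberate (no listing of the tmp directory) a comment should say so.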
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#4 (text+ko) ====
@@ -10,6 +10,9 @@
domain_type(securityd_t)
init_domain(securityd_t, securityd_exec_t)
+type securityd_tmp_t;
+files_tmp_file(securityd_tmp_t)
+
########################################
#
# securityd local policy
@@ -38,7 +41,14 @@
allow securityd_t nfs_t:filesystem getattr;
allow securityd_t nfs_t:lnk_file read;
allow securityd_t usr_t:file { getattr read };
+allow securityd_t random_device_t:chr_file read;
+allow securityd_t sbin_t:dir { getattr read search };
+# /var file operations
+files_manage_var_files(securityd_t)
+files_manage_var_dirs(securityd_t)
+files_manage_var_symlinks(securityd_t)
+
# Talk to launchd
init_allow_ipc(securityd_t)
@@ -52,3 +62,43 @@
# something is probably mislabeled.
allow securityd_t lib_t:file execute_no_trans;
+# Talk to bootstrap server
+init_allow_bootstrap(securityd_t)
+
+# Talk to kernel
+kernel_allow_ipc(securityd_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(securityd_t)
+darwin_allow_CoreServices_execute(securityd_t)
+
+# Read prefs
+darwin_allow_global_pref_read(securityd_t)
+darwin_allow_host_pref_read(securityd_t)
+
+# Read /private
+darwin_allow_private_rw(securityd_t)
+
+# Use general resources
+darwin_allow_resource_read(securityd_t)
+
+# read /System
+darwin_allow_system_read(securityd_t)
+
+# Use frameworks
+frameworks_read(securityd_t)
+
+# Share memory w/ WindowServer
+WindowServer_allow_shm(securityd_t)
+
+# Read configd executable
+allow securityd_t configd_exec_t:file read;
+
+# Read/Write temp files, etc
+files_read_generic_tmp_files(securityd_t)
+securityd_tmp_read(securityd_t)
+
+# Read user home dirs
+userdom_search_all_users_home_content(securityd_t)
+userdom_read_all_users_home_content_files(securityd_t)
+
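Review bot: Under `# Read/Write temp files, etc` the only rules added are `files_read_generic_tmp_files(securityd_t)` and `securityd_tmp_read(securityd_t)`, both read-only, so either the comment is wrong or the write side is missing. securityd.fc labels `/private/var/tmp/mds.*` as securityd_tmp_t, and if securityd is the process that creates those files it needs create and write on its own type. It would probably also need a type transition so new files get the label without a relabel; none is visible in these hunks. If read-only is intended, change the comment to `# Read temp files`.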
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/update.te#3 (text+ko) ====
@@ -25,5 +25,12 @@
allow update_t self:fifo_file { read write };
allow update_t self:unix_stream_socket create_stream_socket_perms;
+# talk to self
+mach_allow_message(update_t, update_t)
+
+# talk to kernel
+kernel_allow_ipc(update_t)
+
# talk to launchd
init_allow_ipc(update_t)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#6 (text+ko) ====
@@ -45,6 +45,11 @@
/Volumes/[^/]*/.* <<none>>
#
+# /tmp
+#
+/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+
+#
# /private/tmp
#
/private/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
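Review bot: The new `/tmp` entry has no file-type specifier, while the `/private/tmp` entry below it is restricted with `-d`. On Darwin `/tmp` is normally a symbolic link to `private/tmp`, so this entry would label the link itself tmp_t at range `s0-mls_systemhigh`, and domains following the link would need `lnk_file` read on tmp_t. If that is the intent, `-l` makes it explicit (`/tmp -l gen_context(...)`); otherwise the link probably wants an ordinary root-level type at `s0`.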
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/kernel.if#4 (text+ko) ====
@@ -2386,3 +2386,17 @@
interface(`kernel_allow_ipc',`
mach_allow_ipc(kernel_t, $1)
')
+
+########################################
+## <summary>
+## Allow reading of the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_kernel',`
+ allow $1 kernel_t:file read_file_perms;
+')
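Review bot: `kernel_read_kernel` grants `read_file_perms` on `kernel_t:file`, and darwin.fc in this change labels `/mach_kernel` with kernel_t, so the kernel's process domain doubles as the label of an on-disk file. Any rule written against kernel_t files for another reason then also applies to the kernel image, and access to the image cannot be audited separately from access to the kernel domain. A dedicated file type for the image, used in both the .fc entry and this interface, would keep the two apart. The interface summary could then read `Allow reading of the kernel image file.`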
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#3 (text+ko) ====
@@ -1,12 +1,35 @@
-/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
-/Library/Preferences -d gen_context(system_u:object_r:darwin_global_pref_t,s0)
+
+#
+# /private
+#
+/private -d gen_context(system_u:object_r:darwin_private_t,s0)
/private/var/db/.AppleSetupDone -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
-/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
/private/var/root/Library/Preferences/ByHost.* gen_context(system_u:object_r:darwin_host_pref_t,s0)
+
+
+#
+# /System
+#
+/System/Library/LoginPlugins.* gen_context(system_u:object_r:darwin_loginplugin_t,s0)
+/System/library/Caches.* gen_context(system_u:object_r:darwin_loginplugin_t,s0)
+/System/library/Services.* gen_context(system_u:object_r:darwin_services_t,s0)
+/System/Library/Security.* gen_context(system_u:object_r:darwin_security_t,s0)
/System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0)
+/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
-/private -d gen_context(system_u:object_r:darwin_private_t,s0)
+#
+# Applications
+#
+/Applications.* gen_context(system_u:object_r:bin_t,s0)
+#
+# /Library
+#
/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
-/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Keychains.* gen_context(system_u:object_r:darwin_keychain_t,s0)
+# Kernel
+/mach_kernel -- gen_context(system_u:object_r:kernel_t,s0)
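Review bot: The entries `/System/library/Caches.*` and `/System/library/Services.*` spell `library` in lower case where every other entry uses `/System/Library`, and the Caches entry assigns darwin_loginplugin_t rather than the darwin_cache_t that the new darwin_allow_cache_* interfaces reference. File-context patterns are, as far as I know, matched as case-sensitive regular expressions, so these two lines would likely never match and `darwin_allow_cache_rw(loginwindow_t)` would cover nothing. I would write `/System/Library/Caches.* gen_context(system_u:object_r:darwin_cache_t,s0)` and correct the case on the Services line. Separately, `/Applications.*` with no type specifier labels every file under /Applications as bin_t, not only executables, which makes any execute grant on bin_t apply to all of them.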
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#3 (text+ko) ====
@@ -42,6 +42,25 @@
########################################
## <summary>
+## Allow creation of global preference files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_global_pref_manage',`
+ gen_require(`
+ type darwin_global_pref_t;
+ ')
+
+ allow $1 darwin_global_pref_t:file manage_file_perms;
+
+')
+
+########################################
+## <summary>
## Allow reading of host preference files
## </summary>
## <param name="domain">
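Review bot: `darwin_allow_global_pref_manage` is documented as "Allow creation of global preference files" but grants only `manage_file_perms` on the file class. Creating or deleting a file also needs add/remove-name access on the containing directory, and no `dir` rule for darwin_global_pref_t is included. The summary should say "management" (create, modify, delete), and the interface probably wants `allow $1 darwin_global_pref_t:dir rw_dir_perms;` alongside. darwin.fc now labels all of `/Library/Preferences.*` with this type, so the one caller, configd_t, receives this over the whole preferences tree, which is worth stating in the configd.te comment. The following interface's header continues outside this hunk.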
@@ -60,7 +79,6 @@
allow $1 darwin_host_pref_t:dir r_dir_perms;
')
-
########################################
## <summary>
## Allow reading of CoreServices files
@@ -72,13 +90,33 @@
## </param>
#
interface(`darwin_allow_CoreServices_read',`
+ gen_require(`
+ type darwin_CoreServices_t;
+ ')
+
+ allow $1 darwin_CoreServices_t:file read_file_perms;
+ allow $1 darwin_CoreServices_t:dir r_dir_perms;
+ allow $1 darwin_CoreServices_t:lnk_file { getattr read };
+
+')
+
+
+########################################
+## <summary>
+## Allow execution of CoreServices files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_CoreServices_execute',`
gen_require(`
type darwin_CoreServices_t;
')
- allow $1 darwin_CoreServices_t:file read_file_perms;
- allow $1 darwin_CoreServices_t:dir r_dir_perms;
- allow $1 darwin_CoreServices_t:lnk_file { getattr read };
+ allow $1 darwin_CoreServices_t:file { execute execute_no_trans };
')
@@ -117,6 +155,7 @@
')
allow $1 darwin_private_t:dir r_dir_perms;
+ allow $1 darwin_private_t:file read_file_perms;
')
@@ -136,11 +175,51 @@
')
allow $1 darwin_private_t:dir rw_dir_perms;
+ allow $1 darwin_private_t:file rw_file_perms;
')
########################################
## <summary>
+## Allow creation of files in /private
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_private_create',`
+ gen_require(`
+ type darwin_private_t;
+ ')
+
+ allow $1 darwin_private_t:file create_file_perms;
+ allow $1 darwin_private_t:dir create_dir_perms;
+
+')
+
+########################################
+## <summary>
+## Allow complete managament of /private
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_private_manage',`
+ gen_require(`
+ type darwin_private_t;
+ ')
+
+ allow $1 darwin_private_t:dir manage_dir_perms;
+
+')
+
+########################################
+## <summary>
## Allow reading of general resource files
## </summary>
## <param name="domain">
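Review bot: `darwin_allow_private_manage` is described as "complete managament of /private" but its only rule is `allow $1 darwin_private_t:dir manage_dir_perms;`. This change extends the read and rw siblings to cover `darwin_private_t:file`, and darwin_allow_private_create covers both classes. Add `allow $1 darwin_private_t:file manage_file_perms;` for consistency, or narrow the summary to directories. "managament" should be "management". No caller of this interface is visible in the change, so it could also be left out until one exists.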
@@ -158,3 +237,360 @@
allow $1 darwin_resource_t:dir r_dir_perms;
')
+
+########################################
+## <summary>
+## Allow reading of loginplugin files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_loginplugin_read',`
+ gen_require(`
+ type darwin_loginplugin_t;
+ ')
+
+ allow $1 darwin_loginplugin_t:file read_file_perms;
+ allow $1 darwin_loginplugin_t:dir r_dir_perms;
+
+')
+
+########################################
+## <summary>
+## Allow reading/writing of loginplugin files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_loginplugin_rw',`
+ gen_require(`
+ type darwin_loginplugin_t;
+ ')
+
+ allow $1 darwin_loginplugin_t:file rw_file_perms;
+ allow $1 darwin_loginplugin_t:dir rw_dir_perms;
+
+')
+
+########################################
+## <summary>
+## Allow managing of loginplugin files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_loginplugin_manage',`
+ gen_require(`
+ type darwin_loginplugin_t;
+ ')
+
+ allow $1 darwin_loginplugin_t:file manage_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow execution of loginplugin files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_loginplugin_execute',`
+ gen_require(`
+ type darwin_loginplugin_t;
+ ')
+
+ allow $1 darwin_loginplugin_t:file { execute execute_no_trans };
+
+')
+
+########################################
+## <summary>
+## Allow reading of cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_cache_read',`
+ gen_require(`
+ type darwin_cache_t;
+ ')
+
+ allow $1 darwin_cache_t:file read_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow reading/writing of cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_cache_rw',`
+ gen_require(`
+ type darwin_cache_t;
+ ')
+
+ allow $1 darwin_cache_t:file rw_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow managing of cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_cache_manage',`
+ gen_require(`
+ type darwin_cache_t;
+ ')
+
+ allow $1 darwin_cache_t:file manage_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow reading of services files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_services_read',`
+ gen_require(`
+ type darwin_services_t;
+ ')
+
+ allow $1 darwin_services_t:file read_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow reading/writing of services files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_services_rw',`
+ gen_require(`
+ type darwin_services_t;
+ ')
+
+ allow $1 darwin_services_t:file rw_file_perms;
+
+')
+
+########################################
+## <summary>
+## Allow managing of services files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_services_manage',`
+ gen_require(`
+ type darwin_services_t;
+ ')
+
+ allow $1 darwin_services_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Allow reading of trash files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_trash_read',`
+ gen_require(`
+ type darwin_trash_t;
+ ')
+
+ allow $1 darwin_trash_t:file read_file_perms;
+ allow $1 darwin_trash_t:dir read_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow reading/writing of trash files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_trash_rw',`
+ gen_require(`
+ type darwin_trash_t;
+ ')
+
+ allow $1 darwin_trash_t:file rw_file_perms;
+ allow $1 darwin_trash_t:dir rw_dir_perms;
+')
+########################################
+## <summary>
+## Allow managing of trash files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_trash_manage',`
+ gen_require(`
+ type darwin_trash_t;
+ ')
+
+ allow $1 darwin_trash_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Allow reading of security files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_security_read',`
+ gen_require(`
+ type darwin_security_t;
+ ')
+
+ allow $1 darwin_security_t:file read_file_perms;
+ allow $1 darwin_security_t:file r_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow reading/writing of security files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_security_rw',`
+ gen_require(`
+ type darwin_security_t;
+ ')
+
+ allow $1 darwin_security_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow reading/writing of security files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_security_manage',`
+ gen_require(`
+ type darwin_security_t;
+ ')
+
+ allow $1 darwin_security_t:file manage_file_perms;
+')
+
+
+########################################
+## <summary>
+## Allow reading of keychain files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_keychain_read',`
+ gen_require(`
+ type darwin_keychain_t;
+ ')
+
+ allow $1 darwin_keychain_t:file read_file_perms;
+ allow $1 darwin_keychain_t:file r_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow reading/writing of keychain files
>>> TRUNCATED FOR MAIL (1000 lines) <<<