PERFORCE change 109993 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 21:13:29 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109993
Change 109993 by millert at millert_macbook on 2006/11/14 20:57:07
Update policy.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/filesystem.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/modutils.fc#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#5 (text+ko) ====
@@ -1611,6 +1611,8 @@
#
# Darwin System Configuration Daemon
#
+darwin = module
+frameworks = module
mach = module
configd = module
DirectoryService = module
@@ -1631,3 +1633,11 @@
lookupd = module
+ATconfig = module
+Apple80211Monitor = module
+BatteryUpdater = module
+Bluetooth = module
+DynamicPowerStep = module
+IP6Configuration = module
+PPPController = module
+PowerManagement = module
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#3 (text+ko) ====
@@ -4,9 +4,17 @@
# MCS categories: <none>
/usr/sbin/DirectoryService -- gen_context(system_u:object_r:DirectoryService_exec_t,s0)
+/Library/Logs/DirectoryService -d gen_context(system_u:object_r:DirectoryService_var_log_t,s0)
/Library/Logs/DirectoryService/.* gen_context(system_u:object_r:DirectoryService_var_log_t,s0)
+/Library/Preferences/DirectoryService -d gen_context(system_u:object_r:DirectoryService_resource_t,s0)
/Library/Preferences/DirectoryService/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0)
-/System/Library/Frameworks/DirectoryService.framework/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+/System/Library/Frameworks/DirectoryService.framework -d gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+/System/Library/Frameworks/DirectoryService.framework/.* gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+/System/Library/PrivateFrameworks/DirectoryServiceCore.framework.* gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+
+/private/var/run/.DSRunningSP1 -- gen_context(system_u:object_r:DirectoryService_var_run_t,s0)
+#/System
+/System -d gen_context(system_u:object_r:darwin_system_t,s0)
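Review bot: The `/System -d … darwin_system_t` spec on the last line of this hunk labels the root of /System from DirectoryService.fc, so the label exists only when the DirectoryService module is loaded and will collide with any `/System` spec in the new system/darwin.fc (added in this change but not shown). Move it, together with the stray `#/System` line above it, into darwin.fc next to the darwin_system_t declaration. Separately, `DirectoryServiceCore.framework.*` has no slash before the wildcard and so also matches sibling names sharing that prefix; `/System/Library/PrivateFrameworks/DirectoryServiceCore.framework(/.*)?` is the conventional form.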
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#5 (text+ko) ====
@@ -17,6 +17,9 @@
# Other DirectoryService component files
type DirectoryService_resource_t;
+type DirectoryService_var_run_t;
+files_pid_file(DirectoryService_var_run_t)
+
########################################
#
@@ -33,6 +36,12 @@
allow DirectoryService_t self:fifo_file { read write };
allow DirectoryService_t self:unix_stream_socket create_stream_socket_perms;
+# pid file
+allow DirectoryService_t DirectoryService_var_run_t:file manage_file_perms;
+allow DirectoryService_t DirectoryService_var_run_t:sock_file manage_file_perms;
+allow DirectoryService_t DirectoryService_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(DirectoryService_t,DirectoryService_var_run_t, { file sock_file })
+
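Review bot: `allow DirectoryService_t DirectoryService_var_run_t:sock_file manage_file_perms;` applies the regular-file permission set (append, ioctl, lock) to a socket node; the refpolicy set for that class is `manage_sock_file_perms`. The `files_pid_filetrans(...)` on the next line already names `{ file sock_file }`, so the intent is clear and only the permission set is off.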
# log files
allow DirectoryService_t DirectoryService_var_log_t:file create_file_perms;
allow DirectoryService_t DirectoryService_var_log_t:sock_file create_file_perms;
@@ -41,6 +50,7 @@
# support files
allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write };
+allow DirectoryService_t DirectoryService_resource_t:dir { getattr read search };
# file descriptors and sockets
allow DirectoryService_t self:fd use;
@@ -60,6 +70,8 @@
allow DirectoryService_t self:process signal;
allow DirectoryService_t self:socket create;
allow DirectoryService_t bin_t:dir search;
+allow DirectoryService_t nfs_t:dir { getattr read };
+
# Allow Mach IPC with self
@@ -67,6 +79,7 @@
# Allow communication with bootstrap server
init_allow_bootstrap(DirectoryService_t)
+init_allow_shm(DirectoryService_t)
# Allow communication with notification server
notifyd_allow_ipc(DirectoryService_t)
@@ -91,3 +104,28 @@
# Allow shared memory usage w/ notifyd
notifyd_allow_shm(DirectoryService_t)
+
+# Allow reading of prefs files
+darwin_allow_global_pref_read(DirectoryService_t)
+darwin_allow_host_pref_read(DirectoryService_t)
+
+# Allow reading of /System
+darwin_allow_system_read(DirectoryService_t)
+
+# Allow shadow file stuff
+auth_getattr_shadow(DirectoryService_t)
+auth_rw_shadow(DirectoryService_t)
+auth_manage_shadow(DirectoryService_t)
+
+# Framework access
+frameworks_read(DirectoryService_t)
+frameworks_execute(DirectoryService_t)
+
+# Read /private
+darwin_allow_private_read(DirectoryService_t)
+
+# Read /private/var
+files_read_var_files(DirectoryService_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(DirectoryService_t)
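Review bot: `auth_manage_shadow(DirectoryService_t)` already grants everything `auth_rw_shadow` and `auth_getattr_shadow` grant, so the three calls collapse to one, and the question is whether the broadest is needed. Manage adds create/unlink/rename on the shadow type, which lets the daemon replace the password database wholesale rather than update it in place; if DirectoryService only rewrites hashes, `auth_rw_shadow(DirectoryService_t)` alone is the tighter choice. Which one the audit denials actually asked for is not visible here, so please confirm against the log before keeping manage.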
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#3 (text+ko) ====
@@ -30,3 +30,6 @@
# Talk to notifyd
notifyd_allow_ipc(KernelEventAgent_t)
+
+# Talk to launchd
+init_allow_ipc(KernelEventAgent_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#2 (text+ko) ====
@@ -4,3 +4,5 @@
# MCS categories: <none>
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
+
+/System/Library/Displays/Overrides -- gen_context(system_u:object_r:WindowServer_resource_t)
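Review bot: `gen_context(system_u:object_r:WindowServer_resource_t)` on the new spec omits the `,s0` level that every other entry in this file carries, so in an MLS/MCS build the expanded context has no sensitivity and setfiles will reject it. The `--` modifier also limits the match to a regular file, while WindowServer.if grants `dir search` on WindowServer_resource_t, which suggests Overrides is a directory tree; if so, `/System/Library/Displays/Overrides(/.*)? gen_context(system_u:object_r:WindowServer_resource_t,s0)` covers it.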
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#4 (text+ko) ====
@@ -85,3 +85,19 @@
allow $1 WindowServer_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock };
')
+
+########################################
+## <summary>
+## Allow reading of WindowServer resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.o## </summary>
+## </param>
+#
+interface(`WindowServer_allow_resource_read',`
+
+ allow $1 WindowServer_resource_t:file {read getattr};
+ allow $1 WindowServer_resource_t:dir {search};
+
+')
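Review bot: The doc block for WindowServer_allow_resource_read is broken at `Type to be used as a domain.o## </summary>` — the closing tag has been fused onto the text line with a stray `o`, so the XML that refpolicy's doc tooling extracts from the `##` comments no longer nests. Split it back into `##		Type to be used as a domain.` followed by `##	</summary>` on its own line. The interface body itself correctly uses `$1` for the caller's domain.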
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#5 (text+ko) ====
@@ -7,6 +7,7 @@
type WindowServer_t;
type WindowServer_exec_t;
+type WindowServer_resource_t;
domain_type(WindowServer_t)
init_domain(WindowServer_t, WindowServer_exec_t)
@@ -63,9 +64,21 @@
configd_allow_ipc(WindowServer_t)
configd_allow_shm(WindowServer_t)
+# Allow WindowServer to load kexts *shudder*
+allow WindowServer_t modules_object_t:dir { getattr read search };
+allow WindowServer_t modules_object_t:file { execute getattr read };
+
+# task_for_pid() for securityd
+allow WindowServer_t securityd_t:process taskforpid;
+
+# Find the proper interface for this later
+allow WindowServer_t var_log_t:dir search;
+allow WindowServer_t var_log_t:file { getattr setattr write };
+
# Misc
allow WindowServer_t nfs_t:filesystem getattr;
allow WindowServer_t nfs_t:lnk_file read;
+allow WindowServer_t nfs_t:dir search;
allow WindowServer_t mnt_t:dir search;
allow WindowServer_t self:mach_task set_special_port;
allow WindowServer_t self:process { setsched signal };
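Review bot: `allow WindowServer_t securityd_t:process taskforpid;` gives WindowServer the task port of securityd, i.e. read/write access to the address space that holds keychain material; the comment `task_for_pid() for securityd` reads as if securityd were the caller, in which case subject and object are reversed and the rule should be `allow securityd_t WindowServer_t:process taskforpid;`. Please confirm the direction from the audit denial before landing it. The `var_log_t:file { getattr setattr write }` rule just below also writes to every generic log file; a dedicated WindowServer_var_log_t with a logging filetrans would scope it, as the `# Find the proper interface` comment anticipates.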
@@ -74,6 +87,30 @@
allow WindowServer_t mnt_t:dir getattr;
allow WindowServer_t sbin_t:dir search;
+# Read prefs, etc
+darwin_allow_global_pref_read(WindowServer_t)
+darwin_allow_host_pref_read(WindowServer_t)
+darwin_allow_system_read(WindowServer_t)
+# Allow execution of framework bits
+frameworks_execute(WindowServer_t)
+frameworks_read(WindowServer_t)
+
+# Read our resources
+WindowServer_allow_resource_read(WindowServer_t)
+
+# Read /private/var
+files_read_var_files(WindowServer_t)
+
+# Talk to CoreServices
+darwin_allow_CoreServices_read(WindowServer_t)
+# Read /private
+darwin_allow_private_read(WindowServer_t)
+
+# Allow set_special_port to loginwindow
+allow WindowServer_t loginwindow_t:mach_task set_special_port;
+
+# Read modules
+allow WindowServer_t modules_dep_t:dir search;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.fc#3 (text+ko) ====
@@ -5,3 +5,4 @@
/usr/sbin/configd -- gen_context(system_u:object_r:configd_exec_t,s0)
/private/var/run/configd.pid gen_context(system_u:object_r:configd_var_run_t,s0)
+/System/Library/SystemConfiguration.* gen_context(system_u:object_r:configd_resource_t,s0)
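Review bot: `/System/Library/SystemConfiguration.*` has no slash before the wildcard, so it also matches any sibling entry whose name merely starts with `SystemConfiguration`; the conventional form is `/System/Library/SystemConfiguration(/.*)?`. Everything under that tree receives configd_resource_t, which configd.te in this change then grants `execute execute_no_trans` on, so every plist and resource file there becomes executable by configd without a domain transition; if only the bundle binaries need execute, give the `Contents/MacOS/.*` paths their own exec type.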
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#5 (text+ko) ====
@@ -90,3 +90,36 @@
allow $1 configd_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock };
')
+
+########################################
+## <summary>
+## Allow reading of configd resource files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`configd_allow_resource_read',`
+
+ allow configd_t configd_resource_t:file read_file_perms;
+ allow configd_t configd_resource_t:dir r_dir_perms;
+
+')
+
+########################################
+## <summary>
+## Allow reading of configd resource files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`configd_allow_resource_execute',`
+
+ allow configd_t configd_resource_t:file { execute execute_no_trans};
+
+')
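Review bot: Both new interfaces hard-code `configd_t` as the subject instead of `$1`, so `configd_allow_resource_read(foo_t)` grants nothing to foo_t and silently re-grants to configd_t; the only current caller passes configd_t, which is why it appears to work. Change the three allow lines to `allow $1 configd_resource_t:file read_file_perms;`, `allow $1 configd_resource_t:dir r_dir_perms;` and `allow $1 configd_resource_t:file { execute execute_no_trans };`. The summary of configd_allow_resource_execute is also a copy of the read one; `Allow execution of configd resource files` would match its body.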
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#6 (text+ko) ====
@@ -9,12 +9,15 @@
type configd_exec_t;
domain_type(configd_t)
init_domain(configd_t, configd_exec_t)
-# Allow Mach IP w/ init_t (launchd)
+# Allow Mach IPC w/ init_t (launchd)
init_allow_ipc(configd_t)
# pid files
type configd_var_run_t;
files_pid_file(configd_var_run_t)
+
+# Resource files
+type configd_resource_t;
########################################
#
@@ -79,6 +82,10 @@
allow configd_t sbin_t:dir { getattr read search };
allow configd_t sbin_t:file { execute_no_trans getattr read };
+# Execute configd helpers
+configd_allow_resource_read(configd_t)
+configd_allow_resource_execute(configd_t)
+
# Allow configd to start ntpdate
ntp_domtrans_ntpdate(configd_t)
@@ -135,3 +142,29 @@
# Talk to WindowServer
WindowServer_allow_ipc(configd_t)
+WindowServer_allow_shm(configd_t)
+
+# Read prefs, etc
+darwin_allow_global_pref_read(configd_t)
+darwin_allow_host_pref_read(configd_t)
+darwin_allow_system_read(configd_t)
+
+# Use Frameworks
+frameworks_read(configd_t)
+frameworks_execute(configd_t)
+
+# Read CoreServices libs, etc
+darwin_allow_CoreServices_read(configd_t)
+
+# Read /private/var
+files_read_var_files(configd_t)
+
+# Read /private
+darwin_allow_private_read(configd_t)
+
+# list modules
+allow configd_t modules_dep_t:dir search;
+
+# I'm certain there's a "proper" way to do this...
+allow configd_t port_t:tcp_socket name_connect;
+
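Review bot: `allow configd_t port_t:tcp_socket name_connect;` on the last line lets configd connect to every TCP port that carries no specific label, which is most of them, rather than the one service it needs. If the destination is known, use the corenet interface for that port type or declare a port type for it; the `I'm certain there's a "proper" way` comment suggests this is a placeholder, so at minimum a `# TODO: narrow to <port type>; denial was for <service>` comment would keep it from being forgotten.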
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#5 (text+ko) ====
@@ -30,9 +30,14 @@
allow coreaudiod_t mnt_t:dir getattr;
allow coreaudiod_t nfs_t:lnk_file read;
allow coreaudiod_t sbin_t:dir { getattr read search };
+allow coreaudiod_t mnt_t:dir search;
+allow coreaudiod_t random_device_t:chr_file read;
+
# Talking to itself
mach_allow_message(coreaudiod_t, coreaudiod_t)
+allow coreaudiod_t self:fd use;
+allow coreaudiod_t self:udp_socket create;
# Talk to the bootstrap server
init_allow_bootstrap(coreaudiod_t)
@@ -43,4 +48,18 @@
# Talk to securityd
securityd_allow_ipc(securityd_t)
+# Talk to kernel
+kernel_allow_ipc(coreaudiod_t)
+
+# Talk to lookupd
+lookupd_allow_ipc(coreaudiod_t)
+# Allow reading of prefs
+darwin_allow_global_pref_read(coreaudiod_t)
+darwin_allow_host_pref_read(coreaudiod_t)
+
+# Allow reading of CoreServices files
+darwin_allow_CoreServices_read(coreaudiod_t)
+
+# Allow reading of /private
+darwin_allow_private_read(coreaudiod_t)
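Review bot: The new `kernel_allow_ipc(coreaudiod_t)` and `lookupd_allow_ipc(coreaudiod_t)` calls pass the daemon's own domain, but the context line they sit under, `securityd_allow_ipc(securityd_t)`, passes securityd_t, so coreaudiod_t still receives no securityd IPC grant. That line predates this change, but since the hunk edits the same block it is worth correcting to `securityd_allow_ipc(coreaudiod_t)` here.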
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#5 (text+ko) ====
@@ -87,3 +87,15 @@
# Allow Mach IPC with diskarbitrationd
WindowServer_allow_ipc(diskarbitrationd_t)
+
+# Read prefs, etc
+darwin_allow_global_pref_read(diskarbitrationd_t)
+darwin_allow_host_pref_read(diskarbitrationd_t)
+darwin_allow_system_read(diskarbitrationd_t)
+
+# Allow access to frameworks
+frameworks_read(diskarbitrationd_t)
+
+
+# Read /private/var
+files_read_var_files(diskarbitrationd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#3 (text+ko) ====
@@ -32,12 +32,15 @@
allow kextd_t nfs_t:filesystem getattr;
allow kextd_t nfs_t:lnk_file read;
allow kextd_t mnt_t:dir { getattr read search };
+allow kextd_t sbin_t:dir { getattr read search };
+allow kextd_t sbin_t:file { getattr read };
# Talk to self
mach_allow_message(kextd_t, kextd_t)
allow kextd_t self:mach_task set_special_port;
allow kextd_t self:process signal;
+allow kextd_t self:udp_socket create;
# Talk to launchd
init_allow_ipc(kextd_t)
@@ -63,3 +66,17 @@
# Talk to update
update_allow_ipc(kextd_t)
+# Read prefs, etc
+darwin_allow_global_pref_read(kextd_t)
+darwin_allow_host_pref_read(kextd_t)
+darwin_allow_system_read(kextd_t)
+
+# Use Frameworks
+frameworks_read(kextd_t)
+
+# Use tmp files
+files_tmp_file(kextd_t)
+
+
+# Read /private/var
+files_read_var_files(kextd_t)
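Review bot: `files_tmp_file(kextd_t)` applies the tmp-file type interface to the kextd process domain; that interface marks its argument as a file type living under /tmp, it does not grant a domain access to tmp files, so kextd_t gets tagged as a file type and still has no tmp permissions. The pid-file handling in DirectoryService.te in this same change (`type …_var_run_t;`, `files_pid_file(...)`, then a filetrans) is the pattern to mirror, with the `type` declaration placed in the declarations section at the top of kextd.te, outside this hunk. Which object classes kextd creates in /tmp is not visible here; the excerpt below assumes regular files and directories.
```selinux
# Use tmp files (declare kextd_tmp_t in the declarations section)
type kextd_tmp_t;
files_tmp_file(kextd_tmp_t)
allow kextd_t kextd_tmp_t:file manage_file_perms;
allow kextd_t kextd_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(kextd_t, kextd_tmp_t, { file dir })
```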
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#4 (text+ko) ====
@@ -13,11 +13,11 @@
#
# /etc
#
-/etc -d gen_context(system_u:object_r:etc_t,s0)
-/etc/.* gen_context(system_u:object_r:etc_t,s0)
-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
-/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/private/etc -d gen_context(system_u:object_r:etc_t,s0)
+/private/etc/.* gen_context(system_u:object_r:etc_t,s0)
+/private/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+/private/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/private/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
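Review bot: This hunk re-points the /etc specs at /private/etc but removes the only spec that matched the `/etc` path itself, which on Darwin is a symlink to /private/etc; the same applies to `/tmp` and `/var` in the two hunks below. Unless the new system/darwin.fc (not shown) labels those symlinks, they fall back to the root default. Adding `-l` entries such as `/etc -l gen_context(system_u:object_r:etc_t,s0)` beside the /private specs keeps lookups through the symlink labelled consistently.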
#
# HOME_ROOT
@@ -44,13 +44,13 @@
/Volumes/[^/]*/.* <<none>>
#
-# /tmp
+# /private/tmp
#
-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-/tmp/.* <<none>>
+/private/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/private/tmp/.* <<none>>
-/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/tmp/lost\+found/.* <<none>>
+/private/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/private/tmp/lost\+found/.* <<none>>
#
# /usr
@@ -73,25 +73,25 @@
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
#
-# /var
+# /private/var
#
-/var -d gen_context(system_u:object_r:var_t,s0)
-/var/.* gen_context(system_u:object_r:var_t,s0)
+/private/var -d gen_context(system_u:object_r:var_t,s0)
+/private/var/.* gen_context(system_u:object_r:var_t,s0)
-/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
+/private/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
-/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/var/lost\+found/.* <<none>>
+/private/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/private/var/lost\+found/.* <<none>>
-/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
-/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid <<none>>
+/private/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/private/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+/private/var/run/.*\.*pid <<none>>
-/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
-/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/private/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+/private/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-/var/tmp/.* <<none>>
-/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/var/tmp/lost\+found/.* <<none>>
-/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+/private/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/private/var/tmp/.* <<none>>
+/private/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/private/var/tmp/lost\+found/.* <<none>>
+/private/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/filesystem.te#4 (text+ko) ====
@@ -27,6 +27,8 @@
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr hfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr hfsplus gen_context(system_u:object_r:fs_t,s0);
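Review bot: Switching hfs and hfsplus from `genfscon` to `fs_use_xattr` means every inode on those volumes is now labelled from its own extended attribute, and anything never relabelled presumably comes up as the unlabeled default instead of the blanket nfs_t the removed genfscon lines gave it. That is the right direction, but it makes a full setfiles pass over the boot volume a prerequisite for loading this policy; a comment here such as `# hfs/hfsplus volumes must be relabelled before this policy is loaded` or a line in the change description would warn whoever deploys it.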
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
@@ -153,13 +155,13 @@
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
#
-# iso9660_t is the type for CD filesystems
+# cd9660_t is the type for CD filesystems
# and their files.
#
-type iso9660_t;
-fs_noxattr_type(iso9660_t)
-genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
-genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+type cd9660_t;
+fs_noxattr_type(cd9660_t)
+genfscon cd9660 / gen_context(system_u:object_r:cd9660_t,s0)
+genfscon udf / gen_context(system_u:object_r:cd9660_t,s0)
#
# removable_t is the default type of all removable media
@@ -179,8 +181,6 @@
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.fc#3 (text+ko) ====
@@ -1,3 +1,6 @@
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/System/Library/Filesystems.* gen_context(system_u:object_r:fsadm_t,s0)
+/System/Library/Filesystems/.*/MacOS/.* gen_context(system_u:object_r:fsadm_exec_t,s0)
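Review bot: `/System/Library/Filesystems.* gen_context(system_u:object_r:fsadm_t,s0)` labels a file tree with fsadm_t, which is the fsadm process domain rather than a file type, so the file-type attribute rules (`files_read_all_files` and friends) will not cover it and the new fstools_read_files interface has to grant against a domain type. Declare a dedicated file type (say fsadm_resource_t) for the bundle contents and use `/System/Library/Filesystems(/.*)?` with it, keeping the existing `MacOS/.*` line as fsadm_exec_t. The missing slash before `.*` also lets the first spec match sibling names that merely start with `Filesystems`.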
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.if#4 (text+ko) ====
@@ -129,3 +129,24 @@
allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## Read fsadm files
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_read_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 fsadm_t:dir r_dir_perms;
+ allow $1 fsadm_t:file read_file_perms;
+ allow $1 fsadm_t:lnk_file { read };
+
+')
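Review bot: The `gen_require` in fstools_read_files lists `type swapfile_t;`, a type the body never uses, while the type it does use, fsadm_t, is not required; replace it with `type fsadm_t;` so the interface resolves when called from another module. `allow $1 fsadm_t:lnk_file { read };` can drop the braces to match the surrounding style.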
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#4 (text+ko) ====
@@ -648,3 +648,11 @@
# Talk to notifyd
notifyd_allow_ipc(init_t)
+
+# Read prefs, etc
+darwin_allow_global_pref_read(init_t)
+darwin_allow_host_pref_read(init_t)
+darwin_allow_system_read(init_t)
+
+# Use Frameworks
+frameworks_read(init_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#3 (text+ko) ====
@@ -1,9 +1,12 @@
#
# /System
#
+/System/Library gen_context(system_u:object_r:lib_t,s0)
/System/Library/Components/.*/Contents/MacOS/.* -- gen_context(system_u:object_r:lib_t,s0)
/System/Library/CoreServices/.*/Contents/MacOS/.* -- gen_context(system_u:object_r:lib_t,s0)
/System/Library/CoreServices/.*\.dylib -- gen_context(system_u:object_r:lib_t,s0)
+#/System/Library/Frameworks gen_context(system_u:object_r:lib_t,s0)
+#/System/Library/Frameworks/.* gen_context(system_u:object_r:lib_t,s0)
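Review bot: `/System/Library gen_context(system_u:object_r:lib_t,s0)` has neither a `-d` modifier nor a trailing pattern, so it labels exactly the /System/Library entry, whatever its type, as lib_t while its contents keep the more specific labels below; if that is the intent, `/System/Library -d gen_context(system_u:object_r:lib_t,s0)` states it. The two commented-out Frameworks specs look like a leftover experiment now that a frameworks module is added in this change; either delete them or replace them with a one-line comment saying frameworks.fc owns those paths.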
#
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/modutils.fc#3 (text+ko) ====
@@ -5,4 +5,6 @@
/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/sbin/kextload -- gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/kextunload -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/kextunload -- gen_context(system_u:object_r:insmod_exec_t,s0)
+
+/System/Library/Extensions.* gen_context(system_u:object_r:modules_dep_t,s0)
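Review bot: `/System/Library/Extensions.* gen_context(system_u:object_r:modules_dep_t,s0)` labels the whole kext tree, binaries included, as modules_dep_t, but WindowServer.te in this same change grants `execute` on modules_object_t and only `dir search` on modules_dep_t, so kexts labelled this way would not match the execute rule. In refpolicy modules_object_t is the type for the module objects themselves and modules_dep_t for dependency metadata, so `/System/Library/Extensions(/.*)? gen_context(system_u:object_r:modules_object_t,s0)` is probably the intent. The missing slash before `.*` also matches sibling names such as the kext cache files, which may be exactly where modules_dep_t belongs, so a separate spec for those would make the split explicit.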