PERFORCE change 108521 for review
Todd Miller
millert at FreeBSD.org
Thu Oct 26 19:38:02 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=108521
Change 108521 by millert at millert_macbook on 2006/10/26 19:37:41
Add DirectoryService_support_t and use it
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#2 (text+ko) ====
@@ -4,4 +4,9 @@
# MCS categories: <none>
/usr/sbin/DirectoryService -- gen_context(system_u:object_r:DirectoryService_exec_t,s0)
-/Library/Logs/DirectoryService/ gen_context(system_u:object_r:DirectoryService_var_log_t,s0)
+/Library/Logs/DirectoryService/.* gen_context(system_u:object_r:DirectoryService_var_log_t,s0)
+
+/Library/Preferences/DirectoryService/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+/System/Library/Frameworks/DirectoryService.framework/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0)
+
+
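Review bot: The rewritten log entry `/Library/Logs/DirectoryService/.*` matches only paths below the directory, so a relabel leaves `/Library/Logs/DirectoryService` itself without DirectoryService_var_log_t, even though the .te grants `DirectoryService_var_log_t:dir` permissions. The usual refpolicy form covers both: `/Library/Logs/DirectoryService(/.*)? gen_context(system_u:object_r:DirectoryService_var_log_t,s0)`. The two new DirectoryService_resource_t entries use `--`, so only regular files get the label and directories or symlinks under the framework keep their default context. If that is intended, a one-line comment above them saying so would help.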
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#4 (text+ko) ====
@@ -14,6 +14,10 @@
type DirectoryService_var_log_t;
logging_log_file(DirectoryService_var_log_t)
+# Other DirectoryService component files
+type DirectoryService_resource_t;
+
+
########################################
#
# DirectoryService local policy
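Review bot: `type DirectoryService_resource_t;` is declared bare, unlike DirectoryService_var_log_t just above it, which is passed to `logging_log_file()`. Because the .fc change labels on-disk files with the new type, I would follow the declaration with `files_type(DirectoryService_resource_t)` so the type carries the file attribute that relabeling and generic file rules rely on; please confirm the sedarwin refpolicy tree provides that interface. The change description names DirectoryService_support_t while the type added here is DirectoryService_resource_t, so one of the two probably needs correcting.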
@@ -35,6 +39,9 @@
allow DirectoryService_t DirectoryService_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(DirectoryService_t,DirectoryService_var_log_t,{ sock_file file dir })
+# support files
+allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write };
+
# file descriptors and sockets
allow DirectoryService_t self:fd use;
allow DirectoryService_t self:socket { bind connect read write };
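Review bot: The added rule `allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write };` grants write and execute on the same type, and the .fc change in this commit puts both the preference files and the DirectoryService.framework contents under that type. The daemon is therefore permitted to modify framework code that it can also execute, which removes the integrity separation between mutable configuration and code. I would split the type, for example a preferences type with `{ getattr read setattr write }` and a framework type with `{ execute getattr read }`, with the two .fc lines pointing at the matching type. If write access to the framework files was only added to quiet a denial, it is worth confirming which path triggered it before keeping it.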