PERFORCE change 113383 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:01:38 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113383
Change 113383 by millert at millert_macbook on 2007/01/22 19:52:03
Update to deal with /var/vm/swapfile* transition and labeling.
Allow other activities.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.te#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.fc#2 (text+ko) ====
@@ -4,3 +4,4 @@
# MCS categories: <none>
/sbin/dynamic_pager -- gen_context(system_u:object_r:dynamic_pager_exec_t,s0)
+/private/var/vm/swapfile.* gen_context(system_u:object_r:dynamic_pager_swapfile_t,s0)
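Review bot: The new swapfile entry omits the file-type field that the `/sbin/dynamic_pager` line directly above it carries (`--`), so the regex would label directories, symlinks or other object types matching that path as dynamic_pager_swapfile_t too, while the .te side of this change only grants and transitions class `file` for that type. Because file_contexts regexes are anchored but `.*` still matches `/`, the entry also covers anything nested below a swapfile path. Writing it as `/private/var/vm/swapfile.* -- gen_context(system_u:object_r:dynamic_pager_swapfile_t,s0)` keeps the label to regular files, consistent with the neighbouring line; narrowing `.*` to the real suffix pattern is worth doing once the swapfile naming is confirmed.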
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.te#3 (text+ko) ====
@@ -10,6 +10,9 @@
domain_type(dynamic_pager_t)
init_domain(dynamic_pager_t, dynamic_pager_exec_t)
+# /var/vm/swapfile*
+type dynamic_pager_swapfile_t;
+
########################################
#
# dynamic_pager local policy
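Review bot: `type dynamic_pager_swapfile_t;` is declared bare, with no file-type attribute, which is why the same change has to spell out `fs_t:filesystem associate` for it by hand in the local-policy hunk further down. If this sedarwin refpolicy carries the standard `files_type()` interface, declaring the type through it (`files_type(dynamic_pager_swapfile_t)`) would provide the associate rule and also let the generic file-handling and relabel interfaces see the swapfile type; if it is deliberately kept bare so that nothing outside dynamic_pager_t can reach swap contents, a one-line comment saying so next to the declaration would stop the next reader from "fixing" it.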
@@ -25,5 +28,26 @@
allow dynamic_pager_t self:fifo_file { read write };
allow dynamic_pager_t self:unix_stream_socket create_stream_socket_perms;
+# swapfiles
+allow dynamic_pager_t var_vm_t:dir { search add_name };
+allow dynamic_pager_t dynamic_pager_swapfile_t:file { create unlink read write swapon setattr };
+allow dynamic_pager_t fs_t:filesystem getattr;
+allow dynamic_pager_swapfile_t fs_t:filesystem associate;
+
+# files created by dynamic_pager in /var/vm are relabeled
+type_transition dynamic_pager_t var_vm_t:file dynamic_pager_swapfile_t;
+
+# talk to console
+allow dynamic_pager_t console_device_t:chr_file { read write };
+
# Talk to launchd
init_allow_ipc(dynamic_pager_t)
+
+# Talk to self
+mach_allow_message(dynamic_pager_t, dynamic_pager_t)
+
+# Talk to kernel
+kernel_allow_ipc(dynamic_pager_t)
+
+# Read /private
+darwin_allow_private_read(dynamic_pager_t)
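Review bot: `allow dynamic_pager_t var_vm_t:dir { search add_name };` covers creating a swapfile but not removing one, even though the file rule two lines below grants `unlink`: unlinking an entry requires `remove_name` on the parent directory, so the unlink permission cannot actually be exercised as written. Under Linux SELinux the VFS write check also demands `write` on the directory for create/unlink; whether sedarwin's hooks do the same should be confirmed, but `allow dynamic_pager_t var_vm_t:dir { search write add_name remove_name };` is the safe form. On the file rule, `setattr` is granted without `getattr`; that pairing is unusual and probably worth checking against an audit run before the policy is declared complete. The surrounding local-policy block starts before this hunk.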