PERFORCE change 113386 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:02:29 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113386
Change 113386 by millert at millert_macbook on 2007/01/22 19:53:43
Add permissions for /var/vm.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#11 (text+ko) ====
@@ -165,6 +165,8 @@
# Not sure why it wants to search this dir, it should know what it wants
allow configd_t var_log_t:dir search;
+# Search /var/vm
+files_search_vm(securityd_t)
# Read /private
darwin_allow_private_read(configd_t)
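Review bot: The call added to configd.te passes `securityd_t` rather than `configd_t`, so this change gives configd_t no search access to /var/vm. It also repeats the rule that the securityd.te hunk already adds for securityd_t. This looks like a copy-paste slip; the line should presumably read `files_search_vm(configd_t)`. As written, the configd module also grants access to another domain's type, which makes the policy harder to audit per module. Whether configd.te declares or requires securityd_t is not visible in the hunk.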
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#10 (text+ko) ====
@@ -129,4 +129,5 @@
# Read fstools files
fstools_read_files(diskarbitrationd_t)
-
+# Search /var/vm
+files_search_vm(diskarbitrationd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#8 (text+ko) ====
@@ -141,6 +141,8 @@
files_search_var(loginwindow_t)
files_read_var_symlinks(loginwindow_t)
+# Search /var/vm
+files_search_vm(loginwindow_t)
+
# Write to WTMP
auth_write_login_records(loginwindow_t)
-
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#7 (text+ko) ====
@@ -48,6 +48,8 @@
files_manage_var_dirs(securityd_t)
files_manage_var_symlinks(securityd_t)
+# Search /var/vm
+files_search_vm(securityd_t)
# Talk to launchd
init_allow_ipc(securityd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#5 (text+ko) ====
@@ -4501,6 +4501,25 @@
########################################
## <summary>
+## Search the contents of vm irectories (/var/vm).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_vm',`
+ gen_require(`
+ type var_t, var_vm_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_vm_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Unconfined access to files.
## </summary>
## <param name="domain">
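Review bot: The summary for `files_search_vm` contains the typo `vm irectories` and does not say that the interface also grants search on `var_t`. I would write it as `## Search the contents of vm directories (/var/vm), including the parent /var directory.` so callers know the full grant. Both rules use `search_dir_perms` on `dir` only, so nothing in this hunk lets a caller read files labelled `var_vm_t`; a short comment stating that this is intentional would help keep later edits from widening it. The next interface ("Unconfined access to files") continues outside the hunk.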