PERFORCE change 113389 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:09:16 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113389
Change 113389 by millert at millert_macbook on 2007/01/22 19:55:26
Allow a number of things
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#7 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#7 (text+ko) ====
@@ -24,23 +24,30 @@
## internal communication is often done using fifo and unix sockets.
allow kextd_t self:fifo_file { read write };
allow kextd_t self:unix_stream_socket create_stream_socket_perms;
+allow kextd_t self:socket connect;
# Misc
allow kextd_t self:fd use;
allow kextd_t fs_t:filesystem getattr;
+allow kextd_t fs_t:lnk_file read;
+allow kextd_t root_t:file read;
+allow kextd_t boot_t:file { getattr read };
allow kextd_t self:mach_port { copy_send make_send_once send };
allow kextd_t random_device_t:chr_file read;
allow kextd_t nfs_t:filesystem getattr;
allow kextd_t nfs_t:lnk_file read;
allow kextd_t mnt_t:dir { getattr read search };
+allow kextd_t bin_t:dir { search };
+allow kextd_t bin_t:file { execute_no_trans read getattr };
allow kextd_t sbin_t:dir { getattr read search };
-allow kextd_t sbin_t:file { getattr read };
+allow kextd_t sbin_t:file { getattr read execute_no_trans };
+allow kextd_t lib_t:dir { write add_name };
-
# Talk to self
mach_allow_message(kextd_t, kextd_t)
-allow kextd_t self:process signal;
+allow kextd_t self:process { signal setsched };
allow kextd_t self:udp_socket create;
+allow kextd_t self:unix_dgram_socket create;
# Talk to launchd
init_allow_ipc(kextd_t)
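Review bot: `allow kextd_t lib_t:dir { write add_name };` lets kextd create entries directly under every lib_t-labelled directory, which is broader than the single cache or extensions directory that presumably motivates it; if the policy has (or can be given) a dedicated type for that directory the rule should target it instead, and at minimum the line needs a comment naming the directory it is for. The two `execute_no_trans` rules on bin_t and sbin_t files run system binaries inside kextd_t with kextd's full permission set rather than in a transitioned domain, so every allow in this hunk also applies to whatever those helpers do; a comment such as `# helper binaries run in kextd_t itself, no domain transition` would make that explicit. The generic `self:socket connect` on the first added line can usually be narrowed to the concrete socket class that produced the denial, which is not shown here.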
@@ -49,6 +56,7 @@
# Talk to kernel
kernel_allow_ipc(kextd_t)
+allow kextd_t kernel_t:process taskforpid;
# Talk to diskarbitrationd
diskarbitrationd_allow_ipc(kextd_t)
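Review bot: `allow kextd_t kernel_t:process taskforpid;` gives kextd the kernel task port, which makes kextd_t effectively as trusted as the kernel and is the most consequential line in the change, yet it carries no comment; it should say why it is required, e.g. `# kext loading needs the kernel task port (task_for_pid on the kernel)`. Because the first hunk also lets kextd execute bin_t and sbin_t files without a domain transition, those binaries inherit this permission as well; worth confirming that is intended.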
@@ -77,7 +85,8 @@
# Use tmp files
files_tmp_file(kextd_t)
files_manage_generic_tmp_files(kextd_t)
-files_manage_generic_tmp_files(kextd_t)
+files_read_generic_tmp_symlinks(kextd_t)
+allow kextd_t tmp_t:dir { create rmdir };
# Read /private/var
files_read_var_files(kextd_t)
@@ -91,6 +100,11 @@
# Use CoreServices
darwin_allow_CoreServices_read(kextd_t)
+allow kextd_t coreservicesd_t:shm { read write };
+allow kextd_t coreservicesd_t:mach_port hold_send;
# Read modules
modutils_read_module_deps(kextd_t)
+
+# Talk to console
+allow kextd_t console_device_t:chr_file { read write };
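Review bot: `allow kextd_t coreservicesd_t:shm { read write };` grants kextd write access to another daemon's shared-memory segments, a cross-domain write that the surrounding `darwin_allow_CoreServices_read` interface name does not suggest; a comment stating which CoreServices facility needs it, and whether read alone would suffice, would help the next reviewer, e.g. `# CoreServices shared-memory cache; write access needed for <reason>`. The adjacent `hold_send` on the coreservicesd mach_port is consistent with the existing IPC interfaces and needs no change.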