PERFORCE change 113401 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 20:14:25 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113401

Change 113401 by millert at millert_macbook on 2007/01/22 20:01:14

	Update.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 (text+ko) ====

@@ -47,22 +47,20 @@
 allow diskarbitrationd_t self:socket { connect write };
 allow diskarbitrationd_t self:udp_socket create;
 allow diskarbitrationd_t self:unix_dgram_socket create;
-allow diskarbitrationd_t sbin_t:dir search;
+allow diskarbitrationd_t sbin_t:dir { getattr read search };
 
 # Allow disk/device/fs operations
 allow diskarbitrationd_t device_t:chr_file { ioctl read };
-allow diskarbitrationd_t fs_t:dir getattr;
+allow diskarbitrationd_t fs_t:dir { search getattr };
+allow diskarbitrationd_t fs_t:lnk_file unlink;
 allow diskarbitrationd_t fsadm_t:file execute_no_trans;
 
 # Allow mount operations
-allow diskarbitrationd_t fs_t:filesystem mount;
+allow diskarbitrationd_t fs_t:filesystem { getattr mount };
 allow diskarbitrationd_t mnt_t:dir { getattr read remove_name rmdir search };
 allow diskarbitrationd_t mnt_t:file { getattr unlink };
 allow diskarbitrationd_t mnt_t:lnk_file unlink;
 
-
-
-
 # Allow various file operations
 allow diskarbitrationd_t nfs_t:dir getattr;
 allow diskarbitrationd_t nfs_t:filesystem mount;
@@ -76,12 +74,7 @@
 
 # Allow access to raw disk devices
 storage_raw_read_fixed_disk(diskarbitrationd_t)
-# Note: This causes the following error...we need to figure it out:
-#
-## libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read };
-# libsepol.check_assertions: 1 assertion violations occured
-# Error while expanding policy
-#allow diskarbitrationd_t fixed_disk_device_t:blk_file { ioctl read };
+storage_raw_write_fixed_disk(diskarbitrationd_t)
 
 # Allow signaling fsck, etc
 allow diskarbitrationd_t fsadm_t:process signal;
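Review bot: `storage_raw_write_fixed_disk(diskarbitrationd_t)` grants raw write to fixed-disk block devices, yet the commented-out rule this hunk removes asked only for `{ ioctl read }`, so nothing visible here explains the write half. Raw block-device write lets the domain change on-disk data underneath the file labels, which makes it one of the widest grants in this module. The removed note shows that a direct allow on `fixed_disk_device_t` trips a policy assertion, so using the storage interface is reasonable, but it should be confirmed that `write` (and not just `ioctl`) was the denied permission. A comment should record the reason, for example `# Raw write needed for <operation that was denied>`. The interface definition is outside this change, so what else it grants cannot be checked from here.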
@@ -117,6 +110,9 @@
 darwin_allow_host_pref_read(diskarbitrationd_t)
 darwin_allow_system_read(diskarbitrationd_t)
 
+# Use CoreServices
+darwin_allow_CoreServices_read(diskarbitrationd_t)
+
 # Allow access to frameworks
 frameworks_read(diskarbitrationd_t)
 
@@ -131,3 +127,6 @@
 
 # Search /var/vm
 files_search_vm(diskarbitrationd_t)
+
+# Read /var (symlinks)
+files_read_var_files(diskarbitrationd_t)
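Review bot: The comment `# Read /var (symlinks)` states a symlink need, but `files_read_var_files` by its name grants reading of regular files of the generic /var type, which would be broader than the comment asks for. The same call is added for `lookupd_t` (together with `files_list_var`) in lookupd.te and for `syslogd_t` in logging.te, each under a comment about /var or /var symlinks. If only symlink traversal is required, a rule limited to `lnk_file read` on that type would keep the three daemons from reading unrelated /var content. If file reads are intended, the comments should say so, e.g. `# Read files and symlinks in /var`. The interface body is not part of this change, so the exact permission set should be confirmed against its definition.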

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 (text+ko) ====

@@ -46,7 +46,7 @@
 
 # Misc
 allow lookupd_t mnt_t:dir search;
-allow lookupd_t nfs_t:filesystem getattr;
+allow lookupd_t { fs_t nfs_t }:filesystem getattr;
 allow lookupd_t nfs_t:lnk_file read;
 allow lookupd_t port_t:tcp_socket name_connect;
 allow lookupd_t random_device_t:chr_file read;
@@ -103,3 +103,7 @@
 
 # Allow Mach IPC w/ syslogd
 logging_allow_ipc(lookupd_t)
+
+# Read /var
+files_list_var(lookupd_t)
+files_read_var_files(lookupd_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 (text+ko) ====

@@ -40,7 +40,7 @@
 allow securityd_t nfs_t:filesystem getattr;
 allow securityd_t nfs_t:lnk_file read;
 allow securityd_t usr_t:file { getattr read };
-allow securityd_t random_device_t:chr_file read;
+allow securityd_t random_device_t:chr_file { read write };
 allow securityd_t sbin_t:dir { getattr read search };
 
 # /var file operations
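Review bot: The added `write` on `random_device_t:chr_file` has no comment, and it sits in a run of grants that are otherwise read-only (`getattr`, `read`, `search`). Writing to the random device feeds caller-supplied data into the kernel pool, so the policy should record why securityd needs it rather than leaving it looking like a fix-up for a logged denial. Suggested comment above the rule: `# securityd writes to the random device (TODO: note the operation that requires this)`.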

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 (text+ko) ====

@@ -53,6 +53,9 @@
 allow syslogd_t devlog_t:sock_file create_file_perms;
 files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 
+# Read /var symlinks
+files_read_var_files(syslogd_t)
+
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
 allow syslogd_t var_log_t:file create_file_perms;
@@ -86,11 +89,12 @@
 # Kernel messages come from /dev/klog
 dev_filetrans(syslogd_t,devklog_t,chr_file)
 genfscon devfs /klog gen_context(system_u:object_r:devklog_t,0s)
-allow syslogd_t devklog_t:chr_file read;
+allow syslogd_t devklog_t:chr_file { read ioctl };
 
 fs_search_auto_mountpoints(syslogd_t)
 
 term_write_console(syslogd_t)
+allow syslogd_t console_device_t:file write;
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
 
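Review bot: `allow syslogd_t console_device_t:file write;` uses object class `file`, whereas a console device node would normally be checked as `chr_file`, which `term_write_console(syslogd_t)` on the line above presumably already covers. If the denial on this platform really was reported with class `file`, the rule needs a comment saying so, e.g. `# console is checked as class file here; term_write_console only covers chr_file (confirm against the denial)`. If it was not, the class is likely a mistake and the rule grants nothing useful. The added `ioctl` on `devklog_t:chr_file` in the same hunk is also uncommented.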
@@ -142,12 +146,16 @@
 kernel_allow_ipc(syslogd_t)
 
 # Talk to self
-allow syslogd_t self:socket read;
+allow syslogd_t self:socket { bind listen accept read };
+allow syslogd_t self:mach_port make_send_once;
 
 # Talk to notifyd
 notifyd_allow_ipc(syslogd_t)
 notifyd_allow_shm(syslogd_t)
 
+# Read /private
+darwin_allow_private_read(syslogd_t)
+
 ifdef(`targeted_policy',`
 	allow syslogd_t var_run_t:fifo_file { ioctl read write };
 	term_dontaudit_use_unallocated_ttys(syslogd_t)

