PERFORCE change 113413 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 20:16:31 UTC 2007 

http://perforce.freebsd.org/chv.cgi?CH=113413

Change 113413 by millert at millert_macbook on 2007/01/22 20:06:43

	Initial pass at loginwindow.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#13 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#13 (text+ko) ====

@@ -32,7 +32,7 @@
 term_setattr_console(loginwindow_t)
 allow loginwindow_t lib_t:file execute_no_trans;
 allow loginwindow_t self:fd use;
-allow loginwindow_t self:process { taskforpid signal }; # XXX
+allow loginwindow_t self:process { taskforpid signal ptrace }; # XXX
 allow loginwindow_t self:shm { create read setattr write };
 allow loginwindow_t self:socket { connect write };
 allow loginwindow_t self:udp_socket create;
@@ -46,8 +46,13 @@
 allow loginwindow_t volfs_t:dir search;
 
 # There has to be a "proper" interface for this. Fix this when we find it
-allow loginwindow_t bin_t:dir search;
-allow loginwindow_t bin_t:file { execute execute_no_trans read };
+allow loginwindow_t bin_t:dir { search read getattr };
+allow loginwindow_t bin_t:file { getattr execute execute_no_trans read };
+
+allow loginwindow_t darwin_services_t:dir { read search getattr };
+
+allow loginwindow_t init_t:process taskforpid;
+allow loginwindow_t unconfined_t:process getsched;
 
 # Talk to self
 mach_allow_message(loginwindow_t, loginwindow_t)
@@ -136,8 +141,13 @@
 
 # Access tmp files
 files_read_generic_tmp_files(loginwindow_t)
+files_read_generic_tmp_symlinks(loginwindow_t)
 files_manage_generic_tmp_files(loginwindow_t)
 
+# XXX: label transition for pid file?
+files_rw_generic_pids(loginwindow_t)
+allow loginwindow_t var_run_t:dir remove_name;
+
 # /var file operations
 files_rw_var_files(loginwindow_t)
 files_read_var_symlinks(loginwindow_t)
@@ -152,3 +162,7 @@
 
 # Access cache files
 allow loginwindow_t darwin_cache_t:dir search;
+
+# Read default_t
+files_list_default(loginwindow_t)
+files_read_default_files(loginwindow_t)

More information about the trustedbsd-cvs mailing list