PERFORCE change 113414 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:16:33 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113414
Change 113414 by millert at millert_macbook on 2007/01/22 20:07:45
Try to disambiguate file labels for shells and cron executables.
Add self mach_port permissions for syslogd_t and memberd_t.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corecommands.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/cron.fc#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#7 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#8 (text+ko) ====
@@ -42,8 +42,8 @@
init_allow_shm(memberd_t)
init_allow_bootstrap(memberd_t)
-# Talk tro self
-allow memberd_t self:mach_port make_send_once;
+# Talk to self
+allow memberd_t self:mach_port { copy_send hold_send send make_send_once };
# Talk to kernel
kernel_allow_ipc(memberd_t)
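Review bot: The widened grant on the `+allow memberd_t self:mach_port { copy_send hold_send send make_send_once };` line is the same four-permission list this change also adds for syslogd_t in logging.te, and neither hunk records which operation needed the extra send rights; presumably both came from audit denials, and a one-line comment such as `# self mach_port send rights needed for <operation — fill in>` above each grant would let a later reviewer tell an intended widening from an accidental one. Since the two grants are meant to stay in step, a shared interface in the darwin support macros, in the style of the `init_allow_shm`/`kernel_allow_ipc` calls already used here, would keep the two copies from drifting apart. The rights are confined to the domain's own ports, so the exposure is limited; the point is documentation and consistency rather than a denial of the change.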
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corecommands.fc#3 (text+ko) ====
@@ -8,7 +8,9 @@
/bin/ksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/csh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/zsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/zsh-.* -- gen_context(system_u:object_r:shell_exec_t,s0)
#
# /sbin
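Review bot: The added `+/bin/zsh-.*` pattern is a regex whose `.*` tail labels any regular file in /bin whose name begins with `zsh-` as shell_exec_t, not only a versioned zsh binary; if the intent is the versioned copy that sits next to /bin/zsh, a tighter form such as `/bin/zsh-[0-9.]+` keeps an unrelated future `zsh-<something>` helper from becoming a shell entry point. A short comment above the two new entries saying why /bin/csh and the versioned zsh now need explicit labels would also help, since the "disambiguate" reason in the commit message is not visible in the file itself.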
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/cron.fc#5 (text+ko) ====
@@ -7,6 +7,9 @@
/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/atq -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/atrm -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/batch -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
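Review bot: The three added lines label `atq`, `atrm` and `batch` as crond_exec_t, the daemon type used for `atd` and `cron(d)?` on the surrounding lines, yet these are the user-invoked at(1) queue utilities rather than daemon executables; with a daemon entry-point type, a user running `atq` either transitions into the daemon domain (if cron.te carries an automatic transition on crond_exec_t) or is blocked at execution, and neither outcome fits least privilege. Upstream refpolicy's cron.fc labels `at` and `crontab` as crontab_exec_t so that users enter the unprivileged crontab_t domain instead; if this sedarwin module keeps that type, `+/usr/sbin/atq -- gen_context(system_u:object_r:crontab_exec_t,s0)` (and likewise for atrm and batch) is the closer fit. This should be confirmed against cron.te, which is outside this change.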
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#7 (text+ko) ====
@@ -147,7 +147,7 @@
# Talk to self
allow syslogd_t self:socket { bind listen accept read };
-allow syslogd_t self:mach_port make_send_once;
+allow syslogd_t self:mach_port { copy_send hold_send send make_send_once };
# Talk to notifyd
notifyd_allow_ipc(syslogd_t)