From owner-p4-projects@FreeBSD.ORG Thu Jun 26 18:28:50 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id AACA637B404; Thu, 26 Jun 2003 18:28:49 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C81737B401 for ; Thu, 26 Jun 2003 18:28:49 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB65043FEA for ; Thu, 26 Jun 2003 18:28:48 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h5R1Sm0U016202 for ; Thu, 26 Jun 2003 18:28:48 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h5R1SmAL016199 for perforce@freebsd.org; Thu, 26 Jun 2003 18:28:48 -0700 (PDT) Date: Thu, 26 Jun 2003 18:28:48 -0700 (PDT) Message-Id: <200306270128.h5R1SmAL016199@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@nailabs.com using -f From: Chris Vance To: Perforce Change Reviews Subject: PERFORCE change 33724 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jun 2003 01:28:50 -0000 http://perforce.freebsd.org/chv.cgi?CH=33724 Change 33724 by cvance@cvance_demo on 2003/06/26 18:28:30 Update SEBSD policy slightly - allows system to boot in enforcing mode, with (very) basic support. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 (text+ko) ==== @@ -41,5 +41,8 @@ allow getty_t tty_device_t:chr_file rw_file_perms; allow getty_t ttyfile:chr_file rw_file_perms; +rw_dir_create_file(getty_t, var_lock_t) -rw_dir_create_file(getty_t, var_lock_t) +# Allow getty _secure_path call to stat /root/.login_conf +allow getty_t sysadm_home_t:dir r_dir_perms; + ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ==== @@ -76,6 +76,7 @@ # Update /etc/ld.so.cache. allow initrc_t ld_so_cache_t:file rw_file_perms; +allow initrc_t ld_so_cache_t:file unlink; # Update /etc/mail. allow initrc_t etc_mail_t:file rw_file_perms; @@ -98,6 +99,7 @@ # Access /var/db/entropy. allow initrc_t var_db_entropy_t:file rw_file_perms; allow initrc_t var_db_entropy_t:file unlink; +allow initrc_t var_db_entropy_t:dir read; # Create lock file. allow initrc_t var_lock_t:dir create_dir_perms; @@ -154,6 +156,8 @@ ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;') allow initrc_t var_spool_t:file rw_file_perms; +allow initrc_t var_spool_t:file { create unlink }; +allow initrc_t var_spool_t:dir rw_dir_perms; ifdef(`pump.te', `allow initrc_t pump_var_run_t:sock_file unlink;') @@ -209,3 +213,6 @@ allow initrc_t pidfile:sock_file unlink; allow initrc_t tmpfile:sock_file unlink; rw_dir_create_file(initrc_t, var_lib_t) + +allow initrc_t devfs_t:dir rw_dir_perms; +allow initrc_t devfs_t:lnk_file create; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 (text+ko) ==== @@ -25,3 +25,5 @@ allow ldconfig_t etc_t:file r_file_perms; allow ldconfig_t fs_t:filesystem getattr; + +allow ldconfig_t init_t:fd use;