Date: Tue, 14 Nov 2006 20:58:08 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 109993 for review Message-ID: <200611142058.kAEKw8S2069972@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=109993 Change 109993 by millert@millert_macbook on 2006/11/14 20:57:07 Update policy. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/ATconfig.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Apple80211Monitor.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/BatteryUpdater.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/Bluetooth.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/DynamicPowerStep.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/IP6Configuration.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PPPController.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PowerManagement.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/SystemConfiguration/PrinterNotifications.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/filesystem.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.if#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/modutils.fc#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#5 (text+ko) ==== @@ -1611,6 +1611,8 @@ # # Darwin System Configuration Daemon # +darwin = module +frameworks = module mach = module configd = module DirectoryService = module @@ -1631,3 +1633,11 @@ lookupd = module +ATconfig = module +Apple80211Monitor = module +BatteryUpdater = module +Bluetooth = module +DynamicPowerStep = module +IP6Configuration = module +PPPController = module +PowerManagement = module ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#3 (text+ko) ==== @@ -4,9 +4,17 @@ # MCS categories: <none> /usr/sbin/DirectoryService -- gen_context(system_u:object_r:DirectoryService_exec_t,s0) +/Library/Logs/DirectoryService -d gen_context(system_u:object_r:DirectoryService_var_log_t,s0) /Library/Logs/DirectoryService/.* gen_context(system_u:object_r:DirectoryService_var_log_t,s0) +/Library/Preferences/DirectoryService -d gen_context(system_u:object_r:DirectoryService_resource_t,s0) /Library/Preferences/DirectoryService/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0) -/System/Library/Frameworks/DirectoryService.framework/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0) +/System/Library/Frameworks/DirectoryService.framework -d gen_context(system_u:object_r:DirectoryService_resource_t,s0) +/System/Library/Frameworks/DirectoryService.framework/.* gen_context(system_u:object_r:DirectoryService_resource_t,s0) +/System/Library/PrivateFrameworks/DirectoryServiceCore.framework.* gen_context(system_u:object_r:DirectoryService_resource_t,s0) + +/private/var/run/.DSRunningSP1 -- gen_context(system_u:object_r:DirectoryService_var_run_t,s0) +#/System +/System -d gen_context(system_u:object_r:darwin_system_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#5 (text+ko) ==== @@ -17,6 +17,9 @@ # Other DirectoryService component files type DirectoryService_resource_t; +type DirectoryService_var_run_t; +files_pid_file(DirectoryService_var_run_t) + ######################################## # @@ -33,6 +36,12 @@ allow DirectoryService_t self:fifo_file { read write }; allow DirectoryService_t self:unix_stream_socket create_stream_socket_perms; +# pid file +allow DirectoryService_t DirectoryService_var_run_t:file manage_file_perms; +allow DirectoryService_t DirectoryService_var_run_t:sock_file manage_file_perms; +allow DirectoryService_t DirectoryService_var_run_t:dir rw_dir_perms; +files_pid_filetrans(DirectoryService_t,DirectoryService_var_run_t, { file sock_file }) + # log files allow DirectoryService_t DirectoryService_var_log_t:file create_file_perms; allow DirectoryService_t DirectoryService_var_log_t:sock_file create_file_perms; @@ -41,6 +50,7 @@ # support files allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write }; +allow DirectoryService_t DirectoryService_resource_t:dir { getattr read search }; # file descriptors and sockets allow DirectoryService_t self:fd use; @@ -60,6 +70,8 @@ allow DirectoryService_t self:process signal; allow DirectoryService_t self:socket create; allow DirectoryService_t bin_t:dir search; +allow DirectoryService_t nfs_t:dir { getattr read }; + # Allow Mach IPC with self @@ -67,6 +79,7 @@ # Allow communication with bootstrap server init_allow_bootstrap(DirectoryService_t) +init_allow_shm(DirectoryService_t) # Allow communication with notification server notifyd_allow_ipc(DirectoryService_t) @@ -91,3 +104,28 @@ # Allow shared memory usage w/ notifyd notifyd_allow_shm(DirectoryService_t) + +# Allow reading of prefs files +darwin_allow_global_pref_read(DirectoryService_t) +darwin_allow_host_pref_read(DirectoryService_t) + +# Allow reading of /System +darwin_allow_system_read(DirectoryService_t) + +# Allow shadow file stuff +auth_getattr_shadow(DirectoryService_t) +auth_rw_shadow(DirectoryService_t) +auth_manage_shadow(DirectoryService_t) + +# Framework access +frameworks_read(DirectoryService_t) +frameworks_execute(DirectoryService_t) + +# Read /private +darwin_allow_private_read(DirectoryService_t) + +# Read /private/var +files_read_var_files(DirectoryService_t) + +# Use CoreServices +darwin_allow_CoreServices_read(DirectoryService_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#3 (text+ko) ==== @@ -30,3 +30,6 @@ # Talk to notifyd notifyd_allow_ipc(KernelEventAgent_t) + +# Talk to launchd +init_allow_ipc(KernelEventAgent_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#2 (text+ko) ==== @@ -4,3 +4,5 @@ # MCS categories: <none> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0) + +/System/Library/Displays/Overrides -- gen_context(system_u:object_r:WindowServer_resource_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#4 (text+ko) ==== @@ -85,3 +85,19 @@ allow $1 WindowServer_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock }; ') + +######################################## +## <summary> +## Allow reading of WindowServer resources +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain.o## </summary> +## </param> +# +interface(`WindowServer_allow_resource_read',` + + allow $1 WindowServer_resource_t:file {read getattr}; + allow $1 WindowServer_resource_t:dir {search}; + +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#5 (text+ko) ==== @@ -7,6 +7,7 @@ type WindowServer_t; type WindowServer_exec_t; +type WindowServer_resource_t; domain_type(WindowServer_t) init_domain(WindowServer_t, WindowServer_exec_t) @@ -63,9 +64,21 @@ configd_allow_ipc(WindowServer_t) configd_allow_shm(WindowServer_t) +# Allow WindowServer to load kexts *shudder* +allow WindowServer_t modules_object_t:dir { getattr read search }; +allow WindowServer_t modules_object_t:file { execute getattr read }; + +# task_for_pid() for securityd +allow WindowServer_t securityd_t:process taskforpid; + +# Find the proper interface for this later +allow WindowServer_t var_log_t:dir search; +allow WindowServer_t var_log_t:file { getattr setattr write }; + # Misc allow WindowServer_t nfs_t:filesystem getattr; allow WindowServer_t nfs_t:lnk_file read; +allow WindowServer_t nfs_t:dir search; allow WindowServer_t mnt_t:dir search; allow WindowServer_t self:mach_task set_special_port; allow WindowServer_t self:process { setsched signal }; @@ -74,6 +87,30 @@ allow WindowServer_t mnt_t:dir getattr; allow WindowServer_t sbin_t:dir search; +# Read prefs, etc +darwin_allow_global_pref_read(WindowServer_t) +darwin_allow_host_pref_read(WindowServer_t) +darwin_allow_system_read(WindowServer_t) +# Allow execution of framework bits +frameworks_execute(WindowServer_t) +frameworks_read(WindowServer_t) + +# Read our resources +WindowServer_allow_resource_read(WindowServer_t) + +# Read /private/var +files_read_var_files(WindowServer_t) + +# Talk to CoreServices +darwin_allow_CoreServices_read(WindowServer_t) +# Read /private +darwin_allow_private_read(WindowServer_t) + +# Allow set_special_port to loginwindow +allow WindowServer_t loginwindow_t:mach_task set_special_port; + +# Read modules +allow WindowServer_t modules_dep_t:dir search; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.fc#3 (text+ko) ==== @@ -5,3 +5,4 @@ /usr/sbin/configd -- gen_context(system_u:object_r:configd_exec_t,s0) /private/var/run/configd.pid gen_context(system_u:object_r:configd_var_run_t,s0) +/System/Library/SystemConfiguration.* gen_context(system_u:object_r:configd_resource_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#5 (text+ko) ==== @@ -90,3 +90,36 @@ allow $1 configd_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock }; ') + +######################################## +## <summary> +## Allow reading of configd resource files +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +# +interface(`configd_allow_resource_read',` + + allow configd_t configd_resource_t:file read_file_perms; + allow configd_t configd_resource_t:dir r_dir_perms; + +') + +######################################## +## <summary> +## Allow reading of configd resource files +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +# +interface(`configd_allow_resource_execute',` + + allow configd_t configd_resource_t:file { execute execute_no_trans}; + +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#6 (text+ko) ==== @@ -9,12 +9,15 @@ type configd_exec_t; domain_type(configd_t) init_domain(configd_t, configd_exec_t) -# Allow Mach IP w/ init_t (launchd) +# Allow Mach IPC w/ init_t (launchd) init_allow_ipc(configd_t) # pid files type configd_var_run_t; files_pid_file(configd_var_run_t) + +# Resource files +type configd_resource_t; ######################################## # @@ -79,6 +82,10 @@ allow configd_t sbin_t:dir { getattr read search }; allow configd_t sbin_t:file { execute_no_trans getattr read }; +# Execute configd helpers +configd_allow_resource_read(configd_t) +configd_allow_resource_execute(configd_t) + # Allow configd to start ntpdate ntp_domtrans_ntpdate(configd_t) @@ -135,3 +142,29 @@ # Talk to WindowServer WindowServer_allow_ipc(configd_t) +WindowServer_allow_shm(configd_t) + +# Read prefs, etc +darwin_allow_global_pref_read(configd_t) +darwin_allow_host_pref_read(configd_t) +darwin_allow_system_read(configd_t) + +# Use Frameworks +frameworks_read(configd_t) +frameworks_execute(configd_t) + +# Read CoreServices libs, etc +darwin_allow_CoreServices_read(configd_t) + +# Read /private/var +files_read_var_files(configd_t) + +# Read /private +darwin_allow_private_read(configd_t) + +# list modules +allow configd_t modules_dep_t:dir search; + +# I'm certain there's a "proper" way to do this... +allow configd_t port_t:tcp_socket name_connect; + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#5 (text+ko) ==== @@ -30,9 +30,14 @@ allow coreaudiod_t mnt_t:dir getattr; allow coreaudiod_t nfs_t:lnk_file read; allow coreaudiod_t sbin_t:dir { getattr read search }; +allow coreaudiod_t mnt_t:dir search; +allow coreaudiod_t random_device_t:chr_file read; + # Talking to itself mach_allow_message(coreaudiod_t, coreaudiod_t) +allow coreaudiod_t self:fd use; +allow coreaudiod_t self:udp_socket create; # Talk to the bootstrap server init_allow_bootstrap(coreaudiod_t) @@ -43,4 +48,18 @@ # Talk to securityd securityd_allow_ipc(securityd_t) +# Talk to kernel +kernel_allow_ipc(coreaudiod_t) + +# Talk to lookupd +lookupd_allow_ipc(coreaudiod_t) +# Allow reading of prefs +darwin_allow_global_pref_read(coreaudiod_t) +darwin_allow_host_pref_read(coreaudiod_t) + +# Allow reading of CoreServices files +darwin_allow_CoreServices_read(coreaudiod_t) + +# Allow reading of /private +darwin_allow_private_read(coreaudiod_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#5 (text+ko) ==== @@ -87,3 +87,15 @@ # Allow Mach IPC with diskarbitrationd WindowServer_allow_ipc(diskarbitrationd_t) + +# Read prefs, etc +darwin_allow_global_pref_read(diskarbitrationd_t) +darwin_allow_host_pref_read(diskarbitrationd_t) +darwin_allow_system_read(diskarbitrationd_t) + +# Allow access to frameworks +frameworks_read(diskarbitrationd_t) + + +# Read /private/var +files_read_var_files(diskarbitrationd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#3 (text+ko) ==== @@ -32,12 +32,15 @@ allow kextd_t nfs_t:filesystem getattr; allow kextd_t nfs_t:lnk_file read; allow kextd_t mnt_t:dir { getattr read search }; +allow kextd_t sbin_t:dir { getattr read search }; +allow kextd_t sbin_t:file { getattr read }; # Talk to self mach_allow_message(kextd_t, kextd_t) allow kextd_t self:mach_task set_special_port; allow kextd_t self:process signal; +allow kextd_t self:udp_socket create; # Talk to launchd init_allow_ipc(kextd_t) @@ -63,3 +66,17 @@ # Talk to update update_allow_ipc(kextd_t) +# Read prefs, etc +darwin_allow_global_pref_read(kextd_t) +darwin_allow_host_pref_read(kextd_t) +darwin_allow_system_read(kextd_t) + +# Use Frameworks +frameworks_read(kextd_t) + +# Use tmp files +files_tmp_file(kextd_t) + + +# Read /private/var +files_read_var_files(kextd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#4 (text+ko) ==== @@ -13,11 +13,11 @@ # # /etc # -/etc -d gen_context(system_u:object_r:etc_t,s0) -/etc/.* gen_context(system_u:object_r:etc_t,s0) -/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/private/etc -d gen_context(system_u:object_r:etc_t,s0) +/private/etc/.* gen_context(system_u:object_r:etc_t,s0) +/private/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +/private/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) +/private/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) # # HOME_ROOT @@ -44,13 +44,13 @@ /Volumes/[^/]*/.* <<none>> # -# /tmp +# /private/tmp # -/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -/tmp/.* <<none>> +/private/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/private/tmp/.* <<none>> -/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/tmp/lost\+found/.* <<none>> +/private/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/private/tmp/lost\+found/.* <<none>> # # /usr @@ -73,25 +73,25 @@ /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) # -# /var +# /private/var # -/var -d gen_context(system_u:object_r:var_t,s0) -/var/.* gen_context(system_u:object_r:var_t,s0) +/private/var -d gen_context(system_u:object_r:var_t,s0) +/private/var/.* gen_context(system_u:object_r:var_t,s0) -/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) +/private/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) -/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/var/lost\+found/.* <<none>> +/private/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/private/var/lost\+found/.* <<none>> -/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) -/var/run/.* gen_context(system_u:object_r:var_run_t,s0) -/var/run/.*\.*pid <<none>> +/private/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) +/private/var/run/.* gen_context(system_u:object_r:var_run_t,s0) +/private/var/run/.*\.*pid <<none>> -/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) -/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) +/private/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) +/private/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -/var/tmp/.* <<none>> -/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/var/tmp/lost\+found/.* <<none>> -/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) +/private/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/private/var/tmp/.* <<none>> +/private/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/private/var/tmp/lost\+found/.* <<none>> +/private/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/filesystem.te#4 (text+ko) ==== @@ -27,6 +27,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr hfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr hfsplus gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. @@ -153,13 +155,13 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) # -# iso9660_t is the type for CD filesystems +# cd9660_t is the type for CD filesystems # and their files. # -type iso9660_t; -fs_noxattr_type(iso9660_t) -genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) -genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +type cd9660_t; +fs_noxattr_type(cd9660_t) +genfscon cd9660 / gen_context(system_u:object_r:cd9660_t,s0) +genfscon udf / gen_context(system_u:object_r:cd9660_t,s0) # # removable_t is the default type of all removable media @@ -179,8 +181,6 @@ genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0) -genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gfs / gen_context(system_u:object_r:nfs_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.fc#3 (text+ko) ==== @@ -1,3 +1,6 @@ /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/System/Library/Filesystems.* gen_context(system_u:object_r:fsadm_t,s0) +/System/Library/Filesystems/.*/MacOS/.* gen_context(system_u:object_r:fsadm_exec_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/fstools.if#4 (text+ko) ==== @@ -129,3 +129,24 @@ allow $1 swapfile_t:file getattr; ') + +######################################## +## <summary> +## Read fsadm files +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`fstools_read_files',` + gen_require(` + type swapfile_t; + ') + + allow $1 fsadm_t:dir r_dir_perms; + allow $1 fsadm_t:file read_file_perms; + allow $1 fsadm_t:lnk_file { read }; + +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#4 (text+ko) ==== @@ -648,3 +648,11 @@ # Talk to notifyd notifyd_allow_ipc(init_t) + +# Read prefs, etc +darwin_allow_global_pref_read(init_t) +darwin_allow_host_pref_read(init_t) +darwin_allow_system_read(init_t) + +# Use Frameworks +frameworks_read(init_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#3 (text+ko) ==== @@ -1,9 +1,12 @@ # # /System # +/System/Library gen_context(system_u:object_r:lib_t,s0) /System/Library/Components/.*/Contents/MacOS/.* -- gen_context(system_u:object_r:lib_t,s0) /System/Library/CoreServices/.*/Contents/MacOS/.* -- gen_context(system_u:object_r:lib_t,s0) /System/Library/CoreServices/.*\.dylib -- gen_context(system_u:object_r:lib_t,s0) +#/System/Library/Frameworks gen_context(system_u:object_r:lib_t,s0) +#/System/Library/Frameworks/.* gen_context(system_u:object_r:lib_t,s0) # ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/modutils.fc#3 (text+ko) ==== @@ -5,4 +5,6 @@ /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) /sbin/kextload -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/kextunload -- gen_context(system_u:object_r:insmod_exec_t,s0) +/sbin/kextunload -- gen_context(system_u:object_r:insmod_exec_t,s0) + +/System/Library/Extensions.* gen_context(system_u:object_r:modules_dep_t,s0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200611142058.kAEKw8S2069972>