Date: Mon, 22 Jan 2007 19:53:50 GMT
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 113386 for review
Message-ID: <200701221953.l0MJrosM084199@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113386 Change 113386 by millert@millert_macbook on 2007/01/22 19:53:43 Add permissions for /var/vm. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#10 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#8 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#5 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#11 (text+ko) ==== @@ -165,6 +165,8 @@ # Not sure why it wants to search this dir, it should know what it wants allow configd_t var_log_t:dir search; +# Search /var/vm +files_search_vm(securityd_t) # Read /private darwin_allow_private_read(configd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#10 (text+ko) ==== @@ -129,4 +129,5 @@ # Read fstools files fstools_read_files(diskarbitrationd_t) - +# Search /var/vm +files_search_vm(diskarbitrationd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#8 (text+ko) ==== @@ -141,6 +141,8 @@ files_search_var(loginwindow_t) files_read_var_symlinks(loginwindow_t) +# Search /var/vm +files_search_vm(loginwindow_t) + # Write to WTMP auth_write_login_records(loginwindow_t) - ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#7 (text+ko) ==== 
@@ -48,6 +48,8 @@ files_manage_var_dirs(securityd_t) files_manage_var_symlinks(securityd_t) +# Search /var/vm +files_search_vm(securityd_t) # Talk to launchd init_allow_ipc(securityd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#5 (text+ko) ==== @@ -4501,6 +4501,25 @@ ######################################## ## <summary> +## Search the contents of vm irectories (/var/vm). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_vm',` + gen_require(` + type var_t, var_vm_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_vm_t:dir search_dir_perms; +') + +######################################## +## <summary> ## Unconfined access to files. ## </summary> ## <param name="domain">
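Review bot: In the configd.te hunk the added call is files_search_vm(securityd_t), but the rules around it in that file are all written for configd_t (allow configd_t var_log_t:dir search; and darwin_allow_private_read(configd_t)). As posted, configd_t gets no search access to /var/vm, and securityd_t is granted it twice because the securityd.te hunk adds the same call. This looks like a copy-paste slip; the call here should most likely be files_search_vm(configd_t).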
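Review bot: The summary of the new files_search_vm interface in files.if has a typo ("vm irectories" should be "vm directories") and documents only /var/vm, while the body also grants search_dir_perms on var_t:dir. Please fix the spelling and mention the var_t search in the summary, so that callers reading the generated interface documentation see everything the macro allows.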