Date: Mon, 13 Jan 2003 11:23:23 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 23688 for review Message-ID: <200301131923.h0DJNN58003417@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=23688 Change 23688 by green@green_laptop_2 on 2003/01/13 11:23:04 * Add the uses_kld() macro, and use it in a few utilities so far that need it. * Implement cleanvar.te policy for use in /etc/rc.d/cleanvar. Affected files ... .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/cleanvar.te#1 add .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 edit Differences ... ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 (text+ko) ==== @@ -27,12 +27,6 @@ neverallow domain ~domain:process transition; # -# Verify that only the kmod_t, insmod_t, and ifconfig_t domains -# have the sys_module capability. -# -neverallow ~{ kmod_t insmod_t ifconfig_t } self:capability sys_module; - -# # Verify that executable types, the system dynamic loaders, and the # system shared libraries can only be modified by administrators. # ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 (text+ko) ==== @@ -13,6 +13,7 @@ role system_r types ifconfig_t; role sysadm_r types ifconfig_t; every_domain(ifconfig_t) +uses_kld(ifconfig_t) type ifconfig_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) type_transition init_t ifconfig_exec_t:process ifconfig_t; ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 (text+ko) ==== @@ -13,6 +13,7 @@ role system_r types mount_t; role sysadm_r types mount_t; every_domain(mount_t) +uses_kld(mount_t) type mount_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, mount_exec_t, mount_t) type_transition init_t mount_exec_t:process mount_t; ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 (text+ko) ==== @@ -4,6 +4,7 @@ /etc/rc.d/rc system_u:object_r:initrc_exec_t /etc/rc.d/rc.sysinit system_u:object_r:initrc_exec_t /etc/rc.d/rc.local system_u:object_r:initrc_exec_t +/etc/rc.d/cleanvar system_u:object_r:cleanvar_exec_t /etc/init.d/rc.* system_u:object_r:initrc_exec_t /var/run/utmp system_u:object_r:initrc_var_run_t /var/run/runlevel.dir system_u:object_r:initrc_var_run_t ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 (text+ko) ==== @@ -143,6 +143,7 @@ domains/program/backup.te domains/program/bootloader.te domains/program/cardmgr.te +domains/program/cleanvar.te domains/program/courier.te domains/program/crack.te domains/program/crond.te ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 (text+ko) ==== @@ -262,6 +262,18 @@ ################################# # +# uses_kld(domain) +# +# Permissions for using kernel modules. +# +define(`uses_kld',` +allow $1 boot_t:dir r_dir_perms; +allow $1 boot_t:file r_file_perms; +allow $1 self:capability sys_module; +') + +################################# +# # uses_shlib(domain) # # Permissions for using shared libraries. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301131923.h0DJNN58003417>