From owner-p4-projects Mon Jan 13 11:23:28 2003 Date: Mon, 13 Jan 2003 11:23:23 -0800 (PST) Message-Id: <200301131923.h0DJNN58003417@repoman.freebsd.org> 
From: Brian Feldman Subject: PERFORCE change 23688 for review To: Perforce Change Reviews http://perforce.freebsd.org/chv.cgi?CH=23688 Change 23688 by green@green_laptop_2 on 2003/01/13 11:23:04 * Add the uses_kld() macro, and use it in a few utilities so far that need it. * Implement cleanvar.te policy for use in /etc/rc.d/cleanvar. Affected files ... .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/cleanvar.te#1 add .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 edit Differences ... ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/assert.te#2 (text+ko) ==== @@ -27,12 +27,6 @@ neverallow domain ~domain:process transition; # -# Verify that only the kmod_t, insmod_t, and ifconfig_t domains -# have the sys_module capability. -# -neverallow ~{ kmod_t insmod_t ifconfig_t } self:capability sys_module; - -# # Verify that executable types, the system dynamic loaders, and the # system shared libraries can only be modified by administrators. # ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/ifconfig.te#2 (text+ko) ==== 
@@ -13,6 +13,7 @@ role system_r types ifconfig_t; role sysadm_r types ifconfig_t; every_domain(ifconfig_t) +uses_kld(ifconfig_t) type ifconfig_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) type_transition init_t ifconfig_exec_t:process ifconfig_t; ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#4 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/mount.te#3 (text+ko) ==== @@ -13,6 +13,7 @@ role system_r types mount_t; role sysadm_r types mount_t; every_domain(mount_t) +uses_kld(mount_t) type mount_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, mount_exec_t, mount_t) type_transition init_t mount_exec_t:process mount_t; ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/initrc.fc#3 (text+ko) ==== @@ -4,6 +4,7 @@ /etc/rc.d/rc system_u:object_r:initrc_exec_t /etc/rc.d/rc.sysinit system_u:object_r:initrc_exec_t /etc/rc.d/rc.local system_u:object_r:initrc_exec_t +/etc/rc.d/cleanvar system_u:object_r:cleanvar_exec_t /etc/init.d/rc.* system_u:object_r:initrc_exec_t /var/run/utmp system_u:object_r:initrc_var_run_t /var/run/runlevel.dir system_u:object_r:initrc_var_run_t ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#8 (text+ko) ==== @@ -143,6 +143,7 @@ domains/program/backup.te domains/program/bootloader.te domains/program/cardmgr.te +domains/program/cleanvar.te domains/program/courier.te domains/program/crack.te domains/program/crond.te ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#3 (text+ko) ==== 
@@ -262,6 +262,18 @@ ################################# # +# uses_kld(domain) +# +# Permissions for using kernel modules. +# +define(`uses_kld',` +allow $1 boot_t:dir r_dir_perms; +allow $1 boot_t:file r_file_perms; +allow $1 self:capability sys_module; +') + +################################# +# # uses_shlib(domain) # # Permissions for using shared libraries.
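Review bot: in the assert.te hunk, deleting the sys_module neverallow outright leaves no policy-build check on which domains hold that capability. The old set { kmod_t insmod_t ifconfig_t } would reject uses_kld(mount_t), but the guard can be kept by adding mount_t (and any later uses_kld caller) to the set instead of removing the rule, so that a stray "allow ... self:capability sys_module" in an unrelated domain still fails the build.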
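Review bot: in the mount.te hunk, uses_kld(mount_t) gives mount_t the sys_module capability, which the assertion removed from assert.te did not permit for this domain, and nothing in the hunk says why mount needs it. Add a one-line comment above the call stating what mount loads modules for. Note also that "role sysadm_r types mount_t" in the same hunk makes the capability reachable from sysadm_r as well as from the boot path.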
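Review bot: the new /etc/rc.d/cleanvar entry in the initrc.fc hunk labels the script cleanvar_exec_t, but the body of cleanvar.te#1 is not included in this mail and the initrc.te#4 section is empty, so the declaration of cleanvar_exec_t and the transition from initrc_t cannot be checked from what is shown. Please include the added file in the review, and consider moving the entry to its own file_contexts/program/cleanvar.fc so it pairs with domains/program/cleanvar.te the way initrc.fc pairs with initrc.te.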
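Review bot: the header comment for uses_kld in the global_macros.te hunk says only "Permissions for using kernel modules", while the body grants self:capability sys_module together with read access to every boot_t dir and file. State in the comment that the macro confers the ability to load and unload kernel modules, so that callers treat it as a privileged macro rather than a convenience like uses_shlib, and check whether these domains need read on all of boot_t or only on the module files.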