Date: Thu, 26 Oct 2006 19:34:50 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108520 for review Message-ID: <200610261934.k9QJYojv080664@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=108520 Change 108520 by millert@millert_macbook on 2006/10/26 19:34:44 Update securityd and notifyd policies Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#3 (text+ko) ==== @@ -25,9 +25,19 @@ allow notifyd_t self:fifo_file { read write }; allow notifyd_t self:unix_stream_socket create_stream_socket_perms; +# Misc allow notifyd_t mnt_t:dir { getattr search }; allow notifyd_t nfs_t:lnk_file { getattr read }; +# Talk to self mach_allow_message(notifyd_t, notifyd_t) + +# Talk to kernel kernel_allow_ipc(notifyd_t) + +# Talk to launchd init_allow_ipc(notifyd_t) + +# Allow signalling of other processes +allow notifyd_t init_t:process signal; +allow notifyd_t lookupd_t:process signal; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#3 (text+ko) ==== @@ -25,8 +25,30 @@ allow securityd_t self:fifo_file { read write }; allow securityd_t self:unix_stream_socket create_stream_socket_perms; +# Talk to self +allow securityd_t self:mach_task set_special_port; +allow securityd_t self:process signal; +allow securityd_t self:socket { connect write }; +allow securityd_t self:udp_socket create; +allow securityd_t self:unix_dgram_socket create; + +# Misc +allow securityd_t mnt_t:dir { getattr search }; +allow securityd_t nfs_t:dir { getattr search }; +allow securityd_t nfs_t:filesystem getattr; +allow securityd_t nfs_t:lnk_file read; +allow securityd_t usr_t:file { getattr read }; + + # Talk to launchd init_allow_ipc(securityd_t) +init_allow_shm(securityd_t) # Talk to notifyd notifyd_allow_ipc(securityd_t) +notifyd_allow_shm(securityd_t) + +# Not sure what this is for exactly. You don't generally execute libraries, so +# something is probably mislabeled. +allow securityd_t lib_t:file execute_no_trans; +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200610261934.k9QJYojv080664>