Date: Mon, 22 Jan 2007 20:02:09 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113401 for review Message-ID: <200701222002.l0MK298W087436@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113401 Change 113401 by millert@millert_macbook on 2007/01/22 20:01:14 Update. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 (text+ko) ====
@@ -47,22 +47,20 @@
 allow diskarbitrationd_t self:socket { connect write };
 allow diskarbitrationd_t self:udp_socket create;
 allow diskarbitrationd_t self:unix_dgram_socket create;
-allow diskarbitrationd_t sbin_t:dir search;
+allow diskarbitrationd_t sbin_t:dir { getattr read search };
 # Allow disk/device/fs operations
 allow diskarbitrationd_t device_t:chr_file { ioctl read };
-allow diskarbitrationd_t fs_t:dir getattr;
+allow diskarbitrationd_t fs_t:dir { search getattr };
+allow diskarbitrationd_t fs_t:lnk_file unlink;
 allow diskarbitrationd_t fsadm_t:file execute_no_trans;
 # Allow mount operations
-allow diskarbitrationd_t fs_t:filesystem mount;
+allow diskarbitrationd_t fs_t:filesystem { getattr mount };
 allow diskarbitrationd_t mnt_t:dir { getattr read remove_name rmdir search };
 allow diskarbitrationd_t mnt_t:file { getattr unlink };
 allow diskarbitrationd_t mnt_t:lnk_file unlink;
-
-
-
 # Allow various file operations
 allow diskarbitrationd_t nfs_t:dir getattr;
 allow diskarbitrationd_t nfs_t:filesystem mount;
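Review bot: The new `allow diskarbitrationd_t fs_t:lnk_file unlink;` sits under "Allow disk/device/fs operations" with no comment, while the matching `mnt_t:lnk_file unlink` rule lives in the mount section a few lines below. Symlink removal on fs_t-labeled objects looks like mount-point cleanup (inferred from the neighbouring mnt_t rules), so I would move it next to them and say so, e.g. `# Remove stale mount-point symlinks left on fs_t`. The widened `sbin_t:dir` and `fs_t:dir` permission sets also read like denial-driven additions; a one-line reason per rule would let a later audit tell required access from noise. The policy file continues outside this hunk.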
@@ -76,12 +74,7 @@
 # Allow access to raw disk devices
 storage_raw_read_fixed_disk(diskarbitrationd_t)
-# Note: This causes the following error...we need to figure it out:
-#
-## libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read };
-# libsepol.check_assertions: 1 assertion violations occured
-# Error while expanding policy
-#allow diskarbitrationd_t fixed_disk_device_t:blk_file { ioctl read };
+storage_raw_write_fixed_disk(diskarbitrationd_t)
 # Allow signaling fsck, etc
 allow diskarbitrationd_t fsadm_t:process signal;
@@ -117,6 +110,9 @@
 darwin_allow_host_pref_read(diskarbitrationd_t)
 darwin_allow_system_read(diskarbitrationd_t)
+# Use CoreServices
+darwin_allow_CoreServices_read(diskarbitrationd_t)
+
 # Allow access to frameworks
 frameworks_read(diskarbitrationd_t)
@@ -131,3 +127,6 @@
 # Search /var/vm
 files_search_vm(diskarbitrationd_t)
+
+# Read /var (symlinks)
+files_read_var_files(diskarbitrationd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 (text+ko) ====
@@ -46,7 +46,7 @@
 # Misc
 allow lookupd_t mnt_t:dir search;
-allow lookupd_t nfs_t:filesystem getattr;
+allow lookupd_t { fs_t nfs_t }:filesystem getattr;
 allow lookupd_t nfs_t:lnk_file read;
 allow lookupd_t port_t:tcp_socket name_connect;
 allow lookupd_t random_device_t:chr_file read;
@@ -103,3 +103,7 @@
 # Allow Mach IPC w/ syslogd
 logging_allow_ipc(lookupd_t)
+
+# Read /var
+files_list_var(lookupd_t)
+files_read_var_files(lookupd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 (text+ko) ====
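Review bot: `storage_raw_write_fixed_disk(diskarbitrationd_t)` in the raw-disk section is the widest grant in this change and arrives without a word on which operation needs it. Raw write to fixed-disk block devices lets the domain alter any on-disk data underneath the per-file labels, and the removed note shows that even the direct read rule tripped a libsepol assertion, so this access is clearly meant to be tightly held. The interface body is not visible here, so I assume it grants blk_file write on fixed_disk_device_t. Please add a reason above it, e.g. `# Raw write needed for <operation - TODO name it>`. Also consider whether the tools run through `fsadm_t:file execute_no_trans` (context of the first hunk) could transition into fsadm_t instead, so the daemon itself does not need to hold raw write.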
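Review bot: The comment `# Read /var (symlinks)` does not match the grant below it: `files_read_var_files(diskarbitrationd_t)`, going by its name, gives read access to files under /var rather than only symlink traversal (the interface body is not shown, so this is inferred). If the denial was only about following the /var link, a lnk_file-only rule is narrower, e.g. `allow diskarbitrationd_t var_t:lnk_file read;`, assuming the link carries var_t. The same pattern recurs at the end of lookupd.te (`files_list_var` plus `files_read_var_files` under `# Read /var`) and in the first logging.te hunk (`# Read /var symlinks` for syslogd_t). Either narrow all three or change the comments to state that full file read is intended.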
@@ -40,7 +40,7 @@
 allow securityd_t nfs_t:filesystem getattr;
 allow securityd_t nfs_t:lnk_file read;
 allow securityd_t usr_t:file { getattr read };
-allow securityd_t random_device_t:chr_file read;
+allow securityd_t random_device_t:chr_file { read write };
 allow securityd_t sbin_t:dir { getattr read search };
 # /var file operations
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 (text+ko) ====
@@ -53,6 +53,9 @@
 allow syslogd_t devlog_t:sock_file create_file_perms;
 files_pid_filetrans(syslogd_t,devlog_t,sock_file)
+# Read /var symlinks
+files_read_var_files(syslogd_t)
+
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
 allow syslogd_t var_log_t:file create_file_perms;
@@ -86,11 +89,12 @@
 # Kernel messages come from /dev/klog
 dev_filetrans(syslogd_t,devklog_t,chr_file)
 genfscon devfs /klog gen_context(system_u:object_r:devklog_t,0s)
-allow syslogd_t devklog_t:chr_file read;
+allow syslogd_t devklog_t:chr_file { read ioctl };
 fs_search_auto_mountpoints(syslogd_t)
 term_write_console(syslogd_t)
+allow syslogd_t console_device_t:file write;
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
@@ -142,12 +146,16 @@
 kernel_allow_ipc(syslogd_t)
 # Talk to self
-allow syslogd_t self:socket read;
+allow syslogd_t self:socket { bind listen accept read };
+allow syslogd_t self:mach_port make_send_once;
 # Talk to notifyd
 notifyd_allow_ipc(syslogd_t)
 notifyd_allow_shm(syslogd_t)
+# Read /private
+darwin_allow_private_read(syslogd_t)
+
 ifdef(`targeted_policy',`
 allow syslogd_t var_run_t:fifo_file { ioctl read write };
 term_dontaudit_use_unallocated_ttys(syslogd_t)
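Review bot: `allow securityd_t random_device_t:chr_file { read write };` adds write on the random device with no stated reason. Writing there is presumably securityd feeding entropy back into the pool, which is a legitimate need, but lookupd.te grants the same type as read-only, so the asymmetry deserves a line such as `# securityd reseeds the kernel entropy pool`. If that is not the reason, the write permission should be dropped again. The surrounding rule block continues outside this hunk.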
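Review bot: `allow syslogd_t console_device_t:file write;` in the /dev/klog hunk uses object class `file`, although a console is normally a character device and the preceding `term_write_console(syslogd_t)` presumably already covers that case. If this rule came from a logged denial, it suggests a regular file carrying the console_device_t label, which is a labeling problem to fix rather than to allow. If chr_file was meant, the rule duplicates the interface call. Either way, add a comment naming the object it is for, e.g. `# <path - TODO> shows up as a plain file labeled console_device_t`, or remove the rule.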