From owner-p4-projects@FreeBSD.ORG Wed Oct 15 05:33:03 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 3F20916A4C0; Wed, 15 Oct 2003 05:33:03 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0250316A4B3 for ; Wed, 15 Oct 2003 05:33:03 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A7B143F75 for ; Wed, 15 Oct 2003 05:33:02 -0700 (PDT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id h9FCX2XJ066316 for ; Wed, 15 Oct 2003 05:33:02 -0700 (PDT) (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id h9FCX12R066313 for perforce@freebsd.org; Wed, 15 Oct 2003 05:33:01 -0700 (PDT) (envelope-from areisse@nailabs.com) Date: Wed, 15 Oct 2003 05:33:01 -0700 (PDT) Message-Id: <200310151233.h9FCX12R066313@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 39741 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2003 12:33:03 -0000
http://perforce.freebsd.org/chv.cgi?CH=39741
Change 39741 by areisse@areisse_tislabs on 2003/10/15 05:32:25
fixes for cron. changes in cvs to allow different originating types. possible compilation fixes
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 (text+ko) ====
@@ -61,6 +61,7 @@
 allow crond_t bin_t:lnk_file read;
 # Read from /var/spool/cron.
+allow crond_t var_t:dir search;
 allow crond_t var_lib_t:dir search;
 allow crond_t var_spool_t:dir r_dir_perms;
 allow crond_t cron_spool_t:dir r_dir_perms;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 (text+ko) ====
@@ -1,6 +1,7 @@
 type cvs_exec_t, exec_type, file_type, sysadmfile;
-cvs_program_domain(user)
+cvs_program_domain(user,user)
 #domain_auto_trans(user_t,cvs_exec_t,user_cvs_rw_t)
 role user_r types user_cvs_rw_t;
+role user_r types user_cvs_ro_t;
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 (text+ko) ====
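Review bot: The comment `# Read from /var/spool/cron.` directly above the new `allow crond_t var_t:dir search;` no longer describes what the rule is for: the crond.fc hunk in this same change labels the FreeBSD spool under /var/cron, and reaching it presumably requires search on the var_t directory above it. Suggest `# Read from /var/spool/cron (Linux) or /var/cron (FreeBSD); the var_t search is for the latter.` so the next reader does not take the rule for an accidental widening. Whether the existing var_lib_t search is still needed on FreeBSD cannot be judged from the hunk.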
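Review bot: The second argument in `cvs_program_domain(user,user)` is not explained anywhere in this change, neither at this call site nor at the macro definition (the define line of cvs_program_domain lies outside the cvs_macros.te hunk); from the substitutions in that hunk it appears to select whose home directory and terminal types the cvs domains may touch. A call-site comment such as `# cvs_program_domain(domain prefix, originating user prefix)` would make that explicit, and the macro header in cvs_macros.te should describe both parameters. The new `role user_r types user_cvs_ro_t;` line is consistent with the rw line above it and needs no change.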
@@ -21,5 +21,6 @@
 /var/run/fcron\.pid system_u:object_r:crond_var_run_t
 # FreeBSD
 /var/cron system_u:object_r:cron_spool_t
+/var/cron/tabs system_u:object_r:cron_spool_t
 /var/cron/tabs/.* system_u:object_r:user_cron_spool_t
 /var/cron/tabs/root system_u:object_r:sysadm_cron_spool_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 (text+ko) ====
@@ -626,10 +626,6 @@
 # allow searching /dev/pts
 allow $1_t devpts_t:dir { getattr read search };
-
-# For systems without /dev/ptmx
-#allow $1_t devpts_t:chr_file { poll getattr setattr read write };
-#type_change $1_t devpts_t:chr_file $1_devpts_t;
 ')
 ##################################
@@ -638,7 +634,7 @@
 #
 # Permissions for creating ptys.
 #
-define(`can_create_pty',`
+define(`can_create_pty', `
 base_pty_perms($1)
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
@@ -653,7 +649,7 @@
 # Read and write my pty files.
 allow $1_t $1_devpts_t:chr_file { poll setattr rw_file_perms };
-')
+)
 ##################################
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 (text+ko) ====
@@ -52,6 +52,7 @@
 allow $1_crond_t self:process { fork signal_perms };
 allow $1_crond_t proc_t:dir { getattr search read };
 allow $1_crond_t proc_t:file { getattr read };
+allow $1_crond_t self:fd { create use };
 read_locale($1_crond_t)
 allow $1_crond_t sysctl_kernel_t:dir search;
 allow $1_crond_t sysctl_kernel_t:file { getattr read };
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 (text+ko) ====
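Review bot: After this change the m4 quoting of can_create_pty looks unbalanced: the new define line in the @@ -638 hunk still ends with the opening backquote of the macro body, while the @@ -653 hunk of the same file replaces the closing quote-plus-paren with a bare `)`. Unless a closing quote exists in the part of the body that lies outside these two hunks, m4 will keep scanning for one past the end of the macro and swallow the following definitions, which tends to surface as a confusing checkpolicy error rather than a clear message. Either keep the closing `')` at the end of the macro or drop the trailing backquote from the define line; the `')` kept as context in the @@ -626 hunk shows the convention the rest of the file uses. The body of can_create_pty between these two hunks is not visible here, so this should be confirmed against the full file.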
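Review bot: `allow $1_crond_t self:fd { create use };` names a `create` permission on the fd class; in the Linux SELinux access_vectors the fd class defines only `use`, so this rule compiles only if this tree's own access_vectors adds `create` to fd — that file is not part of this change, so please confirm it does. Either way a one-line comment stating which denial the rule clears would help, since a self:fd rule placed between the proc_t and sysctl_kernel_t rules reads as unrelated to its neighbours. The enclosing crond macro definition starts and ends outside the hunk.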
@@ -45,11 +45,11 @@
 # read/write user home directory
 allow { $1_cvs_rw_t $1_cvs_ro_t } home_root_t:dir search;
-allow { $1_cvs_rw_t $1_cvs_ro_t } { $1_home_dir_t $1_home_t }:dir create_dir_perms;
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_home_t:file create_file_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } { $2_home_dir_t $2_home_t }:dir create_dir_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_home_t:file create_file_perms;
 # talk to the terminal
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_devpts_t:chr_file { write read getattr poll };
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_tty_device_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_devpts_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_tty_device_t:chr_file { write read getattr poll };
 ')
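Review bot: With the originating prefix now separate from the domain prefix, an invocation with two different arguments gives both $1_cvs_rw_t and $1_cvs_ro_t create_dir_perms and create_file_perms in $2's home directory and read/write on $2's pty and tty, i.e. one user's cvs domains acting on another user's home and terminal; the only call site in this change (cvs.te) passes `user,user`, so nothing widens yet, but the macro header, which lies outside this hunk, should state that $2 is the user whose home and terminal the domains are trusted with. It is also worth noting in the `# read/write user home directory` comment that $1_cvs_ro_t keeps create permissions on $2_home_t, so "ro" evidently refers to something other than the home directory, otherwise a later reader will read the suffix as a guarantee it is not. The define of cvs_program_domain starts before the hunk; only its closing `')` is visible here.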