From owner-trustedbsd-cvs@FreeBSD.ORG  Mon Jan 22 20:19:18 2007
Return-Path: <owner-trustedbsd-cvs@FreeBSD.ORG>
X-Original-To: trustedbsd-cvs@freebsd.org
Delivered-To: trustedbsd-cvs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 4064E16A4AC
	for <trustedbsd-cvs@freebsd.org>; Mon, 22 Jan 2007 20:19:18 +0000 (UTC)
	(envelope-from owner-perforce@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 9213D13C506
	for <trustedbsd-cvs@freebsd.org>; Mon, 22 Jan 2007 20:19:16 +0000 (UTC)
	(envelope-from owner-perforce@freebsd.org)
Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53])
	by cyrus.watson.org (Postfix) with ESMTP id 8390648A5C
	for <trustedbsd-cvs@trustedbsd.org>;
	Mon, 22 Jan 2007 15:19:01 -0500 (EST)
Received: from hub.freebsd.org (hub.freebsd.org [69.147.83.54])
	by mx2.freebsd.org (Postfix) with ESMTP id 3FA9572C29;
	Mon, 22 Jan 2007 20:17:46 +0000 (GMT)
	(envelope-from owner-perforce@freebsd.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id CFE9F16A54B; Mon, 22 Jan 2007 20:17:41 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AC5BD16A4EF
	for <perforce@freebsd.org>; Mon, 22 Jan 2007 20:17:41 +0000 (UTC)
	(envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41])
	by mx1.freebsd.org (Postfix) with ESMTP id 7DA2B13C4A5
	for <perforce@freebsd.org>; Mon, 22 Jan 2007 20:17:41 +0000 (UTC)
	(envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l0MKHfie093056
	for <perforce@freebsd.org>; Mon, 22 Jan 2007 20:17:41 GMT
	(envelope-from millert@freebsd.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l0MKHf0i093049
	for perforce@freebsd.org; Mon, 22 Jan 2007 20:17:41 GMT
	(envelope-from millert@freebsd.org)
Date: Mon, 22 Jan 2007 20:17:41 GMT
Message-Id: <200701222017.l0MKHf0i093049@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	millert@freebsd.org using -f
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 113425 for review
X-BeenThere: trustedbsd-cvs@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD CVS and Perforce commit message list
	<trustedbsd-cvs.FreeBSD.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>, 
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/trustedbsd-cvs>
List-Post: <mailto:trustedbsd-cvs@FreeBSD.org>
List-Help: <mailto:trustedbsd-cvs-request@FreeBSD.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>,
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2007 20:19:18 -0000

http://perforce.freebsd.org/chv.cgi?CH=113425

Change 113425 by millert@millert_macbook on 2007/01/22 20:17:39

	configd needs to be able to getattr, not just read,
	modules_object_t:file. Children spawned by configd need to
	be able to check /var/run pid files.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#17 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#17 (text+ko) ====

@@ -125,7 +125,7 @@
 
 # Allow configd to load kexts
 allow configd_t modules_object_t:dir { read search };
-allow configd_t modules_object_t:file read;
+allow configd_t modules_object_t:file { read getattr };
 
 # Allow configd to run ifconfig
 allow configd_t ifconfig_exec_t:file { execute_no_trans getattr read };
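Review bot: the widening from `read` to `{ read getattr }` on modules_object_t:file is the minimal grant for the denial described in the change description and matches the `{ read search }` already given on the directory; the one thing worth adding is a word in the `# Allow configd to load kexts` comment saying that getattr is there so configd can stat the kext files, since a later reader auditing configd_t's access to kernel-extension objects will want to know which operation needed it. If modules_object_t is declared by another module rather than this one, refpolicy convention is to reach it through an interface exported by that module (as `files_search_vm()` is used further down in this file) instead of a raw allow line.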
@@ -172,6 +172,9 @@
 # Not sure why it wants to search this dir, it should know what it wants
 allow configd_t var_log_t:dir search;
 
+# Configd child processes needs access to pid files
+allow configd_t init_var_run_t:file { getattr read };
+
 # Search /var/vm
 files_search_vm(securityd_t)
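Review bot: the new rule grants `init_var_run_t:file { getattr read }` to configd_t itself, while the comment speaks of configd's child processes; that is only correct if those children keep running in configd_t (no domain transition), so the comment should say so, e.g. `# Children that stay in configd_t need to read pid files in /var/run`, otherwise a reader will look for a child domain that this hunk does not define. Also `needs` should be `need`. Unrelated to the change, the trailing context line `files_search_vm(securityd_t)` under `# Search /var/vm` in configd.te names securityd_t rather than configd_t, which looks like a copy-and-paste leftover worth a separate check.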