Date: Thu, 27 Jan 2005 13:09:58 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 69825 for review Message-ID: <200501271309.j0RD9wnn033989@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=69825 Change 69825 by areisse@areisse_tislabs on 2005/01/27 13:09:03 various minor sebsd policy changes -crontab, /usr/bin/mail, ssh dontaudit cap_sys_admin Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 (text+ko) ==== @@ -31,3 +31,6 @@ # Add/remove user home directories file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) + + +dontaudit domain self:capability sys_admin; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 (text+ko) ==== @@ -126,7 +126,6 @@ # type of the pty for the child define(`sshd_spawn_domain', ` login_spawn_domain($1, $2) -domain_auto_trans($1_t, shell_exec_t, user_t) ifdef(`xauth.te', ` domain_trans($1_t, xauth_exec_t, $2) ') @@ -233,6 +232,9 @@ allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto }; allow sshd_t userpty_type:chr_file { setattr relabelto rw_file_perms }; +# respawn sshd +allow sshd_t sshd_exec_t:file execute_no_trans; + # # Author: Stephen Smalley <sds@epoch.ncsc.mil> # ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 (text+ko) ==== @@ -2,6 +2,7 @@ /usr/sbin/sendmail(.sendmail)? system_u:object_r:sendmail_exec_t /usr/sbin/mailwrapper system_u:object_r:sendmail_exec_t /usr/libexec/sendmail/sendmail system_u:object_r:sendmail_exec_t +/usr/libexec/mail.local system_u:object_r:sendmail_exec_t /etc/aliases system_u:object_r:etc_aliases_t /etc/aliases\.db system_u:object_r:etc_aliases_t /var/spool/mail(/.*)? system_u:object_r:mail_spool_t ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 (text+ko) ==== @@ -40,7 +40,7 @@ # Use capabilities dac_override is to create the file in the directory # under /tmp -allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override }; +allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override fowner }; dontaudit $1_crontab_t proc_t:dir { search }; dontaudit $1_crontab_t selinux_config_t:dir { search }; @@ -92,6 +92,7 @@ # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') allow $1_crontab_t privfd:fd use; +allow $1_crontab_t self:fd { use create }; dontaudit $1_crontab_t var_run_t:dir search; ') ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 (text+ko) ==== @@ -37,6 +37,7 @@ can_ypbind($1_mail_t) allow $1_mail_t self:unix_dgram_socket create_socket_perms; allow $1_mail_t self:unix_stream_socket create_socket_perms; +allow $1_mail_t self:fd {create use}; read_locale($1_mail_t) read_sysctl($1_mail_t)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501271309.j0RD9wnn033989>