From owner-p4-projects@FreeBSD.ORG  Thu Jan 27 13:09:59 2005
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 66ED816A4D0; Thu, 27 Jan 2005 13:09:59 +0000 (GMT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E545F16A4CE
	for <perforce@freebsd.org>; Thu, 27 Jan 2005 13:09:58 +0000 (GMT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C2F8B43D53
	for <perforce@freebsd.org>; Thu, 27 Jan 2005 13:09:58 +0000 (GMT)
	(envelope-from areisse@nailabs.com)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j0RD9w44033992
	for <perforce@freebsd.org>; Thu, 27 Jan 2005 13:09:58 GMT
	(envelope-from areisse@nailabs.com)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j0RD9wnn033989
	for perforce@freebsd.org; Thu, 27 Jan 2005 13:09:58 GMT
	(envelope-from areisse@nailabs.com)
Date: Thu, 27 Jan 2005 13:09:58 GMT
Message-Id: <200501271309.j0RD9wnn033989@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	areisse@nailabs.com using -f
From: Andrew Reisse <areisse@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 69825 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2005 13:10:00 -0000

http://perforce.freebsd.org/chv.cgi?CH=69825

Change 69825 by areisse@areisse_tislabs on 2005/01/27 13:09:03

	various minor sebsd policy changes
	-crontab, /usr/bin/mail, ssh
	dontaudit cap_sys_admin

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#6 (text+ko) ====

@@ -31,3 +31,6 @@
 
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+
+dontaudit domain self:capability sys_admin;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#10 (text+ko) ====

@@ -126,7 +126,6 @@
 # type of the pty for the child
 define(`sshd_spawn_domain', `
 login_spawn_domain($1, $2)
-domain_auto_trans($1_t, shell_exec_t, user_t)
 ifdef(`xauth.te', `
 domain_trans($1_t, xauth_exec_t, $2)
 ')
@@ -233,6 +232,9 @@
 allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto };
 allow sshd_t userpty_type:chr_file { setattr relabelto rw_file_perms };
 
+# respawn sshd
+allow sshd_t sshd_exec_t:file execute_no_trans;
+
 #
 # Author:  Stephen Smalley <sds@epoch.ncsc.mil>
 #

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/mta.fc#3 (text+ko) ====

@@ -2,6 +2,7 @@
 /usr/sbin/sendmail(.sendmail)?	system_u:object_r:sendmail_exec_t
 /usr/sbin/mailwrapper		system_u:object_r:sendmail_exec_t
 /usr/libexec/sendmail/sendmail	system_u:object_r:sendmail_exec_t
+/usr/libexec/mail.local		system_u:object_r:sendmail_exec_t
 /etc/aliases			system_u:object_r:etc_aliases_t
 /etc/aliases\.db		system_u:object_r:etc_aliases_t
 /var/spool/mail(/.*)?		system_u:object_r:mail_spool_t

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/crontab_macros.te#5 (text+ko) ====

@@ -40,7 +40,7 @@
 
 # Use capabilities dac_override is to create the file in the directory
 # under /tmp
-allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
+allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override fowner };
 dontaudit $1_crontab_t proc_t:dir { search };
 dontaudit $1_crontab_t selinux_config_t:dir { search };
 
@@ -92,6 +92,7 @@
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 allow $1_crontab_t privfd:fd use;
+allow $1_crontab_t self:fd { use create };
 
 dontaudit $1_crontab_t var_run_t:dir search;
 ')

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/program/mta_macros.te#3 (text+ko) ====

@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:fd {create use};
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)