Date: Thu, 12 Dec 2002 13:17:16 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 22219 for review Message-ID: <200212122117.gBCLHGAY012750@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=22219 Change 22219 by green@green_laptop_2 on 2002/12/12 13:17:04 * Add a uses_libc(domain) macro, used now by uses_shlib(domain) and every_domain(domain), which defines generic permissions necessary by libc in general. So far, these are to readlink(2) /etc/malloc.conf and to read from /dev/u?random. * Add policy and file contexts for malloc.conf. * Add policy and file contexts for /var/db, /var/db/entropy, and for the /usr/libexec/save-entropy cron-job. Affected files ... .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/save-entropy.te#1 add .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/program/save-entropy.fc#1 add .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/types.fc#6 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#5 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#2 edit .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/types/file.te#2 edit Differences ...
==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ====
@@ -95,6 +95,10 @@
 allow initrc_t var_lib_t:file rw_file_perms;
 allow initrc_t var_lib_t:file unlink;

+# Access /var/db/entropy.
+allow initrc_t var_db_entropy_t:file rw_file_perms;
+allow initrc_t var_db_entropy_t:file unlink;
+
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
 allow initrc_t var_lock_t:file create_file_perms;
==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/file_contexts/types.fc#6 (text+ko) ====
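Review bot: The two rules added to initrc.te at -95 cover only the `file` class, so nothing visible in the hunk lets initrc_t reach or modify the directory that holds the saved entropy. With /var/db and /var/db/entropy given their own types in types.fc, the unlink would need at least `allow initrc_t var_db_t:dir search;` and `allow initrc_t var_db_entropy_t:dir rw_dir_perms;`, unless a rule outside this hunk already grants them. It is also worth confirming that write access is needed at all: if the startup script only reads the saved files and then deletes them, `r_file_perms` plus `unlink` would be the tighter grant.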
@@ -54,6 +54,8 @@
 /var(/.*)? system_u:object_r:var_t
 /var/catman(/.*)? system_u:object_r:catman_t
 /var/cache/man(/.*)? system_u:object_r:catman_t
+/var/db(/.*)? system_u:object_r:var_db_t
+/var/db/entropy(/.*)? system_u:object_r:var_db_entropy_t
 /var/yp(/.*)? system_u:object_r:var_yp_t
 /var/lib(/.*)? system_u:object_r:var_lib_t
 /var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t
@@ -145,6 +147,7 @@
 /etc/mrtg(/.*)? system_u:object_r:etc_mrtg_t
 /etc/selinux(/.*)? system_u:object_r:policy_src_t
 /etc/security/sebsd(/.*)? system_u:object_r:policy_config_t
+/etc/malloc\.conf system_u:object_r:malloc_conf_t

 #
 # /lib
==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/files.lst#5 (text+ko) ====
@@ -97,6 +97,7 @@
 file_contexts/program/rshd.fc
 file_contexts/program/run_deb.fc
 file_contexts/program/run_init.fc
+file_contexts/program/save-entropy.fc
 file_contexts/program/selopt.fc
 file_contexts/program/sendmail.fc
 file_contexts/program/setfiles.fc
@@ -226,6 +227,7 @@
 domains/program/xserver.te
 domains/program/ypbind.te
 domains/program/acct.te
+domains/program/save-entropy.te
 domains/test
 domains/test/test_wait.te
 domains/test/test_capable_net.te
==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/macros/global_macros.te#2 (text+ko) ====
@@ -277,10 +277,22 @@
 allow $1 lib_t:{ file lnk_file } r_file_perms;
 allow $1 usr_t:{ file lnk_file } r_file_perms;
 allow $1 null_device_t:chr_file rw_file_perms;
+uses_libc($1)
 ')

 #################################
 #
+# uses_libc(domain)
+#
+# Permissions for using the standard C library.
+#
+define(`uses_libc',`
+allow $1 random_device_t:{ chr_file lnk_file } r_file_perms;
+allow $1 malloc_conf_t:lnk_file { getattr read };
+')
+
+#################################
+#
 # can_exec(domain, type)
 #
 # Permissions for executing programs with
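Review bot: The `/var/db(/.*)?` entry at -54 in types.fc moves everything under /var/db from var_t to var_db_t, but the hunks shown only declare var_db_t and grant no domain any access to it. Any domain that reaches files there through its var_t rules would presumably start hitting denials after a relabel, so the matching allow rules should land with this change or be called out as follow-up; save-entropy.te is added here but its contents are not shown in the diff. A comment above the two entries, for example `# /var/db has its own type; the saved-entropy directory is labelled separately so access to it can be granted narrowly`, would record the intent.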
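Review bot: The `/etc/malloc\.conf` entry at -145 in types.fc has no file-type field, so a regular file placed at that path would also be labelled malloc_conf_t, while uses_libc grants access only for the `lnk_file` class. Restricting the specification to symbolic links, `/etc/malloc\.conf -l system_u:object_r:malloc_conf_t`, keeps the label aligned with the rule and with the type's comment in file.te. A link created after labelling will presumably carry the type it inherits from /etc until it is relabelled, in which case the uses_libc rule would not match it; that is worth a line in the comment.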
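Review bot: The uses_libc header at -277 in global_macros.te says only "Permissions for using the standard C library", which does not tell a later reader why each rule is there, and per the description this macro is now expanded through both uses_shlib and every_domain. I would put the reasons from the change description on the rules themselves: `# Read /dev/random and /dev/urandom.` above the random_device_t rule and `# malloc(3) reads its options with readlink(2) on /etc/malloc.conf.` above the malloc_conf_t rule. The macro that gains `uses_libc($1)` at the top of the hunk starts outside the hunk.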
@@ -759,7 +771,7 @@
 allow $1 device_t:lnk_file r_file_perms;

 # Read /dev/random and /dev/zero.
-allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:{ chr_file lnk_file } r_file_perms;
 allow $1 zero_device_t:chr_file r_file_perms;

 # Read the root directory of a tmpfs filesytem and any symbolic links.
@@ -878,6 +890,9 @@
 # Grant permissions needed to create TCP and UDP sockets and
 # to access the network.
 can_network($1)
+
+# Include generically-useful libc-requisite functionality.
+uses_libc($1)
 ')

 #######################
==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/types/file.te#2 (text+ko) ====
@@ -93,6 +93,10 @@
 # pump needs write access to this file.
 type resolv_conf_t, file_type, sysadmfile;

+# malloc_conf_t is the type of the /etc/malloc.conf malloc(3)-configuration
+# symbolic link.
+type malloc_conf_t, file_type, sysadmfile;
+
 # etc_mrtg_t is the type of the /etc/mrtg directory and files.
 # crond needs write access to this directory.
 type etc_mrtg_t, file_type, sysadmfile;
@@ -151,6 +155,7 @@
 #
 # Types for subdirectories of /var.
 #
+type var_db_t, file_type, sysadmfile;
 type var_run_t, file_type, sysadmfile;
 type var_log_t, file_type, sysadmfile;
 type var_lock_t, file_type, sysadmfile;
@@ -158,6 +163,9 @@
 type var_spool_t, file_type, sysadmfile;
 type var_yp_t, file_type, sysadmfile;

+# Type for /var/db/entropy.
+type var_db_entropy_t, file_type, sysadmfile;
+
 # Type for /var/log/sa.
 type var_log_sa_t, file_type, sysadmfile;

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
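Review bot: The widened random_device_t rule at -759 in global_macros.te is word for word the rule that uses_libc grants, and the hunk at -878 adds `uses_libc($1)` to a macro further down. If the macro edited at -759 is always expanded together with uses_libc, the line there can go and the comment become `# Read /dev/zero.`, which leaves one place that grants read access to the random device. The boundaries of both macros are outside the hunks, so this needs checking against the full file before removing anything.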
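Review bot: The comment on malloc_conf_t at -93 in file.te says what the link is but not who uses it, whereas the neighbouring comments (resolv_conf_t, etc_mrtg_t) record which program needs which access. Because uses_libc lets every domain that expands it read this link, I would extend the comment with `# Read by every domain that expands uses_libc; only administrative domains should be able to create or replace it.` so that a later rule granting write access to this type gets a second look.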