From owner-p4-projects@FreeBSD.ORG Thu Dec 23 20:38:36 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id A097C16A4CF; Thu, 23 Dec 2004 20:38:35 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75EA916A4D0 for ; Thu, 23 Dec 2004 20:38:35 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 34F7F43D3F for ; Thu, 23 Dec 2004 20:38:35 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBNKcZth078128 for ; Thu, 23 Dec 2004 20:38:35 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBNKcYe8078125 for perforce@freebsd.org; Thu, 23 Dec 2004 20:38:34 GMT (envelope-from areisse@nailabs.com) Date: Thu, 23 Dec 2004 20:38:34 GMT Message-Id: <200412232038.iBNKcYe8078125@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 67606 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Dec 2004 20:38:36 -0000 http://perforce.freebsd.org/chv.cgi?CH=67606 Change 67606 by areisse@areisse_tislabs on 2004/12/23 20:38:30 Checkpoint work on updating policy. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/devd.te#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/devd.fc#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 edit .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 (text+ko) ====
@@ -32,3 +32,6 @@
 allow atrun_t { var_at_jobs_t var_at_spool_t }:dir rw_dir_perms;
 allow atrun_t var_at_jobs_t:file { r_file_perms unlink };
 allow atrun_t var_at_spool_t:file create_file_perms;
+
+uses_shlib(atrun_t)
+allow atrun_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 (text+ko) ====
@@ -26,3 +26,4 @@
 allow cleanvar_t fs_t:filesystem { getattr };
 can_exec(cleanvar_t, bin_t)
 general_domain_access(cleanvar_t) #!!!
+uses_shlib(cleanvar_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 (text+ko) ====
@@ -62,3 +62,5 @@
 dontaudit getty_t staff_home_dir_t:dir search;
 r_dir_file(getty_t, sysfs_t)
+
+allow getty_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 (text+ko) ====
@@ -22,3 +22,5 @@
 # for when /usr is not mounted
 dontaudit hostname_t file_t:dir search;
+
+allow hostname_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 (text+ko) ====
@@ -156,6 +156,10 @@
 allow initrc_t var_lib_t:file rw_file_perms;
 allow initrc_t var_lib_t:file unlink;
+# /var/db/entropy
+allow initrc_t var_db_entropy_t:file { read write create };
+allow initrc_t var_db_entropy_t:dir { read add_name remove_name };
+
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
 allow initrc_t var_lock_t:file create_file_perms;
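Review bot: The line `allow atrun_t self:fd { create use };` added at the end of the atrun.te hunk is the same permission this change also adds, domain by domain, to getty.te, hostname.te, ssh.te, syslogd.te, rpcd.te and sendmail.te. Creating and using a process's own descriptors is something every confined program needs, so a single `allow $1 self:fd { create use };` in a macro that all of these domains already call (such as `general_domain_access`, visible in the cleanvar.te hunk, if it is in fact applied to each of them) would remove the repetition and the risk of forgetting a domain the next time one is added. If a shared macro is not an option, at least give the rule the same short comment in each file, as the syslogd.te hunk does with `# Use file descriptors`.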
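Review bot: In the initrc.te hunk, `allow initrc_t var_db_entropy_t:dir { read add_name remove_name };` grants remove_name on the entropy directory, but the file rule just above it, `{ read write create }`, grants neither unlink nor getattr, so deleting or replacing an entropy file would still be denied on the file side while the directory side is open. Either add `unlink` (and `getattr`, which most file operations are checked for) to the file rule or drop `remove_name`, whichever matches the operation that motivated the change. The dir rule also lacks `search`, which lookup of a name under the directory requires unless another rule or macro already supplies it for this type — worth confirming against the denials this is meant to fix.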
@@ -169,8 +173,8 @@
 # Read and unlink /var/run/*.pid files.
 allow initrc_t pidfile:file { getattr read unlink };
-# Write to /dev/urandom.
-allow initrc_t urandom_device_t:chr_file rw_file_perms;
+# Write to /dev/random.
+allow initrc_t random_device_t:chr_file rw_file_perms;
 # Set device ownerships/modes.
 allow initrc_t framebuf_device_t:lnk_file read;
@@ -267,6 +271,10 @@
 # allow making links in /dev
 allow initrc_t device_t:dir { add_name };
 allow initrc_t device_t:lnk_file { create };
+allow device_t device_t:filesystem associate;
+
+# /var/.diskless
+allow initrc_t var_t:dir { add_name remove_name rmdir create };
 #################################
 #
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 (text+ko) ====
@@ -110,6 +110,8 @@
 # Update /var/log/lastlog.
 allow $1_t lastlog_t:file rw_file_perms;
+allow $1_t self:fd { create use };
+
 read_locale($1_t)
 read_sysctl($1_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 (text+ko) ====
@@ -88,3 +88,5 @@
 # allow access to klog
 allow syslogd_t klog_device_t:chr_file { poll read };
+# Use file descriptors
+allow syslogd_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 (text+ko) ====
@@ -80,7 +80,7 @@
 allow dhcpc_t { userdomain run_init_t }:fd use;
 # Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config sys_admin };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 (text+ko) ====
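Review bot: `allow initrc_t var_t:dir { add_name remove_name rmdir create };` in the second initrc.te hunk is commented as being for `/var/.diskless`, but var_t is presumably the generic label for directories under /var that carry no more specific type, so initrc_t gains the right to create and remove entries in all of them, not just the one the comment names. A dedicated type for /var/.diskless, the way this change introduces var_db_entropy_t for /var/db/entropy in the earlier initrc.te hunk, would keep the grant scoped to that directory. Separately, `allow device_t device_t:filesystem associate;` is a labelling rule about the device filesystem rather than a permission for initrc_t; it would be easier to find and audit next to the declaration of device_t than in a program domain file. The comment block beginning `#################################` opens a section whose body lies outside the hunk.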
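Review bot: The only change in the dhcpc.te hunk appends `sys_admin` to dhcpc_t's capability set, and the hunk gives no reason for it. CAP_SYS_ADMIN is the catch-all administrative capability, so this is a large widening for a daemon whose job is to process packets from the local network; add a comment naming the operation that was denied without it, and check whether a narrower capability or a non-capability permission covers that operation instead. The file lives under unused/, so the practical effect depends on whether it is included in the built policy.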
@@ -129,3 +129,8 @@
 # for exportfs and rpc.mountd
 allow nfsd_t tmp_t:dir getattr;
 r_dir_file(rpcd_t, rpc_pipefs_t)
+
+# rpc.umntall
+allow rpcd_t self:fd { create use };
+allow rpcd_t nfs_t:filesystem getattr;
+#dontaudit rpcd_t fs_type:filesystem getattr;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 (text+ko) ====
@@ -29,6 +29,8 @@
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:fd { create use };
+
 # Bind to the SMTP port.
 allow sendmail_t smtp_port_t:tcp_socket name_bind;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 (text+ko) ====
@@ -19,7 +19,7 @@
 /sbin/parted -- system_u:object_r:fsadm_exec_t
 /sbin/tune2fs -- system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/swapon -- system_u:object_r:fsadm_exec_t
 /sbin/hdparm -- system_u:object_r:fsadm_exec_t
 /sbin/raidstart -- system_u:object_r:fsadm_exec_t
 /sbin/mkraid -- system_u:object_r:fsadm_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 (text+ko) ====
@@ -7,3 +7,5 @@
 /var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
 # using a hard-coded name under /var/tmp is a bug - new version fixes it
 /var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+# FreeBsd
+/usr/sbin/newsyslog -- system_u:object_r:logrotate_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 (text+ko) ====
@@ -6,3 +6,4 @@
 /dev/log -s system_u:object_r:devlog_t
 /var/run/log -s system_u:object_r:devlog_t
 /var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
+newsyslog XXX -- system_u:object_r:syslogd_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 (text+ko) ====
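Review bot: `+#dontaudit rpcd_t fs_type:filesystem getattr;` in the rpcd.te hunk adds a commented-out rule with no explanation of why it is disabled. If the getattr probes against other filesystems are expected noise from rpc.umntall, enable the dontaudit with a comment saying so; if they are not expected, drop the line rather than leave dead policy behind. The `# rpc.umntall` comment currently heads both the `self:fd` rule and `allow rpcd_t nfs_t:filesystem getattr;`, of which only the second looks specific to that program.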
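Review bot: `/usr/sbin/newsyslog -- system_u:object_r:logrotate_exec_t` in the logrotate.fc hunk and `newsyslog XXX -- system_u:object_r:syslogd_exec_t` in the syslogd.fc hunk of the same change both appear to label the newsyslog binary, with different types. A path can carry only one label, so the two entries need to be reconciled: decide whether newsyslog runs in the logrotate domain or the syslogd domain and remove the other entry. `newsyslog XXX` is also not a valid path specification, so as written the syslogd.fc line presumably either matches nothing or fails when the file contexts are compiled; if it is a placeholder, mark it with a TODO comment rather than leaving it as a live entry. The comment `# FreeBsd` should read `# FreeBSD`.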
@@ -59,6 +59,7 @@
 # A common mount point
 /mnt(/.*)? -d system_u:object_r:mnt_t
 /media(/.*)? -d system_u:object_r:mnt_t
+/cdrom -d system_u:object_r:mnt_t
 #
 # /var
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 (text+ko) ====
@@ -549,12 +549,10 @@
 # Access the pty master multiplexer.
 allow $1_t ptmx_t:chr_file rw_file_perms;
-ifdef(`devfsd.te', `
 allow $1_t device_t:filesystem getattr;
-')
-allow $1_t devpts_t:filesystem getattr;
 # allow searching /dev/pts
+allow $1_t device_t:dir { getattr read search };
 allow $1_t devpts_t:dir { getattr read search };
 # ignore old BSD pty devices
@@ -572,7 +570,7 @@
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
 # Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
+allow $1_devpts_t device_t:filesystem associate;
 # Label pty files with a derived type.
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 (text+ko) ====
@@ -88,7 +88,7 @@
 allow $1 { var_t var_run_t }:dir search;
 allow $1 lib_t:lnk_file r_file_perms;
 allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
+allow $1 ld_so_t:file execute_no_trans;
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 shlib_t:file rx_file_perms;
 allow $1 shlib_t:lnk_file r_file_perms;
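Review bot: `allow $1_devpts_t device_t:filesystem associate;` in the second core_macros.te hunk moves the derived pty types onto the device_t filesystem, but the context line that follows, `type_transition $1_t devpts_t:chr_file $1_devpts_t;`, still keys the transition on a devpts_t directory; if pty nodes are created under /dev, which the first hunk treats as device_t, that transition never fires and the new nodes keep the device_t label. Confirm where the pty nodes actually appear and retarget the type_transition to the same type the associate rule now uses, or drop it if labelling is done another way. The first hunk is similarly half-migrated: it removes `devpts_t:filesystem getattr` but keeps `allow $1_t devpts_t:dir { getattr read search };`, so if devpts_t is being retired the remaining devpts_t references in this macro should go with it, and if it is not, the associate change deserves a comment explaining why it alone targets device_t. The enclosing macro definition begins before the first hunk and ends after the second.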
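Review bot: Uncommenting `allow $1 ld_so_t:file execute_no_trans;` in the global_macros.te hunk gives every domain that uses this macro the right to execute the dynamic loader itself as a program, in its own domain. Because the loader then loads whatever binary it is pointed at, a domain can end up running code from files for which the policy grants it no execute or entrypoint permission, which is the check the rest of the policy relies on to keep each domain on its intended executables; the line was presumably left commented for that reason. If one program genuinely needs to invoke the loader directly, grant execute_no_trans in that program's own .te file with a comment naming the case, and keep the shared macro at the `rx_file_perms` the preceding context line already provides. The macro body starts before this hunk.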