Date: Thu, 15 Feb 2007 20:19:57 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 114578 for review Message-ID: <200702152019.l1FKJvKM070240@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=114578 Change 114578 by millert@millert_p4 on 2007/02/15 20:19:45 Tweak to build with new checkpolicy. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 (text+ko) ==== @@ -8,7 +8,7 @@ # # Disable transitions to insmod. # -secure_mode_insmod = false +secure_mode_insmod = true # # boolean to determine whether the system permits loading policy, setting ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ==== @@ -10,8 +10,6 @@ # kernel_domtrans_to(devd_t, devd_exec_t) init_daemon_domain(devd_t, devd_exec_t) -type_transition initrc_t devd_exec_t:process devd_t; - type devd_etc_t; files_config_file(devd_etc_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ==== @@ -10,8 +10,6 @@ #kernel_domtrans_to(usbd_t, usbd_exec_t) init_daemon_domain(usbd_t, usbd_exec_t) -type_transition initrc_t usbd_exec_t:process usbd_t; - type usbd_etc_t; files_config_file(usbd_etc_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 (text+ko) ==== @@ -85,7 +85,7 @@ allow $1 insmod_t:fd use; allow insmod_t $1:fd use; allow insmod_t $1:fifo_file rw_file_perms; - allow insmod_t $1:process sigchld; + #allow insmod_t $1:process sigchld; ') ######################################## 
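Review bot: The new default `secure_mode_insmod = true` in booleans.conf no longer controls anything visible in this change, because both conditionals that read the boolean are commented out in the same change (the `if (!secure_mode_insmod)` block in modutils.if at -103 and the `if( ! secure_mode_insmod )` block in modutils.te at -115). An administrator who later sets it back to false would expect transitions to insmod to be permitted again, and from these hunks they would not be. I would record that next to the setting, for example `# NOTE: currently has no effect; the conditionals in modutils.if and modutils.te are disabled so the policy builds with the new checkpolicy.`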
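Review bot: The `allow insmod_t $1:process sigchld;` rule in the modutils.if hunk at -85 is disabled by commenting it out with no reason recorded, and the same is done at -175 (depmod_t), at -242 (update_modules_t) and in modutils.te at -236. These rules let the transitioned domain deliver SIGCHLD to the domain that started it, so if that permission is enforced the caller may no longer be notified when the helper exits; that should be confirmed on a running system. If the rule has to go for the build, a comment such as `# XXX disabled so the policy compiles with the new checkpolicy; re-enable once resolved` would keep it from being read as dead code. The enclosing interface starts outside the hunk.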
@@ -103,9 +103,9 @@ bool secure_mode_insmod; ') - if (!secure_mode_insmod) { - modutils_domtrans_insmod_uncond($1) - } +# if (!secure_mode_insmod) { +# modutils_domtrans_insmod_uncond($1) +# } ') ######################################## @@ -175,7 +175,7 @@ allow $1 depmod_t:fd use; allow depmod_t $1:fd use; allow depmod_t $1:fifo_file rw_file_perms; - allow depmod_t $1:process sigchld; + #allow depmod_t $1:process sigchld; ') ######################################## @@ -242,7 +242,7 @@ allow $1 update_modules_t:fd use; allow update_modules_t $1:fd use; allow update_modules_t $1:fifo_file rw_file_perms; - allow update_modules_t $1:process sigchld; + #allow update_modules_t $1:process sigchld; ') ######################################## ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 (text+ko) ==== @@ -20,7 +20,6 @@ type insmod_t; type insmod_exec_t; -init_system_domain(insmod_t,insmod_exec_t) mls_file_write_down(insmod_t) role system_r types insmod_t; @@ -43,7 +42,7 @@ # allow insmod_t self:capability { dac_override net_raw sys_tty_config }; -allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; +#allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; @@ -88,7 +87,7 @@ corecmd_exec_sbin(insmod_t) corecmd_exec_shell(insmod_t) -domain_signal_all_domains(insmod_t) +#domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) files_read_etc_runtime_files(insmod_t) 
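Review bot: In the modutils.te hunk at -43 the whole `allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };` rule is commented out, which drops the self-signal permissions together with `execmem`, although they are separate concerns. If only one permission in the set is rejected by the new checkpolicy, it would be better to keep the rest and remove only that one, and in either case to add a comment naming the permission that failed to compile. Losing `execmem` is a tightening; losing the signal permissions on self may surface as denials if insmod signals its own children, which is inferred and not shown in the hunk.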
@@ -115,25 +114,25 @@ seutil_read_file_contexts(insmod_t) -if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t,insmod_exec_t) -} +#if( ! secure_mode_insmod ) { +# kernel_domtrans_to(insmod_t,insmod_exec_t) +#} ifdef(`hide_broken_symptoms',` dev_dontaudit_rw_cardmgr(insmod_t) ') -ifdef(`targeted_policy',` - unconfined_domain(insmod_t) -') +#ifdef(`targeted_policy',` +# unconfined_domain(insmod_t) +#') optional_policy(`hotplug',` hotplug_search_config(insmod_t) ') -optional_policy(`mount',` - mount_domtrans(insmod_t) -') +#optional_policy(`mount',` +# mount_domtrans(insmod_t) +#') optional_policy(`nis',` nis_use_ypbind(insmod_t) @@ -236,7 +235,7 @@ allow update_modules_t depmod_t:fd use; allow depmod_t update_modules_t:fd use; allow depmod_t update_modules_t:fifo_file rw_file_perms; -allow depmod_t update_modules_t:process sigchld; +#allow depmod_t update_modules_t:process sigchld; allow update_modules_t update_modules_tmp_t:dir create_dir_perms; allow update_modules_t update_modules_tmp_t:file create_file_perms;
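Review bot: The modutils.te hunk at -115 disables three unrelated blocks by comment (`kernel_domtrans_to(insmod_t,insmod_exec_t)`, `unconfined_domain(insmod_t)` under `targeted_policy`, and `mount_domtrans(insmod_t)`) without saying which of them the new checkpolicy rejects. Together with the removal of `init_system_domain(insmod_t,insmod_exec_t)` at -20 and the disabled conditional in modutils.if at -103, the visible hunks do not show which transition into `insmod_t` remains, so module loading may end up denied or running in the caller's domain; this needs checking against the full policy. A per-block comment such as `# XXX disabled for the new checkpolicy build; entry points into insmod_t need review` would make the workaround traceable.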