From owner-p4-projects@FreeBSD.ORG Thu Feb 15 20:20:00 2007 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 38E9C16A407; Thu, 15 Feb 2007 20:20:00 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DA3D916A46B for ; Thu, 15 Feb 2007 20:19:59 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id C4A1713C4A5 for ; Thu, 15 Feb 2007 20:19:59 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l1FKJvR3070243 for ; Thu, 15 Feb 2007 20:19:57 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l1FKJvKM070240 for perforce@freebsd.org; Thu, 15 Feb 2007 20:19:57 GMT (envelope-from millert@freebsd.org) Date: Thu, 15 Feb 2007 20:19:57 GMT Message-Id: <200702152019.l1FKJvKM070240@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 114578 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Feb 2007 20:20:00 -0000 http://perforce.freebsd.org/chv.cgi?CH=114578 Change 114578 by millert@millert_p4 on 2007/02/15 20:19:45 Tweak to build with new checkpolicy. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 edit Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 (text+ko) ====
@@ -8,7 +8,7 @@
 #
 # Disable transitions to insmod.
 #
-secure_mode_insmod = false
+secure_mode_insmod = true
 #
 # boolean to determine whether the system permits loading policy, setting
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ====
@@ -10,8 +10,6 @@ # kernel_domtrans_to(devd_t, devd_exec_t) init_daemon_domain(devd_t, devd_exec_t) -type_transition initrc_t devd_exec_t:process devd_t; - type devd_etc_t; files_config_file(devd_etc_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ====
@@ -10,8 +10,6 @@
 #kernel_domtrans_to(usbd_t, usbd_exec_t)
 init_daemon_domain(usbd_t, usbd_exec_t)
-type_transition initrc_t usbd_exec_t:process usbd_t;
-
 type usbd_etc_t;
 files_config_file(usbd_etc_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 (text+ko) ====
@@ -85,7 +85,7 @@
 allow $1 insmod_t:fd use;
 allow insmod_t $1:fd use;
 allow insmod_t $1:fifo_file rw_file_perms;
- allow insmod_t $1:process sigchld;
+ #allow insmod_t $1:process sigchld;
 ')
 ########################################
@@ -103,9 +103,9 @@
 bool secure_mode_insmod;
 ')
- if (!secure_mode_insmod) {
- modutils_domtrans_insmod_uncond($1)
- }
+# if (!secure_mode_insmod) {
+# modutils_domtrans_insmod_uncond($1)
+# }
 ')
 ########################################
@@ -175,7 +175,7 @@
 allow $1 depmod_t:fd use;
 allow depmod_t $1:fd use;
 allow depmod_t $1:fifo_file rw_file_perms;
- allow depmod_t $1:process sigchld;
+ #allow depmod_t $1:process sigchld;
 ')
 ########################################
@@ -242,7 +242,7 @@
 allow $1 update_modules_t:fd use;
 allow update_modules_t $1:fd use;
 allow update_modules_t $1:fifo_file rw_file_perms;
- allow update_modules_t $1:process sigchld;
+ #allow update_modules_t $1:process sigchld;
 ')
 ########################################
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 (text+ko) ====
@@ -20,7 +20,6 @@
 type insmod_t;
 type insmod_exec_t;
-init_system_domain(insmod_t,insmod_exec_t)
 mls_file_write_down(insmod_t)
 role system_r types insmod_t;
@@ -43,7 +42,7 @@
 #
 allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+#allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 allow insmod_t self:udp_socket create_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms;
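Review bot: The `allow insmod_t $1:process sigchld;` rule in the modutils.if hunk at -85 is commented out with no word on why, and the same edit repeats for depmod_t (-175), update_modules_t (-242) and in modutils.te (-43, -236). Without the rule the policy no longer grants the child domain permission to signal its caller on exit, so if SEBSD enforces `process:sigchld` the callers of these interfaces may see denials; if the permission is simply not accepted for SEBSD (which would explain the checkpolicy failure, though the commit does not say), a marker such as `# SEBSD: process sigchld rejected by new checkpolicy, disabled` above each line would record that. In the -43 hunk the whole `self:process { execmem sigchld sigkill sigstop signull signal }` rule is disabled; if only some of those permissions fail to compile, keeping the rest avoids dropping more than the build requires. The enclosing interfaces start outside these hunks.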
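Review bot: With the `if (!secure_mode_insmod)` block commented out in the modutils.if hunk at -103, the only statement visible after the `gen_require` is gone, so this interface (presumably the conditional insmod domtrans wrapper; its header is outside the hunk) appears to expand to no rules at all. Callers then get no transition into insmod_t, and the `secure_mode_insmod = true` flip in booleans.conf gates nothing here; the other visible consumer, the `kernel_domtrans_to` conditional in modutils.te (-115), is disabled as well. If this is a temporary build workaround, say so in place, e.g. `# SEBSD: conditional domtrans disabled for new checkpolicy; secure_mode_insmod not enforced`, so the boolean is not mistaken for an active control.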
@@ -88,7 +87,7 @@
 corecmd_exec_sbin(insmod_t)
 corecmd_exec_shell(insmod_t)
-domain_signal_all_domains(insmod_t)
+#domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
 files_read_etc_runtime_files(insmod_t)
@@ -115,25 +114,25 @@
 seutil_read_file_contexts(insmod_t)
-if( ! secure_mode_insmod ) {
- kernel_domtrans_to(insmod_t,insmod_exec_t)
-}
+#if( ! secure_mode_insmod ) {
+# kernel_domtrans_to(insmod_t,insmod_exec_t)
+#}
 ifdef(`hide_broken_symptoms',`
 dev_dontaudit_rw_cardmgr(insmod_t)
 ')
-ifdef(`targeted_policy',`
- unconfined_domain(insmod_t)
-')
+#ifdef(`targeted_policy',`
+# unconfined_domain(insmod_t)
+#')
 optional_policy(`hotplug',`
 hotplug_search_config(insmod_t)
 ')
-optional_policy(`mount',`
- mount_domtrans(insmod_t)
-')
+#optional_policy(`mount',`
+# mount_domtrans(insmod_t)
+#')
 optional_policy(`nis',`
 nis_use_ypbind(insmod_t)
@@ -236,7 +235,7 @@
 allow update_modules_t depmod_t:fd use;
 allow depmod_t update_modules_t:fd use;
 allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
+#allow depmod_t update_modules_t:process sigchld;
 allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;
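Review bot: The hunk at -115 leaves three blocks as commented-out code with no rationale, and they pull in different directions: dropping `unconfined_domain(insmod_t)` and `mount_domtrans(insmod_t)` narrows insmod_t, while disabling `kernel_domtrans_to(insmod_t,insmod_exec_t)` removes a way into the domain. Together with the `init_system_domain(insmod_t,insmod_exec_t)` removal at -20, none of the visible hunks keeps an entry transition for insmod_t, so it is worth confirming on a built policy that module loading still runs in insmod_t rather than in the caller's domain. Either delete the dead lines or tag each with a one-line reason such as `# SEBSD: disabled, fails with new checkpolicy`.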