Date: Thu, 25 Sep 2003 07:16:46 -0700 (PDT) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 38576 for review Message-ID: <200309251416.h8PEGkTb099308@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=38576 Change 38576 by areisse@areisse_tislabs on 2003/09/25 07:15:54 Updates to selinux policy. Files should be labelled correctly. ssh and login should work in enforcing mode. Affected files ... .. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#3 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/atrun.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/checkpolicy.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/dhcpc.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#3 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/lpd.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/lpr.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mta.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/rpcd.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#3 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#3 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/atrun.fc#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/checkpolicy.fc#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/dhcpc.fc#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/fsadm.fc#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/getty.fc#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/login.fc#2 edit .. 
//depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ping.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/su.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/usbd.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#3 (text+ko) ====
@@ -26,12 +26,14 @@
 M4 = $(REALDESTDIR)/usr/bin/m4 -Imacros -s
 #POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
-POLICYVER := policy.13
+POLICYVER := policy.16
 INSTALLDIR = $(DESTDIR)/etc/security/sebsd
 LOADPATH = $(INSTALLDIR)/$(POLICYVER)
 SRCINSTALLDIR = $(INSTALLDIR)/src
 POLICYCONF = $(SRCINSTALLDIR)/policy.conf
+MULTILABELMOUNTS := $(shell /sbin/mount -t ufs -p | /usr/bin/awk '{if (match($$4, "multilabel")) {print $$2}}')
+
 POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
 POLICYFILES += mls
@@ -72,7 +74,7 @@
 $(POLICYCONF): policy.conf
 	mkdir -p $(SRCINSTALLDIR)
-	install -m 644 -o root -g root policy.conf $@
+	install -m 644 -o root -g wheel policy.conf $@
 reload tmp/load: $(LOADPATH)
 	$(LOADPOLICY) $(LOADPATH)
@@ -121,10 +123,10 @@
 	cat domains/*.te domains/misc/*.te domains/program/*.te > $@
 relabel: $(FC) $(SETFILES)
-	$(SETFILES) $(FC) `mount | awk '/ext[23]/{print $$3}'`
+	$(SETFILES) $(FC) $(MULTILABELMOUNTS)
 reset: $(FC) $(SETFILES)
-	$(SETFILES) -R $(FC) `mount | awk '/ext[23]/{print $$3}'`
+	$(SETFILES) -R $(FC) $(MULTILABELMOUNTS)
 $(FC): $(FCFILES) file_contexts/program
 	cat $(FCFILES) > $@
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/checkpolicy.te#2 (text+ko) ====
@@ -57,4 +57,5 @@
 can_exec(user_t, checkpolicy_exec_t)
 allow checkpolicy_t privfd:fd use;
+allow checkpolicy_t checkpolicy_t:fd { use create };
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#2 (text+ko) ====
@@ -18,5 +18,6 @@
 allow cleanvar_t { pidfile var_spool_t }:file { getattr unlink };
 allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
+allow cleanvar_t self:capability dac_override;
 can_exec(cleanvar_t, bin_t)
 general_domain_access(cleanvar_t) #!!!
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#3 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#3 (text+ko) ====
@@ -13,7 +13,7 @@
 uses_shlib($1)
 allow $1 self:unix_dgram_socket create_socket_perms;
 allow $1 self:unix_stream_socket create_stream_socket_perms;
-allow $1 self:fifo_file rw_file_perms;
+allow $1 self:fifo_file { poll rw_file_perms };
 allow $1 self:process { fork sigchld setsched };
 allow $1 self:fd *;
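Review bot: `$(SETFILES) $(FC) $(MULTILABELMOUNTS)` in the relabel and reset recipes runs with no path arguments when the `mount -t ufs -p | awk` pipeline from the earlier hunk finds no multilabel mount, so a system whose filesystems were never flagged multilabel relabels nothing without any error. A guard before each call, `@test -n "$(MULTILABELMOUNTS)" || { echo "no multilabel ufs filesystems mounted" >&2; exit 1; }`, makes that condition visible instead of silent. Note also that the `$(shell …)` assignment runs mount on every make invocation, not only for these two targets; presumably acceptable here, but worth a comment beside the variable.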
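Review bot: `allow checkpolicy_t checkpolicy_t:fd { use create };` names the domain twice where the rest of this change uses the `self` keyword (`allow cleanvar_t self:capability dac_override;` in cleanvar.te), so `allow checkpolicy_t self:fd { use create };` would read consistently. I cannot see access_vectors in this change; upstream SELinux defines only `use` on the fd class, so if this tree has not added `create` the rule will be rejected when the policy is compiled — worth confirming against the checked-in access_vectors.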
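Review bot: `allow cleanvar_t self:capability dac_override;` is added without a comment, and dac_override lets the domain bypass owner and mode checks on every file and directory its other rules already permit, so it is exactly the grant a later reader needs a reason for. A one-line comment above it naming the operation that was denied without it, e.g. `# dac_override: unlink pid/spool files owned by other uids under /var (TODO: confirm which)`, keeps the grant reviewable. If the real need turns out to be directory traversal only, the narrower dac_read_search capability would suffice.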
@@ -172,6 +172,11 @@
 allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
 allow sshd_login_t userpty_type:chr_file { getattr relabelfrom relabelto };
+# open old-style ptys
+allow sshd_login_t devpts_t:chr_file { read write relabelfrom relabelto getattr setattr };
+
+allow sshd_login_t self:capability { linux_immutable sys_resource };
+
 read_locale(sshd_t)
 # Allow checking users mail at login
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#3 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/checkpolicy.fc#2 (text+ko) ====
@@ -1,2 +1,3 @@
 # checkpolicy
 /usr/bin/checkpolicy system_u:object_r:checkpolicy_exec_t
+/sbin/sebsd_checkpolicy system_u:object_r:checkpolicy_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#2 (text+ko) ====
@@ -19,3 +19,7 @@
 /var/spool/fcron/systab system_u:object_r:sysadm_cron_spool_t
 /var/run/fcron\.fifo system_u:object_r:crond_var_run_t
 /var/run/fcron\.pid system_u:object_r:crond_var_run_t
+# FreeBSD
+/var/cron system_u:object_r:cron_spool_t
+/var/cron/tabs/.* system_u:object_r:user_cron_spool_t
+/var/cron/tabs/root system_u:object_r:sysadm_cron_spool_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/dhcpc.fc#2 (text+ko) ====
@@ -7,5 +7,6 @@
 /var/lib/dhcp(3)? system_u:object_r:dhcp_state_t
 /var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid system_u:object_r:dhcpc_var_run_t
+/var/db/dhclient.leases system_u:object_r:dhcpc_state_t
 # pump
 /sbin/pump system_u:object_r:dhcpc_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/fsadm.fc#2 (text+ko) ====
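Review bot: `allow sshd_login_t self:capability { linux_immutable sys_resource };` grants two capabilities with no comment, unlike the `# open old-style ptys` rule just above it, so a reader cannot tell which login step needed them or whether both are required. A comment such as `# sys_resource: presumably setrlimit above the hard limit during session setup (confirm); linux_immutable: <TODO: operation that needed it>` would let the grant be narrowed later. The devpts_t rule above it also gives sshd_login_t read/write on every pty still carrying the generic label, which is consistent with relabeling on open but is worth stating in that comment.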
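Review bot: `/var/cron system_u:object_r:cron_spool_t` matches only the directory itself, so the `/var/cron/tabs` directory (as opposed to the files under it, which `/var/cron/tabs/.*` covers) falls through to whatever broader /var rule applies, and crond's search of it is judged against that label. If the intent is to label the whole tree, `/var/cron(/.*)? system_u:object_r:cron_spool_t` covers it while the two more specific tabs rules still take precedence under setfiles' last-match rule. Placing `/var/cron/tabs/root` after `/var/cron/tabs/.*` is correct for that same rule.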
@@ -17,7 +17,7 @@
 /sbin/parted system_u:object_r:fsadm_exec_t
 /sbin/tune2fs system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs system_u:object_r:fsadm_exec_t
-/sbin/swapon system_u:object_r:fsadm_exec_t
+/sbin/swap(on|off|ctl) system_u:object_r:fsadm_exec_t
 /sbin/hdparm system_u:object_r:fsadm_exec_t
 /sbin/raidstart system_u:object_r:fsadm_exec_t
 /sbin/mkraid system_u:object_r:fsadm_exec_t
@@ -28,3 +28,9 @@
 /usr/sbin/smart(d|ctl) system_u:object_r:fsadm_exec_t
 /sbin/lvmiopversion system_u:object_r:fsadm_exec_t
 /sbin/install-mbr system_u:object_r:fsadm_exec_t
+
+# FreeBSD
+/sbin/bsdlabel system_u:object_r:fsadm_exec_t
+/sbin/disklabel system_u:object_r:fsadm_exec_t
+/sbin/dumpon system_u:object_r:fsadm_exec_t
+/sbin/newfs system_u:object_r:fsadm_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/getty.fc#2 (text+ko) ====
@@ -1,3 +1,4 @@
 # getty
 /sbin/.*getty system_u:object_r:getty_exec_t
 /etc/mgetty(/.*)? system_u:object_r:etc_getty_t
+/usr/libexec/getty system_u:object_r:getty_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/login.fc#2 (text+ko) ====
@@ -1,2 +1,3 @@
 # login
 /bin/login system_u:object_r:login_exec_t
+/usr/bin/login system_u:object_r:login_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#2 (text+ko) ====
@@ -1,3 +1,6 @@
 # mount
 /bin/mount system_u:object_r:mount_exec_t
+/sbin/mdmfs system_u:object_r:mount_exec_t
+/sbin/mount_.* system_u:object_r:mount_exec_t
+/sbin/umount system_u:object_r:mount_exec_t
 /bin/umount system_u:object_r:mount_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ping.fc#2 (text+ko) ====
@@ -1,3 +1,4 @@
 # ping
 /bin/ping.* system_u:object_r:ping_exec_t
 /usr/sbin/hping2 system_u:object_r:ping_exec_t
+/sbin/ping system_u:object_r:ping_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#2 (text+ko) ====
@@ -1,6 +1,8 @@
 # ssh
 /usr/bin/ssh system_u:object_r:ssh_exec_t
+/usr/bin/slogin system_u:object_r:ssh_exec_t
 # sshd
+/etc/ssh/moduli system_u:object_r:sshd_key_t
 /etc/ssh/primes system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_key system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_dsa_key system_u:object_r:sshd_key_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/su.fc#2 (text+ko) ====
@@ -1,2 +1,3 @@
 # su
 /bin/su system_u:object_r:su_exec_t
+/usr/bin/su system_u:object_r:su_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#2 (text+ko) ====
@@ -58,6 +58,8 @@
 /var/tmp(/.*)? system_u:object_r:tmp_t
 # /var/tmp/vi\.recover system_u:object_r:tmp_t
+/var/empty system_u:object_r:etc_t
+/var/db/mounttab system_u:object_r:etc_runtime_t
 #
 # /var/ftp
@@ -81,17 +83,21 @@
 /home system_u:object_r:home_root_t
 /home/[^/]+ -d system_u:object_r:user_home_dir_t
 /home/[^/]+/.+ system_u:object_r:user_home_t
+/usr/home system_u:object_r:home_root_t
+/home/[^/]+ -d system_u:object_r:user_home_dir_t
+/home/[^/]+/.+ system_u:object_r:user_home_t
 #
 # Other staff home directories, replace "jadmin" with appropriate name
 #
-/home/jadmin/(/.*)? system_u:object_r:staff_home_t
-/home/jadmin system_u:object_r:staff_home_dir_t
+#/home/jadmin/(/.*)? system_u:object_r:staff_home_t
+#/home/jadmin system_u:object_r:staff_home_dir_t
 #
 # /bin
 #
 /bin(/.*)? system_u:object_r:bin_t
+/bin/sh -- system_u:object_r:shell_exec_t
 /bin/tcsh -- system_u:object_r:shell_exec_t
 /bin/bash -- system_u:object_r:shell_exec_t
 /bin/bash2 -- system_u:object_r:shell_exec_t
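Review bot: `/var/db/mounttab system_u:object_r:etc_runtime_t` is added in the `@@ -58,6 +58,8 @@` hunk of types.fc and again in the `@@ -154,24 +147,30 @@` hunk of the same file, next to `/etc/mtab`, so the file ends up with two identical entries. Harmless for labeling, but confusing when one of them is later edited and the other is forgotten; keep only the one beside `/etc/mtab`, which is where the equivalent runtime mount table entry already lives.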
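Review bot: The two lines added after `/usr/home system_u:object_r:home_root_t` in the `@@ -81,17 +83,21 @@` hunk repeat the existing `/home/[^/]+ -d` and `/home/[^/]+/.+` entries verbatim instead of covering /usr/home, so home directories that physically live under /usr/home get no user_home_dir_t or user_home_t label from this change. This looks like a copy-and-paste slip; the intended lines are presumably `/usr/home/[^/]+ -d system_u:object_r:user_home_dir_t` and `/usr/home/[^/]+/.+ system_u:object_r:user_home_t`. Since the home labels are what keep one user domain out of another user's files, this is worth fixing before relying on enforcing mode.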
@@ -122,14 +128,7 @@
 /dev/[^/]*tty[^/]* system_u:object_r:tty_device_t
 /dev/vcs[^/]* system_u:object_r:tty_device_t
 /dev/tty system_u:object_r:devtty_t
-/dev/[shmr]d[^/]* system_u:object_r:fixed_disk_device_t
-/dev/ubd[^/]* system_u:object_r:fixed_disk_device_t
-/dev/cciss/[^/]* system_u:object_r:fixed_disk_device_t
-/dev/ida/[^/]* system_u:object_r:fixed_disk_device_t
-/dev/dasd[^/]* system_u:object_r:fixed_disk_device_t
-/dev/flash[^/]* system_u:object_r:fixed_disk_device_t
-/dev/nb[^/]+ system_u:object_r:fixed_disk_device_t
-/dev/ataraid/.* system_u:object_r:fixed_disk_device_t
+/dev/ad[^/]* system_u:object_r:fixed_disk_device_t
 /dev/loop.* system_u:object_r:fixed_disk_device_t
 /dev/ram.* system_u:object_r:fixed_disk_device_t
 /dev/s(cd|r)[^/]* system_u:object_r:removable_device_t
@@ -137,14 +136,8 @@
 /dev/rtc system_u:object_r:clock_device_t
 /dev/psaux system_u:object_r:mouse_device_t
 /dev/.*mouse.* -c system_u:object_r:mouse_device_t
-/dev/input/.*mouse.* system_u:object_r:mouse_device_t
-/dev/input/mice system_u:object_r:mouse_device_t
 /dev/ptmx system_u:object_r:ptmx_t
 /dev/sequencer system_u:object_r:misc_device_t
-/dev/fb[0-9]* system_u:object_r:framebuf_device_t
-/dev/apm_bios system_u:object_r:apm_bios_t
-/dev/cpu/mtrr system_u:object_r:mtrr_device_t
-/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
 /proc(/.*)? <<none>>
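Review bot: `/dev/ad[^/]* system_u:object_r:fixed_disk_device_t` replaces the Linux disk entries but only covers ATA disks; if SCSI or USB storage is in scope on this system, `/dev/da[^/]* system_u:object_r:fixed_disk_device_t` is needed alongside it, otherwise those device nodes keep the generic device label and the fsadm-type domains lose access to them while anything allowed the generic label gains it. Whether /dev labeling through file_contexts takes effect at all here depends on the fs_use handling of /dev, which is outside this hunk.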
@@ -154,24 +147,30 @@
 /etc(/.*)? system_u:object_r:etc_t
 /etc/shadow.* system_u:object_r:shadow_t
 /etc/gshadow.* system_u:object_r:shadow_t
+/etc/master.passwd system_u:object_r:shadow_t
 /etc/\.pwd\.lock system_u:object_r:shadow_t
 /etc/fstab\.REVOKE system_u:object_r:etc_runtime_t
 /etc/HOSTNAME system_u:object_r:etc_runtime_t
 /etc/ioctl\.save system_u:object_r:etc_runtime_t
 /etc/mtab -- system_u:object_r:etc_runtime_t
+/var/db/mounttab system_u:object_r:etc_runtime_t
 /etc/motd system_u:object_r:etc_runtime_t
 /etc/issue system_u:object_r:etc_runtime_t
 /etc/issue\.net system_u:object_r:etc_runtime_t
-/etc/sysconfig/hwconf system_u:object_r:etc_runtime_t
-/etc/asound\.state system_u:object_r:etc_runtime_t
 /etc/ld\.so\.cache system_u:object_r:ld_so_cache_t
 /etc/ld\.so\.preload system_u:object_r:ld_so_cache_t
 /etc/resolv\.conf.* system_u:object_r:resolv_conf_t
-/etc/selinux(/.*)? system_u:object_r:policy_src_t
-/etc/security/selinux(/.*)? system_u:object_r:policy_config_t
-/etc/security/selinux/src(/.*)? system_u:object_r:policy_src_t
+/etc/security/sebsd(/.*)? system_u:object_r:policy_config_t
+/etc/security/sebsd/src(/.*)? system_u:object_r:policy_src_t
 /etc/security/default_context.* system_u:object_r:default_context_t
 /etc/services system_u:object_r:etc_t
+/etc/namedb(/.*)? system_u:object_r:named_zone_t
+/etc/namedb/named.conf system_u:object_r:named_conf_t
+/etc/rc.d/cleanvar system_u:object_r:cleanvar_exec_t
+/etc/rc.d/dhclient system_u:object_r:initrc_exec_t
+/etc/rc.d/sshd system_u:object_r:initrc_exec_t
+/etc/rc.shutdown system_u:object_r:initrc_exec_t
+/etc/rc system_u:object_r:initrc_exec_t
 #
 # /lib
@@ -224,35 +223,16 @@
 /usr/lib/autofs/.*\.so system_u:object_r:shlib_t
 /usr/lib/perl5/man(/.*)? system_u:object_r:man_t
 /usr/lib/perl.*\.so system_u:object_r:shlib_t
-/usr/lib/selinux(/.*)? system_u:object_r:policy_src_t
 /usr/lib/emacsen-common/.* system_u:object_r:bin_t
 /usr/lib/.*/bin(/.*)? system_u:object_r:bin_t
 /usr/lib/gconv/.*\.so system_u:object_r:shlib_t
 /usr/share/guile/g-wrapped/.*\.so system_u:object_r:shlib_t
 /usr/share/selinux(/.*)? system_u:object_r:policy_src_t
 /usr/games(/.*)? system_u:object_r:bin_t
-
-#
-# /usr/.*glibc.*-linux/lib
-#
-/usr/.*glibc.*-linux/lib(/.*)? system_u:object_r:lib_t
-/usr/.*glibc.*-linux/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*glibc.*-linux/lib/lib.*\.so.* system_u:object_r:shlib_t
+/usr/libexec/ld.*\.so.* system_u:object_r:ld_so_t
+/usr/lib/pam_.* system_u:object_r:shlib_t
-# /usr/.*redhat-linux/lib
 #
-/usr/.*redhat-linux/lib(/.*)? system_u:object_r:lib_t
-/usr/.*redhat-linux/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*redhat-linux/lib/lib.*\.so.* system_u:object_r:shlib_t
-
-#
-# /usr/.*linux-libc.*/lib
-#
-/usr/.*linux-libc.*/lib(/.*)? system_u:object_r:lib_t
-/usr/.*linux-libc.*/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*linux-libc.*/lib/lib.*\.so.* system_u:object_r:shlib_t
-
-#
-# /usr/local
 #
 /usr/local/etc(/.*)? system_u:object_r:etc_t
@@ -264,6 +244,7 @@
 # /usr/local/bin
 #
 /usr/local/bin(/.*)? system_u:object_r:bin_t
+/usr/local/bin/bash system_u:object_r:shell_exec_t
 #
 # /usr/local/lib
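Review bot: `/usr/libexec/ld.*\.so.* system_u:object_r:ld_so_t` labels a runtime linker under /usr/libexec, but the base-system linker on FreeBSD is /libexec/ld-elf.so.1; unless that path is covered elsewhere in this file, dynamically linked binaries are started through a linker that carries only the generic label and the ld_so_t rules never apply to it. Adding `/libexec/ld.*\.so.* system_u:object_r:ld_so_t` next to the new line would close that gap. Note also that a lone `#` context line survives after `/usr/lib/pam_.*` once the redhat-linux header is removed; cosmetic, but it leaves a dangling separator.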
@@ -302,18 +283,12 @@
 /usr/kerberos/lib/lib.*\.so.* system_u:object_r:shlib_t
 #
-# /usr/local/selinux
-#
-/usr/local/selinux/bin(/.*)? system_u:object_r:bin_t
-/usr/local/selinux/sbin(/.*)? system_u:object_r:bin_t
-/usr/local/selinux/lib(/.*)? system_u:object_r:lib_t
-/usr/local/selinux/libexec(/.*)? system_u:object_r:lib_t
-
-#
-# /var/run
 #
 /var/run(/.*)? system_u:object_r:var_run_t
 /var/run/.*\.*pid <<none>>
+/var/run/ld\.so\..* system_u:object_r:ld_so_cache_t
+/var/run/ld-elf\.so\..* system_u:object_r:ld_so_cache_t
 #
 # /var/spool
@@ -333,17 +308,7 @@
 /var/log/lastlog system_u:object_r:lastlog_t
 /var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t
 /var/log/syslog system_u:object_r:var_log_t
-
-#
-# Persistent label mappings.
-#
-/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/usr/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/boot/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/home/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/var/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/tmp/\.\.\.security(/.*)? system_u:object_r:file_labels_t
-/usr/local/\.\.\.security(/.*)? system_u:object_r:file_labels_t
+/var/log/messages system_u:object_r:var_log_t
 #
 # Lost and found directories.
@@ -364,14 +329,3 @@
 /usr/lib/locale/.* system_u:object_r:locale_t
 /etc/localtime -- system_u:object_r:locale_t
 /etc/localtime -l system_u:object_r:etc_t
-
-#
-# initrd mount point, only used during boot
-#
-/initrd system_u:object_r:root_t
-
-#
-# The Sun Java development kit, RPM install
-#
-/usr/java/j2sdk.*/bin(/.*)? system_u:object_r:bin_t
-/usr/java/j2sdk.*/jre/lib/i386(/.*)? system_u:object_r:lib_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#3 (text+ko) ====
@@ -2,9 +2,7 @@
 # Define the labeling behavior for inodes in particular filesystem types.
 # This information was formerly hardcoded in the SELinux module.
-fs_use_psid ext2;
-fs_use_psid ext3;
-fs_use_psid ufs;
+fs_use_xattr ufs system_u:object_r:fs_t;
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#3 (text+ko) ====
@@ -623,6 +623,10 @@
 # allow searching /dev/pts
 allow $1_t devpts_t:dir { getattr read search };
+
+# For systems without /dev/ptmx
+allow $1_t devpts_t:chr_file { poll getattr setattr read write };
+type_change $1_t devpts_t:chr_file $1_devpts_t;
 ')
 ##################################
@@ -642,7 +646,7 @@
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
 # Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+allow $1_t $1_devpts_t:chr_file { poll setattr rw_file_perms };
 ')
@@ -658,7 +662,7 @@
 type_transition $1_t devpts_t:chr_file $2_devpts_t;
 # Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
+allow $1_t $2_devpts_t:chr_file { setattr poll rw_file_perms };
 ')
 ##################################
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#2 (text+ko) ====
@@ -125,8 +125,8 @@
 ')
 # Write to the user domain tty.
-allow $1_ssh_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_ssh_t $1_tty_device_t:chr_file { poll rw_file_perms };
+allow $1_ssh_t $1_devpts_t:chr_file { poll rw_file_perms };
 # Allow the user shell to signal the ssh program.
 allow $1_t $1_ssh_t:process signal;
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#2 (text+ko) ====
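Review bot: `fs_use_xattr ufs system_u:object_r:fs_t;` changes where ufs inode labels come from, but the comment above it still only says the information was formerly hardcoded; a reader who sees an unlabeled ufs mount has nothing here to tell them why. A line above it such as `# ufs: labels are stored in extended attributes; only filesystems mounted multilabel carry them (the Makefile's MULTILABELMOUNTS filters on the same flag)` ties the two halves of this change together.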
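Review bot: `allow $1_t devpts_t:chr_file { poll getattr setattr read write };` in the `@@ -623,6 +623,10 @@` hunk is expanded for every domain that uses this macro, so each such domain can read and write any pty that still carries the generic devpts_t label, not only the one it is about to relabel with the `type_change` on the next line. That is a cross-user widening whenever a pty is left at devpts_t by a path the relabel does not cover, so the `# For systems without /dev/ptmx` comment should say the access is only meant to bracket the relabel, and a running system should be checked for ptys that remain devpts_t after sessions start. The macro's `define(` line is outside the hunk, so which macro this is cannot be seen here.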
@@ -44,7 +44,7 @@
 type $1_tty_device_t, file_type, sysadmfile, ttyfile;
 # Access ttys.
 allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+allow $1_t $1_tty_device_t:chr_file { poll setattr rw_file_perms };
 # Use the type when relabeling terminal devices.
 type_change $1_t tty_device_t:chr_file $1_tty_device_t;
 ifdef(`dpkg.te', `
help
