From owner-p4-projects@FreeBSD.ORG Thu Aug 24 11:09:55 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1D18016A4E1; Thu, 24 Aug 2006 11:09:55 +0000 (UTC) X-Original-To: perforce@FreeBSD.org Delivered-To: perforce@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEB8716A4DF for ; Thu, 24 Aug 2006 11:09:54 +0000 (UTC) (envelope-from dongmei@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EB0A43D49 for ; Thu, 24 Aug 2006 11:09:54 +0000 (GMT) (envelope-from dongmei@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k7OB9s8F062551 for ; Thu, 24 Aug 2006 11:09:54 GMT (envelope-from dongmei@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k7OB9sCb062548 for perforce@freebsd.org; Thu, 24 Aug 2006 11:09:54 GMT (envelope-from dongmei@FreeBSD.org) Date: Thu, 24 Aug 2006 11:09:54 GMT Message-Id: <200608241109.k7OB9sCb062548@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to dongmei@FreeBSD.org using -f 
From: dongmei To: Perforce Change Reviews Cc: Subject: PERFORCE change 104915 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Aug 2006 11:09:55 -0000 http://perforce.freebsd.org/chv.cgi?CH=104915 Change 104915 by dongmei@soc-dongmei-sebsd on 2006/08/24 11:09:12 Corrected most of the boot errors, including those of the services cron, devd, inetd, usbd, syslogd, getty, dhclient, ifconfig, swapon and login programs. Interfaces which I have added are marked with the comment "#lll" for a future check. Affected files ... .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#4 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/cron.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/dhcp.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/ftp.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/inetd.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit .. 
//depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#3 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#3 edit Differences ... ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#4 (text+ko) ==== @@ -68,7 +68,7 @@ POLDIR := policy MODDIR := $(POLDIR)/modules FLASKDIR := $(POLDIR)/flask -SECCLASS := $(FLASKDIR)/security_classes +#SECCLASS := $(FLASKDIR)/security_classes ISIDS := $(FLASKDIR)/initial_sids ifeq ($(DISTRO),sebsd) AVS := $(FLASKDIR)/access_vectors.sebsd ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#3 (text+ko) ==== 
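Review bot: In the refpolicy Makefile hunk, `SECCLASS` is commented out for every build, although the lines right after it already use `ifeq ($(DISTRO),sebsd)` to pick the SEBSD-specific `access_vectors.sebsd`. If any rule outside this hunk still expands `$(SECCLASS)`, it now expands to nothing, so the policy would either fail to build or be assembled without the class definitions, for all values of DISTRO. Moving the override inside the conditional, or adding a comment that says where the class list now comes from, would make the intent checkable; the rest of the Makefile is outside the hunk.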
@@ -1150,6 +1150,23 @@ allow $1 dri_device_t:chr_file manage_file_perms; type_transition $1 device_t:chr_file dri_device_t; ') +######################################## +## +## Create, read, write, and delete the generic devices.(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_generic_dev',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir rw_dir_perms; +') ######################################## ## @@ -2342,7 +2359,7 @@ ') ######################################## ## -## Allow caller to read /dev +## Allow caller to read /dev chr_files(lll) ## ## ## @@ -2350,7 +2367,7 @@ ## ## # -interface(`dev_read_chr_file_devfs',` +interface(`dev_read_generic_chr_file',` gen_require(` type device_t; ') 
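Review bot: In devices.if, `dev_manage_generic_dev` is summarised as "Create, read, write, and delete the generic devices", but the only rule it adds is `allow $1 device_t:dir rw_dir_perms;`, which is write access to the /dev directory and nothing on device nodes. The name and summary should match the rule, for example `## Read and write the /dev directory.`, so that someone auditing `dev_manage_generic_dev(kernel_t)` in kernel.te does not assume node permissions are included. A short note on which boot-time denial this answers would also help when the `(lll)` items are revisited.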
@@ -2780,4 +2797,75 @@ allow $1 self:capability sys_rawio; typeattribute $1 memory_raw_write, memory_raw_read; ') +######################################## +## +## Mount a filesystem on /dev.(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mounton_dev',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir { search mounton }; +') +######################################## +## +## Create, read, write, and delete the null devices.(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + allow $1 device_t:dir rw_dir_perms; + allow $1 null_device_t:chr_file manage_file_perms; +') +######################################## +## +## Read from random number generator +## devices symlinks (e.g., /dev/random)(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_rand_symlinks',` + gen_require(` + type device_t, random_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 random_device_t:lnk_file r_file_perms; +') +######################################## +## +## Create, read, write, and delete the usb devices.(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_usb_dev',` + gen_require(` + type device_t, usb_device_t; + ') + + allow $1 usb_device_t:chr_file manage_file_perms; +') ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#3 (text+ko) ==== @@ -1549,6 +1549,17 @@ allow $1 etc_t:file r_file_perms; allow $1 etc_t:lnk_file r_file_perms; ') +######################################## +# +# files_read_boot_files(domain) +# +interface(`files_read_boot_files',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:file r_file_perms; +') ######################################## # 
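Review bot: In the devices.if hunk that appends four interfaces, `dev_manage_usb_dev` lists `device_t` in its `gen_require` but never uses it. Unlike `dev_manage_null_dev` just above, it has no `allow $1 device_t:dir rw_dir_perms;`, so a caller can create or delete `usb_device_t` nodes only if it obtains directory access to /dev some other way. Either add the directory rule or drop `device_t` from the require so the interface is self-describing. The `manage_file_perms` grants on the null and USB nodes are broad, and each summary should say which operation needed create and delete rather than read/write.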
@@ -3052,7 +3063,25 @@ allow $1 root_t:dir search_dir_perms; ') +############################################################ +## +## Search the contents of /bin +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_bin',` + + gen_require(` + type bin_t; + ') + allow $1 bin_t:dir search_dir_perms; +') + ######################################## ## ## Do not audit attempts to search @@ -3108,6 +3137,24 @@ allow $1 var_t:dir create_dir_perms; ') +######################################## +## +## Create, read, write, and delete directories +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_run_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir create_dir_perms; +') ######################################## ## @@ -3146,6 +3193,42 @@ allow $1 var_t:dir rw_dir_perms; allow $1 var_t:file create_file_perms; ') +######################################## +## +## Create, read, write, and delete files in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_run_files',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir rw_dir_perms; + allow $1 var_run_t:file create_file_perms; +') + +######################################## +## +## Create sock files in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_run_sock_file',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:sock_file create_file_perms; +') ######################################## ## ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#3 (text+ko) ==== @@ -1,4 +1,4 @@ - + policy_module(filesystem,1.3.0) ######################################## ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#3 (text+ko) ==== 
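Review bot: The `files_manage_var_run_dirs`, `files_manage_var_run_files` and `files_manage_var_run_sock_file` interfaces added to files.if grant create, write and delete on the shared `var_run_t` type, and this change applies them to devd_t, init_t, ldconfig_t and local_login_t. Each of those domains can then replace or remove the others' pid files and sockets under /var/run. The dhcp.te context in this same change shows the narrower pattern, a private type with `files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)`; using that per daemon and keeping the generic type for read-only access would contain a compromised daemon. Separately, `files_manage_var_run_sock_file` is summarised as "Create sock files" yet grants the whole `create_file_perms` set and no permission on the `var_run_t` directory, so the summary and the rules should be brought into agreement.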
@@ -58,6 +58,7 @@ fs_type(proc_t) genfscon proc / gen_context(system_u:object_r:proc_t,s0) genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) +genfscon procfs / gen_context(system_u:object_r:proc_t,s0) # kernel message interface type proc_kmsg_t, proc_type; @@ -176,7 +177,7 @@ allow kernel_t self:unix_stream_socket connectto; allow kernel_t self:fifo_file rw_file_perms; allow kernel_t self:sock_file r_file_perms; -allow kernel_t self:fd use; +allow kernel_t self:fd { use create }; # old general_proc_read_access(): allow kernel_t proc_t:dir r_dir_perms; @@ -192,6 +193,13 @@ # cjp: this seems questionable allow kernel_t unlabeled_t:fifo_file rw_file_perms; +#lll +dev_manage_generic_dev(kernel_t) +dev_manage_generic_symlinks(kernel_t) +dev_mounton_dev(kernel_t) +dev_manage_null_dev(kernel_t) + + corenet_non_ipsec_sendrecv(kernel_t) # Kernel-generated traffic e.g., ICMP replies: ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#3 (text+ko) ==== @@ -614,6 +614,24 @@ dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file { getattr write ioctl }; ') +######################################## +## +## Allow the caller to directly write +## a fixed disk device. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`storage_write_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + allow $1 fixed_disk_device_t:chr_file { getattr write ioctl }; +') ######################################## ## ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/cron.te#2 (text+ko) ==== 
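Review bot: `storage_write_fixed_disk` in storage.if grants `fixed_disk_device_t:chr_file { getattr write ioctl }`, that is raw write to fixed disks, as a bare allow rule. The raw-memory interface visible in the devices.if context of this change pairs such access with `typeattribute $1 memory_raw_write, memory_raw_read;`. If the storage module has a comparable attribute that its assertions key on (not visible here, to be confirmed), this interface should assign it as well, otherwise fsadm_t and any later caller get raw disk write without being covered by those checks. The tape interface directly above the hunk also calls `dev_list_all_dev_nodes($1)` before its allow rule, which the new interface omits.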
@@ -69,6 +69,7 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; +allow crond_t self:fd create; allow crond_t self:fifo_file rw_file_perms; allow crond_t self:unix_dgram_socket create_socket_perms; allow crond_t self:unix_stream_socket create_stream_socket_perms; @@ -118,7 +119,9 @@ # Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) - +files_read_var_run_files(crond_t) +files_read_var_files(crond_t) +files_list_var(crond_t) init_use_fds(crond_t) init_use_script_ptys(crond_t) init_rw_utmp(crond_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ==== 
@@ -11,21 +11,66 @@ init_daemon_domain(devd_t, devd_exec_t) type_transition initrc_t devd_exec_t:process devd_t; - + type devd_etc_t; files_config_file(devd_etc_t) init_daemon_domain(devd_t,devd_etc_t) +files_search_etc(devd_t) + ######################################## # # Local policy # - allow devd_t devd_etc_t:file r_file_perms; allow devd_t devd_etc_t:dir r_dir_perms; allow devd_t devd_etc_t:lnk_file r_file_perms; +allow devd_t self:fd create; +allow devd_t self:fd use; +allow devd_t self:process signal; +allow devd_t self:capability { sys_resource }; +allow devd_t self:fifo_file { read write ioctl getattr }; + +files_read_var_files(crond_t) +files_search_usr(devd_t) +files_manage_var_run_dirs(devd_t) +files_manage_var_run_files(devd_t) +files_manage_var_run_sock_file(devd_t) +files_search_bin(devd_t) +files_read_var_run_files(devd_t) + +libs_search_lib(devd_t) +libs_read_shlib_files(devd_t) +libs_getattr_shlib_files(devd_t) +libs_exec_shlib_files(devd_t) +libs_exec_ld_so(devd_t) + +corecmd_search_sbin(devd_t) +corecmd_exec_sbin(devd_t) +corecmd_getattr_sbin_files(devd_t) + +corecmd_search_bin(devd_t) +corecmd_getattr_bin_files(devd_t) +corecmd_exec_bin(devd_t) + +corecmd_exec_shell(devd_t) + +term_use_console(devd_t) +dev_read_generic_chr_file(devd_t) + +files_search_etc(devd_t) +files_getattr_etc_files(devd_t) +files_read_etc_files(devd_t) + +init_exec(devd_t) +init_exec_script_files(devd_t) +init_read_script_files(devd_t) +init_use_fds(devd_t) + +miscfiles_read_localization(devd_t) + can_exec(devd_t,devd_etc_t) can_exec(devd_t, devd_exec_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/dhcp.te#2 (text+ko) ==== 
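Review bot: In devd.te the added line `files_read_var_files(crond_t)` grants the access to cron's domain instead of devd's; it looks like a copy from cron.te and should read `files_read_var_files(devd_t)`. As written, the devd module silently widens crond_t and devd_t does not get the access it was presumably meant to have. `files_search_etc(devd_t)` is added twice in the same hunk, once after the type declarations and once in the local policy. The `corecmd_exec_shell`, `corecmd_exec_bin` and `corecmd_exec_sbin` calls appear to run those programs without leaving devd_t, so a comment stating whether a domain transition for devd's helper scripts was considered would be useful.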
@@ -50,7 +50,7 @@ allow dhcpd_t dhcpd_var_run_t:file create_file_perms; allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms; files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file) - +# kernel_read_system_state(dhcpd_t) kernel_read_kernel_sysctls(dhcpd_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/ftp.if#2 (text+ko) ==== @@ -109,3 +109,20 @@ logging_search_logs($1) allow $1 xferlog_t:file r_file_perms; ') +######################################## +## +## Read write FTP transfer logs(lll) +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_rw_log',` + gen_require(` + type xferlog_t; + ') + + allow $1 xferlog_t:file rw_file_perms; +') ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/inetd.te#2 (text+ko) ==== @@ -36,14 +36,18 @@ # allow inetd_t self:capability { setuid setgid }; -dontaudit inetd_t self:capability sys_tty_config; +dontaudit inetd_t self:capability { sys_tty_config sys_resource linux_immutable net_raw }; allow inetd_t self:process setsched; allow inetd_t self:fifo_file rw_file_perms; +allow inetd_t self:fifo_file poll; allow inetd_t self:tcp_socket create_stream_socket_perms; allow inetd_t self:udp_socket { connect connected_socket_perms }; +allow inetd_t self:fd { create use }; allow inetd_t inetd_log_t:file create_file_perms; logging_log_filetrans(inetd_t,inetd_log_t,file) +#lll +files_read_var_run_files(inetd_t) allow inetd_t inetd_tmp_t:dir create_dir_perms; allow inetd_t inetd_tmp_t:file create_file_perms; ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ==== 
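Review bot: `ftp_rw_log` in ftp.if grants `xferlog_t:file rw_file_perms` but, unlike the read interface directly above it (`logging_search_logs($1)` followed by the allow rule), it does not let the caller search the log directory. Adding `logging_search_logs($1)` before the allow keeps the two interfaces consistent and makes this one usable on its own. If syslogd only ever appends to the transfer log, an append-only permission set would be a tighter grant than read/write; the hunk does not show which is needed.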
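Review bot: In inetd.te the `dontaudit inetd_t self:capability` rule is widened from `sys_tty_config` to also cover `sys_resource linux_immutable net_raw`, which hides the denial records instead of settling whether inetd needs those capabilities. The same is done in logging.te (`ipc_owner net_raw mknod` for syslogd_t) and in sysnetwork.te (`fowner setgid sys_admin setpcap setuid linux_immutable ipc_owner` for dhcpc_t). Once dontaudited, an unexpected capability request from one of these network-facing daemons no longer reaches the audit log, so the later check the description promises has nothing to work from. Leaving them audited until reviewed, or adding a comment per entry naming the operation that triggers the check and why the denial is harmless, would keep that review possible.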
@@ -22,12 +22,20 @@ # Local policy # - +allow usbd_t self:fd { use create }; +allow usbd_t self:capability { sys_resource }; allow usbd_t usbd_etc_t:file r_file_perms; allow usbd_t usbd_etc_t:dir r_dir_perms; allow usbd_t usbd_etc_t:lnk_file r_file_perms; can_exec(usbd_t,usbd_etc_t) can_exec(usbd_t, usbd_exec_t) - +#lll +files_search_etc(usbd_t) +libs_search_lib(usbd_t) +libs_exec_shlib_files(usbd_t) +libs_getattr_shlib_files(usbd_t) +libs_read_shlib_files(usbd_t) +dev_manage_usb_dev(usbd_t) +files_read_var_run_files(usbd_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#3 (text+ko) ==== @@ -1,5 +1,5 @@ -/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#3 (text+ko) ==== @@ -24,9 +24,10 @@ # # ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search sys_resource}; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; +allow fsadm_t self:fd create; allow fsadm_t self:fifo_file rw_file_perms; allow fsadm_t self:sock_file r_file_perms; allow fsadm_t self:unix_dgram_socket create_socket_perms; @@ -92,8 +93,8 @@ libs_exec_ld_so(fsadm_t) #for fsck_ufs dev_getattr_devfs(fsadm_t) - - +files_read_var_run_files(fsadm_t) +storage_write_fixed_disk(fsadm_t) #lll end ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#3 (text+ko) ==== 
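Review bot: The authlogin.fc hunk replaces the `/usr/bin/login` entry with `/bin/login` rather than adding a second entry. If the target system still installs login under /usr/bin (to be confirmed against the SEBSD tree), that binary would lose the `login_exec_t` label on the next relabel, and the transition into local_login_t that the rest of this change tunes would presumably no longer take place. Keeping the original line alongside `/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)` avoids tying the login domain to one install path.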
@@ -37,10 +37,13 @@ # # Use capabilities. -allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid setgid setuid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid getsession signal_perms }; +#lll +allow getty_t self:fd { use create }; + allow getty_t getty_etc_t:dir r_dir_perms; allow getty_t getty_etc_t:file r_file_perms; allow getty_t getty_etc_t:lnk_file { getattr read }; @@ -64,6 +67,9 @@ kernel_read_proc_symlinks(getty_t) dev_read_sysfs(getty_t) +#lll +files_list_default(getty_t) +libs_exec_ld_so(getty_t) fs_search_auto_mountpoints(getty_t) # for error condition handling ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#3 (text+ko) ==== @@ -73,3 +73,20 @@ corecmd_search_bin($1) can_exec($1,hostname_exec_t) ') +######################################## +## +## Send generic signals to hostname +## +## +## +## Domain allowed access. +## +## +# +interface(`hostname_signal',` + gen_require(` + type hostname_t; + ') + + allow $1 hostname_t:process signal; +') ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#3 (text+ko) ==== @@ -71,11 +71,11 @@ files_read_var_run_files(hostname_t) libs_search_lib(hostname_t) libs_read_shlib_files(hostname_t) -files_getattr_shlib_files(hostname_t) +libs_getattr_shlib_files(hostname_t) libs_exec_shlib_files(hostname_t) userdom_rw_sysadm_pipes(hostname_t) userdom_getattr_sysadm_pipes(hostname_t) -dev_read_chr_file_devfs(hostname_t) +dev_read_generic_chr_file(hostname_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#3 (text+ko) ==== 
@@ -96,7 +96,7 @@ # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() allow init_t self:fifo_file rw_file_perms; - +allow init_t self:fd { create use }; # Re-exec itself allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans }; @@ -120,6 +120,10 @@ kernel_share_state(init_t) dev_read_sysfs(init_t) +#lll +libs_exec_ld_so(init_t) +files_manage_var_run_files(init_t) + mls_process_write_down(init_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#3 (text+ko) ==== @@ -286,7 +286,7 @@ ## ## # -interface(`files_getattr_shlib_files',` +interface(`libs_getattr_shlib_files',` gen_require(` type shlib_t; ') ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#3 (text+ko) ==== @@ -53,7 +53,8 @@ allow ldconfig_t ld_so_cache_t:file create_file_perms; files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) - +allow ldconfig_t self:fd { use create }; +allow ldconfig_t self:capability { sys_resource dac_read_search }; allow ldconfig_t lib_t:dir rw_dir_perms; allow ldconfig_t lib_t:lnk_file { getattr create read unlink }; allow ldconfig_t ld_so_t:lnk_file r_file_perms; @@ -61,6 +62,12 @@ allow ldconfig_t ld_so_cache_t:file r_file_perms; allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms; allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms; +#lll +dev_read_rand_symlinks(ldconfig_t) +dev_read_rand(ldconfig_t) +files_manage_var_run_dirs(ldconfig_t) +files_manage_var_run_files(ldconfig_t) + kernel_read_system_state(ldconfig_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#3 (text+ko) ==== 
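Review bot: In libraries.te, ldconfig_t is given `files_manage_var_run_dirs(ldconfig_t)` and `files_manage_var_run_files(ldconfig_t)`, i.e. create, write and delete on everything labelled `var_run_t`, together with `sys_resource dac_read_search`. If the aim is to let ldconfig write its own hints or cache file under /var/run (an assumption; the hunk does not say), that file influences which shared libraries get loaded and deserves a private type with a file transition, the way `files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)` is used in the preceding libraries.te hunk. With the generic type, every other domain that this change allows to write `var_run_t` could alter it. A comment next to `#lll` naming the file ldconfig writes would let a reviewer verify the grant.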
@@ -36,10 +36,10 @@ # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config net_admin setpcap linux_immutable mknod }; allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow local_login_t self:process { setrlimit setexec }; -allow local_login_t self:fd use; +allow local_login_t self:fd { use create }; allow local_login_t self:fifo_file rw_file_perms; allow local_login_t self:sock_file r_file_perms; allow local_login_t self:unix_dgram_socket create_socket_perms; @@ -57,6 +57,13 @@ allow local_login_t local_login_tmp_t:dir create_dir_perms; allow local_login_t local_login_tmp_t:file create_file_perms; files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +#lll +files_list_default(local_login_t) +files_rw_etc_files(local_login_t) +libs_exec_ld_so(local_login_t) +files_manage_var_run_files(local_login_t) + + kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#3 (text+ko) ==== @@ -263,7 +263,7 @@ # sys_admin chown fsetid for syslog-ng # cjp: why net_admin! allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -dontaudit syslogd_t self:capability sys_tty_config; +dontaudit syslogd_t self:capability { sys_tty_config ipc_owner net_raw mknod }; allow syslogd_t self:process signal_perms; allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; # receive messages to be logged 
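Review bot: The locallogin.te hunks add `net_admin setpcap linux_immutable mknod` to the capabilities allowed to local_login_t and, further down, `files_rw_etc_files(local_login_t)`. Together these let the login program create device nodes, change immutable flags, reconfigure networking and write any file labelled `etc_t`, which goes well beyond authenticating a user and starting a session. Each capability should be granted only if a failed operation demonstrably required it, and the specific files login must update should get their own type instead of write access to all of `etc_t`. Recording next to `#lll` which operation produced each denial would make the promised follow-up check practical.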
@@ -272,6 +272,12 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_file_perms; allow syslogd_t self:udp_socket { connected_socket_perms connect }; +allow syslogd_t self:fd { create use }; +#lll +dev_read_generic_chr_file(syslogd_t) +files_read_var_run_files(syslogd_t) +ftp_rw_log(syslogd_t) + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file create_file_perms; ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#3 (text+ko) ==== @@ -144,6 +144,23 @@ allow $1 dhcpc_t:process signal; ') +######################################## +## +## Send a generic signal to the ifconfig(lll). +## +## +## +## The domain sending the signal. +## +## +# +interface(`sysnet_signal_ifconfig',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process signal; +') ######################################## ## ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#3 (text+ko) ==== 
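Review bot: `sysnet_signal_ifconfig` in sysnetwork.if is documented as sending a signal to ifconfig, but both its `gen_require` and its rule name `dhcpc_t` (`allow $1 dhcpc_t:process signal;`), which makes it a copy of the dhcpc signal interface whose last line is visible just above the hunk. As a result `sysnet_signal_ifconfig(dhcpc_t)` in sysnetwork.te only lets dhcpc_t signal itself and grants nothing towards ifconfig. The body should use `type ifconfig_t;` and `allow $1 ifconfig_t:process signal;`.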
@@ -44,13 +44,19 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat -dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +dontaudit dhcpc_t self:capability { dac_read_search sys_module fowner setgid sys_admin setpcap setuid linux_immutable ipc_owner}; allow dhcpc_t self:process signal_perms; -allow dhcpc_t self:fifo_file rw_file_perms; +allow dhcpc_t self:fifo_file rw_file_perms; +allow dhcpc_t self:fifo_file poll; allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; +#lll +allow dhcpc_t self:fd { use create }; +dev_manage_generic_chr_files(dhcpc_t) +hostname_signal(dhcpc_t) +sysnet_signal_ifconfig(dhcpc_t) allow dhcpc_t dhcp_etc_t:dir r_dir_perms; allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms; @@ -139,9 +145,11 @@ libs_use_ld_so(dhcpc_t) libs_use_shared_libs(dhcpc_t) +libs_exec_ld_so(dhcpc_t) +dev_read_raw_memory(dhcpc_t) +files_manage_var_files(dhcpc_t) miscfiles_read_localization(dhcpc_t) - modutils_domtrans_insmod(dhcpc_t) userdom_dontaudit_search_staff_home_dirs(dhcpc_t) @@ -252,10 +260,10 @@ # allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; +allow ifconfig_t self:capability { net_raw net_admin sys_tty_config sys_resource sys_ptrace ipc_owner }; dontaudit ifconfig_t self:capability sys_module; -allow ifconfig_t self:fd use; +allow ifconfig_t self:fd { use create }; allow ifconfig_t self:fifo_file rw_file_perms; allow ifconfig_t self:sock_file r_file_perms; allow ifconfig_t self:socket create_socket_perms; 
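Review bot: In sysnetwork.te, dhcpc_t, a domain that parses packets received from the network, is given `dev_manage_generic_chr_files(dhcpc_t)` in the first hunk and `dev_read_raw_memory(dhcpc_t)` plus `files_manage_var_files(dhcpc_t)` in the second. Raw memory read exposes kernel and other processes' memory to the DHCP client, and the other two allow it to create or delete generic device nodes and any `var_t` file, so a flaw in the client would have a much larger impact than before. If a boot-time denial on a memory device prompted this, the triggering call should be identified and handled narrowly instead of granting the interface. Lease and pid files that dhcpc writes under /var would be better served by private types with a file transition.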
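Review bot: The ifconfig_t capability rule in the third sysnetwork.te hunk gains `sys_resource sys_ptrace ipc_owner`. `sys_ptrace` permits tracing other processes and `ipc_owner` bypasses IPC ownership checks; neither is something an interface-configuration tool is expected to need. If these stem from generic kernel checks hit during boot, a comment naming the operation is needed before they are allowed; otherwise they should be dropped and the rule left as `{ net_raw net_admin sys_tty_config }` with only what was shown to be required added.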
@@ -276,6 +284,11 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; files_read_etc_files(ifconfig_t); +#lll +files_search_boot(ifconfig_t) +files_read_boot_files(ifconfig_t) +files_search_var_run(ifconfig_t) +files_search_var(ifconfig_t) kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t)