Date: Wed, 17 May 2006 19:04:59 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 97366 for review Message-ID: <200605171904.k4HJ4xoS044574@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=97366 Change 97366 by millert@millert_ibook on 2006/05/17 19:04:33 Properly label all tty and disk device nodes and add transitions for fsck, mount, etc. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/devfs#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#10 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/sebsd-relabel.sh#5 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/devfs#3 (text+ko) ====
@@ -9,6 +9,22 @@
 genfscon devfs /random system_u:object_r:random_device_t
 genfscon devfs /urandom system_u:object_r:random_device_t
 genfscon devfs /ttyp system_u:object_r:devpts_t
+genfscon devfs /ttyq system_u:object_r:devpts_t
+genfscon devfs /ttyr system_u:object_r:devpts_t
+genfscon devfs /ttys system_u:object_r:devpts_t
+genfscon devfs /ttyt system_u:object_r:devpts_t
+genfscon devfs /ttyu system_u:object_r:devpts_t
+genfscon devfs /ttyv system_u:object_r:devpts_t
+genfscon devfs /ttyw system_u:object_r:devpts_t
 genfscon devfs /ptyp system_u:object_r:devpts_t
+genfscon devfs /ptyq system_u:object_r:devpts_t
+genfscon devfs /ptyr system_u:object_r:devpts_t
+genfscon devfs /ptys system_u:object_r:devpts_t
+genfscon devfs /ptyt system_u:object_r:devpts_t
+genfscon devfs /ptyu system_u:object_r:devpts_t
+genfscon devfs /ptyv system_u:object_r:devpts_t
+genfscon devfs /ptyw system_u:object_r:devpts_t
+genfscon devfs /disk system_u:object_r:disk_device_t
+#genfscon devfs /bpf system_u:object_r:bpf_device_t
 # FLASK
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#10 (text+ko) ====
@@ -32,6 +32,7 @@
 type sysadm_devpts_t;
 type tmpfs_t;
 type device_t;
+type disk_device_t;
 type memory_device_t;
 type null_device_t;
 type zero_device_t;
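Review bot: In policy/devfs the new `genfscon devfs /disk` entry only covers node names that begin with `disk`, so the raw `rdisk*` character nodes that Darwin normally exposes beside each block node would keep the default devfs label, assuming genfscon matches by path prefix as the `/ttyp` entries suggest. Those nodes would then stay reachable through the broad `device_t` chr_file rule in policy/rules, which sidesteps the new `disk_device_t` separation. Consider adding `genfscon devfs /rdisk system_u:object_r:disk_device_t` and granting `fsadm_d` the matching `chr_file` access, since the rules added in this change cover `blk_file` only. The commented-out `/bpf` line should also carry a one-line comment saying why it is disabled and what label bpf nodes get in the meantime.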
@@ -62,6 +63,7 @@
 type notifyd_d, domain, domain2;
 type mtest_d, domain, domain2;
 type diskarbitrationd_d, domain, domain2;
+type fsadm_d, domain, domain2;
 type configd_d, domain, domain2;
 type pbs_exec_t, file;
@@ -76,6 +78,7 @@
 type notifyd_exec_t, file;
 type mtest_exec_t, file;
 type diskarbitrationd_exec_t, file;
+type fsadm_exec_t, file;
 type configd_exec_t, file;
 role system_r types init_d;
@@ -97,6 +100,7 @@
 role system_r types notifyd_d;
 role system_r types mtest_d;
 role system_r types diskarbitrationd_d;
+role system_r types fsadm_d;
 role system_r types configd_d;
 role system_r types security_t;
 role system_r types unlabeled_t;
@@ -177,6 +181,8 @@
 allow domain2 file:{file lnk_file sock_file fifo_file} {create_file_perms execute };
 allow domain2 file:file execute_no_trans;
 allow domain2 file:dir { create_dir_perms };
+allow domain2 device_t:dir { read search getattr };
+allow domain2 {device_t disk_device_t}:{blk_file} { getattr };
 allow domain2 {null_device_t console_device_t memory_device_t random_device_t zero_device_t device_t}:{file chr_file} create_file_perms;
 allow domain2 device_t:blk_file create_file_perms;
 allow domain2 {devpts_t user_devpts_t sysadm_devpts_t}:chr_file create_file_perms;
@@ -212,6 +218,13 @@
 # Transitions for mtest
 domain_auto_trans(user_secret_d,mtest_exec_t,mtest_d);
+# Transitions for fsck*
+domain_auto_trans(init_d,fsadm_exec_t,fsadm_d);
+allow_mach_ipc(fsadm_d,mach_init_d);
+allow_mach_ipc(fsadm_d,unlabeled_t);
+allow fsadm_d device_t:dir { read search getattr };
+allow fsadm_d disk_device_t:blk_file { read write getattr };
+
 domain_auto_trans(systemstarter_d,windowserver_exec_t,windowserver_d);
 domain_auto_trans(systemstarter_d,securityserver_exec_t,securityserver_d);
 domain_auto_trans(systemstarter_d,coreservices_exec_t,coreservices_d);
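Review bot: In the hunk at -177, the added `getattr` rule for `{device_t disk_device_t}:blk_file` narrows nothing for `device_t`, because the unchanged context line `allow domain2 device_t:blk_file create_file_perms;` still gives every `domain2` type full access to any block node that no genfscon entry relabels. The disk separation therefore rests entirely on the devfs labels being complete. If the policy compiler in this tree supports assertions, a line such as `neverallow { domain2 -fsadm_d -diskarbitrationd_d } disk_device_t:blk_file { read write };` placed after the new rules would make a later over-broad grant fail at build time. That assertion would also pin the `diskarbitrationd_d` grant added in the hunk at -325.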
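Review bot: In the hunk at -212, `allow_mach_ipc(fsadm_d,unlabeled_t);` lets the one domain that receives read/write on `disk_device_t` exchange Mach messages with any task that carries no label. The macro body is not visible here, so the exact permissions are unknown, but the rule deserves a comment naming the peer that needs it so it can be tightened once that peer is labeled. The header comment should also match what sebsd-relabel.sh now does, for example `# Transitions for fsck* and mount* (both labeled fsadm_exec_t); entered from init_d only`. As written, the same binaries started from any other domain stay in the caller's domain.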
@@ -325,6 +338,7 @@
 allow_mach_ipc(diskarbitrationd_d,lookupd_d);
 allow_mach_ipc(diskarbitrationd_d,securityserver_d);
 allow_mach_ipc(diskarbitrationd_d,systemstarter_d);
+allow diskarbitrationd_d disk_device_t:blk_file { read write getattr };
 # user_d rules
 allow_notify_ipc(user_d);
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/sebsd-relabel.sh#5 (text+ko) ====
@@ -12,6 +12,8 @@
 $SETFMAC sebsd/system_u:object_r:bin_t /bin/*
 $SETFMAC sebsd/system_u:object_r:bin_t /usr/bin/*
 $SETFMAC sebsd/system_u:object_r:bin_t /usr/local/bin/*
+$SETFMAC sebsd/system_u:object_r:fsadm_exec_t /sbin/fsck*
+$SETFMAC sebsd/system_u:object_r:fsadm_exec_t /sbin/mount*
 $SETFMAC sebsd/system_u:object_r:shell_exec_t /bin/*sh
 $SETFMAC sebsd/system_u:object_r:login_exec_t /usr/bin/login
 $SETFMAC sebsd/system_u:object_r:sshd_exec_t /usr/sbin/sshd
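Review bot: In sebsd-relabel.sh the `/sbin/fsck*` and `/sbin/mount*` globs make every present and future binary with those prefixes an entry point into `fsadm_d`, the domain that policy/rules now grants read/write on disk block nodes. Listing the intended helpers explicitly, or adding a comment such as `# fsck*/mount* helpers enter fsadm_d (raw disk access); keep this list reviewed`, would keep the entry-point set auditable. The globs are unquoted, so where one matches nothing the literal pattern is passed to `$SETFMAC`; whether that fails loudly is not visible in this hunk. The script continues outside the hunk, so any later, broader relabel of `/sbin` would silently override these two lines.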