From owner-p4-projects@FreeBSD.ORG Wed Dec 15 17:24:39 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 74C5616A4D0; Wed, 15 Dec 2004 17:24:39 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A14B16A4CE for ; Wed, 15 Dec 2004 17:24:39 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id CBCF043D41 for ; Wed, 15 Dec 2004 17:24:38 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBFHOc72064230 for ; Wed, 15 Dec 2004 17:24:38 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBFHOcjV064227 for perforce@freebsd.org; Wed, 15 Dec 2004 17:24:38 GMT (envelope-from areisse@nailabs.com) Date: Wed, 15 Dec 2004 17:24:38 GMT Message-Id: <200412151724.iBFHOcjV064227@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 67131 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Dec 2004 17:24:40 -0000 http://perforce.freebsd.org/chv.cgi?CH=67131 Change 67131 by areisse@areisse_tislabs on 2004/12/15 17:23:47 types were not merged with rest of the policy... Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/devpts.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/network.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/nfs.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/procfs.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/security.te#4 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/x.te#1 branch Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#4 (text+ko) ==== 
@@ -15,108 +15,141 @@ # # null_device_t is the type of /dev/null. # -type null_device_t, file_type, mlstrustedobject; +type null_device_t, device_type, mlstrustedobject; # # zero_device_t is the type of /dev/zero. # -type zero_device_t, file_type, mlstrustedobject; +type zero_device_t, device_type, mlstrustedobject; # # console_device_t is the type of /dev/console. # -type console_device_t, file_type; +type console_device_t, device_type; # # memory_device_t is the type of /dev/kmem, # /dev/mem, and /dev/port. # -type memory_device_t, file_type; +type memory_device_t, device_type; # -# random_device_t is the type of /dev/urandom -# and /dev/random. +# random_device_t is the type of /dev/random +# urandom_device_t is the type of /dev/urandom # -type random_device_t, file_type; +type random_device_t, device_type; +type urandom_device_t, device_type; # # devtty_t is the type of /dev/tty. # -type devtty_t, file_type, mlstrustedobject; +type devtty_t, device_type, mlstrustedobject; # # tty_device_t is the type of /dev/*tty* # -type tty_device_t, file_type; +type tty_device_t, serial_device, device_type; + +# +# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] +type bsdpty_device_t, device_type; + +# +# usbtty_device_t is the type of /dev/usr/tty* +# +type usbtty_device_t, serial_device, device_type; + +# +# printer_device_t is the type for printer devices +# +type printer_device_t, file_type, device_type; # # fixed_disk_device_t is the type of # /dev/hd* and /dev/sd*. # -type fixed_disk_device_t, file_type; +type fixed_disk_device_t, device_type; + +# +# scsi_generic_device_t is the type of /dev/sg* +# it gives access to ALL SCSI devices (both fixed and removable) +# +type scsi_generic_device_t, device_type; # # removable_device_t is the type of # /dev/scd* and /dev/fd*. # -type removable_device_t, file_type; +type removable_device_t, device_type; # # clock_device_t is the type of # /dev/rtc. 
# -type clock_device_t, file_type; +type clock_device_t, device_type; # # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* # -type tun_tap_device_t, file_type; +type tun_tap_device_t, device_type; # # misc_device_t is the type of miscellaneous devices. # XXX: FIXME! Appropriate access to these devices need to be identified. # -type misc_device_t, file_type; +type misc_device_t, device_type; # -# psaux_t is the type of the /dev/psaux mouse device. -# This type is deprecated and will be removed. +# A more general type for mouse devices. # -type psaux_t, file_type; +type mouse_device_t, device_type; # -# A more general type for mouse devices. +# For generic /dev/input/event* event devices # -type mouse_device_t, file_type; +type event_device_t, device_type; # # Not sure what these devices are for, but X wants access to them. # -type agp_device_t, file_type; -type dri_device_t, file_type; +type agp_device_t, device_type; +type dri_device_t, device_type; # Type for sound devices. -type sound_device_t, file_type; +type sound_device_t, device_type; # Type for /dev/ppp. 
-type ppp_device_t, file_type; +type ppp_device_t, device_type; # Type for frame buffer /dev/fb/* -type framebuf_device_t, file_type; +type framebuf_device_t, device_type; # Type for /dev/.devfsd -type devfs_control_t, file_type; +type devfs_control_t, device_type; # Type for /dev/cpu/mtrr -type mtrr_device_t, file_type; +type mtrr_device_t, device_type; # Type for /dev/bpf* type bpf_device_t, file_type; # Type for /dev/apm_bios -type apm_bios_t, file_type; +type apm_bios_t, device_type; # Type for v4l +type v4l_device_t, device_type; + +# tape drives +type tape_device_t, device_type; + +# scanners +type scanner_device_t, device_type; + +# cpu control devices /dev/cpu/0/* +type cpu_device_t, device_type; + +# for other device nodes such as the NVidia binary-only driver +type xserver_misc_device_t, device_type; type v4l_device_t, file_type; # Type for /dev/klog ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/devpts.te#4 (text+ko) ==== @@ -10,7 +10,7 @@ # # ptmx_t is the type for /dev/ptmx. # -type ptmx_t, file_type, sysadmfile; +type ptmx_t, file_type, sysadmfile, device_type; # # devpts_t is the type of the devpts file system and ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#4 (text+ko) ==== 
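Review bot: `v4l_device_t` ends up declared twice in the new device.te: the hunk adds `type v4l_device_t, device_type;` under `# Type for v4l`, but the original `type v4l_device_t, file_type;` is still present as a context line after `xserver_misc_device_t`. A duplicate type declaration normally stops the policy from compiling, so the old line should be deleted rather than kept. In the same hunk `bpf_device_t` stays on `file_type` and `printer_device_t` carries both `file_type` and `device_type`, so rules written against `file_type` still reach those two nodes while every other device moved out of that attribute; add a comment if that is deliberate. The `usbtty_device_t` comment says `/dev/usr/tty*`, which looks like a typo for `/dev/usb/tty*`.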
@@ -9,38 +9,47 @@ # # unlabeled_t is the type of unlabeled objects. -# Eventually, once all objects are labeled and -# controlled by the security policy, unlabeled_t -# will not be used. +# Objects that have no known labeling information or that +# have labels that are no longer valid are treated as having this type. # -type unlabeled_t, fs_type, file_type, root_dir_type, sysadmfile; +type unlabeled_t, sysadmfile; # -# fs_t is the default type of an unlabeled -# file system. When an unlabeled file system is -# mounted read-write, the file system is labeled -# with this type. Except for the root file system, -# other types may be specified using the fs_contexts -# or fs_contexts.mls file. +# fs_t is the default type for conventional filesystems. # type fs_t, fs_type; +# needs more work +type eventpollfs_t, fs_type; +type futexfs_t, fs_type; +type bdev_t, fs_type; +type usbfs_t, fs_type; +type nfsd_fs_t, fs_type; +type rpc_pipefs_t, fs_type; +type binfmt_misc_fs_t, fs_type; + # -# file_t is the default type of an unlabeled -# file. When an unlabeled file system is mounted -# read-write, all files in the file system are labeled -# with this type. Except for the root file system, -# other types may be specified using the fs_contexts -# or fs_contexts.mls file. +# file_t is the default type of a file that has not yet been +# assigned an extended attribute (EA) value (when using a filesystem +# that supports EAs). # type file_t, file_type, root_dir_type, sysadmfile; +# default_t is the default type for files that do not +# match any specification in the file_contexts configuration +# other than the generic /.* specification. +type default_t, file_type, root_dir_type, sysadmfile; + # # root_t is the type for the root directory. # type root_t, file_type, sysadmfile; # +# mnt_t is the type for mount points such as /mnt/cdrom +type mnt_t, file_type, sysadmfile; + +# # home_root_t is the type for the directory where user home directories # are created # 
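Review bot: The seven filesystem types added under `# needs more work` (`eventpollfs_t` through `binfmt_misc_fs_t`) are declared with `fs_type` only, and the comment does not say what is outstanding. The filesystem types further down in this file are each paired with an `allow X X:filesystem associate;` rule, and none is visible for these, so a reader cannot tell whether that is the missing work or whether the rules live elsewhere. I would expand the comment, e.g. `# needs more work: no associate rules or domain access defined yet for these pseudo filesystems`, adjusted to whatever is actually pending. Separately, `unlabeled_t` drops `fs_type`, `file_type` and `root_dir_type` but keeps `sysadmfile`; a one-line note that objects with invalid labels stay reachable through that attribute (presumably so an administrator can relabel them) would make the intent explicit.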
@@ -74,6 +83,7 @@ # etc_t is the type of the system etc directories. # type etc_t, file_type, sysadmfile; + # # shadow_t is the type of the /etc/shadow file # @@ -93,16 +103,21 @@ type etc_runtime_t, file_type, sysadmfile; # +# fonts_runtime_t is the type of various +# fonts files in /usr that are automatically +# generated during initialization. +# +type fonts_t, file_type, sysadmfile, usercanread; + +# # etc_aliases_t is the type of the aliases database. -# etc_mail_t is the type of /etc/mail. -# sendmail needs write access to these files. # type etc_aliases_t, file_type, sysadmfile; -type etc_mail_t, file_type, sysadmfile; -# resolv_conf_t is the type of the /etc/resolv.conf file. -# pump needs write access to this file. -type resolv_conf_t, file_type, sysadmfile; +# net_conf_t is the type of the /etc/resolv.conf file. +# all DHCP clients and PPP need write access to this file. +type net_conf_t, file_type, sysadmfile; +typealias net_conf_t alias resolv_conf_t; # # lib_t is the type of files in the system lib directories. @@ -169,9 +184,6 @@ type var_yp_t, file_type, sysadmfile; type var_db_t, file_type, sysadmfile; -# Type for /var/log/sa. -type var_log_sa_t, file_type, sysadmfile, logfile; - # Type for /var/log/ksyms. type var_log_ksyms_t, file_type, sysadmfile, logfile; @@ -179,7 +191,7 @@ type lastlog_t, file_type, sysadmfile, logfile; # Type for /var/lib/nfs. -type var_lib_nfs_t, file_type, sysadmfile; +type var_lib_nfs_t, file_type, sysadmfile, usercanread; # # wtmp_t is the type of /var/log/wtmp. @@ -192,11 +204,6 @@ type catman_t, file_type, sysadmfile, tmpfile; # -# at_spool_t is the type for /var/spool/at. -# -type at_spool_t, file_type, sysadmfile; - -# # cron_spool_t is the type for /var/spool/cron. # type cron_spool_t, file_type, sysadmfile; 
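Review bot: In the hunk at `@@ -93,16 +103,21 @@` the new comment describes `fonts_runtime_t`, but the only declaration that follows is `type fonts_t, file_type, sysadmfile, usercanread;`. Either a `fonts_runtime_t` declaration was lost in the merge or the comment should start `# fonts_t is the type of various fonts files in /usr`; as written, the name in the comment is not declared in this file section. The same hunk removes `etc_mail_t` outright, whereas `resolv_conf_t` is kept alive through `typealias net_conf_t alias resolv_conf_t;`, so any rule elsewhere that still names `etc_mail_t` would presumably stop compiling and should be checked before this lands.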
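Review bot: Adding `usercanread` to `var_lib_nfs_t` at `@@ -179,7 +191,7 @@` widens who can read `/var/lib/nfs`, and the comment above it (`# Type for /var/lib/nfs.`) gives no reason. The rules attached to that attribute are defined outside this diff, so the exact grant is not visible here, but by its name it opens the directory to user domains. I would record the reason next to the declaration, e.g. `# usercanread: <which user-domain program reads this and why>`, so the exposure can be re-evaluated later.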
@@ -245,34 +252,49 @@ # # locale_t is the type for system localization # -type locale_t, file_type; +type locale_t, file_type, sysadmfile; # # Allow each file type to be associated with # the default file system type. # -allow file_type fs_t:filesystem associate; +allow { file_type device_type } fs_t:filesystem associate; # Allow the pty to be associated with the file system. allow devpts_t devpts_t:filesystem associate; -allow tty_device_t device_t:filesystem associate; -allow device_t device_t:filesystem associate; type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type; allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; -type usbdevfs_t, fs_type, root_dir_type, sysadmfile; +type autofs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +allow autofs_t autofs_t:filesystem associate; + +type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; allow usbdevfs_t usbdevfs_t:filesystem associate; -type usbdevfs_device_t, file_type, sysadmfile; -allow usbdevfs_device_t usbdevfs_t:filesystem associate; -type sysfs_t alias driverfs_t, fs_type, root_dir_type, sysadmfile; +type sysfs_t, fs_type, root_dir_type, sysadmfile; allow sysfs_t sysfs_t:filesystem associate; -type iso9660_t, fs_type, root_dir_type, sysadmfile; +type iso9660_t, fs_type, root_dir_type, noexattrfile, sysadmfile; allow iso9660_t iso9660_t:filesystem associate; -type dosfs_t, fs_type, root_dir_type, sysadmfile; +type romfs_t, fs_type, root_dir_type, sysadmfile; +allow romfs_t romfs_t:filesystem associate; + +type ramfs_t, fs_type, root_dir_type, sysadmfile; +allow ramfs_t ramfs_t:filesystem associate; + +type dosfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; allow dosfs_t dosfs_t:filesystem associate; +# udev_runtime_t is the type of the udev table file +type udev_runtime_t, file_type, sysadmfile; + +# krb5_conf_t is the type of the /etc/krb5.conf file +type krb5_conf_t, file_type, sysadmfile; + +type sambafs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +allow sambafs_t 
sambafs_t:filesystem associate; +typealias sambafs_t alias cifs_t; + type var_db_entropy_t, file_type, sysadmfile; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/network.te#4 (text+ko) ==== 
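Review bot: Device nodes are now covered only by `allow { file_type device_type } fs_t:filesystem associate;`, while `allow tty_device_t device_t:filesystem associate;` and `allow device_t device_t:filesystem associate;` are removed. If `/dev` in this tree is a separate filesystem labeled `device_t` (not visible in this diff), the device types no longer have an associate rule for it here, and labeling nodes on it would be denied unless another file supplies the rule. Please confirm where that rule lives now, or keep something like `allow { device_t device_type } device_t:filesystem associate;`. Also, `driverfs_t` used to be an alias of `sysfs_t` and is dropped without a `typealias`, unlike `cifs_t` in the same hunk.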
@@ -8,35 +8,55 @@ # Modified by Russell Coker # Move port types to their respective domains, add ifdefs, other cleanups. -############################################ +# generally we do not want to define port types in this file, but some things +# are insanely difficult to do elsewhere, xserver_port_t is a good example +# getting the type defined is the easy part for X, conditional code for many +# other domains (including one that starts with a) is the hard part. +ifdef(`xdm.te', `define(`use_x_ports')') +ifdef(`startx.te', `define(`use_x_ports')') +ifdef(`xauth.te', `define(`use_x_ports')') +ifdef(`xserver.te', `define(`use_x_ports')') +ifdef(`use_x_ports', ` +type xserver_port_t, port_type; +') # -# Network types +# Defines used by the te files need to be defined outside of net_constraints # +ifdef(`named.te', `define(`use_dns')') +ifdef(`nsd.te', `define(`use_dns')') +ifdef(`tinydns.te', `define(`use_dns')') +ifdef(`dnsmasq.te', `define(`use_dns')') +ifdef(`use_dns', ` +type dns_port_t, port_type; +') + +ifdef(`dhcpd.te', `define(`use_dhcpd')') +ifdef(`dnsmasq.te', `define(`use_dhcpd')') +ifdef(`use_dhcpd', ` +type dhcpd_port_t, port_type; +') + +ifdef(`cyrus.te', `define(`use_pop')') +ifdef(`courier.te', `define(`use_pop')') +ifdef(`perdition.te', `define(`use_pop')') +ifdef(`dovecot.te', `define(`use_pop')') +ifdef(`uwimapd.te', `define(`use_pop')') +ifdef(`use_pop', ` +type pop_port_t, port_type; +') +ifdef(`apache.te', `define(`use_http_cache')') +ifdef(`squid.te', `define(`use_http_cache')') +ifdef(`use_http_cache', ` +type http_cache_port_t, port_type; +') -# -# any_socket_t is the default destination -# socket type for UDP traffic. Unless a -# destination socket type is explicitly specified -# using sendto_secure/sendmsg_secure, this type -# is used for the udp_socket sendto permission check. 
-# -type any_socket_t, socket_type; -role system_r types any_socket_t; +ifdef(`dhcpd.te', `define(`use_pxe')') +ifdef(`pxe.te', `define(`use_pxe')') +############################################ # -# igmp_packet_t is the type of kernel-generated IGMP packets. -# icmp_socket_t is the type of the kernel socket used to send ICMP messages. -# tcp_socket_t is the type of the kernel socket used to send TCP resets. -# scmp_packet_t is the type for SCMP packets used by the SELOPT packet labeling. +# Network types # -type igmp_packet_t; -role system_r types igmp_packet_t; -type icmp_socket_t, socket_type; -role system_r types icmp_socket_t; -type tcp_socket_t, socket_type; -role system_r types tcp_socket_t; -type scmp_packet_t; -role system_r types scmp_packet_t; # # port_t is the default type of INET port numbers. @@ -62,22 +82,6 @@ type netif_ipsec2_t, netif_type; # -# netmsg_t is the default type of unlabeled received messages. -# The netmsg_*_t types are used for specific network -# interfaces in net_contexts or net_contexts.mls. -# -type netmsg_t, netmsg_type; -type netmsg_eth0_t, netmsg_type; -type netmsg_eth1_t, netmsg_type; -type netmsg_eth2_t, netmsg_type; -type netmsg_lo_t, netmsg_type; -type netmsg_ippp0_t, netmsg_type; - -type netmsg_ipsec0_t, netmsg_type; -type netmsg_ipsec1_t, netmsg_type; -type netmsg_ipsec2_t, netmsg_type; - -# # node_t is the default type of network nodes. # The node_*_t types are used for specific network # nodes in net_contexts or net_contexts.mls. 
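Review bot: `use_pxe` is defined by the two ifdef lines for dhcpd.te and pxe.te at the end of the added block, but unlike `use_x_ports`, `use_dns`, `use_dhcpd`, `use_pop` and `use_http_cache` it is not followed by a port type declaration in this hunk. Nothing visible here consumes the macro, so a reader cannot tell whether a type declaration was dropped in the merge or whether the macro is used from another file. A comment such as `# use_pxe is consumed by <file>; no port type is declared here` (with the real consumer filled in) would settle it. The hunk also removes `any_socket_t`, `icmp_socket_t`, `tcp_socket_t`, `igmp_packet_t` and `scmp_packet_t` without aliases, so any remaining reference to them in the domain files has to be removed in the same change.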
@@ -85,54 +89,18 @@ type node_t, node_type; type node_lo_t, node_type; type node_internal_t, node_type; +type node_inaddr_any_t, node_type; +type node_unspec_t, node_type; +type node_link_local_t, node_type; +type node_site_local_t, node_type; +type node_multicast_t, node_type; +type node_mapped_ipv4_t, node_type; +type node_compat_ipv4_t, node_type; -# -# Permissions for the kernel-generated IGMP packets. -# -allow igmp_packet_t netif_type:netif { rawip_send rawip_recv }; -allow igmp_packet_t node_type:node { rawip_send rawip_recv }; +# Kernel-generated traffic, e.g. ICMP replies. +allow kernel_t netif_type:netif { rawip_send rawip_recv }; +allow kernel_t node_type:node { rawip_send rawip_recv }; -# -# Permissions for the kernel ICMP socket. -# -allow icmp_socket_t netif_type:netif { rawip_send rawip_recv }; -allow icmp_socket_t node_type:node { rawip_send rawip_recv }; -allow icmp_socket_t netmsg_type:rawip_socket recvfrom; - -# -# Permissions for the kernel TCP reset socket. -# -allow tcp_socket_t netif_type:netif { tcp_send tcp_recv }; -allow tcp_socket_t netmsg_type:tcp_socket recvfrom; -allow tcp_socket_t node_type:node { tcp_send tcp_recv }; - -# -# Allow network messages to be received. 
-# -allow netmsg_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth0_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth0_t netif_eth0_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth1_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth1_t netif_eth1_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth2_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_eth2_t netif_eth2_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_lo_t node_lo_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_lo_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_lo_t netif_lo_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_ippp0_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_ippp0_t netif_ippp0_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec0_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec0_t netif_ipsec0_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec1_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec1_t netif_ipsec1_t:netif { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec2_t node_t:node { tcp_recv udp_recv rawip_recv }; -allow netmsg_ipsec2_t netif_ipsec2_t:netif { tcp_recv udp_recv rawip_recv }; - -# -# Allow ICMP echo requests to be sent and received, and echo replies to -# be received (when packets are labeled) -# -ifdef(`ping.te', -`allow ping_t netif_type:netif { rawip_send rawip_recv }; -allow ping_t node_type:node { rawip_send rawip_recv }; -allow ping_t netmsg_type:rawip_socket { recvfrom };') +# Kernel-generated traffic, e.g. TCP resets. +allow kernel_t netif_type:netif { tcp_send tcp_recv }; +allow kernel_t node_type:node { tcp_send tcp_recv }; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/nfs.te#4 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/procfs.te#4 (text+ko) ==== 
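Review bot: The four new `allow kernel_t ...` rules give every subject running as `kernel_t` raw-IP and TCP send/receive on all `netif_type` and `node_type` objects, whereas the removed rules attached those permissions to the dedicated `icmp_socket_t`, `tcp_socket_t` and `igmp_packet_t` types. The comments ("Kernel-generated traffic, e.g. ICMP replies") describe the intent but not the scope of the grant; whether anything else shares `kernel_t` cannot be determined from this hunk. I would state the scope in the comment, e.g. `# Applies to all kernel_t subjects on all interfaces and nodes; replaces icmp_socket_t/tcp_socket_t/igmp_packet_t.` The `ping_t` rules under the ping.te ifdef are deleted here as well, so they presumably need to live in the ping domain file now; worth confirming.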
@@ -21,21 +21,26 @@ # sysctl_fs_t is the type of /proc/sys/fs. # sysctl_kernel_t is the type of /proc/sys/kernel. # sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe. +# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug. # sysctl_net_t is the type of /proc/sys/net. # sysctl_net_unix_t is the type of /proc/sys/net/unix. # sysctl_vm_t is the type of /proc/sys/vm. # sysctl_dev_t is the type of /proc/sys/dev. +# sysctl_rpc_t is the type of /proc/net/rpc. # # These types are applied to both the entries in # /proc/sys and the corresponding sysctl parameters. # -type sysctl_t; -type sysctl_fs_t; -type sysctl_kernel_t; -type sysctl_modprobe_t; -type sysctl_net_t; -type sysctl_net_unix_t; -type sysctl_vm_t; -type sysctl_dev_t; +type sysctl_t, sysctl_type; +type sysctl_fs_t, sysctl_type; +type sysctl_kernel_t, sysctl_type; +type sysctl_modprobe_t, sysctl_type; +type sysctl_hotplug_t, sysctl_type; +type sysctl_net_t, sysctl_type; +type sysctl_net_unix_t, sysctl_type; +type sysctl_vm_t, sysctl_type; +type sysctl_dev_t, sysctl_type; +type sysctl_rpc_t, sysctl_type; +type sysctl_irq_t, sysctl_type; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/security.te#4 (text+ko) ==== @@ -15,7 +15,7 @@ type security_t, fs_type; # -# policy_config_t is the type of /ss_policy, +# policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t, file_type; 
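Review bot: `sysctl_irq_t` is declared at the end of the procfs.te list but is the only new type without a line in the header comment; `sysctl_hotplug_t` and `sysctl_rpc_t` both got one. Add a matching entry, e.g. `# sysctl_irq_t is the type of /proc/irq.`, after confirming the path against the genfs contexts used by this tree. The header also says these types apply to entries in `/proc/sys`, while `sysctl_rpc_t` is documented as `/proc/net/rpc`, so that sentence could be loosened to cover both.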
@@ -28,17 +28,15 @@ # # default_context_t is the type applied to -# /etc/security/default_context +# /etc/selinux/*/contexts/* # type default_context_t, file_type, sysadmfile, login_contexts; # -# file_labels_t is the type of the persistent -# label mapping stored in each file system. -# The mapping files are in the ...security -# subdirectory at the root of each file system. +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files # -type file_labels_t, file_type, sysadmfile; +type file_context_t, file_type, sysadmfile; # # no_access_t is the type for objects that should @@ -46,4 +44,10 @@ # type no_access_t, file_type, sysadmfile; +# +# selinux_config_t is the type applied to +# /etc/selinux/config +# +type selinux_config_t, file_type, sysadmfile; +
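Review bot: `file_labels_t` is replaced by `file_context_t` at `@@ -28,17 +28,15 @@` with no `typealias`, while the renames in file.te in this same change keep the old names (`resolv_conf_t`, `cifs_t`) as aliases. Any rule or file-context entry that still refers to `file_labels_t` would stop resolving; either add `typealias file_context_t alias file_labels_t;` or confirm that no references remain and that the old type is retired on purpose. The path comments are also inconsistent across the three security.te hunks: `policy_config_t` is documented as `/etc/security/selinux/*`, while `default_context_t`, `file_context_t` and `selinux_config_t` use `/etc/selinux/...`. Since these types protect the policy and labeling configuration, the comments should name the paths this tree actually installs.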