From owner-p4-projects@FreeBSD.ORG Fri Dec 17 17:19:10 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id A8FF416A4D0; Fri, 17 Dec 2004 17:19:09 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7A6C916A4CE for ; Fri, 17 Dec 2004 17:19:09 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 31C6343D5E for ; Fri, 17 Dec 2004 17:19:09 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBHHJ9PI075834 for ; Fri, 17 Dec 2004 17:19:09 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBHHJ8T5075831 for perforce@freebsd.org; Fri, 17 Dec 2004 17:19:08 GMT (envelope-from areisse@nailabs.com) Date: Fri, 17 Dec 2004 17:19:08 GMT Message-Id: <200412171719.iBHHJ8T5075831@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 67241 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 17:19:10 -0000 http://perforce.freebsd.org/chv.cgi?CH=67241 Change 67241 by areisse@areisse_tislabs on 2004/12/17 17:18:37 Fix problems with policy that prevented it from building: -Type differences from selinux -netlink security classes -building (still requires gmake) -file:poll permission Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#14 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/assert.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/apache.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/usbd.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/fs_use#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/genfs_contexts#5 edit .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/initial_sid_contexts#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/base_user_macros.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/selinux_macros.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#5 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#14 (text+ko) ==== @@ -114,9 +114,9 @@ mv $@.tmp $@ install-src: /etc/security/sebsd - rm -rf $(INSTALLDIR)/policy.old - -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old - cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -) + rm -rf $(INSTALLDIR)/policy.old + -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old + cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -) tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program mkdir -p tmp @@ -155,7 +155,3 @@ rm -f tmp/* rm -f $(FC) -install-src: /etc/security/sebsd - rm -rf $(INSTALLDIR)/policy.old - -mv $(INSTALLDIR)/policy $(INSTALLDIR)/policy.old - cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/assert.te#5 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#5 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#5 (text+ko) ==== 
@@ -9,7 +9,7 @@ type atrun_t, domain, privlog; role system_r types atrun_t; role sysadm_r types atrun_t; -every_domain(atrun_t) +base_file_read_access(atrun_t) type atrun_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans({ crond_t system_crond_t sysadm_t }, atrun_exec_t, atrun_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#6 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#7 (text+ko) ==== @@ -64,7 +64,7 @@ allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms; # Read /dev/random and /dev/zero. -allow $1 random_device_t:{ lnk_file chr_file } r_file_perms; +allow $1_t random_device_t:{ lnk_file chr_file } r_file_perms; can_network($1_t) @@ -226,11 +226,6 @@ allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto }; allow sshd_t userpty_type:chr_file { setattr relabelto rw_file_perms }; -# ssh_keygen_t is the type of the ssh-keygen program when run at install time -# and by sysadm_t -daemon_base_domain(ssh_keygen) -allow ssh_keygen_t etc_t:file { getattr read }; -file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file) # # Author: Stephen Smalley # ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/apache.te#3 (text+ko) ==== @@ -158,7 +158,7 @@ r_dir_file(initrc_t, httpd_config_t) ################################################## -file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t) +file_type_auto_trans(httpd_t, var_log_t, httpd_log_t) ######################################## # Allow httpd_t to bind to the HTTP port ######################################## ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#3 (text+ko) ==== 
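Review bot: The replacement of `every_domain(atrun_t)` with `base_file_read_access(atrun_t)` in atrun.te carries no comment saying which of the permissions atrun_t used to receive are being dropped on purpose. Neither macro body is visible in this mail, so the hunk alone does not show whether atrun_t keeps everything it needs to run queued jobs. A line above the call would record the intent, for example `# every_domain() replaced to fix the build; atrun_t gets base read access only - confirm nothing else is needed`.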
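Review bot: The comment above the corrected rule in the first ssh.te hunk still reads `# Read /dev/random and /dev/zero.`, but the rule names only `random_device_t`. `zero_device_t` is already granted `rw_file_perms` by the context line just before it. Changing the comment to `# Read /dev/random.` keeps the stated intent in line with what the rule grants. The enclosing macro (it uses `$1`) starts and ends outside the hunk.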
@@ -13,9 +13,6 @@ # daemon started by the init rc scripts. # -# etc_mail_t is the type of /etc/mail. -type etc_mail_t, file_type, sysadmfile; - daemon_domain(sendmail, `, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm) tmp_domain(sendmail) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/usbd.te#5 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#7 (text+ko) ==== @@ -160,13 +160,20 @@ connectto newconn acceptfrom + node_bind } class udp_socket inherits socket +{ + node_bind +} class rawip_socket inherits socket +{ + node_bind +} class node { @@ -269,6 +276,9 @@ class shm inherits ipc +{ + lock +} class posix_sem { @@ -375,4 +385,6 @@ passwd chfn chsh + rootok + crontab } ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#5 (text+ko) ==== @@ -28,10 +28,8 @@ sid sysctl_vm sid sysctl_dev sid kmod -sid devfs -sid devpts -sid nfs sid policy -sid tmpfs +sid scmp_packet +sid devnull # FLASK ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#6 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/fs_use#5 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/genfs_contexts#5 (text+ko) ==== @@ -54,7 +54,7 @@ # driverfs -genfscon driverfs / system_u:object_r:driverfs_t +#genfscon driverfs / system_u:object_r:driverfs_t # usbdevfs genfscon usbdevfs / system_u:object_r:usbdevfs_t ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/initial_sid_contexts#5 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/base_user_macros.te#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#2 (text+ko) ==== 
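Review bot: The `rootok` and `crontab` permissions appended in the last access_vectors hunk are picked up automatically by any rule that uses a wildcard on that class. The class header is outside the hunk, but the neighbouring `passwd chfn chsh` entries suggest it is the passwd class, and the global_macros.te hunk in this same change keeps `allow $1 self:passwd *;` as context. If so, every domain using that macro gains both new permissions without a visible rule change. Listing them explicitly there, e.g. `allow $1 self:passwd { passwd chfn chsh };`, would make the grant of `rootok`/`crontab` a deliberate decision; if the breadth is intended, a comment saying so would help. The `node_bind` and `lock` additions in the earlier hunks also extend the permission sets of their classes, so any kernel-side permission definitions need to stay in step with this file.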
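Review bot: Dropping `sid devfs`, `sid devpts`, `sid nfs` and `sid tmpfs` and adding `sid scmp_packet` and `sid devnull` in initial_sids changes both the set of initial SIDs and the position of `policy` in the list, and initial SID numbers are assigned by position in this file. initial_sid_contexts#5 is listed as edited, but this mail shows no hunk for it. It therefore cannot be confirmed here that each new SID has a context entry and that the removed ones are gone. The kernel-side initial SID definitions also need to agree with the new list; this is worth confirming before the policy is loaded.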
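Review bot: The genfs_contexts hunk disables `genfscon driverfs / system_u:object_r:driverfs_t` by commenting it out without saying why. The same pattern recurs in the second core_macros.te hunk (the `dontaudit ... bsdpty_device_t` rule) and in the global_macros.te hunk (the `self:dbus` and `self:nscd` rules). Commented-out policy rules are easy to re-enable by accident and hard to audit later. Either delete the lines or prefix each with a reason, e.g. `# disabled for SEBSD: <reason>`. In core_macros.te the surviving comment `# ignore old BSD pty devices` now heads a rule that no longer does that, so it should be reworded or removed as well.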
@@ -81,7 +81,7 @@ # # Permissions for reading and writing files and their attributes. # -define(`rw_file_perms', `{ ioctl read getattr lock write append }') +define(`rw_file_perms', `{ ioctl read getattr lock write append poll }') # # Permissions for reading and appending to files. @@ -558,7 +558,7 @@ allow $1_t devpts_t:dir { getattr read search }; # ignore old BSD pty devices -dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; +#dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; ') ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#7 (text+ko) ==== @@ -599,6 +599,6 @@ # Set user information and skip authentication. allow $1 self:passwd *; -allow $1 self:dbus *; -allow $1 self:nscd *; +#allow $1 self:dbus *; +#allow $1 self:nscd *; ') ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/selinux_macros.te#2 (text+ko) ==== @@ -1,1 +1,15 @@ define(`dac_override', `{ dac_read_search dac_execute dac_write }') + +# FreeBSD doesn't use netlink sockets for administering networks. +# Instead of using rules directly, those parts of the policy should use macros. +define(`netlink_route_socket', `netlink_socket') +define(`netlink_firewall_socket', `netlink_socket') +define(`netlink_xfrm_socket', `netlink_socket') +define(`netlink_ip6fw_socket', `netlink_socket') +define(`netlink_selinux_socket', `netlink_socket') +define(`netlink_audit_socket', `netlink_socket') +define(`netlink_tcpdiag_socket', `netlink_socket') +define(`netlink_nflog_socket', `netlink_socket') +define(`netlink_dnrt_socket', `netlink_socket') +define(`nlmsg_read', `read') +define(`nlmsg_write', `write') ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#5 (text+ko) ==== @@ -131,7 +131,7 @@ type mtrr_device_t, device_type; # Type for /dev/bpf* -type bpf_device_t, file_type; +type bpf_device_t, device_type; # Type for /dev/apm_bios type apm_bios_t, device_type; 
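Review bot: Adding `poll` to `rw_file_perms` in the first core_macros.te hunk extends every rule that uses the macro, on every object class it is applied to. `poll` therefore has to be a defined permission on each of those classes. The access_vectors hunks shown in this mail do not add it, so presumably it is already defined; that is worth confirming for classes such as `chr_file` and `lnk_file`, which other hunks in this change use with the file permission macros. The read-only macros are outside this hunk, so domains that only read but also poll may need the same addition there.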
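Review bot: The new selinux_macros.te defines widen existing rules, and the added comment does not say so. They fold nine distinct netlink classes into `netlink_socket` and map `nlmsg_read`/`nlmsg_write` onto plain `read`/`write`. A rule written to grant one narrow netlink permission on one class therefore now grants generic read or write on the shared class. The comment states that FreeBSD does not use netlink sockets, so the practical exposure is probably nil. A note next to the defines would still record it, e.g. `# NOTE: these aliases widen any rule naming a netlink_* class or nlmsg_* permission; revisit if netlink_socket ever becomes reachable`. Since m4 rewrites every occurrence of a defined word, it is also worth checking that none of these names appear where the substitution is unwanted.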
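Review bot: Moving `bpf_device_t` from `file_type` to `device_type` in the first device.te hunk changes which attribute-based rules reach these nodes, and the next hunk does the same for `klog_device_t`. Rules granted on `device_type` now cover /dev/bpf* and /dev/klog, and rules granted on `file_type` no longer do. Those rules are not part of this mail, so the policy should be checked for broad grants on `device_type` character devices before relying on the change; per the comments these types label the bpf and kernel log devices. The second device.te hunk also deletes `type v4l_device_t, file_type;`, and any rule still naming that type would stop the policy from compiling.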
@@ -150,7 +150,6 @@ # for other device nodes such as the NVidia binary-only driver type xserver_misc_device_t, device_type; -type v4l_device_t, file_type; # Type for /dev/klog -type klog_device_t, file_type; +type klog_device_t, device_type; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#5 (text+ko) ==== @@ -113,6 +113,7 @@ # etc_aliases_t is the type of the aliases database. # type etc_aliases_t, file_type, sysadmfile; +type etc_mail_t, file_type, sysadmfile; # net_conf_t is the type of the /etc/resolv.conf file. # all DHCP clients and PPP need write access to this file. @@ -271,6 +272,8 @@ type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; allow usbdevfs_t usbdevfs_t:filesystem associate; +type usbdevfs_device_t, device_type, noexattrfile, sysadmfile; +allow usbdevfs_device_t usbdevfs_t:filesystem associate; type sysfs_t, fs_type, root_dir_type, sysadmfile; allow sysfs_t sysfs_t:filesystem associate;
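Review bot: In the first file.te hunk, `type etc_mail_t, file_type, sysadmfile;` lands directly under the comment block describing `etc_aliases_t`. The comment it had in sendmail.te, `# etc_mail_t is the type of /etc/mail.`, was dropped in the move. As written, the declaration reads as part of the aliases entry. Carrying the original comment over above the new line keeps the two types distinguishable for anyone auditing what is labelled with each.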