Date: Tue, 16 Dec 2003 07:38:53 -0800 (PST) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 43969 for review Message-ID: <200312161538.hBGFcrjx009139@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=43969
Change 43969 by cvance@cvance_korben on 2003/12/16 07:37:54
Update SEBSD policy for newer FreeBSD distribution (file locations, behavior, new MAC framework support, etc.
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#7 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#5 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/su_macros.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#4 (text+ko) ====
@@ -13,11 +13,15 @@
 domain_auto_trans(initrc_t, cleanvar_exec_t, cleanvar_t)
 allow cleanvar_t self:fd *;
+allow cleanvar_t init_t:fd use;
 allow cleanvar_t { var_run_t var_spool_t }:dir { rw_dir_perms };
+allow cleanvar_t var_run_t:file create_file_perms;
+allow cleanvar_t var_spool_t:file create_file_perms;
 # We really need /var/{run,spool}/*...
 allow cleanvar_t { pidfile var_spool_t }:file { getattr unlink };
-allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
+allow cleanvar_t { var_t etc_t bin_t sbin_t root_t device_t } :dir r_dir_perms;
+allow cleanvar_t null_device_t:chr_file r_file_perms;
 allow cleanvar_t self:capability dac_override;
 allow cleanvar_t fs_t:filesystem { getattr };
 can_exec(cleanvar_t, bin_t)
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#4 (text+ko) ====
@@ -59,4 +59,4 @@
 rw_dir_create_file(getty_t, var_lock_t)
-dontaudit getty_t sysadm_home_t:dir search;
+dontaudit getty_t staff_home_dir_t:dir search;
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#3 (text+ko) ====
@@ -25,6 +25,7 @@
 # read files in /etc/init.d
 allow initrc_t etc_t:lnk_file r_file_perms;
+allow initrc_t resolv_conf_t:{ file lnk_file } r_file_perms;
 read_locale(initrc_t)
@@ -122,6 +123,7 @@
 ifdef(`sendmail.te', `
 # Update /etc/mail.
 allow initrc_t etc_mail_t:file { setattr rw_file_perms };
+allow initrc_t sendmail_exec_t:lnk_file read;
 ')
 ifdef(`xfs.te',
@@ -186,8 +188,8 @@
 allow initrc_t tty_device_t:chr_file relabelto;
 # Use lock files in /var/spool/lock.
-allow initrc_t var_spool_t:dir create_file_perms;
-allow initrc_t var_spool_t:file { rw_file_perms unlink };
+allow initrc_t var_spool_t:dir create_dir_perms;
+allow initrc_t var_spool_t:file { create_file_perms unlink };
 ifdef(`rpm.te', `
 # Create and read /boot/kernel.h.
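Review bot: The new `allow cleanvar_t var_run_t:file create_file_perms;` and the matching `var_spool_t` rule grant cleanvar_t create, write and setattr on every file of those types, far wider than the `{ getattr unlink }` the existing rule below already grants for stale pidfiles; a compromised cleanvar could then rewrite any daemon's pidfile or spool file rather than only remove it. If the only files cleanvar itself creates are its own marker files (the rc script's clean_var markers, to be confirmed against /etc/rc.d/cleanvar), the usual pattern is a dedicated type with an automatic transition, `var_run_domain(cleanvar)` as the ssh.te hunk of this change uses for sshd, so writes are confined to `cleanvar_var_run_t` and the broad `var_run_t:file create_file_perms` rule can go. Either way, a one-line comment naming the file these two rules exist for would let the next maintainer tighten them safely.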
@@ -209,6 +211,7 @@
 ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
 allow initrc_t var_spool_t:file rw_file_perms;
+allow initrc_t mqueue_spool_t:dir r_dir_perms;
 #
 # quota control
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#3 (text+ko) ====
@@ -154,6 +154,9 @@
 allow local_login_t sysadm_home_t:dir search;
+type opiekey_t, file_type, sysadmfile;
+allow local_login_t opiekey_t:file rw_file_perms;
+
 #################################
 #
 # Rules for the remote_login_t domain.
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#3 (text+ko) ====
@@ -15,10 +15,20 @@
 role sysadm_r types mount_t;
 role system_r types mount_t;
+domain_auto_trans(init_t, mount_exec_t, mount_t)
 domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 allow mount_t init_t:fd use;
 allow mount_t privfd:fd use;
+# XXX/TBD
+# When you label a filesystem, the directories _under_ the mount points
+# aren't typically available, and remain unlabeled. Not sure what the
+# best fix is for this. In the meantime, allow the system to boot:
+allow init_t unlabeled_t:dir mounton;
+allow init_t device_t:filesystem mount;
+allow mount_t unlabeled_t:dir { mounton getattr };
+allow mount_t file_t:dir getattr;
+
 allow mount_t self:capability { mknod ipc_lock dac_override };
 allow mount_t self:process { fork signal_perms };
 allow mount_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#2 (symlink) ====
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#7 (text+ko) ====
@@ -136,7 +136,7 @@
 can_exec(sshd_t, sshd_exec_t);
 # Use capabilities.
-allow sshd_t self:capability { sys_chroot sys_resource };
+allow sshd_t self:capability { net_admin sys_chroot sys_resource };
 # Create /var/run/sshd.pid
 var_run_domain(sshd)
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#3 (text+ko) ====
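Review bot: The workaround rules `allow init_t unlabeled_t:dir mounton;` and `allow init_t device_t:filesystem mount;` in the mount.te hunk let init itself mount filesystems and mount over any unlabeled directory, which side-steps the `mount_t` domain that the new `domain_auto_trans(init_t, mount_exec_t, mount_t)` in the same hunk is meant to put init's mounts into; since `unlabeled_t` is also what files on not-yet-labeled media carry, any such directory becomes a legal mount point for init. If init only reaches mount(2) through mount(8), the two init_t rules should become unnecessary once the transition is in place and are worth re-testing before they turn permanent. Because the comment already marks this as XXX/TBD, I would wrap the four allow rules in `ifdef(`unlabeled_mount_workaround', ` ... `)` so they can be switched off once mount points are labeled, and extend the comment with the candidate fix of labeling the mount-point directories in types.fc so the policy stops depending on `unlabeled_t` at all.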
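Review bot: In the ssh.te hunk `net_admin` is added to sshd_t's self capabilities (the syslogd.te hunk of this change does the same for syslogd_t) with no comment saying which operation needs it, yet `net_admin` covers interface, routing and privileged socket-option administration, a large surface for a network-facing daemon that only needs to accept connections. A comment on the changed line such as `# net_admin: required under SEBSD's capability mapping for <operation>; see AVC denial <…>` naming the triggering denial would let a later reviewer check whether the SEBSD privilege mapping can be narrowed instead of carrying the capability forever. If the need turns out to be build- or host-specific, gating it with an ifdef as the rest of this policy does would be preferable to granting it unconditionally.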
@@ -31,7 +31,7 @@
 allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
 # Use capabilities.
-allow syslogd_t syslogd_t:capability { kill net_bind_service dac_override };
+allow syslogd_t syslogd_t:capability { kill net_admin net_bind_service dac_override };
 # Inherit and use descriptors from init.
 allow syslogd_t init_t:fd use;
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#3 (text+ko) ====
@@ -1,5 +1,5 @@
 # mount
-/bin/mount system_u:object_r:mount_exec_t
+/sbin/mount system_u:object_r:mount_exec_t
 /sbin/mdmfs system_u:object_r:mount_exec_t
 /sbin/mount_.* system_u:object_r:mount_exec_t
 /sbin/umount system_u:object_r:mount_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#3 (text+ko) ====
@@ -1,2 +1,3 @@
 /usr/libexec/save-entropy system_u:object_r:save_entropy_exec_t
 /var/db/entropy(/.*)? system_u:object_r:var_db_entropy_t
+/entropy system_u:object_r:var_db_entropy_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#3 (text+ko) ====
@@ -11,4 +11,5 @@
 /root/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
 /home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t
-/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
+/usr/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t
+/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#5 (text+ko) ====
@@ -168,7 +168,7 @@
 /etc/rc.d/sshd system_u:object_r:initrc_exec_t
 /etc/rc.shutdown system_u:object_r:initrc_exec_t
 /etc/rc system_u:object_r:initrc_exec_t
-
+/etc/opiekeys system_u:object_r:opiekey_t
 #
 # /lib
 #
@@ -198,6 +198,7 @@
 /usr(/.*)? system_u:object_r:usr_t
 /usr/etc(/.*)? system_u:object_r:etc_t
 /usr/libexec(/.*)? system_u:object_r:lib_t
+/libexec(/.*)? system_u:object_r:lib_t
 /usr/src(/.*)? system_u:object_r:src_t
 /usr/tmp(/.*)? system_u:object_r:tmp_t
 /usr/man(/.*)? system_u:object_r:man_t
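Review bot: In the ssh.fc hunk the new `/usr/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t` entry has no counterpart for the account that the kept `/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t` line singles out, so if /home is the usual FreeBSD symlink to /usr/home and the labeler walks the real path, jadmin's keys will be labeled `user_home_ssh_t` instead of `staff_home_ssh_t`, and whichever domains are allowed one type but not the other gain or lose access to them. Add `/usr/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t` after the generic /usr/home entry, mirroring the existing order in which the specific /home/jadmin rule follows the generic /home one. Hard-coding a single account name in a shared file_contexts file is also fragile, but that predates this change and is better handled by a site-local ifdef or a staff home prefix than here.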
@@ -231,6 +232,7 @@
 /usr/share/selinux(/.*)? system_u:object_r:policy_src_t
 /usr/games(/.*)? system_u:object_r:bin_t
 /usr/libexec/ld.*\.so.* system_u:object_r:ld_so_t
+/libexec/ld.*\.so.* system_u:object_r:ld_so_t
 /usr/lib/pam_.* system_u:object_r:shlib_t
 #
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/su_macros.te#2 (text+ko) ====
@@ -46,6 +46,7 @@
 allow $1_su_t bin_t:lnk_file read;
 allow $1_su_t privfd:fd use;
+allow $1_su_t self:fd { create use };
 # Write to utmp.
 allow $1_su_t { var_t var_run_t }:dir search;