Date:      Mon, 22 Jan 2007 19:52:48 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 113383 for review
Message-ID:  <200701221952.l0MJqm4Y083851@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=113383

Change 113383 by millert@millert_macbook on 2007/01/22 19:52:03

	Update to deal with /var/vm/swapfile* transition and labeling.
	Allow the other activities the pager needs (console access, Mach IPC to itself and the kernel, reading /private).

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.te#3 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.fc#2 (text+ko) ====

@@ -4,3 +4,4 @@
 # MCS categories: <none>
 
 /sbin/dynamic_pager		--	gen_context(system_u:object_r:dynamic_pager_exec_t,s0)
+/private/var/vm/swapfile.*		gen_context(system_u:object_r:dynamic_pager_swapfile_t,s0)
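Review bot: The new context spec on the last line has no file-type field, so unlike the `/sbin/dynamic_pager` entry above it (which uses `--`) it labels anything matching that name — directories, symlinks, special files — as dynamic_pager_swapfile_t, and the trailing `.*` also matches nested paths such as `swapfile.d/anything`. Since the .te side of this change only grants `file`-class permissions on the type, restricting the spec to regular files is both tighter and consistent with the rest of the file: `/private/var/vm/swapfile.*	--	gen_context(system_u:object_r:dynamic_pager_swapfile_t,s0)`. If the pager's naming scheme is known to be `swapfileN`, a pattern such as `swapfile[0-9]+` would be narrower still, though the naming cannot be confirmed from this change alone.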

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/dynamic_pager.te#3 (text+ko) ====

@@ -10,6 +10,9 @@
 domain_type(dynamic_pager_t)
 init_domain(dynamic_pager_t, dynamic_pager_exec_t)
 
+# /var/vm/swapfile*
+type dynamic_pager_swapfile_t;
+
 ########################################
 #
 # dynamic_pager local policy
@@ -25,5 +28,26 @@
 allow dynamic_pager_t self:fifo_file { read write };
 allow dynamic_pager_t self:unix_stream_socket create_stream_socket_perms;
 
+# swapfiles
+allow dynamic_pager_t var_vm_t:dir { search add_name };
+allow dynamic_pager_t dynamic_pager_swapfile_t:file { create unlink read write swapon setattr };
+allow dynamic_pager_t fs_t:filesystem getattr;
+allow dynamic_pager_swapfile_t fs_t:filesystem associate;
+
+# files created by dynamic_pager in /var/vm are relabeled
+type_transition dynamic_pager_t var_vm_t:file dynamic_pager_swapfile_t;
+
+# talk to console
+allow dynamic_pager_t console_device_t:chr_file { read write };
+
 # Talk to launchd
 init_allow_ipc(dynamic_pager_t)
+
+# Talk to self
+mach_allow_message(dynamic_pager_t, dynamic_pager_t)
+
+# Talk to kernel
+kernel_allow_ipc(dynamic_pager_t)
+
+# Read /private
+darwin_allow_private_read(dynamic_pager_t)
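Review bot: The directory rule `allow dynamic_pager_t var_vm_t:dir { search add_name };` lets the domain create swapfiles but never remove them, while the file rule on the next line grants `unlink`; under SELinux-style directory checks (which this policy appears to follow, given the add_name/type_transition pairing) an unlink also requires `remove_name` on the parent directory, so retiring a swapfile would be denied. I'd change it to `allow dynamic_pager_t var_vm_t:dir { search add_name remove_name };`. The file rule grants `setattr` but not `getattr`; if the pager stats its swapfiles before truncating or swapping on them, expect a further denial — worth confirming against the AVC log. The explicit `fs_t:filesystem associate` rule suggests dynamic_pager_swapfile_t carries no file-type attribute; if this refpolicy port has a `files_type()` interface, applying it to the new type would supply the associate rule and let the standard relabel/admin interfaces reach the swapfiles.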


