From owner-trustedbsd-cvs@FreeBSD.ORG Mon Jan 22 20:14:25 2007 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8A4C716A400 for ; Mon, 22 Jan 2007 20:14:25 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 88A9513C455 for ; Mon, 22 Jan 2007 20:14:24 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by cyrus.watson.org (Postfix) with ESMTP id D59F448928 for ; Mon, 22 Jan 2007 15:14:22 -0500 (EST) Received: from hub.freebsd.org (hub.freebsd.org [69.147.83.54]) by mx2.freebsd.org (Postfix) with ESMTP id 3475E14B56D; Mon, 22 Jan 2007 20:02:16 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id D262A16A484; Mon, 22 Jan 2007 20:02:14 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 985B816A47E for ; Mon, 22 Jan 2007 20:02:14 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 7D3F513C469 for ; Mon, 22 Jan 2007 20:02:14 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l0MK2902087441 for ; Mon, 22 Jan 2007 20:02:09 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l0MK298W087436 for perforce@freebsd.org; Mon, 22 Jan 2007 20:02:09 GMT (envelope-from millert@freebsd.org) Date: Mon, 22 Jan 2007 20:02:09 GMT Message-Id: 
<200701222002.l0MK298W087436@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 113401 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jan 2007 20:14:25 -0000 http://perforce.freebsd.org/chv.cgi?CH=113401 Change 113401 by millert@millert_macbook on 2007/01/22 20:01:14 Update. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#11 (text+ko) ==== 
@@ -47,22 +47,20 @@ allow diskarbitrationd_t self:socket { connect write }; allow diskarbitrationd_t self:udp_socket create; allow diskarbitrationd_t self:unix_dgram_socket create; -allow diskarbitrationd_t sbin_t:dir search; +allow diskarbitrationd_t sbin_t:dir { getattr read search }; # Allow disk/device/fs operations allow diskarbitrationd_t device_t:chr_file { ioctl read }; -allow diskarbitrationd_t fs_t:dir getattr; +allow diskarbitrationd_t fs_t:dir { search getattr }; +allow diskarbitrationd_t fs_t:lnk_file unlink; allow diskarbitrationd_t fsadm_t:file execute_no_trans; # Allow mount operations -allow diskarbitrationd_t fs_t:filesystem mount; +allow diskarbitrationd_t fs_t:filesystem { getattr mount }; allow diskarbitrationd_t mnt_t:dir { getattr read remove_name rmdir search }; allow diskarbitrationd_t mnt_t:file { getattr unlink }; allow diskarbitrationd_t mnt_t:lnk_file unlink; - - - # Allow various file operations allow diskarbitrationd_t nfs_t:dir getattr; allow diskarbitrationd_t nfs_t:filesystem mount; @@ -76,12 +74,7 @@ # Allow access to raw disk devices storage_raw_read_fixed_disk(diskarbitrationd_t) -# Note: This causes the following error...we need to figure it out: -# -## libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read }; -# libsepol.check_assertions: 1 assertion violations occured -# Error while expanding policy -#allow diskarbitrationd_t fixed_disk_device_t:blk_file { ioctl read }; +storage_raw_write_fixed_disk(diskarbitrationd_t) # Allow signaling fsck, etc allow diskarbitrationd_t fsadm_t:process signal; @@ -117,6 +110,9 @@ darwin_allow_host_pref_read(diskarbitrationd_t) darwin_allow_system_read(diskarbitrationd_t) +# Use CoreServices +darwin_allow_CoreServices_read(diskarbitrationd_t) + # Allow access to frameworks frameworks_read(diskarbitrationd_t) 
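Review bot: In the `@@ -76,12 +74,7 @@` hunk, `storage_raw_write_fixed_disk(diskarbitrationd_t)` sits under the existing comment `# Allow access to raw disk devices` with nothing recording why write access is needed. Raw write to fixed-disk block devices lets the domain change on-disk data without regard to file labels, so it is one of the strongest grants in this module. The removed note shows that a direct `allow` on `fixed_disk_device_t:blk_file` tripped a policy assertion; the interface presumably satisfies that assertion through an attribute, which makes the grant easy to miss in a later audit. I would add a comment such as `# Raw write needed for <operation>; read-only access was confirmed insufficient` and check that the permission was not simply copied from permissive-mode denials.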
@@ -131,3 +127,6 @@ # Search /var/vm files_search_vm(diskarbitrationd_t) + +# Read /var (symlinks) +files_read_var_files(diskarbitrationd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#7 (text+ko) ==== @@ -46,7 +46,7 @@ # Misc allow lookupd_t mnt_t:dir search; -allow lookupd_t nfs_t:filesystem getattr; +allow lookupd_t { fs_t nfs_t }:filesystem getattr; allow lookupd_t nfs_t:lnk_file read; allow lookupd_t port_t:tcp_socket name_connect; allow lookupd_t random_device_t:chr_file read; @@ -103,3 +103,7 @@ # Allow Mach IPC w/ syslogd logging_allow_ipc(lookupd_t) + +# Read /var +files_list_var(lookupd_t) +files_read_var_files(lookupd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#11 (text+ko) ==== @@ -40,7 +40,7 @@ allow securityd_t nfs_t:filesystem getattr; allow securityd_t nfs_t:lnk_file read; allow securityd_t usr_t:file { getattr read }; -allow securityd_t random_device_t:chr_file read; +allow securityd_t random_device_t:chr_file { read write }; allow securityd_t sbin_t:dir { getattr read search }; # /var file operations ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#6 (text+ko) ==== @@ -53,6 +53,9 @@ allow syslogd_t devlog_t:sock_file create_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) +# Read /var symlinks +files_read_var_files(syslogd_t) + # create/append log files. allow syslogd_t var_log_t:dir rw_dir_perms; allow syslogd_t var_log_t:file create_file_perms; 
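Review bot: The comment `# Read /var (symlinks)` added at the end of diskarbitrationd.te understates the rule beneath it: going by its name, `files_read_var_files(diskarbitrationd_t)` grants read on generic files under /var, not on symlinks alone. The same pairing appears in the logging.te hunk at `-53,6` (`# Read /var symlinks` over `files_read_var_files(syslogd_t)`), and in lookupd.te at `-103,3`, where `files_list_var(lookupd_t)` is added as well. If only symlink traversal is needed, a symlink-only interface would be the narrower grant, provided this tree's files module offers one. Otherwise reword the comment to `# Read generic /var files and symlinks` so it matches what is allowed.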
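Review bot: The securityd.te hunk widens `random_device_t:chr_file` from `read` to `{ read write }` with no comment giving the reason. Writing to the random device is usually how a process contributes entropy to the kernel pool, which would be plausible for securityd, but that intent cannot be read off this line. A one-line comment above the rule, for example `# securityd feeds entropy back to the random device`, would let a later audit tell this apart from a permission added only to silence a denial.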
@@ -86,11 +89,12 @@ # Kernel messages come from /dev/klog dev_filetrans(syslogd_t,devklog_t,chr_file) genfscon devfs /klog gen_context(system_u:object_r:devklog_t,0s) -allow syslogd_t devklog_t:chr_file read; +allow syslogd_t devklog_t:chr_file { read ioctl }; fs_search_auto_mountpoints(syslogd_t) term_write_console(syslogd_t) +allow syslogd_t console_device_t:file write; # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -142,12 +146,16 @@ kernel_allow_ipc(syslogd_t) # Talk to self -allow syslogd_t self:socket read; +allow syslogd_t self:socket { bind listen accept read }; +allow syslogd_t self:mach_port make_send_once; # Talk to notifyd notifyd_allow_ipc(syslogd_t) notifyd_allow_shm(syslogd_t) +# Read /private +darwin_allow_private_read(syslogd_t) + ifdef(`targeted_policy',` allow syslogd_t var_run_t:fifo_file { ioctl read write }; term_dontaudit_use_unallocated_ttys(syslogd_t)
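Review bot: `allow syslogd_t console_device_t:file write;` uses object class `file`, although the console is a device node and the line directly above already calls `term_write_console(syslogd_t)`. If that interface covers the character-device case, the new rule only matters when the console object is checked as a regular file, which would suggest a labelling or class-mapping problem rather than a missing permission. I would record the denial it answers in a comment such as `# Workaround: console_device_t object checked as class file (<denial reference>)`, or drop the rule if the interface proves sufficient. The `ioctl` added to `devklog_t:chr_file` in the same hunk is likewise undocumented.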
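Review bot: In the `@@ -142,12 +146,16 @@` hunk, the rule under `# Talk to self` now grants `bind listen accept` on `self:socket` in addition to `read`, and the comment no longer describes it. The generic `socket` class does not say what kind of endpoint syslogd is listening on, so the rule cannot be reviewed for exposure from this line alone. If a more specific class applies here, naming it would be tighter; at minimum update the comment to something like `# syslogd listens on its own socket for <purpose>`. `darwin_allow_private_read(syslogd_t)` in the same hunk carries only `# Read /private`, so a note on which part of /private syslogd needs would help bound that grant.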