Date:      Wed, 8 Oct 2003 10:35:37 -0700 (PDT)
From:      Andrew Reisse <areisse@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 39357 for review
Message-ID:  <200310081735.h98HZbiS079026@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=39357

Change 39357 by areisse@areisse_tislabs on 2003/10/08 10:35:05

	small policy tweaks.
	runtime.fc: Fix files that get created with bad labels because
	of booting without sebsd.

Affected files ...

.. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#5 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/apache.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/apache.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/runtime.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#4 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#5 (text+ko) ====

@@ -45,7 +45,7 @@
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
 FC = file_contexts/file_contexts
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
+FCFILES=file_contexts/types.fc file_contexts/runtime.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
 
 APPDIR=$(DESTDIR)/etc/security
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context)
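Review bot: The position of `file_contexts/runtime.fc` in `FCFILES` looks significant but is not documented. It is concatenated after `types.fc` and before the per-program `.fc` files, so if overlapping patterns are resolved by position in the generated `file_contexts` (which the `/usr/home` move in the second types.fc hunk suggests), program entries will override whatever runtime.fc sets. A comment above the assignment such as `# Order matters: for overlapping patterns the later file wins` would record that, and the moved `/usr/home` lines in types.fc deserve a matching `# must follow the generic /usr entries`. runtime.fc is added by this change but its contents are not shown in the diff, so the labels it assigns cannot be checked here.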

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#3 (text+ko) ====

@@ -19,5 +19,6 @@
 
 allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
 allow cleanvar_t self:capability dac_override;
+allow cleanvar_t fs_t:filesystem { getattr };
 can_exec(cleanvar_t, bin_t)
 general_domain_access(cleanvar_t) #!!!

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/apache.te#3 (text+ko) ====

@@ -410,6 +410,7 @@
 ####################################################
 allow httpd_t httpd_log_files_t:dir  rw_dir_perms;
 allow httpd_t httpd_log_files_t:file create_file_perms;
+file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t)
 
 ############################################
 # Allow scripts to append to http logs
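Review bot: `file_type_auto_trans(httpd_t, var_log_t, httpd_log_files_t)` is probably broader than the log-file case needs. As the macro is defined in the upstream example policy, it grants httpd_t write access to the var_log_t directory and sets up the transition for every file class, not only regular files; the macro definition is not part of this diff, so confirm against this tree. Since the matching apache.fc change only labels `/var/log/httpd-*` entries, a file-only transition, `type_transition httpd_t var_log_t:file httpd_log_files_t;`, plus the minimum directory permissions on var_log_t, would stop a compromised httpd from creating directories, symlinks or fifos under /var/log. A one-line comment saying the rule exists because httpd now logs directly into /var/log would also help.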

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/apache.fc#3 (text+ko) ====

@@ -9,7 +9,7 @@
 #/usr/sbin/suexec		system_u:object_r:httpd_suexec_exec_t
 #/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? system_u:object_r:httpd_suexec_exec_t
 #/usr/lib/apache(2)?/suexec(2)?	system_u:object_r:httpd_suexec_exec_t
-/var/log/httpd(/.*)?		system_u:object_r:httpd_log_files_t
+/var/log/httpd-.*		system_u:object_r:httpd_log_files_t
 #/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_files_t
 #/var/log/cgiwrap\.log.*	system_u:object_r:httpd_log_files_t
 #/var/cache/ssl.*\.sem		system_u:object_r:httpd_cache_t
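Review bot: The new pattern `/var/log/httpd-.*` replaces `/var/log/httpd(/.*)?` instead of being added next to it. A host whose Apache still logs into a `/var/log/httpd/` directory would therefore lose the httpd_log_files_t label on the next relabel and fall back to whatever the generic /var/log entry assigns. If both layouts need to work, keep the old line as well. The trailing `.*` also matches across `/` (the `[^/]+` forms in types.fc exist for that reason), so `/var/log/httpd-[^/]*` would confine the label to entries directly in /var/log.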

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#2 (text+ko) ====

@@ -1,2 +1,2 @@
 /usr/libexec/save-entropy		system_u:object_r:save_entropy_exec_t
-/var/db/entropy				system_u:object_r:var_db_entropy_t
+/var/db/entropy(/.*)?			system_u:object_r:var_db_entropy_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#4 (text+ko) ====

@@ -83,9 +83,6 @@
 /home				system_u:object_r:home_root_t
 /home/[^/]+	-d		system_u:object_r:user_home_dir_t
 /home/[^/]+/.+			system_u:object_r:user_home_t
-/usr/home			system_u:object_r:home_root_t
-/usr/home/[^/]+	-d		system_u:object_r:user_home_dir_t
-/usr/home/[^/]+/.+		system_u:object_r:user_home_t
 
 #
 # Other staff home directories, replace "jadmin" with appropriate name
@@ -206,6 +203,10 @@
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 
+/usr/home			system_u:object_r:home_root_t
+/usr/home/[^/]+	-d		system_u:object_r:user_home_dir_t
+/usr/home/[^/]+/.+		system_u:object_r:user_home_t
+
 #
 # /usr/bin
 #

==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#4 (text+ko) ====

@@ -256,6 +256,7 @@
 # Allow the pty to be associated with the file system.
 allow devpts_t devpts_t:filesystem associate;
 allow tty_device_t device_t:filesystem associate;
+allow device_t device_t:filesystem associate;
 
 type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
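Review bot: The added `allow device_t device_t:filesystem associate;` sits under the comment `# Allow the pty to be associated with the file system.`, which does not describe it. A separate comment such as `# Allow generic device nodes to be associated with the device file system.` would make the intent clear. It is also worth recording next to the rule that nodes left with the generic device_t label are reachable through every rule that grants access to device_t, so specific device types should still be assigned wherever the policy distinguishes them.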


