Date: Wed, 3 Sep 2003 08:18:30 -0700 (PDT) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 37446 for review Message-ID: <200309031518.h83FIUkI094101@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=37446 Change 37446 by areisse@areisse_tislabs on 2003/09/03 08:17:53 Updates to selinux policy to allow boot and login in sebsd. Some domains wanted by the default init process are in unused/: mta ping sendmail rpcd lpd named dhcpc gmake is required. The file_contexts have not been ported. First label with the old sebsd policy and then label some things manually. The flask directory has not been completely ported; the security class has been completely changed, and some other classes have new permissions. Affected files ... .. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/save-entropy.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 edit .. 
//depot/projects/trustedbsd/sebsd_policy/policy/domains/program/usbd.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/macros/selinux_macros.te#1 add .. //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 edit Differences ... ==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 (text+ko) ==== @@ -19,12 +19,15 @@ PREFIX = /usr BINDIR = $(PREFIX)/bin SBINDIR = $(PREFIX)/sbin -LOADPOLICY = $(SBINDIR)/load_policy -CHECKPOLICY = $(BINDIR)/checkpolicy -SETFILES = $(SBINDIR)/setfiles + +CHECKPOLICY = $(REALDESTDIR)/sbin/sebsd_checkpolicy +LOADPOLICY = /sbin/sebsd_loadpolicy +SETFILES = $(REALDESTDIR)/sbin/sebsd_setfiles +M4 = $(REALDESTDIR)/usr/bin/m4 -Imacros -s -POLICYVER := policy.$(shell $(CHECKPOLICY) -V) -INSTALLDIR = $(DESTDIR)/etc/security/selinux +#POLICYVER := policy.$(shell $(CHECKPOLICY) -V) +POLICYVER := policy.13 +INSTALLDIR = $(DESTDIR)/etc/security/sebsd LOADPATH = $(INSTALLDIR)/$(POLICYVER) SRCINSTALLDIR = $(INSTALLDIR)/src POLICYCONF = $(SRCINSTALLDIR)/policy.conf @@ -48,13 +51,13 @@ install: $(APPFILES) $(LOADPATH) $(APPDIR)/default_contexts: appconfig/default_contexts - install -m 644 -o root -g root $< $@ + install -m 644 -o root -g wheel $< $@ $(APPDIR)/default_type: appconfig/default_type - install -m 644 -o root -g root $< $@ + install -m 644 -o root -g wheel $< $@ $(APPDIR)/initrc_context: appconfig/initrc_context - install -m 644 -o root -g root $< $@ + install -m 644 -o root -g wheel $< $@ $(LOADPATH): $(POLICYCONF) $(CHECKPOLICY) mkdir -p $(INSTALLDIR) 
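Review bot: `POLICYVER := policy.13` pins the installed policy file name while the line that derived it from `$(CHECKPOLICY) -V` is merely commented out, so the name under `$(INSTALLDIR)` no longer follows whatever version sebsd_checkpolicy actually emits, and a mismatch would presumably only show up when `LOADPOLICY` rejects the file at boot. A short comment on why the probe is disabled and what has to be kept in step would help, e.g. `# sebsd_checkpolicy -V is not usable here yet; keep this in sync with the version it emits`. The `-g wheel` changes in the second hunk are the expected FreeBSD equivalent of `-g root` and need nothing further.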
@@ -92,10 +95,10 @@ CONSTRAINT_CONTEXT_MACRO_FILES := tmp/program_used_flags.te tmp/all_macros.te constraints initial_sid_contexts fs_use genfs_contexts net_contexts tmp/te-rbac.m4: $(TE_RBAC_MACRO_FILES) - m4 -Imacros -s $^ > $@ + $(M4) $^ > $@ tmp/constraints-contexts.m4: $(CONSTRAINT_CONTEXT_MACRO_FILES) - m4 -Imacros -s $^ > $@ + $(M4) -Imacros -s $^ > $@ tmp/all.te: $(ALLTEFILES) cat $^ > $@ ==== //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 (text+ko) ==== @@ -118,7 +118,8 @@ # # Verify that only the admin domains and initrc_t have setenforce. # -neverallow ~{ admin initrc_t } security_t:security setenforce; +#neverallow ~{ admin initrc_t } security_t:security setenforce; +neverallow ~{ admin initrc_t } kernel_t:system avc_toggle; # # Verify that only the kernel and load_policy_t have load_policy. ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 (text+ko) ==== @@ -51,7 +51,7 @@ file_type_auto_trans(crond_t, var_log_t, cron_log_t) # Use capabilities. -allow crond_t crond_t:capability { setgid setuid net_bind_service }; +allow crond_t crond_t:capability { sys_resource setgid setuid net_bind_service }; # Get security policy decisions. can_getsecurity(crond_t) ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 (text+ko) ==== @@ -54,6 +54,8 @@ # mkreiserfs needs this allow fsadm_t proc_t:filesystem getattr; +allow fsadm_t device_t:filesystem getattr; + # mkreiserfs and other programs need this for UUID allow fsadm_t random_device_t:chr_file { getattr read }; @@ -87,6 +89,7 @@ # Enable swapping to devices and files allow fsadm_t swapfile_t:file { getattr swapon }; allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon }; +allow fsadm_t fixed_disk_device_t:chr_file { getattr swapon }; # XXX Why does updfstab run insmod? domain_auto_trans(fsadm_t, insmod_exec_t, insmod_t) 
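Review bot: The `tmp/constraints-contexts.m4` rule passes `-Imacros -s` a second time even though `M4` is now defined in the earlier hunk as `$(REALDESTDIR)/usr/bin/m4 -Imacros -s`, while the `tmp/te-rbac.m4` rule right above it relies on the variable alone. The duplicated flags are harmless but make two identical steps look different; change the line to `$(M4) $^ > $@` to match.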
@@ -100,3 +103,5 @@ allow fsadm_t privfd:fd use; read_locale(fsadm_t) + +allow fsadm_t fs_type:filesystem getattr; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 (text+ko) ==== @@ -23,6 +23,7 @@ allow getty_t self:process { getpgid getsession }; allow getty_t self:unix_dgram_socket create_socket_perms; allow getty_t self:unix_stream_socket create_socket_perms; +allow getty_t self:fd { create use }; # for ldap and other authentication services allow getty_t resolv_conf_t:file { getattr read }; @@ -56,5 +57,6 @@ allow getty_t tty_device_t:chr_file { setattr rw_file_perms }; allow getty_t ttyfile:chr_file { setattr rw_file_perms }; +rw_dir_create_file(getty_t, var_lock_t) -rw_dir_create_file(getty_t, var_lock_t) +dontaudit getty_t sysadm_home_t:dir search; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 (text+ko) ==== @@ -36,6 +36,10 @@ allow ifconfig_t proc_t:dir r_dir_perms; allow ifconfig_t proc_t:file r_file_perms; +# read the kernel +allow ifconfig_t boot_t:dir r_dir_perms; +allow ifconfig_t boot_t:file r_file_perms; + allow ifconfig_t privfd:fd use; # Create UDP sockets, necessary when called from dhcpc @@ -53,3 +57,6 @@ dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search; allow ifconfig_t fs_t:filesystem getattr; + +# read /etc/mac.conf +allow ifconfig_t etc_t:file r_file_perms; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 (text+ko) ==== @@ -22,6 +22,8 @@ type initctl_t, file_type, sysadmfile; type sulogin_exec_t, file_type, exec_type, sysadmfile; +allow init_t self:fd { create use }; + # for mount points allow init_t file_t:dir search; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 (text+ko) ==== @@ -21,6 +21,8 @@ uses_shlib(initrc_t); type initrc_exec_t, file_type, sysadmfile, exec_type; +allow initrc_t self:fd { create use }; + # read files in /etc/init.d allow initrc_t etc_t:lnk_file r_file_perms; 
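Review bot: `allow fsadm_t fs_type:filesystem getattr;` is appended at the end of fsadm.te with no comment, and it subsumes the `proc_t:filesystem getattr` rule kept above the earlier hunk (and the new `device_t:filesystem getattr` as well, if device_t carries the fs_type attribute, which this change does not show). Either drop the narrower rules or add a one-line comment in the style of the surrounding ones naming which program needs to stat every filesystem, so the attribute-wide grant does not look accidental.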
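Review bot: The comment `# read /etc/mac.conf` is narrower than the rule under it, `allow ifconfig_t etc_t:file r_file_perms;`, which lets ifconfig_t read every file labeled etc_t. If only mac.conf is needed, a dedicated type for that file would keep the grant at the documented scope; otherwise the comment should say that all of etc_t is being opened up. The `# read the kernel` rules on boot_t in the first ifconfig hunk have the same shape and would read better with a note on why ifconfig needs the kernel image.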
@@ -42,6 +44,8 @@ allow initrc_t usbdevfs_t:{ file lnk_file } r_file_perms; allow initrc_t usbdevfs_device_t:file getattr; +allow initrc_t device_t:dir r_dir_perms; + # allow initrc to fork and renice itself allow initrc_t self:process { fork sigchld setsched }; @@ -113,7 +117,7 @@ file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file) # Update /etc/ld.so.cache. -allow initrc_t ld_so_cache_t:file rw_file_perms; +allow initrc_t ld_so_cache_t:file { unlink rw_file_perms }; ifdef(`sendmail.te', ` # Update /etc/mail. @@ -181,6 +185,10 @@ allow initrc_t ttyfile:chr_file relabelfrom; allow initrc_t tty_device_t:chr_file relabelto; +# Use lock files in /var/spool/lock. +allow initrc_t var_spool_t:dir create_file_perms; +allow initrc_t var_spool_t:file { rw_file_perms unlink }; + ifdef(`rpm.te', ` # Create and read /boot/kernel.h. # Redhat systems typically create this file at boot time. @@ -225,6 +233,10 @@ allow initrc_t var_lib_rpm_t:file create_file_perms; ') +# access /var/db/entropy +allow initrc_t var_db_entropy_t:dir read; +allow initrc_t var_db_entropy_t:file { unlink rw_file_perms }; + # Update /var/log/ksyms.*. file_type_auto_trans(initrc_t, var_log_t, var_log_ksyms_t) @@ -259,6 +271,10 @@ allow initrc_t tmpfile:dir { rw_dir_perms rmdir }; allow initrc_t tmpfile:notdevfile_class_set { getattr unlink }; +# allow making links in /dev +allow initrc_t device_t:dir { add_name }; +allow initrc_t device_t:lnk_file { create }; + ################################# # # Rules for the run_init_t domain. ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 (text+ko) ==== 
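Review bot: `# Use lock files in /var/spool/lock.` documents a narrower need than `allow initrc_t var_spool_t:dir create_file_perms;` and `allow initrc_t var_spool_t:file { rw_file_perms unlink };`, which cover every directory and file of type var_spool_t, not just the lock directory. A separate type for /var/spool/lock, as this change already does for /var/db/entropy with var_db_entropy_t, would keep the rule at the stated scope. The `# allow making links in /dev` hunk grants only `add_name` and `create`, so a boot script that replaces an existing link would still be denied `remove_name`/`unlink`; worth confirming against the scripts that need it.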
@@ -18,10 +18,11 @@ dontaudit ldconfig_t device_t:dir search; allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; allow ldconfig_t privfd:fd use; +allow ldconfig_t self:fd *; uses_shlib(ldconfig_t) -file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t) +file_type_auto_trans(ldconfig_t, var_run_t, ld_so_cache_t) file_type_auto_trans(ldconfig_t, lib_t, shlib_t) # allow removing mis-labelled links allow ldconfig_t lib_t:lnk_file unlink; @@ -29,5 +30,12 @@ allow ldconfig_t userdomain:fd use; allow ldconfig_t etc_t:file { getattr read }; allow ldconfig_t etc_t:lnk_file read; +allow ldconfig_t var_t:dir r_dir_perms; allow ldconfig_t fs_t:filesystem getattr; + +# libraries may not be owned by root +allow ldconfig_t self:capability { dac_write dac_read_search }; + +# ldconfig uses /dev/random for some reason +allow ldconfig_t random_device_t:{chr_file lnk_file} r_file_perms; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 (text+ko) ==== @@ -49,12 +49,15 @@ allow $1_login_t device_t:dir r_dir_perms; allow $1_login_t device_t:lnk_file r_file_perms; +# Use pam libraries. +allow $1_login_t lib_t:{file lnk_file} rx_file_perms; + uses_shlib($1_login_t); tmp_domain($1_login) # Use capabilities -allow $1_login_t self:capability { setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource }; +allow $1_login_t self:capability { linux_immutable setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource }; # Run shells in user_t by default. domain_auto_trans($1_login_t, shell_exec_t, user_t) @@ -149,6 +152,8 @@ allow local_login_t var_run_t:dir rw_dir_perms; allow local_login_t var_run_t:file create_file_perms; +allow local_login_t sysadm_home_t:dir search; + ################################# # # Rules for the remote_login_t domain. ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 (text+ko) ==== 
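Review bot: `allow ldconfig_t self:fd *;` grants every permission in the fd class, including any added later, whereas the rest of this change spells out `self:fd { create use }` for init_t, initrc_t, getty_t, mount_t, dhcpc_t and the domain macro in global_macros.te; ssh.te in this change uses `*` the same way. Use `allow ldconfig_t self:fd { create use };` in both files for consistency. The `# libraries may not be owned by root` comment above `self:capability { dac_write dac_read_search }` could also say which operation fails without it, since dac_write lets ldconfig write any file regardless of ownership.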
@@ -19,8 +19,9 @@ allow mount_t init_t:fd use; allow mount_t privfd:fd use; -allow mount_t self:capability { ipc_lock dac_override }; +allow mount_t self:capability { mknod ipc_lock dac_override }; allow mount_t self:process { fork signal_perms }; +allow mount_t self:fd { create use }; allow mount_t file_type:dir search; @@ -28,6 +29,9 @@ allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms; allow mount_t removable_device_t:devfile_class_set rw_file_perms; +# device_t is also used as a fs_type in freebsd +allow mount_t device_t:filesystem mount_fs_perms; + # Mount, remount and unmount file systems. allow mount_t fs_type:filesystem mount_fs_perms; allow mount_t file_t:dir mounton; @@ -43,4 +47,8 @@ ') allow mount_t root_t:filesystem unmount; +# run fs-specific mount programs +allow mount_t mount_exec_t:file execute_no_trans; +# read resolv.conf +allow mount_t resolv_conf_t:file r_file_perms; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 (text+ko) ==== @@ -15,6 +15,7 @@ allow $1 self:unix_stream_socket create_stream_socket_perms; allow $1 self:fifo_file rw_file_perms; allow $1 self:process { fork sigchld setsched }; +allow $1 self:fd *; # Read system information files in /proc. allow $1 proc_t:dir r_dir_perms; @@ -49,7 +50,7 @@ allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms; # Read /dev/random and /dev/zero. -allow $1 random_device_t:chr_file r_file_perms; +allow $1 random_device_t:{ lnk_file chr_file } r_file_perms; can_network($1) ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 (text+ko) ==== @@ -14,6 +14,7 @@ # by syslogd. # daemon_domain(syslogd) +#read_locale(syslogd_t) # can_network is for the UDP socket can_network(syslogd_t) 
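Review bot: The comment `# device_t is also used as a fs_type in freebsd` is at odds with the rule it introduces: if device_t really carried the fs_type attribute, `allow mount_t device_t:filesystem mount_fs_perms;` would be redundant with the `fs_type:filesystem mount_fs_perms` rule two lines below. What the rule suggests is the opposite, that the devfs root is labeled device_t without that attribute; reword to `# the devfs root is labeled device_t, which is not an fs_type` (confirm against types/device.te). The `# run fs-specific mount programs` rule with `execute_no_trans` keeps those helpers in mount_t with its `mknod` and `sys_admin` capabilities; a note saying that is deliberate would help the next reader.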
@@ -30,17 +31,20 @@ allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms; # Use capabilities. -allow syslogd_t syslogd_t:capability { net_bind_service dac_override }; +allow syslogd_t syslogd_t:capability { kill net_bind_service dac_override }; # Inherit and use descriptors from init. allow syslogd_t init_t:fd use; allow syslogd_t { initrc_devpts_t console_device_t }:chr_file { read write }; # Modify/create log files. -create_append_log_file(syslogd_t, var_log_t) +#create_append_log_file(syslogd_t, var_log_t) +allow syslogd_t var_log_t:dir create_file_perms; +allow syslogd_t var_log_t:file rw_file_perms; # Create and bind to /dev/log or /var/run/log. -file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file) +file_type_auto_trans(syslogd_t, { device_t var_run_t syslogd_var_run_t }, devlog_t, sock_file) +allow syslogd_t { var_t var_log_t }:dir search; allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_dgram_socket { sendto }; allow syslogd_t self:unix_stream_socket create_socket_perms; @@ -71,3 +75,6 @@ #allow syslogd_t proc_t:dir search; #allow syslogd_t proc_kmsg_t:file { getattr read }; +# allow access to klog +allow syslogd_t klog_device_t:chr_file { poll read }; + ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 (text+ko) ==== @@ -20,6 +20,7 @@ allow dhcpc_t self:unix_dgram_socket create_socket_perms; allow dhcpc_t self:unix_stream_socket create_socket_perms; allow dhcpc_t self:fifo_file rw_file_perms; +allow dhcpc_t self:fd { create use }; ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) 
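Review bot: Replacing `create_append_log_file(syslogd_t, var_log_t)` with `allow syslogd_t var_log_t:file rw_file_perms;` drops the append-only restriction on log files: if rw_file_perms expands to write, as its name suggests, a syslogd that is compromised or misconfigured can now truncate or rewrite existing logs instead of only appending to them. If the macro was commented out because the FreeBSD syslogd opens logs in a way the macro does not cover, record that in the comment and grant `append` plus only what is actually denied. The added `kill` capability is likewise undocumented; a short note on which signal path needs it would help.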
@@ -71,13 +72,16 @@ allow dhcpc_t self:packet_socket recvfrom; allow dhcpc_t { netmsg_eth0_t netmsg_eth1_t }:packet_socket { recvfrom }; allow dhcpc_t icmp_socket_t:packet_socket { recvfrom }; -allow dhcpc_t var_lib_t:dir search; +allow dhcpc_t var_db_t:dir search; +file_type_auto_trans(dhcpc_t, var_db_t, dhcpc_state_t) file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t) allow dhcpc_t bin_t:dir search; allow dhcpc_t bin_t:lnk_file read; can_exec(dhcpc_t, { bin_t shell_exec_t }) +allow dhcpc_t bpf_device_t:chr_file { poll rw_file_perms }; + dontaudit dhcpc_t domain:packet_socket recvfrom; dontaudit dhcpc_t { netmsg_t icmp_socket_t tcp_socket_t }:packet_socket recvfrom; dontaudit dhcpc_t icmp_socket_t:rawip_socket recvfrom; ==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 (text+ko) ==== @@ -20,7 +20,11 @@ allow init_t rpcd_t:udp_socket write; read_locale(rpcd_t) + +# read/write mounttab +allow rpcd_t { var_t var_db_t }: dir { search }; allow rpcd_t etc_t:file { getattr read }; +allow rpcd_t etc_runtime_t:file rw_file_perms; allow rpcd_t self:unix_dgram_socket create_socket_perms; allow rpcd_t self:unix_stream_socket create_socket_perms; @@ -29,6 +33,9 @@ can_udp_send(mount_t, rpcd_t) can_udp_send(rpcd_t, mount_t) +# statfs /dev +allow rpcd_t device_t:filesystem getattr; + tmp_domain(rpcd) # for /proc/fs/nfs/exports - should we have a new type? @@ -59,6 +66,8 @@ # allow nfsd to do its thing - should go into its own domain #allow rpcd_t self:capability sys_admin; +allow rpcd_t nfs_t:filesystem getattr; + # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. can_network(kernel_t) ==== //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 (text+ko) ==== @@ -10,6 +10,7 @@ common file { + poll ioctl read write @@ -19,7 +20,9 @@ lock relabelfrom relabelto + transition append + access unlink link rename 
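Review bot: `allow rpcd_t { var_t var_db_t }: dir { search };` has a space between the colon and the class name and braces around a single permission, unlike every other rule in the file; write it as `allow rpcd_t { var_t var_db_t }:dir search;`. The `# read/write mounttab` comment sits above that search rule, but the grant it describes is `allow rpcd_t etc_runtime_t:file rw_file_perms;` two lines further down; moving the comment next to that rule makes the intent clearer.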
@@ -37,6 +40,7 @@ common socket { # inherited from file + poll ioctl read write @@ -46,6 +50,7 @@ lock relabelfrom relabelto + transition append # socket-specific bind @@ -137,6 +142,7 @@ class fd { + create use } @@ -175,6 +181,8 @@ class netif { + getattr + setattr tcp_recv tcp_send udp_recv @@ -212,11 +220,10 @@ { fork transition - sigchld # commonly granted from child to parent - sigkill # cannot be caught or ignored - sigstop # cannot be caught or ignored - signull # for kill(pid, 0) - signal # all other signals + sigchld + sigkill + sigstop + signal ptrace getsched setsched @@ -226,6 +233,7 @@ getcap setcap share + signull getattr setexec setfscreate @@ -275,7 +283,6 @@ load_policy compute_relabel compute_user - setenforce # was avc_toggle in system class } @@ -285,8 +292,15 @@ class system { + net_io_control + route_control + arp_control + rarp_control ipc_info - syslog_read + avc_toggle + nfsd_control + bdflush + syslog_read syslog_mod syslog_console } @@ -302,14 +316,29 @@ # those definitions. (Order matters) chown - dac_override + dac_execute + dac_write dac_read_search fowner fsetid - kill + kill + link_dir + setfcap setgid - setuid - setpcap + setuid + mac_downgrade + mac_read + mac_relabel_subj + mac_upgrade + mac_write + inf_nofloat_obj + inf_nofloat_subj + inf_relabel_obj + inf_relabel_subj + audit_control + audit_write + setpcap + xxx_invalid1 linux_immutable net_bind_service net_broadcast @@ -332,11 +361,6 @@ lease } - -# -# Define the access vector interpretation for controlling -# changes to passwd information. -# class passwd { passwd ==== //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 (text+ko) ==== 
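Review bot: The process-class hunk removes the explanatory comments on `sigchld`, `sigkill`, `sigstop`, `signull` and `signal` (`# commonly granted from child to parent`, `# cannot be caught or ignored`, `# for kill(pid, 0)`) without replacing them, and moves `signull` down the list to after `share`. If permission values follow declaration order, as the capability block's `(Order matters)` comment says for that class, the move changes the bit signull maps to; when that is intentional for the sebsd kernel, a comment such as `signull # for kill(pid, 0); position must match the kernel's numbering` would record it. Keeping the dropped comments on the reordered lines costs nothing.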
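Review bot: This hunk removes `dac_override` from the capability class (replacing it with `dac_execute` and `dac_write`), yet login.te, mount.te and syslogd.te in this same change still add rules that name it: `{ linux_immutable ... dac_override ... }`, `{ mknod ipc_lock dac_override }` and `{ kill net_bind_service dac_override }`. Unless an m4 definition in the newly added selinux_macros.te maps the old name, checkpolicy should reject those three rules, so either keep `dac_override` in the list or convert them to the new names. `xxx_invalid1` is also left in the ordered list with no explanation; mark it, e.g. `xxx_invalid1 # unused slot kept so the following values keep their positions -- confirm against the kernel`.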
@@ -2,10 +2,9 @@ # Define the labeling behavior for inodes in particular filesystem types. # This information was formerly hardcoded in the SELinux module. -# Use xattrs for the following filesystem types. -# Requires that a security xattr handler exist for the filesystem. -fs_use_xattr ext2 system_u:object_r:fs_t; -fs_use_xattr ext3 system_u:object_r:fs_t; +fs_use_psid ext2; +fs_use_psid ext3; +fs_use_psid ufs; # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. ==== //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 (text+ko) ==== @@ -2,8 +2,8 @@ # # Security contexts for files in filesystems that -# cannot support xattr or use one of the fixed labeling schemes -# specified in fs_use. +# cannot support persistent label mappings or use one of the +# fixed labeling schemes specified in fs_use. # # Each specifications has the form: # genfscon fstype pathname-prefix [ -type ] context 
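Review bot: The new `fs_use_psid ext2;`, `fs_use_psid ext3;` and `fs_use_psid ufs;` lines carry no comment, while the xattr lines they replace had two explaining the scheme and its requirement, and the file's remaining fs_use statements keep theirs. Add one in the same style, e.g. `# Use the persistent SID mapping for the following filesystem types.`, so the switch away from xattrs is documented where it happens.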
@@ -18,51 +18,67 @@ # field by ls, e.g. use -c to match only character device files, -b # to match only block device files. # -# Except for proc, other filesystems are limited to a single entry (/) -# that covers all entries in the filesystem with a default file context. -# For proc, a pathname can be reliably generated from the proc_dir_entry -# tree. The proc /sys entries are used for both proc inodes and for sysctl(2) -# calls. /proc/PID entries are automatically labeled based on the associated -# process. -# -# Support for other filesystem types requires corresponding code to be -# added to the kernel, either as an xattr handler in the filesystem -# implementation (preferred, and necessary if you want to access the labels -# from userspace) or as logic in the SELinux module. -# proc (excluding /proc/PID) +# proc (excluding /proc/PID and /proc/sys) genfscon proc / system_u:object_r:proc_t genfscon proc /kmsg system_u:object_r:proc_kmsg_t genfscon proc /kcore system_u:object_r:proc_kcore_t -genfscon proc /sysvipc system_u:object_r:proc_t -genfscon proc /sys system_u:object_r:sysctl_t -genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t -genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t -genfscon proc /sys/net system_u:object_r:sysctl_net_t -genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t -genfscon proc /sys/vm system_u:object_r:sysctl_vm_t -genfscon proc /sys/dev system_u:object_r:sysctl_dev_t -# rootfs -genfscon rootfs / system_u:object_r:root_t +# procfs (FreeBSD) +genfscon procfs / system_u:object_r:proc_t -# sysfs -genfscon sysfs / system_u:object_r:sysfs_t +# nfs +genfscon nfs / system_u:object_r:nfs_t -# selinuxfs -genfscon selinuxfs / system_u:object_r:security_t +# driverfs +genfscon driverfs / system_u:object_r:driverfs_t -# autofs -ifdef(`automount.te', ` -genfscon autofs / system_u:object_r:autofs_t -') +# usbdevfs +genfscon usbdevfs / system_u:object_r:usbdevfs_t +genfscon usbdevfs /0 -- 
system_u:object_r:usbdevfs_device_t -# iso9660 -genfscon iso9660 / system_u:object_r:iso9660_t - -# vfat, msdos -genfscon vfat / system_u:object_r:dosfs_t -genfscon msdos / system_u:object_r:dosfs_t - -# nfs -genfscon nfs / system_u:object_r:nfs_t +# devfs +genfscon devfs / system_u:object_r:device_t +genfscon devfs /null system_u:object_r:null_device_t +genfscon devfs /zero system_u:object_r:zero_device_t +genfscon devfs /console system_u:object_r:console_device_t +genfscon devfs /kmem system_u:object_r:memory_device_t +genfscon devfs /mem system_u:object_r:memory_device_t +genfscon devfs /random system_u:object_r:random_device_t +genfscon devfs /urandom system_u:object_r:random_device_t +genfscon devfs /tty system_u:object_r:devtty_t +genfscon devfs /ctty system_u:object_r:devtty_t +genfscon devfs /ttyv system_u:object_r:tty_device_t +genfscon devfs /pty system_u:object_r:devpts_t +genfscon devfs /ttyp system_u:object_r:devpts_t +genfscon devfs /ttyq system_u:object_r:devpts_t +genfscon devfs /ttyr system_u:object_r:devpts_t +genfscon devfs /ttys system_u:object_r:devpts_t +genfscon devfs /ttyP system_u:object_r:devpts_t +genfscon devfs /ttyQ system_u:object_r:devpts_t +genfscon devfs /ttyR system_u:object_r:devpts_t +genfscon devfs /ttyS system_u:object_r:devpts_t +#genfscon devfs /cua system_u:object_r:serial_device_t +#genfscon devfs /ttyd system_u:object_r:serial_device_t +#genfscon devfs /ttyid system_u:object_r:serial_device_t +#genfscon devfs /ttyld system_u:object_r:serial_device_t +genfscon devfs /ad -c system_u:object_r:fixed_disk_device_t +genfscon devfs /acd -c system_u:object_r:fixed_disk_device_t +genfscon devfs /fd -c system_u:object_r:removable_device_t +genfscon devfs /ppp system_u:object_r:ppp_device_t +genfscon devfs /initctl system_u:object_r:initctl_t +genfscon devfs /log system_u:object_r:devlog_t +genfscon devfs /misc/psaux system_u:object_r:mouse_device_t +genfscon devfs /input/mouse system_u:object_r:mouse_device_t +genfscon devfs /mse 
system_u:object_r:mouse_device_t +genfscon devfs /psm system_u:object_r:mouse_device_t +genfscon devfs /ums system_u:object_r:mouse_device_t +#genfscon devfs /sysmouse system_u:object_r:sysmouse_device_t +#genfscon devfs /gpmctl system_u:object_r:gpmctl_t +genfscon devfs /ptmx system_u:object_r:ptmx_t +genfscon devfs /acpi system_u:object_r:apm_bios_t +genfscon devfs /sound -c system_u:object_r:sound_device_t +genfscon devfs /usb system_u:object_r:usbdevfs_device_t +genfscon devfs /bpf -c system_u:object_r:bpf_device_t +genfscon devfs /klog system_u:object_r:klog_device_t +# FLASK ==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 (text+ko) ==== @@ -233,8 +233,10 @@ define(`can_setenforce',` allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; -allow $1 security_t:security setenforce; -auditallow $1 security_t:security setenforce; +#allow $1 security_t:security setenforce; +#auditallow $1 security_t:security setenforce; +allow $1 kernel_t:system avc_toggle; +auditallow $1 kernel_t:system avc_toggle; ') ################################## @@ -352,6 +354,8 @@ # define(`uses_shlib',` allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms; +allow $1 lib_t:file getattr; #!!! +allow $1 { var_t var_run_t }:dir search; allow $1 lib_t:lnk_file r_file_perms; allow $1 ld_so_t:file rx_file_perms; allow $1 ld_so_t:file execute_no_trans; @@ -361,6 +365,9 @@ allow $1 ld_so_cache_t:file r_file_perms; allow $1 device_t:dir search; allow $1 null_device_t:chr_file rw_file_perms; + +# on freebsd /dev/random uses a PRNG, so this is safe +allow $1 random_device_t:{chr_file lnk_file} { poll r_file_perms }; ') ################################# @@ -611,9 +618,7 @@ # Access the pty master multiplexer. allow $1_t ptmx_t:chr_file rw_file_perms; -ifdef(`devfsd.te', ` allow $1_t device_t:filesystem getattr; -') allow $1_t devpts_t:filesystem getattr; # allow searching /dev/pts 
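Review bot: In the devfs block the serial-port entries `/cua`, `/ttyd`, `/ttyid` and `/ttyld` are commented out, so, assuming genfscon resolves by longest matching prefix as it does in SELinux, those nodes fall under the shorter `/tty` entry and are labeled devtty_t, the type of the controlling-terminal node; that is likely a broader label than real serial lines should get. Either enable the entries with a type that exists in device.te or add a comment stating that serial ports deliberately inherit devtty_t until serial_device_t is defined. `/fd -c` (removable_device_t) will also match character nodes under /dev/fd/ if the descriptor nodes are character devices there; worth checking on a running system. The hunk's surrounding context ends outside this excerpt.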
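Review bot: `allow $1 lib_t:file getattr; #!!!` in `uses_shlib` leaves a bare `#!!!` marker where an explanation belongs; every domain that loads shared libraries picks this rule up, so the comment should say what fails without it, e.g. `# the dynamic linker stats libraries before mapping them -- confirm`. The comment `# on freebsd /dev/random uses a PRNG, so this is safe` justifies granting every such domain `{ poll r_file_perms }` on random_device_t in terms of blocking behaviour rather than policy; reword it to say which library reads /dev/random at load time, since whether the device blocks does not bear on whether the access belongs in this macro.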
@@ -893,6 +898,7 @@ # Read /dev/random and /dev/zero. allow $1 random_device_t:chr_file r_file_perms; +allow $1 random_device_t:lnk_file r_file_perms; allow $1 zero_device_t:chr_file r_file_perms; # Read the root directory of a tmpfs filesytem and any symbolic links. @@ -1019,6 +1025,7 @@ allow $1_t { self proc_t }:dir r_dir_perms; allow $1_t { self proc_t }:lnk_file read; +allow $1_t self:fd { create use }; allow $1_t device_t:dir { getattr search }; allow $1_t null_device_t:chr_file rw_file_perms; ==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 (text+ko) ==== @@ -35,8 +35,9 @@ # Use capabilities. allow $2_t self:capability { net_bind_service sys_rawio sys_admin }; -# Create and modify /etc/mtab. -file_type_auto_trans($2_t, etc_t, etc_runtime_t, file) +# Create and modify /var/db/mtab. +allow $2_t var_db_t:dir r_dir_perms; +file_type_auto_trans($2_t, var_db_t, etc_runtime_t, file) allow $2_t etc_t:file { getattr read }; ==== //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 (text+ko) ==== @@ -110,9 +110,14 @@ # Type for /dev/cpu/mtrr type mtrr_device_t, file_type; +# Type for /dev/bpf* +type bpf_device_t, file_type; # Type for /dev/apm_bios type apm_bios_t, file_type; # Type for v4l type v4l_device_t, file_type; + +# Type for /dev/klog +type klog_device_t, file_type; ==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 (text+ko) ==== @@ -167,6 +167,7 @@ type tetex_data_t, file_type, sysadmfile, tmpfile; type var_spool_t, file_type, sysadmfile; type var_yp_t, file_type, sysadmfile; +type var_db_t, file_type, sysadmfile; # Type for /var/log/sa. type var_log_sa_t, file_type, sysadmfile, logfile; @@ -271,3 +272,5 @@ type dosfs_t, fs_type, root_dir_type, sysadmfile; allow dosfs_t dosfs_t:filesystem associate; + +type var_db_entropy_t, file_type, sysadmfile;
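Review bot: The mount_macros.te hunk keeps `etc_runtime_t` as the type created by `file_type_auto_trans($2_t, var_db_t, etc_runtime_t, file)` although the file now lives under /var/db, and the `# Create and modify /var/db/mtab.` comment does not say so. Either give the mtab its own type or extend the comment, e.g. `# mtab lives in /var/db on FreeBSD; it keeps the etc_runtime_t type from the /etc layout`, so the name does not mislead.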
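Review bot: `type var_db_entropy_t, file_type, sysadmfile;` is appended after the dosfs_t filesystem-type block at the end of file.te, far from the `var_db_t` declaration this change adds in the /var section in the earlier hunk, and without the `# Type for ...` comment the neighbouring declarations carry. Move it next to var_db_t with `# Type for /var/db/entropy`, the directory initrc.te's new rules refer to.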