Date: Thu, 26 Jun 2003 18:28:48 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 33724 for review Message-ID: <200306270128.h5R1SmAL016199@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=33724 Change 33724 by cvance@cvance_demo on 2003/06/26 18:28:30 Update SEBSD policy slightly - allows system to boot in enforcing mode, with (very) basic support. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 edit Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 (text+ko) ====
@@ -41,5 +41,8 @@
 allow getty_t tty_device_t:chr_file rw_file_perms;
 allow getty_t ttyfile:chr_file rw_file_perms;
+rw_dir_create_file(getty_t, var_lock_t)
-rw_dir_create_file(getty_t, var_lock_t)
+# Allow getty _secure_path call to stat /root/.login_conf
+allow getty_t sysadm_home_t:dir r_dir_perms;
+
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ====
@@ -76,6 +76,7 @@
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
+allow initrc_t ld_so_cache_t:file unlink;
 # Update /etc/mail.
 allow initrc_t etc_mail_t:file rw_file_perms;
@@ -98,6 +99,7 @@
 # Access /var/db/entropy.
 allow initrc_t var_db_entropy_t:file rw_file_perms;
 allow initrc_t var_db_entropy_t:file unlink;
+allow initrc_t var_db_entropy_t:dir read;
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
@@ -154,6 +156,8 @@
 ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
 allow initrc_t var_spool_t:file rw_file_perms;
+allow initrc_t var_spool_t:file { create unlink };
+allow initrc_t var_spool_t:dir rw_dir_perms;
 ifdef(`pump.te', `allow initrc_t pump_var_run_t:sock_file unlink;')
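Review bot: The rule added under the new comment in the getty.te hunk grants `r_dir_perms` on `sysadm_home_t:dir`, which looks wider than the stated purpose of letting `_secure_path` stat /root/.login_conf. Resolving a path through a directory needs only `search` on it. `r_dir_perms` is defined outside this diff, but if it includes `read`, as in the stock example policy, getty_t could also list root's home directory. Consider `allow getty_t sysadm_home_t:dir search;`, and check whether `getattr` on the file itself is granted elsewhere, since this hunk adds no file-class rule.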
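Review bot: In the `@@ -154,6 +156,8 @@` hunk of initrc.te the two added `var_spool_t` rules carry no comment, while nearby rules state their purpose (`# Update /etc/mail.`, `# Create lock file.`). They are written against what appears to be the generic spool type, so initrc_t gains create, unlink and directory write access wherever that label is applied, not only on the file the boot scripts touch. A comment naming the rc step that needs this, for example `# <rc script> recreates its spool file at boot.`, would let a later reviewer decide whether a dedicated type for that file would be tighter.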
@@ -209,3 +213,6 @@
 allow initrc_t pidfile:sock_file unlink;
 allow initrc_t tmpfile:sock_file unlink;
 rw_dir_create_file(initrc_t, var_lib_t)
+
+allow initrc_t devfs_t:dir rw_dir_perms;
+allow initrc_t devfs_t:lnk_file create;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 (text+ko) ====
@@ -25,3 +25,5 @@
 allow ldconfig_t etc_t:file r_file_perms;
 allow ldconfig_t fs_t:filesystem getattr;
+
+allow ldconfig_t init_t:fd use;
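Review bot: The two `devfs_t` rules appended at the end of initrc.te give initrc_t write access to devfs directories and let it create symlinks there, with no comment saying which boot step requires it. Names under devfs decide which device a path resolves to, so this grant deserves a stated reason, for example `# rc scripts create device symlinks under /dev at boot.` (inferred; confirm against the denial that prompted the rule). `rw_dir_perms` is defined outside this diff; if it includes `remove_name`, as in the stock example policy, the directory grant is wider than the create-only `lnk_file` rule can use.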
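Review bot: `allow ldconfig_t init_t:fd use;` in the ldconfig.te hunk is added without a comment, unlike the commented rules in initrc.te. It reads as permission to use descriptors inherited from init, presumably the console passed down through the rc scripts. A line such as `# Use descriptors inherited from init when run from the rc scripts.` would record that. This is inferred from the rule alone, so confirm it against the denial seen at boot.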