Date: Tue, 22 Aug 2006 11:53:43 GMT From: dongmei <dongmei@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 104768 for review Message-ID: <200608221153.k7MBrh19043801@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=104768 Change 104768 by dongmei@soc-dongmei-sebsd on 2006/08/22 11:53:00 Correct a part of booting error, as the error about swapon, fsck and hosstname. In addition, make the filesystem types that cannot support persistent label mapping such as devfs labeled correctly. Affected files ... .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if.in#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if.m4#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te.in#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te.m4#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/metadata.xml#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/metadata.xml#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.te#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.fc#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.if#2 edit .. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.te#2 edit Differences ... ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corecommands.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if.in#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.if.m4#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te#2 (text+ko) ==== @@ -47,6 +47,7 @@ type ppp_device_t; dev_node(ppp_device_t) +genfscon devfs /ppp gen_context(system_u:object_r:ppp_device_t,s0) # # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te.in#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/corenetwork.te.m4#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#2 (text+ko) ==== @@ -2253,6 +2253,21 @@ allow $1 sysfs_t:dir search; ') +############################################################ +## <summary> +## Get the attributes of devfs +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action +## </summary> +## </param> +# +interface(`dev_getattr_devfs',` + # TODO + allow $1 device_t:filesystem getattr; +') + ######################################## ## <summary> @@ -2271,7 +2286,24 @@ dontaudit $1 sysfs_t:dir search; ') +############################################################ +## <summary> +## Search the devfs directories +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action +## </summary> +## </param> +# +interface(`dev_search_devfs',` + gen_require(` + type device_t; + ') + allow $1 device_t:dir search; + ') + ######################################## ## <summary> ## List the contents of the sysfs directories. @@ -2308,6 +2340,23 @@ allow $1 sysfs_t:dir r_dir_perms; allow $1 sysfs_t:{ file lnk_file } r_file_perms; ') +######################################## +## <summary> +## Allow caller to read /dev +## </summary> +## <param name="domain"> +## <summary> +## The process type reading hardware state information. +## </summary> +## </param> +# +interface(`dev_read_chr_file_devfs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file r_file_perms; +') ######################################## ## <summary> ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.te#2 (text+ko) ==== @@ -158,7 +158,9 @@ fs_noxattr_type(usbfs_t) genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) - +#lll begin +genfscon usbdevfs /0 -- gen_context(system_u:object_r:usbfs_t,s0) +#lll end # # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ # @@ -167,7 +169,23 @@ # SEBSD still uses devfs so we need to genfscon the usb entries genfscon devfs /usb gen_context(system_u:object_r:usb_device_t,s0) +#lll begin +genfscon devfs / gen_context(system_u:object_r:device_t,s0) +genfscon devfs /acd -c gen_context(system_u:object_r:fixed_disk_device_t,s0) +genfscon devfs /fd -c gen_context(system_u:object_r:fixed_disk_device_t,s0) +genfscon devfs /initctl gen_context(system_u:object_r:initctl_t,s0) +genfscon devfs /log gen_context(system_u:object_r:devlog_t,s0) +genfscon devfs /misc/psaux gen_context(system_u:object_r:mouse_device_t,s0) +genfscon devfs /input/mouse gen_context(system_u:object_r:mouse_device_t,s0) +genfscon devfs /mse gen_context(system_u:object_r:mouse_device_t,s0) +genfscon devfs /psm gen_context(system_u:object_r:mouse_device_t,s0) +genfscon devfs /acpi gen_context(system_u:object_r:mouse_device_t,s0) +genfscon devfs /sound -c gen_context(system_u:object_r:sound_device_t,s0) +#genfscon devfs /usb gen_context(system_u:object_r:usbdevfs_device_t,s0) +#genfscon devfs /bpf -c gen_context(system_u:object_r:bpf_device_t,s0) +#genfscon devfs /klog gen_context(system_u:object_r:klog_device_t,s0) +#lll end type v4l_device_t; dev_node(v4l_device_t) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/domain.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#2 (text+ko) ==== @@ -2773,7 +2773,24 @@ allow $1 usr_t:dir search; allow $1 usr_t:file getattr; ') +######################################## +## <summary> +## Get the attributes of files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_etc_files',` + gen_require(` + type etc_t; + ') + allow $1 etc_t:file getattr; +') + ######################################## # # files_read_usr_files(domain) @@ -3016,6 +3033,25 @@ dontaudit $1 var_t:dir write; ') +############################################################ +## <summary> +## Search the contents of / +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_root',` + + gen_require(` + type root_t; + ') + + allow $1 root_t:dir search_dir_perms; +') + ######################################## ## <summary> @@ -3215,7 +3251,24 @@ allow $1 { var_t var_lib_t }:dir search_dir_perms; ') +######################################## +## <summary> +## Search the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_var_run',` + gen_require(` + type var_t, var_run_t; + ') + allow $1 { var_t var_run_t }:dir search_dir_perms; +') + ######################################## ## <summary> ## List the contents of the /var/lib directory. @@ -3283,6 +3336,24 @@ allow $1 { var_t var_lib_t }:dir search_dir_perms; allow $1 var_lib_t:file r_file_perms; ') +######################################## +## <summary> +## Read generic files in /var/run. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_var_run_files',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 { var_t var_run_t }:dir search_dir_perms; + allow $1 var_run_t:file r_file_perms; +') ######################################## ## <summary> ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mcs.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/metadata.xml#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/mls.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/selinux.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.if#2 (text+ko) ==== @@ -532,6 +532,23 @@ allow $1 devpts_t:dir r_dir_perms; dontaudit $1 ptynode:chr_file getattr; ') +############################################################ +## <summary> +## Get the attributes of console device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`term_getattr_console',` + gen_require(` + type console_device_t; + ') + allow $1 console_device_t:chr_file getattr; +') + ######################################## ## <summary> ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/terminal.te#2 (text+ko) ==== @@ -14,6 +14,25 @@ # bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] type bsdpty_device_t; dev_node(bsdpty_device_t) +genfscon devfs /null gen_context(system_u:object_r:null_device_t,s0) +genfscon devfs /zero gen_context(system_u:object_r:zero_device_t,s0) +genfscon devfs /console gen_context(system_u:object_r:console_device_t,s0) +genfscon devfs /kmem gen_context(system_u:object_r:memory_device_t,s0) +genfscon devfs /mem gen_context(system_u:object_r:memory_device_t,s0) +genfscon devfs /random gen_context(system_u:object_r:random_device_t,s0) +genfscon devfs /urandom gen_context(system_u:object_r:random_device_t,s0) +genfscon devfs /tty gen_context(system_u:object_r:devtty_t,s0) +genfscon devfs /ctty gen_context(system_u:object_r:devtty_t,s0) +genfscon devfs /ttyv gen_context(system_u:object_r:tty_device_t,s0) +genfscon devfs /pty gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyp gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyq gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyr gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttys gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyP gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyQ gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyR gen_context(system_u:object_r:devpts_t,s0) +genfscon devfs /ttyS gen_context(system_u:object_r:devpts_t,s0) # # console_device_t is the type of /dev/console. ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#2 (text+ko) ==== @@ -1,5 +1,5 @@ -/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/clock.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/daemontools.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#2 (text+ko) ==== @@ -73,7 +73,30 @@ dev_getattr_usbfs_dirs(fsadm_t) # Access to /dev/mapper/control dev_rw_lvm_control(fsadm_t) +#lll begin for swapon +#Access /dev +dev_search_devfs(fsadm_t) +#Access /dev/console +term_getattr_console(fsadm_t) +#?for the avc error denied:fsadm_t init_t:fd {use} +init_use_fds(fsadm_t) +storage_getattr_fixed_disk_dev(fsadm_t) +#for fsck +#for fsck search /sbin directory +corecmd_search_sbin(fsadm_t) +#for fsck_ufs,fsck_ffs,fsck_4.2bsd command +can_exec(fsadm_t,fsadm_exec_t) +# +corecmd_search_bin(fsadm_t) +#for /libexec/ld-elf.so.1 +libs_exec_ld_so(fsadm_t) +#for fsck_ufs +dev_getattr_devfs(fsadm_t) + + + +#lll end fs_search_auto_mountpoints(fsadm_t) fs_getattr_xattr_fs(fsadm_t) fs_rw_ramfs_pipes(fsadm_t) @@ -167,3 +190,9 @@ optional_policy(`nis',` nis_use_ypbind(fsadm_t) ') +#lll begin +storage_raw_read_fixed_disk(fsadm_t) + +storage_raw_write_fixed_disk(fsadm_t) + + ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#2 (text+ko) ==== @@ -56,6 +56,27 @@ sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) +#begin lll +allow hostname_t hostname_exec_t:file entrypoint; +allow hostname_t hostname_t:fd create; +allow hostname_t hostname_t:capability sys_resource; +allow hostname_t hostname_t:fd use; + +files_search_root(hostname_t) +files_search_etc(hostname_t) +files_read_etc_files(hostname_t) +files_getattr_etc_files(hostname_t) +files_search_var(hostname_t) +files_search_var_run(hostname_t) +files_read_var_run_files(hostname_t) +libs_search_lib(hostname_t) +libs_read_shlib_files(hostname_t) +files_getattr_shlib_files(hostname_t) +libs_exec_shlib_files(hostname_t) +userdom_rw_sysadm_pipes(hostname_t) +userdom_getattr_sysadm_pipes(hostname_t) +dev_read_chr_file_devfs(hostname_t) + ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hotplug.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/ipsec.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/iptables.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#2 (text+ko) ==== @@ -220,7 +220,25 @@ allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:{ file lnk_file } r_file_perms; ') +######################################## +## <summary> +## Read files in the library directories, such +## as static libraries. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`libs_read_shlib_files',` + gen_require(` + type shlib_t; + ') + allow $1 shlib_t:{ file lnk_file } r_file_perms; +') + ######################################## ## <summary> ## Execute library scripts in the caller domain. @@ -241,6 +259,40 @@ allow $1 lib_t:lnk_file r_file_perms; can_exec($1,lib_t) ') +######################################## +## <summary> +## Execute library scripts in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`libs_exec_shlib_files',` + gen_require(` + type shlib_t; + ') + + can_exec($1,shlib_t) +') +######################################## +## <summary> +## Get the attributes of files in /lib/*. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_shlib_files',` + gen_require(` + type shlib_t; + ') + + allow $1 shlib_t:file getattr; +') ######################################## ## <summary> ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/lvm.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/metadata.xml#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/miscfiles.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/mount.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/pcmcia.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/raid.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/selinuxutil.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/udev.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.if#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/unconfined.te#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.fc#2 (text+ko) ==== ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.if#2 (text+ko) ==== @@ -974,6 +974,17 @@ allow $1 removable_t:filesystem getattr; ') dnl endif TODO +files_search_mnt($1_t) +corecmd_exec_sbin($1_t) +corecmd_exec_shell($1_t) +files_search_boot($1_t) +files_exec_etc_files($1_t) +files_exec_usr_files($1_t) +files_manage_var_dirs($1_t) +logging_search_logs($1_t) + + + ') ######################################## @@ -3411,6 +3422,23 @@ allow $1 sysadm_home_dir_t:dir getattr; ') +######################################## +## <summary> +## Get the attributes of the sysadm pipes +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_getattr_sysadm_pipes',` + gen_require(` + type sysadm_t; + ') + + allow $1 sysadm_t:fifo_file getattr; +') ######################################## ## <summary> @@ -4432,3 +4460,5 @@ allow $1 user_home_dir_t:dir create_dir_perms; files_home_filetrans($1,user_home_dir_t,dir) ') + + ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/userdomain.te#2 (text+ko) ====
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608221153.k7MBrh19043801>