PERFORCE change 114578 for review

Todd Miller millert at FreeBSD.org
Thu Feb 15 20:20:00 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=114578

Change 114578 by millert at millert_p4 on 2007/02/15 20:19:45

	Tweak to build with new checkpolicy.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 (text+ko) ====

@@ -8,7 +8,7 @@
 #
 # Disable transitions to insmod.
 # 
-secure_mode_insmod = false
+secure_mode_insmod = true
 
 #
 # boolean to determine whether the system permits loading policy, setting
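Review bot: Setting `secure_mode_insmod = true` changes the shipped default of a security boolean in a change described only as a build tweak, and the comment above it still reads as if the boolean controls transitions to insmod. In this same change both `secure_mode_insmod` conditionals (in modutils.if and modutils.te) are commented out, so as far as the visible hunks show, the boolean no longer gates any rule and toggling it at runtime would have no effect. A line such as `# SEBSD: currently has no effect; the conditional insmod transitions are disabled in modutils.if/.te` would keep administrators from relying on it.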

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ====

@@ -10,8 +10,6 @@
 # kernel_domtrans_to(devd_t, devd_exec_t)
 init_daemon_domain(devd_t, devd_exec_t)
 
-type_transition initrc_t devd_exec_t:process devd_t;
-
 
 type devd_etc_t;
 files_config_file(devd_etc_t)

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ====

@@ -10,8 +10,6 @@
 #kernel_domtrans_to(usbd_t, usbd_exec_t)
 init_daemon_domain(usbd_t, usbd_exec_t)
 
-type_transition initrc_t usbd_exec_t:process usbd_t;
-
 
 type usbd_etc_t;
 files_config_file(usbd_etc_t)

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 (text+ko) ====

@@ -85,7 +85,7 @@
 	allow $1 insmod_t:fd use;
 	allow insmod_t $1:fd use;
 	allow insmod_t $1:fifo_file rw_file_perms;
-	allow insmod_t $1:process sigchld;
+	#allow insmod_t $1:process sigchld;
 ')
 
 ########################################
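Review bot: The rule at `#allow insmod_t $1:process sigchld;` is commented out with no stated reason. The same pattern repeats for `depmod_t` and `update_modules_t` later in this file, and in modutils.te for the `self:process` rule, `domain_signal_all_domains(insmod_t)` and the `depmod_t update_modules_t` rule. Without a reason beside each disabled rule, a later maintainer may re-enable or delete it blindly; a marker such as `# XXX SEBSD: disabled to build with new checkpolicy (reason: ...)` would record the intent, with the actual reason filled in by the author. In modutils.te the whole `allow insmod_t self:process { ... }` line is dropped, so every permission in that set is removed, not only the one that presumably fails to compile. The enclosing interface begins outside the hunk.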
@@ -103,9 +103,9 @@
 		bool secure_mode_insmod;
 	')
 
-	if (!secure_mode_insmod) {
-		modutils_domtrans_insmod_uncond($1)
-	}
+#	if (!secure_mode_insmod) {
+#		modutils_domtrans_insmod_uncond($1)
+#	}
 ')
 
 ########################################
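Review bot: With the `if (!secure_mode_insmod)` block commented out, the interface body visible here is left with only its `gen_require`, so callers appear to receive no transition into `insmod_t` at all. If those callers can still execute the module tools, the tools would run in the caller's domain instead of the confined one, which weakens the separation the interface exists to provide; if they cannot, module loading simply fails for them. If the conditional is what the new checkpolicy rejects, calling `modutils_domtrans_insmod_uncond($1)` unconditionally would keep the transition. Otherwise a comment like `# XXX SEBSD: transition disabled, callers get no access to insmod_t` should state that the no-op is intended. The interface header is outside the hunk.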
@@ -175,7 +175,7 @@
 	allow $1 depmod_t:fd use;
 	allow depmod_t $1:fd use;
 	allow depmod_t $1:fifo_file rw_file_perms;
-	allow depmod_t $1:process sigchld;
+	#allow depmod_t $1:process sigchld;
 ')
 
 ########################################
@@ -242,7 +242,7 @@
 	allow $1 update_modules_t:fd use;
 	allow update_modules_t $1:fd use;
 	allow update_modules_t $1:fifo_file rw_file_perms;
-	allow update_modules_t $1:process sigchld;
+	#allow update_modules_t $1:process sigchld;
 ')
 
 ########################################

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 (text+ko) ====

@@ -20,7 +20,6 @@
 
 type insmod_t;
 type insmod_exec_t;
-init_system_domain(insmod_t,insmod_exec_t)
 mls_file_write_down(insmod_t)
 role system_r types insmod_t;
 
@@ -43,7 +42,7 @@
 #
 
 allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+#allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
 allow insmod_t self:udp_socket create_socket_perms; 
 allow insmod_t self:rawip_socket create_socket_perms; 
@@ -88,7 +87,7 @@
 corecmd_exec_sbin(insmod_t)
 corecmd_exec_shell(insmod_t)
 
-domain_signal_all_domains(insmod_t)
+#domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
 
 files_read_etc_runtime_files(insmod_t)
@@ -115,25 +114,25 @@
 
 seutil_read_file_contexts(insmod_t)
 
-if( ! secure_mode_insmod ) {
-	kernel_domtrans_to(insmod_t,insmod_exec_t)
-}
+#if( ! secure_mode_insmod ) {
+#	kernel_domtrans_to(insmod_t,insmod_exec_t)
+#}
 
 ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_rw_cardmgr(insmod_t)
 ')
 
-ifdef(`targeted_policy',`
-	unconfined_domain(insmod_t)
-')
+#ifdef(`targeted_policy',`
+#	unconfined_domain(insmod_t)
+#')
 
 optional_policy(`hotplug',`
 	hotplug_search_config(insmod_t)
 ')
 
-optional_policy(`mount',`
-	mount_domtrans(insmod_t)
-')
+#optional_policy(`mount',`
+#	mount_domtrans(insmod_t)
+#')
 
 optional_policy(`nis',`
 	nis_use_ypbind(insmod_t)
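Review bot: No entry path into `insmod_t` remains among the visible hunks once the `kernel_domtrans_to(insmod_t,insmod_exec_t)` block here is commented out, because `init_system_domain(insmod_t,insmod_exec_t)` is removed earlier in this file and the conditional transition in modutils.if is disabled as well. If that reading is right, the remaining `insmod_t` rules are unreachable and module loading is no longer confined to that domain, so it is worth confirming with a test load which domain the loader actually runs in. The `targeted_policy` and `mount` blocks are disabled in the same hunk without a stated reason; a one-line comment per block, e.g. `# XXX SEBSD: disabled for new checkpolicy, see change 114578`, would make them recoverable.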
@@ -236,7 +235,7 @@
 allow update_modules_t depmod_t:fd use;
 allow depmod_t update_modules_t:fd use;
 allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
+#allow depmod_t update_modules_t:process sigchld;
 
 allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;

