PERFORCE change 114578 for review
Todd Miller
millert at FreeBSD.org
Thu Feb 15 20:20:00 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=114578
Change 114578 by millert at millert_p4 on 2007/02/15 20:19:45
Tweak to build with new checkpolicy.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/booleans.conf#2 (text+ko) ====
@@ -8,7 +8,7 @@
#
# Disable transitions to insmod.
#
-secure_mode_insmod = false
+secure_mode_insmod = true
#
# boolean to determine whether the system permits loading policy, setting
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ====
@@ -10,8 +10,6 @@
# kernel_domtrans_to(devd_t, devd_exec_t)
init_daemon_domain(devd_t, devd_exec_t)
-type_transition initrc_t devd_exec_t:process devd_t;
-
type devd_etc_t;
files_config_file(devd_etc_t)
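Review bot: The removed `type_transition initrc_t devd_exec_t:process devd_t;` is presumably redundant with the `init_daemon_domain(devd_t, devd_exec_t)` call just above it, but nothing in the hunk records that, and the stale `# kernel_domtrans_to(devd_t, devd_exec_t)` comment now sits beside a rule that has quietly disappeared. If the interface is what supplies the initrc_t to devd_t transition in this tree, say so where the rule was, e.g. `# initrc_t -> devd_t on devd_exec_t is provided by init_daemon_domain(); do not re-add an explicit type_transition (the newer checkpolicy appears to reject the duplicate)`; if it is not, devd would keep running in initrc_t after this change, so confirm before merging. The same applies to the usbd.te hunk that removes `type_transition initrc_t usbd_exec_t:process usbd_t;`.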
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ====
@@ -10,8 +10,6 @@
#kernel_domtrans_to(usbd_t, usbd_exec_t)
init_daemon_domain(usbd_t, usbd_exec_t)
-type_transition initrc_t usbd_exec_t:process usbd_t;
-
type usbd_etc_t;
files_config_file(usbd_etc_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.if#2 (text+ko) ====
@@ -85,7 +85,7 @@
allow $1 insmod_t:fd use;
allow insmod_t $1:fd use;
allow insmod_t $1:fifo_file rw_file_perms;
- allow insmod_t $1:process sigchld;
+ #allow insmod_t $1:process sigchld;
')
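Review bot: The `sigchld` rule on the + line is commented out with no indication of why, and the same bare `#allow ... sigchld;` edit recurs in the depmod_t and update_modules_t hunks of this file and in modutils.te for depmod_t and the insmod_t self:process line. A reader of the interface cannot tell whether the permission is unknown to the SEBSD process class (in which case the line should simply be deleted, with a note) or whether it was dropped only to quiet a build error and should return once the access vectors catch up. Please replace the commented rule with one line that records the reason, e.g. `# process:sigchld omitted: not accepted by the checkpolicy this tree builds with -- TODO confirm against the SEBSD access vectors`, and mention for callers that the exit signal from insmod_t to the caller's domain is no longer granted, so a denial there is expected rather than a policy bug. The enclosing interface body starts before this hunk.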
########################################
@@ -103,9 +103,9 @@
bool secure_mode_insmod;
')
- if (!secure_mode_insmod) {
- modutils_domtrans_insmod_uncond($1)
- }
+# if (!secure_mode_insmod) {
+# modutils_domtrans_insmod_uncond($1)
+# }
')
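Review bot: With the `if (!secure_mode_insmod)` block commented out, this interface now grants a caller nothing at all, yet the `bool secure_mode_insmod;` require directly above it is kept, and the booleans.conf hunk flips that boolean to `true` even though no conditional still reads it (the `if( ! secure_mode_insmod )` block in modutils.te is commented out in the same change). Callers get no transition and no error, which is easy to misread later as a misconfiguration rather than a deliberate no-op. Either drop the boolean and its require together, or document the state where the block was, e.g. `# NOTE: conditional transition to insmod_t disabled to build with the new checkpolicy; this interface currently grants nothing`. The interface header is above this hunk.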
########################################
@@ -175,7 +175,7 @@
allow $1 depmod_t:fd use;
allow depmod_t $1:fd use;
allow depmod_t $1:fifo_file rw_file_perms;
- allow depmod_t $1:process sigchld;
+ #allow depmod_t $1:process sigchld;
')
########################################
@@ -242,7 +242,7 @@
allow $1 update_modules_t:fd use;
allow update_modules_t $1:fd use;
allow update_modules_t $1:fifo_file rw_file_perms;
- allow update_modules_t $1:process sigchld;
+ #allow update_modules_t $1:process sigchld;
')
########################################
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/refpolicy/policy/modules/system/modutils.te#2 (text+ko) ====
@@ -20,7 +20,6 @@
type insmod_t;
type insmod_exec_t;
-init_system_domain(insmod_t,insmod_exec_t)
mls_file_write_down(insmod_t)
role system_r types insmod_t;
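Review bot: Removing `init_system_domain(insmod_t,insmod_exec_t)` takes away whatever that interface declared for insmod_t, and nothing in this hunk replaces it; the `role system_r types insmod_t;` line that stays is only one of the things such an interface declares, and I cannot see the rest of the module. If this was the only place that made insmod_t a domain and insmod_exec_t its entrypoint, then together with the `kernel_domtrans_to` and `secure_mode_insmod` transitions commented out later in the file, insmod_t becomes a type no process can enter, which may be intended (the booleans.conf comment reads "Disable transitions to insmod") but should be stated. Suggest a comment where the call was, e.g. `# init_system_domain() dropped to build with the new checkpolicy; insmod_t is currently unreachable -- TODO confirm domain_type()/domain_entry_file() are still applied elsewhere`. Only the type declarations above this hunk are visible.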
@@ -43,7 +42,7 @@
#
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+#allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms;
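Review bot: The whole `allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };` rule is commented out, which drops execmem and the four signal permissions along with sigchld; if the new checkpolicy objects to only one or two of those names, the rest should stay, e.g. `allow insmod_t self:process { sigkill sigstop signull signal };` with the rejected names removed. Losing `signal` and `sigkill` on self also combines with the `domain_signal_all_domains(insmod_t)` call commented out in the next hunk: after both, insmod_t can signal no process, including itself. Either keep the accepted subset or leave a comment naming which permissions the build rejected, since a future reader cannot reconstruct that from a blanket `#`.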
@@ -88,7 +87,7 @@
corecmd_exec_sbin(insmod_t)
corecmd_exec_shell(insmod_t)
-domain_signal_all_domains(insmod_t)
+#domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
files_read_etc_runtime_files(insmod_t)
@@ -115,25 +114,25 @@
seutil_read_file_contexts(insmod_t)
-if( ! secure_mode_insmod ) {
- kernel_domtrans_to(insmod_t,insmod_exec_t)
-}
+#if( ! secure_mode_insmod ) {
+# kernel_domtrans_to(insmod_t,insmod_exec_t)
+#}
ifdef(`hide_broken_symptoms',`
dev_dontaudit_rw_cardmgr(insmod_t)
')
-ifdef(`targeted_policy',`
- unconfined_domain(insmod_t)
-')
+#ifdef(`targeted_policy',`
+# unconfined_domain(insmod_t)
+#')
optional_policy(`hotplug',`
hotplug_search_config(insmod_t)
')
-optional_policy(`mount',`
- mount_domtrans(insmod_t)
-')
+#optional_policy(`mount',`
+# mount_domtrans(insmod_t)
+#')
optional_policy(`nis',`
nis_use_ypbind(insmod_t)
@@ -236,7 +235,7 @@
allow update_modules_t depmod_t:fd use;
allow depmod_t update_modules_t:fd use;
allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
+#allow depmod_t update_modules_t:process sigchld;
allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
allow update_modules_t update_modules_tmp_t:file create_file_perms;