PERFORCE change 39741 for review

Andrew Reisse areisse at FreeBSD.org
Wed Oct 15 12:33:01 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=39741

Change 39741 by areisse at areisse_tislabs on 2003/10/15 05:32:25

	fixes for cron.
	changes in cvs to allow different originating types.
	possible compilation fixes

Affected files ...

.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#3 (text+ko) ====

@@ -61,6 +61,7 @@
 allow crond_t bin_t:lnk_file read;
 
 # Read from /var/spool/cron.
+allow crond_t var_t:dir search;
 allow crond_t var_lib_t:dir search;
 allow crond_t var_spool_t:dir r_dir_perms;
 allow crond_t cron_spool_t:dir r_dir_perms;
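Review bot: The comment above the added `allow crond_t var_t:dir search;` still mentions only `/var/spool/cron`, so it does not explain why search on `var_t` is needed alongside `var_lib_t` and `var_spool_t`. The crond.fc section of this change labels `/var/cron` for FreeBSD, so presumably the rule lets crond_t traverse `/var` to reach that directory. I would record that in the comment, e.g. `# Read from /var/spool/cron (/var/cron on FreeBSD); search on var_t is needed to traverse /var.`, so a later least-privilege audit can tell the grant is deliberate.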

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#2 (text+ko) ====

@@ -1,6 +1,7 @@
 
 type cvs_exec_t, exec_type, file_type, sysadmfile;
 
-cvs_program_domain(user)
+cvs_program_domain(user,user)
 #domain_auto_trans(user_t,cvs_exec_t,user_cvs_rw_t)
 role user_r types user_cvs_rw_t;
+role user_r types user_cvs_ro_t;
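Review bot: `user_r` is now authorized for `user_cvs_ro_t`, but the only transition visible in this file is the commented-out `domain_auto_trans` into `user_cvs_rw_t`. From these lines it is not clear how, or whether, a `user_r` process is meant to enter the read-only domain. A short comment above the two `role` lines would help, for example `# user_r may run cvs in either domain; entry into user_cvs_ro_t is set up in <place>`, as would a note on what the second `user` argument of `cvs_program_domain(user,user)` selects.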

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#3 (text+ko) ====

@@ -21,5 +21,6 @@
 /var/run/fcron\.pid		system_u:object_r:crond_var_run_t
 # FreeBSD
 /var/cron			system_u:object_r:cron_spool_t
+/var/cron/tabs			system_u:object_r:cron_spool_t
 /var/cron/tabs/.*		system_u:object_r:user_cron_spool_t
 /var/cron/tabs/root		system_u:object_r:sysadm_cron_spool_t
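Review bot: The added `/var/cron/tabs` entry, like the `/var/cron` entry above it, is an exact-path pattern, so only those two directories receive `cron_spool_t`. Anything else created directly under `/var/cron` is not matched by the lines visible here and would take whatever broader pattern applies. Entries before line 21 of the file are outside this hunk, so this may already be covered. If it is not, I would state the intent in a comment such as `# Only the spool directories are labelled here; per-user tabs are matched below.` and confirm that no other cron-owned files under `/var/cron` need a label.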

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#8 (text+ko) ====

@@ -626,10 +626,6 @@
 
 # allow searching /dev/pts
 allow $1_t devpts_t:dir { getattr read search };
-
-# For systems without /dev/ptmx
-#allow $1_t devpts_t:chr_file { poll getattr setattr read write };
-#type_change $1_t devpts_t:chr_file $1_devpts_t;
 ')
 
 ##################################
@@ -638,7 +634,7 @@
 #
 # Permissions for creating ptys.
 #
-define(`can_create_pty',`
+define(`can_create_pty', `
 base_pty_perms($1)
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
 
@@ -653,7 +649,7 @@
 
 # Read and write my pty files.
 allow $1_t $1_devpts_t:chr_file { poll setattr rw_file_perms };
-')
+)
 
 
 ##################################
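Review bot: Replacing `')` with `)` at the end of `can_create_pty` appears to drop the closing m4 quote for the body opened by ``define(`can_create_pty', ` `` in the previous hunk. If the body is otherwise balanced, m4 will keep reading quoted text past this `)` until the next `'`, so the definitions that follow in global_macros.te could be absorbed into this macro or the build could fail. In a policy file the first outcome matters most, because rules can go missing from or appear in the compiled policy without an error. The middle of the macro body is outside both hunks, so this cannot be fully confirmed from here, but unless there is a stray quote in that part the line should stay `')`.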

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/crond_macros.te#2 (text+ko) ====

@@ -52,6 +52,7 @@
 allow $1_crond_t self:process { fork signal_perms };
 allow $1_crond_t proc_t:dir { getattr search read };
 allow $1_crond_t proc_t:file { getattr read };
+allow $1_crond_t self:fd { create use };
 read_locale($1_crond_t)
 allow $1_crond_t sysctl_kernel_t:dir search;
 allow $1_crond_t sysctl_kernel_t:file { getattr read };

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#2 (text+ko) ====

@@ -45,11 +45,11 @@
 
 # read/write user home directory
 allow { $1_cvs_rw_t $1_cvs_ro_t } home_root_t:dir search;
-allow { $1_cvs_rw_t $1_cvs_ro_t } { $1_home_dir_t $1_home_t }:dir create_dir_perms;
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_home_t:file create_file_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } { $2_home_dir_t $2_home_t }:dir create_dir_perms;
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_home_t:file create_file_perms;
 
 # talk to the terminal
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_devpts_t:chr_file { write read getattr poll };
-allow { $1_cvs_rw_t $1_cvs_ro_t } $1_tty_device_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_devpts_t:chr_file { write read getattr poll };
+allow { $1_cvs_rw_t $1_cvs_ro_t } $2_tty_device_t:chr_file { write read getattr poll };
 
 ')
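Review bot: With `$2` now independent of `$1`, both `$1_cvs_rw_t` and `$1_cvs_ro_t` get `create_dir_perms` and `create_file_perms` on the home types of whichever prefix is passed as `$2`, plus read/write on that prefix's pty and tty devices. Nothing in the hunk documents or constrains which `$2` values are acceptable. The macro header is outside this hunk; it should gain a line such as `# cvs_program_domain(domain_prefix, origin_prefix): $2 is the originating user domain whose home directory and terminals the cvs domains may use`. It is also worth confirming that the `_ro_` domain really needs create permissions across all of `$2_home_t`, rather than read access or a narrower working-directory type. A caller that passes a more privileged prefix as `$2` would otherwise hand both cvs domains write access to that user's whole home directory.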