PERFORCE change 67131 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Dec 15 17:24:38 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=67131
Change 67131 by areisse at areisse_tislabs on 2004/12/15 17:23:47
types were not merged with rest of the policy...
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/devpts.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/network.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/nfs.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/procfs.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/security.te#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/x.te#1 branch
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/device.te#4 (text+ko) ====
@@ -15,108 +15,141 @@
#
# null_device_t is the type of /dev/null.
#
-type null_device_t, file_type, mlstrustedobject;
+type null_device_t, device_type, mlstrustedobject;
#
# zero_device_t is the type of /dev/zero.
#
-type zero_device_t, file_type, mlstrustedobject;
+type zero_device_t, device_type, mlstrustedobject;
#
# console_device_t is the type of /dev/console.
#
-type console_device_t, file_type;
+type console_device_t, device_type;
#
# memory_device_t is the type of /dev/kmem,
# /dev/mem, and /dev/port.
#
-type memory_device_t, file_type;
+type memory_device_t, device_type;
#
-# random_device_t is the type of /dev/urandom
-# and /dev/random.
+# random_device_t is the type of /dev/random
+# urandom_device_t is the type of /dev/urandom
#
-type random_device_t, file_type;
+type random_device_t, device_type;
+type urandom_device_t, device_type;
#
# devtty_t is the type of /dev/tty.
#
-type devtty_t, file_type, mlstrustedobject;
+type devtty_t, device_type, mlstrustedobject;
#
# tty_device_t is the type of /dev/*tty*
#
-type tty_device_t, file_type;
+type tty_device_t, serial_device, device_type;
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t, device_type;
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t, serial_device, device_type;
+
+#
+# printer_device_t is the type for printer devices
+#
+type printer_device_t, file_type, device_type;
#
# fixed_disk_device_t is the type of
# /dev/hd* and /dev/sd*.
#
-type fixed_disk_device_t, file_type;
+type fixed_disk_device_t, device_type;
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t, device_type;
#
# removable_device_t is the type of
# /dev/scd* and /dev/fd*.
#
-type removable_device_t, file_type;
+type removable_device_t, device_type;
#
# clock_device_t is the type of
# /dev/rtc.
#
-type clock_device_t, file_type;
+type clock_device_t, device_type;
#
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
#
-type tun_tap_device_t, file_type;
+type tun_tap_device_t, device_type;
#
# misc_device_t is the type of miscellaneous devices.
# XXX: FIXME! Appropriate access to these devices need to be identified.
#
-type misc_device_t, file_type;
+type misc_device_t, device_type;
#
-# psaux_t is the type of the /dev/psaux mouse device.
-# This type is deprecated and will be removed.
+# A more general type for mouse devices.
#
-type psaux_t, file_type;
+type mouse_device_t, device_type;
#
-# A more general type for mouse devices.
+# For generic /dev/input/event* event devices
#
-type mouse_device_t, file_type;
+type event_device_t, device_type;
#
# Not sure what these devices are for, but X wants access to them.
#
-type agp_device_t, file_type;
-type dri_device_t, file_type;
+type agp_device_t, device_type;
+type dri_device_t, device_type;
# Type for sound devices.
-type sound_device_t, file_type;
+type sound_device_t, device_type;
# Type for /dev/ppp.
-type ppp_device_t, file_type;
+type ppp_device_t, device_type;
# Type for frame buffer /dev/fb/*
-type framebuf_device_t, file_type;
+type framebuf_device_t, device_type;
# Type for /dev/.devfsd
-type devfs_control_t, file_type;
+type devfs_control_t, device_type;
# Type for /dev/cpu/mtrr
-type mtrr_device_t, file_type;
+type mtrr_device_t, device_type;
# Type for /dev/bpf*
type bpf_device_t, file_type;
# Type for /dev/apm_bios
-type apm_bios_t, file_type;
+type apm_bios_t, device_type;
# Type for v4l
+type v4l_device_t, device_type;
+
+# tape drives
+type tape_device_t, device_type;
+
+# scanners
+type scanner_device_t, device_type;
+
+# cpu control devices /dev/cpu/0/*
+type cpu_device_t, device_type;
+
+# for other device nodes such as the NVidia binary-only driver
+type xserver_misc_device_t, device_type;
type v4l_device_t, file_type;
# Type for /dev/klog
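Review bot: `v4l_device_t` ends up declared twice on the new side: the added `type v4l_device_t, device_type;` sits under `# Type for v4l`, and the old `type v4l_device_t, file_type;` survives as a context line after `xserver_misc_device_t`. A duplicate type declaration is normally rejected by the policy compiler, so the old line should be deleted. `bpf_device_t` is also left as `file_type`, and `printer_device_t` carries both `file_type` and `device_type`, so the split between the two attributes is not uniform; either convert them or add a comment such as `# kept as file_type because <reason>`. The `usbtty_device_t` comment says `/dev/usr/tty*`, which looks like a typo for `/dev/usb/tty*`.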
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/devpts.te#4 (text+ko) ====
@@ -10,7 +10,7 @@
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t, file_type, sysadmfile;
+type ptmx_t, file_type, sysadmfile, device_type;
#
# devpts_t is the type of the devpts file system and
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/file.te#4 (text+ko) ====
@@ -9,38 +9,47 @@
#
# unlabeled_t is the type of unlabeled objects.
-# Eventually, once all objects are labeled and
-# controlled by the security policy, unlabeled_t
-# will not be used.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
#
-type unlabeled_t, fs_type, file_type, root_dir_type, sysadmfile;
+type unlabeled_t, sysadmfile;
#
-# fs_t is the default type of an unlabeled
-# file system. When an unlabeled file system is
-# mounted read-write, the file system is labeled
-# with this type. Except for the root file system,
-# other types may be specified using the fs_contexts
-# or fs_contexts.mls file.
+# fs_t is the default type for conventional filesystems.
#
type fs_t, fs_type;
+# needs more work
+type eventpollfs_t, fs_type;
+type futexfs_t, fs_type;
+type bdev_t, fs_type;
+type usbfs_t, fs_type;
+type nfsd_fs_t, fs_type;
+type rpc_pipefs_t, fs_type;
+type binfmt_misc_fs_t, fs_type;
+
#
-# file_t is the default type of an unlabeled
-# file. When an unlabeled file system is mounted
-# read-write, all files in the file system are labeled
-# with this type. Except for the root file system,
-# other types may be specified using the fs_contexts
-# or fs_contexts.mls file.
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
#
type file_t, file_type, root_dir_type, sysadmfile;
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type, root_dir_type, sysadmfile;
+
#
# root_t is the type for the root directory.
#
type root_t, file_type, sysadmfile;
#
+# mnt_t is the type for mount points such as /mnt/cdrom
+type mnt_t, file_type, sysadmfile;
+
+#
# home_root_t is the type for the directory where user home directories
# are created
#
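Review bot: The new `unlabeled_t` comment explains when the type is applied but not why it keeps `sysadmfile` after losing `fs_type`, `file_type` and `root_dir_type`. This type is given to objects with missing or invalid labels, so the one remaining attribute decides who can still reach them; if that is the intent, add a line such as `# sysadmfile is kept so the administrator can inspect and relabel such objects.` The seven filesystem types added under `# needs more work` have no description at all. That comment should say what is outstanding, and `usbfs_t` should be distinguished from the `usbdevfs_t` type declared later in this file.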
@@ -74,6 +83,7 @@
# etc_t is the type of the system etc directories.
#
type etc_t, file_type, sysadmfile;
+
#
# shadow_t is the type of the /etc/shadow file
#
@@ -93,16 +103,21 @@
type etc_runtime_t, file_type, sysadmfile;
#
+# fonts_runtime_t is the type of various
+# fonts files in /usr that are automatically
+# generated during initialization.
+#
+type fonts_t, file_type, sysadmfile, usercanread;
+
+#
# etc_aliases_t is the type of the aliases database.
-# etc_mail_t is the type of /etc/mail.
-# sendmail needs write access to these files.
#
type etc_aliases_t, file_type, sysadmfile;
-type etc_mail_t, file_type, sysadmfile;
-# resolv_conf_t is the type of the /etc/resolv.conf file.
-# pump needs write access to this file.
-type resolv_conf_t, file_type, sysadmfile;
+# net_conf_t is the type of the /etc/resolv.conf file.
+# all DHCP clients and PPP need write access to this file.
+type net_conf_t, file_type, sysadmfile;
+typealias net_conf_t alias resolv_conf_t;
#
# lib_t is the type of files in the system lib directories.
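Review bot: `etc_mail_t` is dropped here with no `typealias`, while `resolv_conf_t` in the same hunk is kept alive through `typealias net_conf_t alias resolv_conf_t;`. If a domain or file_contexts entry outside this change still names `etc_mail_t`, the policy would stop compiling or the files would fall back to a default label. The same question applies to `driverfs_t` and `usbdevfs_device_t` in the @@ -245 hunk of this file, to `var_log_sa_t` and `at_spool_t`, and to `file_labels_t` in security.te. Either confirm there are no remaining users, or keep the old names as aliases where the meaning is unchanged. Separately, the new comment names `fonts_runtime_t` but the declaration is `type fonts_t, ...`; the comment should read `# fonts_t is the type of various`.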
@@ -169,9 +184,6 @@
type var_yp_t, file_type, sysadmfile;
type var_db_t, file_type, sysadmfile;
-# Type for /var/log/sa.
-type var_log_sa_t, file_type, sysadmfile, logfile;
-
# Type for /var/log/ksyms.
type var_log_ksyms_t, file_type, sysadmfile, logfile;
@@ -179,7 +191,7 @@
type lastlog_t, file_type, sysadmfile, logfile;
# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, sysadmfile;
+type var_lib_nfs_t, file_type, sysadmfile, usercanread;
#
# wtmp_t is the type of /var/log/wtmp.
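Review bot: Adding `usercanread` to `var_lib_nfs_t` widens who may read /var/lib/nfs, and the hunk gives no reason for it. The rules attached to `usercanread` are not visible here, but the name suggests that user domains gain read access. A comment such as `# usercanread: <which program needs to read this as a user>` would record why the wider access is needed; alternatively the attribute could be replaced by an allow rule for the specific domain.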
@@ -192,11 +204,6 @@
type catman_t, file_type, sysadmfile, tmpfile;
#
-# at_spool_t is the type for /var/spool/at.
-#
-type at_spool_t, file_type, sysadmfile;
-
-#
# cron_spool_t is the type for /var/spool/cron.
#
type cron_spool_t, file_type, sysadmfile;
@@ -245,34 +252,49 @@
#
# locale_t is the type for system localization
#
-type locale_t, file_type;
+type locale_t, file_type, sysadmfile;
#
# Allow each file type to be associated with
# the default file system type.
#
-allow file_type fs_t:filesystem associate;
+allow { file_type device_type } fs_t:filesystem associate;
# Allow the pty to be associated with the file system.
allow devpts_t devpts_t:filesystem associate;
-allow tty_device_t device_t:filesystem associate;
-allow device_t device_t:filesystem associate;
type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
-type usbdevfs_t, fs_type, root_dir_type, sysadmfile;
+type autofs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+allow autofs_t autofs_t:filesystem associate;
+
+type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
allow usbdevfs_t usbdevfs_t:filesystem associate;
-type usbdevfs_device_t, file_type, sysadmfile;
-allow usbdevfs_device_t usbdevfs_t:filesystem associate;
-type sysfs_t alias driverfs_t, fs_type, root_dir_type, sysadmfile;
+type sysfs_t, fs_type, root_dir_type, sysadmfile;
allow sysfs_t sysfs_t:filesystem associate;
-type iso9660_t, fs_type, root_dir_type, sysadmfile;
+type iso9660_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
allow iso9660_t iso9660_t:filesystem associate;
-type dosfs_t, fs_type, root_dir_type, sysadmfile;
+type romfs_t, fs_type, root_dir_type, sysadmfile;
+allow romfs_t romfs_t:filesystem associate;
+
+type ramfs_t, fs_type, root_dir_type, sysadmfile;
+allow ramfs_t ramfs_t:filesystem associate;
+
+type dosfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
allow dosfs_t dosfs_t:filesystem associate;
+# udev_runtime_t is the type of the udev table file
+type udev_runtime_t, file_type, sysadmfile;
+
+# krb5_conf_t is the type of the /etc/krb5.conf file
+type krb5_conf_t, file_type, sysadmfile;
+
+type sambafs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+allow sambafs_t sambafs_t:filesystem associate;
+typealias sambafs_t alias cifs_t;
+
type var_db_entropy_t, file_type, sysadmfile;
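Review bot: The two `device_t:filesystem associate` rules are removed, and device types are now only allowed to associate with `fs_t` through `allow { file_type device_type } fs_t:filesystem associate;`. If /dev is still mounted as a filesystem labelled `device_t` (not visible in this change), device nodes would no longer be permitted to live there; a rule like `allow device_type device_t:filesystem associate;` would cover that case. `krb5_conf_t` and `udev_runtime_t` are plain file types placed between the filesystem declarations. Moving them next to the other configuration file types would keep this block to filesystem types only.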
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/network.te#4 (text+ko) ====
@@ -8,35 +8,55 @@
# Modified by Russell Coker
# Move port types to their respective domains, add ifdefs, other cleanups.
-############################################
+# generally we do not want to define port types in this file, but some things
+# are insanely difficult to do elsewhere, xserver_port_t is a good example
+# getting the type defined is the easy part for X, conditional code for many
+# other domains (including one that starts with a) is the hard part.
+ifdef(`xdm.te', `define(`use_x_ports')')
+ifdef(`startx.te', `define(`use_x_ports')')
+ifdef(`xauth.te', `define(`use_x_ports')')
+ifdef(`xserver.te', `define(`use_x_ports')')
+ifdef(`use_x_ports', `
+type xserver_port_t, port_type;
+')
#
-# Network types
+# Defines used by the te files need to be defined outside of net_constraints
#
+ifdef(`named.te', `define(`use_dns')')
+ifdef(`nsd.te', `define(`use_dns')')
+ifdef(`tinydns.te', `define(`use_dns')')
+ifdef(`dnsmasq.te', `define(`use_dns')')
+ifdef(`use_dns', `
+type dns_port_t, port_type;
+')
+
+ifdef(`dhcpd.te', `define(`use_dhcpd')')
+ifdef(`dnsmasq.te', `define(`use_dhcpd')')
+ifdef(`use_dhcpd', `
+type dhcpd_port_t, port_type;
+')
+
+ifdef(`cyrus.te', `define(`use_pop')')
+ifdef(`courier.te', `define(`use_pop')')
+ifdef(`perdition.te', `define(`use_pop')')
+ifdef(`dovecot.te', `define(`use_pop')')
+ifdef(`uwimapd.te', `define(`use_pop')')
+ifdef(`use_pop', `
+type pop_port_t, port_type;
+')
+ifdef(`apache.te', `define(`use_http_cache')')
+ifdef(`squid.te', `define(`use_http_cache')')
+ifdef(`use_http_cache', `
+type http_cache_port_t, port_type;
+')
-#
-# any_socket_t is the default destination
-# socket type for UDP traffic. Unless a
-# destination socket type is explicitly specified
-# using sendto_secure/sendmsg_secure, this type
-# is used for the udp_socket sendto permission check.
-#
-type any_socket_t, socket_type;
-role system_r types any_socket_t;
+ifdef(`dhcpd.te', `define(`use_pxe')')
+ifdef(`pxe.te', `define(`use_pxe')')
+############################################
#
-# igmp_packet_t is the type of kernel-generated IGMP packets.
-# icmp_socket_t is the type of the kernel socket used to send ICMP messages.
-# tcp_socket_t is the type of the kernel socket used to send TCP resets.
-# scmp_packet_t is the type for SCMP packets used by the SELOPT packet labeling.
+# Network types
#
-type igmp_packet_t;
-role system_r types igmp_packet_t;
-type icmp_socket_t, socket_type;
-role system_r types icmp_socket_t;
-type tcp_socket_t, socket_type;
-role system_r types tcp_socket_t;
-type scmp_packet_t;
-role system_r types scmp_packet_t;
#
# port_t is the default type of INET port numbers.
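Review bot: `use_pxe` is defined from `dhcpd.te` and `pxe.te`, but unlike the other `use_*` blocks in this hunk it is not followed by an ifdef on `use_pxe` that declares a port type. If the define is consumed by other .te files, a comment such as `# use_pxe is tested in <file>; no port type is declared here` would stop it being read as an unfinished block. The remark "(including one that starts with a)" in the header comment should name the domain it means. The removal of `any_socket_t`, `icmp_socket_t`, `tcp_socket_t` and the packet types relies on no other file referencing them, which cannot be checked from this hunk.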
@@ -62,22 +82,6 @@
type netif_ipsec2_t, netif_type;
#
-# netmsg_t is the default type of unlabeled received messages.
-# The netmsg_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netmsg_t, netmsg_type;
-type netmsg_eth0_t, netmsg_type;
-type netmsg_eth1_t, netmsg_type;
-type netmsg_eth2_t, netmsg_type;
-type netmsg_lo_t, netmsg_type;
-type netmsg_ippp0_t, netmsg_type;
-
-type netmsg_ipsec0_t, netmsg_type;
-type netmsg_ipsec1_t, netmsg_type;
-type netmsg_ipsec2_t, netmsg_type;
-
-#
# node_t is the default type of network nodes.
# The node_*_t types are used for specific network
# nodes in net_contexts or net_contexts.mls.
@@ -85,54 +89,18 @@
type node_t, node_type;
type node_lo_t, node_type;
type node_internal_t, node_type;
+type node_inaddr_any_t, node_type;
+type node_unspec_t, node_type;
+type node_link_local_t, node_type;
+type node_site_local_t, node_type;
+type node_multicast_t, node_type;
+type node_mapped_ipv4_t, node_type;
+type node_compat_ipv4_t, node_type;
-#
-# Permissions for the kernel-generated IGMP packets.
-#
-allow igmp_packet_t netif_type:netif { rawip_send rawip_recv };
-allow igmp_packet_t node_type:node { rawip_send rawip_recv };
+# Kernel-generated traffic, e.g. ICMP replies.
+allow kernel_t netif_type:netif { rawip_send rawip_recv };
+allow kernel_t node_type:node { rawip_send rawip_recv };
-#
-# Permissions for the kernel ICMP socket.
-#
-allow icmp_socket_t netif_type:netif { rawip_send rawip_recv };
-allow icmp_socket_t node_type:node { rawip_send rawip_recv };
-allow icmp_socket_t netmsg_type:rawip_socket recvfrom;
-
-#
-# Permissions for the kernel TCP reset socket.
-#
-allow tcp_socket_t netif_type:netif { tcp_send tcp_recv };
-allow tcp_socket_t netmsg_type:tcp_socket recvfrom;
-allow tcp_socket_t node_type:node { tcp_send tcp_recv };
-
-#
-# Allow network messages to be received.
-#
-allow netmsg_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth0_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth0_t netif_eth0_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth1_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth1_t netif_eth1_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth2_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_eth2_t netif_eth2_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_lo_t node_lo_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_lo_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_lo_t netif_lo_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_ippp0_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_ippp0_t netif_ippp0_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec0_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec0_t netif_ipsec0_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec1_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec1_t netif_ipsec1_t:netif { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec2_t node_t:node { tcp_recv udp_recv rawip_recv };
-allow netmsg_ipsec2_t netif_ipsec2_t:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow ICMP echo requests to be sent and received, and echo replies to
-# be received (when packets are labeled)
-#
-ifdef(`ping.te',
-`allow ping_t netif_type:netif { rawip_send rawip_recv };
-allow ping_t node_type:node { rawip_send rawip_recv };
-allow ping_t netmsg_type:rawip_socket { recvfrom };')
+# Kernel-generated traffic, e.g. TCP resets.
+allow kernel_t netif_type:netif { tcp_send tcp_recv };
+allow kernel_t node_type:node { tcp_send tcp_recv };
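Review bot: The four `allow kernel_t` rules give the kernel domain itself raw-IP and TCP send/receive on every `netif_type` and `node_type`, where the old policy attached those permissions to the dedicated `igmp_packet_t`, `icmp_socket_t` and `tcp_socket_t` labels. That is probably intended now that those types are gone, but the comments should say that kernel-generated packets are now checked against `kernel_t`. The two pairs can also be merged into `allow kernel_t netif_type:netif { rawip_send rawip_recv tcp_send tcp_recv };` and the matching `node_type:node` rule. The `ping_t` rules deleted above are not re-added anywhere in this change, so ping.te presumably has to carry its own netif and node rules.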
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/nfs.te#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/procfs.te#4 (text+ko) ====
@@ -21,21 +21,26 @@
# sysctl_fs_t is the type of /proc/sys/fs.
# sysctl_kernel_t is the type of /proc/sys/kernel.
# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
+# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
# sysctl_net_t is the type of /proc/sys/net.
# sysctl_net_unix_t is the type of /proc/sys/net/unix.
# sysctl_vm_t is the type of /proc/sys/vm.
# sysctl_dev_t is the type of /proc/sys/dev.
+# sysctl_rpc_t is the type of /proc/net/rpc.
#
# These types are applied to both the entries in
# /proc/sys and the corresponding sysctl parameters.
#
-type sysctl_t;
-type sysctl_fs_t;
-type sysctl_kernel_t;
-type sysctl_modprobe_t;
-type sysctl_net_t;
-type sysctl_net_unix_t;
-type sysctl_vm_t;
-type sysctl_dev_t;
+type sysctl_t, sysctl_type;
+type sysctl_fs_t, sysctl_type;
+type sysctl_kernel_t, sysctl_type;
+type sysctl_modprobe_t, sysctl_type;
+type sysctl_hotplug_t, sysctl_type;
+type sysctl_net_t, sysctl_type;
+type sysctl_net_unix_t, sysctl_type;
+type sysctl_vm_t, sysctl_type;
+type sysctl_dev_t, sysctl_type;
+type sysctl_rpc_t, sysctl_type;
+type sysctl_irq_t, sysctl_type;
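Review bot: `sysctl_irq_t` is declared without a line in the comment block above, while `sysctl_hotplug_t` and `sysctl_rpc_t` each got one; add `# sysctl_irq_t is the type of <path>.` with the path it labels. The new `sysctl_rpc_t` line gives `/proc/net/rpc`, which is not under `/proc/sys`. The sentence that follows, "These types are applied to both the entries in /proc/sys and the corresponding sysctl parameters", therefore no longer holds for every type listed and should be qualified.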
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/types/security.te#4 (text+ko) ====
@@ -15,7 +15,7 @@
type security_t, fs_type;
#
-# policy_config_t is the type of /ss_policy,
+# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t, file_type;
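Review bot: The updated comment puts the policy configuration under `/etc/security/selinux/*`, but the other comments changed in this file (the @@ -28 and @@ -46 hunks) use `/etc/selinux/*/contexts/*`, `/etc/selinux/*/contexts/files` and `/etc/selinux/config`. One of the two prefixes is likely stale. The comments should agree with the paths actually labelled in file_contexts, so that a reader can tell which files are expected to carry `policy_config_t`.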
@@ -28,17 +28,15 @@
#
# default_context_t is the type applied to
-# /etc/security/default_context
+# /etc/selinux/*/contexts/*
#
type default_context_t, file_type, sysadmfile, login_contexts;
#
-# file_labels_t is the type of the persistent
-# label mapping stored in each file system.
-# The mapping files are in the ...security
-# subdirectory at the root of each file system.
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
#
-type file_labels_t, file_type, sysadmfile;
+type file_context_t, file_type, sysadmfile;
#
# no_access_t is the type for objects that should
@@ -46,4 +44,10 @@
#
type no_access_t, file_type, sysadmfile;
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+type selinux_config_t, file_type, sysadmfile;
+