PERFORCE change 113403 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 20:14:24 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113403

Change 113403 by millert at millert_macbook on 2007/01/22 20:02:18

	Allow searching volfs_t.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#13 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#11 (text+ko) ====

@@ -94,6 +94,7 @@
 allow WindowServer_t bin_t:dir search;
 allow WindowServer_t mnt_t:dir getattr;
 allow WindowServer_t sbin_t:dir search;
+allow WindowServer_t volfs_t:dir search;
 
 # Read prefs, etc
 darwin_allow_global_pref_read(WindowServer_t)
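Review bot: The added `allow WindowServer_t volfs_t:dir search;` has no comment saying why the domain needs volfs, and the same undocumented rule is repeated in the configd.te, coreservicesd.te, kextd.te, loginwindow.te and securityd.te hunks. On Darwin, volfs (`/.vol`) resolves files by volume and file ID rather than by path, so this grant presumably lets each domain reach an object without searching its parent directories. Whether the target's own type checks are then the only remaining barrier should be confirmed against the policy. I would put a short comment above each rule, for example `# Look up files by ID through /.vol (volfs)`, and name the caller that triggered the denial if it is known. Since six modules now reference volfs_t directly, an interface exported by the module that declares volfs_t, in the style of `darwin_allow_global_pref_read(...)`, would keep the grant in one place to audit.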

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#14 (text+ko) ====

@@ -72,6 +72,7 @@
 allow configd_t nfs_t:filesystem { getattr mount };
 allow configd_t nfs_t:lnk_file { create getattr read };
 allow configd_t mnt_t:dir { getattr read search };
+allow configd_t volfs_t:dir search;
 allow configd_t self:socket connect;
 allow configd_t self:unix_dgram_socket create;
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#8 (text+ko) ====

@@ -98,6 +98,7 @@
 
 # Search dirs
 allow coreservicesd_t { darwin_system_t mnt_t fs_t }:dir { getattr search }; 
+allow coreservicesd_t volfs_t:dir { search };
 
 # Use /dev/fsevents
 allow coreservicesd_t device_t:chr_file { read ioctl };
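Review bot: The braces in `allow coreservicesd_t volfs_t:dir { search };` are redundant for a single permission and differ from the bare `search` form this change uses in four other files; the securityd.te hunk has the same `{ search }` spelling. Writing `allow coreservicesd_t volfs_t:dir search;` (and likewise for securityd_t) would let one grep pattern find all six grants when the volfs access is reviewed later. The rule sits under the existing `# Search dirs` comment, so its placement is fine.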

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#9 (text+ko) ====

@@ -42,6 +42,7 @@
 allow kextd_t sbin_t:dir { getattr read search };
 allow kextd_t sbin_t:file { getattr read execute_no_trans };
 allow kextd_t lib_t:dir { write add_name };
+allow kextd_t volfs_t:dir search;
 
 # Talk to self
 mach_allow_message(kextd_t, kextd_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#12 (text+ko) ====

@@ -43,6 +43,7 @@
 allow loginwindow_t nfs_t:filesystem getattr;
 allow loginwindow_t nfs_t:lnk_file { getattr read };
 allow loginwindow_t usr_t:file { getattr read };
+allow loginwindow_t volfs_t:dir search;
 
 # There has to be a "proper" interface for this. Fix this when we find it
 allow loginwindow_t bin_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#13 (text+ko) ====

@@ -37,6 +37,7 @@
 # Misc
 allow securityd_t mnt_t:dir { getattr search };
 allow securityd_t nfs_t:dir { getattr search };
+allow securityd_t volfs_t:dir { search };
 allow securityd_t { fs_t nfs_t }:filesystem getattr;
 allow securityd_t nfs_t:lnk_file read;
 allow securityd_t usr_t:file { getattr read };

