PERFORCE change 113404 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:14:24 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113404
Change 113404 by millert at millert_macbook on 2007/01/22 20:02:38
Label and permit access to /Library/Caches.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#11 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#14 (text+ko) ====
@@ -117,6 +117,7 @@
# Allow reading of security_t files
darwin_allow_security_read(securityd_t)
-# Access cache files
-allow securityd_t darwin_cache_t:dir search;
+# Read/write caches
+darwin_allow_cache_rw(securityd_t)
+allow securityd_t darwin_cache_t:dir { search getattr };
allow securityd_t darwin_cache_t:file { read lock };
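Review bot: The new `darwin_allow_cache_rw(securityd_t)` call appears to upgrade securityd_t from read-only to read/write on darwin_cache_t, but neither the comment nor the change description says which cache file securityd has to write. The macro is defined outside this diff, so its exact permission set cannot be checked here; if it already covers directory search and file read/lock, the two explicit `allow` lines after it are largely redundant and only `getattr` on the directory is new. Consider replacing `# Read/write caches` with a comment that names the file and the reason, e.g. `# securityd updates <cache file> under /Library/Caches; needs write on darwin_cache_t files` (placeholder to be filled in), or keep the domain read-only if no write is actually needed.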
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#7 (text+ko) ====
@@ -14,8 +14,8 @@
/System/Library/Caches.* gen_context(system_u:object_r:darwin_cache_t,s0)
/System/Library/Services.* gen_context(system_u:object_r:darwin_services_t,s0)
/System/Library/Security.* gen_context(system_u:object_r:darwin_security_t,s0)
-/System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0)
-/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+/System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0)
+/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
#
# Applications
@@ -25,11 +25,12 @@
#
# /Library
#
+/Library/Caches.* gen_context(system_u:object_r:darwin_cache_t,s0)
/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
/Library/Preferences.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
-/Library/Keychains.* gen_context(system_u:object_r:darwin_keychain_t,s0)
+/Library/Keychains.* gen_context(system_u:object_r:darwin_keychain_t,s0)
# Kernel
/mach_kernel -- gen_context(system_u:object_r:boot_t,s0)
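Review bot: The added `/Library/Caches.*` entry reuses darwin_cache_t, the same type this file assigns to `/System/Library/Caches.*`, so the policy can no longer tell the two trees apart. Every permission granted on darwin_cache_t then applies to the system cache directory as well as the local one, including the create and unlink permissions added for init_t and the read/write macro applied to securityd_t in this change. If those domains only need to write under /Library/Caches, a separate type would keep /System/Library/Caches read-only for them, e.g. `/Library/Caches.* gen_context(system_u:object_r:darwin_local_cache_t,s0)` (the type name is a suggestion and would need its own declaration and access macro). The unanchored `.*` suffix also matches sibling paths that merely begin with `/Library/Caches`; that is consistent with the neighbouring entries, but `(/.*)?` would be tighter if only the directory and its contents are meant.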
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#11 (text+ko) ====
@@ -684,5 +684,6 @@
allow init_t dynamic_pager_swapfile_t:file { getattr unlink };
# Allow access to Cache files
-allow init_t darwin_cache_t:dir search;
-allow init_t darwin_cache_t:file { read write lock };
+darwin_allow_cache_rw(init_t)
+allow init_t darwin_cache_t:dir { getattr search add_name remove_name };
+allow init_t darwin_cache_t:file { create setattr unlink };
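Review bot: The comment `# Allow access to Cache files` understates what follows: init_t gains `add_name`/`remove_name` on the directory and `create`/`setattr`/`unlink` on files, so it can create and delete cache entries rather than only read and write existing ones. A comment such as `# init creates, updates and removes cache files` would make the grant easier to audit. The explicit `file { read write lock }` rule is dropped here, presumably because `darwin_allow_cache_rw` covers it, while securityd.te keeps its explicit `file { read lock }` rule after the same macro. The macro's definition is not in this diff, so it is worth confirming that `lock` is included and making the two call sites consistent.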