PERFORCE change 104915 for review
dongmei
dongmei at FreeBSD.org
Thu Aug 24 11:09:55 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104915
Change 104915 by dongmei at soc-dongmei-sebsd on 2006/08/24 11:09:12
Corrected most of boot error, include the service cron,devd,inetd,usbd,syslogd,getty,dhclient,ifconfig,swapon and login programs. Interfaces which I have added are comment by "#lll" for future check.
Affected files ...
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#4 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/cron.te#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/dhcp.te#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/ftp.if#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/inetd.te#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#3 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#3 edit
Differences ...
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#4 (text+ko) ====
@@ -68,7 +68,7 @@
POLDIR := policy
MODDIR := $(POLDIR)/modules
FLASKDIR := $(POLDIR)/flask
-SECCLASS := $(FLASKDIR)/security_classes
+#SECCLASS := $(FLASKDIR)/security_classes
ISIDS := $(FLASKDIR)/initial_sids
ifeq ($(DISTRO),sebsd)
AVS := $(FLASKDIR)/access_vectors.sebsd
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/devices.if#3 (text+ko) ====
@@ -1150,6 +1150,23 @@
allow $1 dri_device_t:chr_file manage_file_perms;
type_transition $1 device_t:chr_file dri_device_t;
')
+########################################
+## <summary>
+## Create, read, write, and delete the generic devices.(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_dev',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir rw_dir_perms;
+')
########################################
## <summary>
@@ -2342,7 +2359,7 @@
')
########################################
## <summary>
-## Allow caller to read /dev
+## Allow caller to read /dev chr_files(lll)
## </summary>
## <param name="domain">
## <summary>
@@ -2350,7 +2367,7 @@
## </summary>
## </param>
#
-interface(`dev_read_chr_file_devfs',`
+interface(`dev_read_generic_chr_file',`
gen_require(`
type device_t;
')
@@ -2780,4 +2797,75 @@
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
')
+########################################
+## <summary>
+## Mount a filesystem on /dev.(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_dev',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir { search mounton };
+')
+########################################
+## <summary>
+## Create, read, write, and delete the null devices.(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ allow $1 device_t:dir rw_dir_perms;
+ allow $1 null_device_t:chr_file manage_file_perms;
+')
+########################################
+## <summary>
+## Read from random number generator
+## devices symlinks (e.g., /dev/random)(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_rand_symlinks',`
+ gen_require(`
+ type device_t, random_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 random_device_t:lnk_file r_file_perms;
+')
+########################################
+## <summary>
+## Create, read, write, and delete the usb devices.(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_usb_dev',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ allow $1 usb_device_t:chr_file manage_file_perms;
+')
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/files.if#3 (text+ko) ====
@@ -1549,6 +1549,17 @@
allow $1 etc_t:file r_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
')
+########################################
+#
+# files_read_boot_files(domain)
+#
+interface(`files_read_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:file r_file_perms;
+')
########################################
#
@@ -3052,7 +3063,25 @@
allow $1 root_t:dir search_dir_perms;
')
+############################################################
+## <summary>
+## Search the contents of /bin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_bin',`
+
+ gen_require(`
+ type bin_t;
+ ')
+ allow $1 bin_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search
@@ -3108,6 +3137,24 @@
allow $1 var_t:dir create_dir_perms;
')
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_run_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir create_dir_perms;
+')
########################################
## <summary>
@@ -3146,6 +3193,42 @@
allow $1 var_t:dir rw_dir_perms;
allow $1 var_t:file create_file_perms;
')
+########################################
+## <summary>
+## Create, read, write, and delete files in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_run_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir rw_dir_perms;
+ allow $1 var_run_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Create sock files in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_run_sock_file',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:sock_file create_file_perms;
+')
########################################
## <summary>
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/filesystem.te#3 (text+ko) ====
@@ -1,4 +1,4 @@
-
+
policy_module(filesystem,1.3.0)
########################################
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/kernel.te#3 (text+ko) ====
@@ -58,6 +58,7 @@
fs_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
+genfscon procfs / gen_context(system_u:object_r:proc_t,s0)
# kernel message interface
type proc_kmsg_t, proc_type;
@@ -176,7 +177,7 @@
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_file_perms;
allow kernel_t self:sock_file r_file_perms;
-allow kernel_t self:fd use;
+allow kernel_t self:fd { use create };
# old general_proc_read_access():
allow kernel_t proc_t:dir r_dir_perms;
@@ -192,6 +193,13 @@
# cjp: this seems questionable
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+#lll
+dev_manage_generic_dev(kernel_t)
+dev_manage_generic_symlinks(kernel_t)
+dev_mounton_dev(kernel_t)
+dev_manage_null_dev(kernel_t)
+
+
corenet_non_ipsec_sendrecv(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/kernel/storage.if#3 (text+ko) ====
@@ -614,6 +614,24 @@
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file { getattr write ioctl };
')
+########################################
+## <summary>
+## Allow the caller to directly write
+## a fixed disk device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`storage_write_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:chr_file { getattr write ioctl };
+')
########################################
## <summary>
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/cron.te#2 (text+ko) ====
@@ -69,6 +69,7 @@
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
+allow crond_t self:fd create;
allow crond_t self:fifo_file rw_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
allow crond_t self:unix_stream_socket create_stream_socket_perms;
@@ -118,7 +119,9 @@
# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
-
+files_read_var_run_files(crond_t)
+files_read_var_files(crond_t)
+files_list_var(crond_t)
init_use_fds(crond_t)
init_use_script_ptys(crond_t)
init_rw_utmp(crond_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/devd.te#2 (text+ko) ====
@@ -11,21 +11,66 @@
init_daemon_domain(devd_t, devd_exec_t)
type_transition initrc_t devd_exec_t:process devd_t;
-
+
type devd_etc_t;
files_config_file(devd_etc_t)
init_daemon_domain(devd_t,devd_etc_t)
+files_search_etc(devd_t)
+
########################################
#
# Local policy
#
-
allow devd_t devd_etc_t:file r_file_perms;
allow devd_t devd_etc_t:dir r_dir_perms;
allow devd_t devd_etc_t:lnk_file r_file_perms;
+allow devd_t self:fd create;
+allow devd_t self:fd use;
+allow devd_t self:process signal;
+allow devd_t self:capability { sys_resource };
+allow devd_t self:fifo_file { read write ioctl getattr };
+
+files_read_var_files(crond_t)
+files_search_usr(devd_t)
+files_manage_var_run_dirs(devd_t)
+files_manage_var_run_files(devd_t)
+files_manage_var_run_sock_file(devd_t)
+files_search_bin(devd_t)
+files_read_var_run_files(devd_t)
+
+libs_search_lib(devd_t)
+libs_read_shlib_files(devd_t)
+libs_getattr_shlib_files(devd_t)
+libs_exec_shlib_files(devd_t)
+libs_exec_ld_so(devd_t)
+
+corecmd_search_sbin(devd_t)
+corecmd_exec_sbin(devd_t)
+corecmd_getattr_sbin_files(devd_t)
+
+corecmd_search_bin(devd_t)
+corecmd_getattr_bin_files(devd_t)
+corecmd_exec_bin(devd_t)
+
+corecmd_exec_shell(devd_t)
+
+term_use_console(devd_t)
+dev_read_generic_chr_file(devd_t)
+
+files_search_etc(devd_t)
+files_getattr_etc_files(devd_t)
+files_read_etc_files(devd_t)
+
+init_exec(devd_t)
+init_exec_script_files(devd_t)
+init_read_script_files(devd_t)
+init_use_fds(devd_t)
+
+miscfiles_read_localization(devd_t)
+
can_exec(devd_t,devd_etc_t)
can_exec(devd_t, devd_exec_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/dhcp.te#2 (text+ko) ====
@@ -50,7 +50,7 @@
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
-
+#
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/ftp.if#2 (text+ko) ====
@@ -109,3 +109,20 @@
logging_search_logs($1)
allow $1 xferlog_t:file r_file_perms;
')
+########################################
+## <summary>
+## Read write FTP transfer logs(lll)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_rw_log',`
+ gen_require(`
+ type xferlog_t;
+ ')
+
+ allow $1 xferlog_t:file rw_file_perms;
+')
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/inetd.te#2 (text+ko) ====
@@ -36,14 +36,18 @@
#
allow inetd_t self:capability { setuid setgid };
-dontaudit inetd_t self:capability sys_tty_config;
+dontaudit inetd_t self:capability { sys_tty_config sys_resource linux_immutable net_raw };
allow inetd_t self:process setsched;
allow inetd_t self:fifo_file rw_file_perms;
+allow inetd_t self:fifo_file poll;
allow inetd_t self:tcp_socket create_stream_socket_perms;
allow inetd_t self:udp_socket { connect connected_socket_perms };
+allow inetd_t self:fd { create use };
allow inetd_t inetd_log_t:file create_file_perms;
logging_log_filetrans(inetd_t,inetd_log_t,file)
+#lll
+files_read_var_run_files(inetd_t)
allow inetd_t inetd_tmp_t:dir create_dir_perms;
allow inetd_t inetd_tmp_t:file create_file_perms;
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/services/usbd.te#2 (text+ko) ====
@@ -22,12 +22,20 @@
# Local policy
#
-
+allow usbd_t self:fd { use create };
+allow usbd_t self:capability { sys_resource };
allow usbd_t usbd_etc_t:file r_file_perms;
allow usbd_t usbd_etc_t:dir r_dir_perms;
allow usbd_t usbd_etc_t:lnk_file r_file_perms;
can_exec(usbd_t,usbd_etc_t)
can_exec(usbd_t, usbd_exec_t)
-
+#lll
+files_search_etc(usbd_t)
+libs_search_lib(usbd_t)
+libs_exec_shlib_files(usbd_t)
+libs_getattr_shlib_files(usbd_t)
+libs_read_shlib_files(usbd_t)
+dev_manage_usb_dev(usbd_t)
+files_read_var_run_files(usbd_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/authlogin.fc#3 (text+ko) ====
@@ -1,5 +1,5 @@
-/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/fstools.te#3 (text+ko) ====
@@ -24,9 +24,10 @@
#
# ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search sys_resource};
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
+allow fsadm_t self:fd create;
allow fsadm_t self:fifo_file rw_file_perms;
allow fsadm_t self:sock_file r_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
@@ -92,8 +93,8 @@
libs_exec_ld_so(fsadm_t)
#for fsck_ufs
dev_getattr_devfs(fsadm_t)
-
-
+files_read_var_run_files(fsadm_t)
+storage_write_fixed_disk(fsadm_t)
#lll end
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/getty.te#3 (text+ko) ====
@@ -37,10 +37,13 @@
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid setgid setuid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid getsession signal_perms };
+#lll
+allow getty_t self:fd { use create };
+
allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms;
allow getty_t getty_etc_t:lnk_file { getattr read };
@@ -64,6 +67,9 @@
kernel_read_proc_symlinks(getty_t)
dev_read_sysfs(getty_t)
+#lll
+files_list_default(getty_t)
+libs_exec_ld_so(getty_t)
fs_search_auto_mountpoints(getty_t)
# for error condition handling
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.if#3 (text+ko) ====
@@ -73,3 +73,20 @@
corecmd_search_bin($1)
can_exec($1,hostname_exec_t)
')
+########################################
+## <summary>
+## Send generic signals to hostname
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hostname_signal',`
+ gen_require(`
+ type hostname_t;
+ ')
+
+ allow $1 hostname_t:process signal;
+')
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/hostname.te#3 (text+ko) ====
@@ -71,11 +71,11 @@
files_read_var_run_files(hostname_t)
libs_search_lib(hostname_t)
libs_read_shlib_files(hostname_t)
-files_getattr_shlib_files(hostname_t)
+libs_getattr_shlib_files(hostname_t)
libs_exec_shlib_files(hostname_t)
userdom_rw_sysadm_pipes(hostname_t)
userdom_getattr_sysadm_pipes(hostname_t)
-dev_read_chr_file_devfs(hostname_t)
+dev_read_generic_chr_file(hostname_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/init.te#3 (text+ko) ====
@@ -96,7 +96,7 @@
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
allow init_t self:fifo_file rw_file_perms;
-
+allow init_t self:fd { create use };
# Re-exec itself
allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
@@ -120,6 +120,10 @@
kernel_share_state(init_t)
dev_read_sysfs(init_t)
+#lll
+libs_exec_ld_so(init_t)
+files_manage_var_run_files(init_t)
+
mls_process_write_down(init_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.if#3 (text+ko) ====
@@ -286,7 +286,7 @@
## </summary>
## </param>
#
-interface(`files_getattr_shlib_files',`
+interface(`libs_getattr_shlib_files',`
gen_require(`
type shlib_t;
')
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/libraries.te#3 (text+ko) ====
@@ -53,7 +53,8 @@
allow ldconfig_t ld_so_cache_t:file create_file_perms;
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
-
+allow ldconfig_t self:fd { use create };
+allow ldconfig_t self:capability { sys_resource dac_read_search };
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
allow ldconfig_t ld_so_t:lnk_file r_file_perms;
@@ -61,6 +62,12 @@
allow ldconfig_t ld_so_cache_t:file r_file_perms;
allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;
+#lll
+dev_read_rand_symlinks(ldconfig_t)
+dev_read_rand(ldconfig_t)
+files_manage_var_run_dirs(ldconfig_t)
+files_manage_var_run_files(ldconfig_t)
+
kernel_read_system_state(ldconfig_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/locallogin.te#3 (text+ko) ====
@@ -36,10 +36,10 @@
# Local login local policy
#
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config net_admin setpcap linux_immutable mknod };
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow local_login_t self:process { setrlimit setexec };
-allow local_login_t self:fd use;
+allow local_login_t self:fd { use create };
allow local_login_t self:fifo_file rw_file_perms;
allow local_login_t self:sock_file r_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
@@ -57,6 +57,13 @@
allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file create_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+#lll
+files_list_default(local_login_t)
+files_rw_etc_files(local_login_t)
+libs_exec_ld_so(local_login_t)
+files_manage_var_run_files(local_login_t)
+
+
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/logging.te#3 (text+ko) ====
@@ -263,7 +263,7 @@
# sys_admin chown fsetid for syslog-ng
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config ipc_owner net_raw mknod };
allow syslogd_t self:process signal_perms;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
@@ -272,6 +272,12 @@
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket { connected_socket_perms connect };
+allow syslogd_t self:fd { create use };
+#lll
+dev_read_generic_chr_file(syslogd_t)
+files_read_var_run_files(syslogd_t)
+ftp_rw_log(syslogd_t)
+
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.if#3 (text+ko) ====
@@ -144,6 +144,23 @@
allow $1 dhcpc_t:process signal;
')
+########################################
+## <summary>
+## Send a generic signal to the ifconfig(lll).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain sending the signal.
+## </summary>
+## </param>
+#
+interface(`sysnet_signal_ifconfig',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process signal;
+')
########################################
## <summary>
==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/policy/modules/system/sysnetwork.te#3 (text+ko) ====
@@ -44,13 +44,19 @@
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search sys_module fowner setgid sys_admin setpcap setuid linux_immutable ipc_owner};
allow dhcpc_t self:process signal_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:fifo_file poll;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+#lll
+allow dhcpc_t self:fd { use create };
+dev_manage_generic_chr_files(dhcpc_t)
+hostname_signal(dhcpc_t)
+sysnet_signal_ifconfig(dhcpc_t)
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
@@ -139,9 +145,11 @@
libs_use_ld_so(dhcpc_t)
libs_use_shared_libs(dhcpc_t)
+libs_exec_ld_so(dhcpc_t)
+dev_read_raw_memory(dhcpc_t)
+files_manage_var_files(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-
modutils_domtrans_insmod(dhcpc_t)
userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
@@ -252,10 +260,10 @@
#
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_tty_config sys_resource sys_ptrace ipc_owner };
dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:fd use;
+allow ifconfig_t self:fd { use create };
allow ifconfig_t self:fifo_file rw_file_perms;
allow ifconfig_t self:sock_file r_file_perms;
allow ifconfig_t self:socket create_socket_perms;
@@ -276,6 +284,11 @@
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
+#lll
+files_search_boot(ifconfig_t)
+files_read_boot_files(ifconfig_t)
+files_search_var_run(ifconfig_t)
+files_search_var(ifconfig_t)
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
More information about the p4-projects
mailing list