PERFORCE change 43969 for review
Chris Vance
cvance at FreeBSD.org
Tue Dec 16 15:38:53 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=43969
Change 43969 by cvance at cvance_korben on 2003/12/16 07:37:54
Update SEBSD policy for newer FreeBSD distribution (file locations,
behavior, new MAC framework support, etc.).
Affected files ...
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#7 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#5 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/su_macros.te#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#4 (text+ko) ====
@@ -13,11 +13,15 @@
domain_auto_trans(initrc_t, cleanvar_exec_t, cleanvar_t)
allow cleanvar_t self:fd *;
+allow cleanvar_t init_t:fd use;
allow cleanvar_t { var_run_t var_spool_t }:dir { rw_dir_perms };
+allow cleanvar_t var_run_t:file create_file_perms;
+allow cleanvar_t var_spool_t:file create_file_perms;
# We really need /var/{run,spool}/*...
allow cleanvar_t { pidfile var_spool_t }:file { getattr unlink };
-allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
+allow cleanvar_t { var_t etc_t bin_t sbin_t root_t device_t } :dir r_dir_perms;
+allow cleanvar_t null_device_t:chr_file r_file_perms;
allow cleanvar_t self:capability dac_override;
allow cleanvar_t fs_t:filesystem { getattr };
can_exec(cleanvar_t, bin_t)
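Review bot: The new `allow cleanvar_t var_run_t:file create_file_perms;` and the matching var_spool_t line right after it grant write, setattr, rename and link on every var_run_t and var_spool_t file, which is much wider than the existing `{ getattr unlink }` rule on pidfile/var_spool_t files suggests the domain needs. If the intent is only to let the script create its own marker files, a comment stating that (e.g. `# create_file_perms: cleanvar creates marker files under /var/run and /var/spool — confirm which`) would make the grant reviewable, and a dedicated type for those files would let the broad permission be dropped later. The added `null_device_t:chr_file r_file_perms` is read-only; if the script redirects output to /dev/null it will also need write, which cannot be told from the hunk.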
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#4 (text+ko) ====
@@ -59,4 +59,4 @@
rw_dir_create_file(getty_t, var_lock_t)
-dontaudit getty_t sysadm_home_t:dir search;
+dontaudit getty_t staff_home_dir_t:dir search;
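Review bot: Substituting `staff_home_dir_t` for `sysadm_home_t` in the dontaudit (the one changed line) means that searches of sysadm_home_t by getty_t are audited again; if getty on the new distribution still probes both, the rule should be `dontaudit getty_t { sysadm_home_t staff_home_dir_t }:dir search;` rather than a replacement. The commit message does not say the old denial went away, so this is a guess to confirm against the audit log.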
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#3 (text+ko) ====
@@ -25,6 +25,7 @@
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
+allow initrc_t resolv_conf_t:{ file lnk_file } r_file_perms;
read_locale(initrc_t)
@@ -122,6 +123,7 @@
ifdef(`sendmail.te', `
# Update /etc/mail.
allow initrc_t etc_mail_t:file { setattr rw_file_perms };
+allow initrc_t sendmail_exec_t:lnk_file read;
')
ifdef(`xfs.te',
@@ -186,8 +188,8 @@
allow initrc_t tty_device_t:chr_file relabelto;
# Use lock files in /var/spool/lock.
-allow initrc_t var_spool_t:dir create_file_perms;
-allow initrc_t var_spool_t:file { rw_file_perms unlink };
+allow initrc_t var_spool_t:dir create_dir_perms;
+allow initrc_t var_spool_t:file { create_file_perms unlink };
ifdef(`rpm.te', `
# Create and read /boot/kernel.h.
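Review bot: `unlink` in the new `allow initrc_t var_spool_t:file { create_file_perms unlink };` is redundant if this tree's core_macros.te matches the SELinux example policy, where create_file_perms already expands to include unlink (and create_dir_perms on the dir line above it already includes add_name, remove_name and rmdir). Writing `allow initrc_t var_spool_t:file create_file_perms;` grants exactly the same permissions and stops readers from assuming the macro lacks unlink. The `allow initrc_t var_spool_t:file rw_file_perms;` context line in the following hunk becomes a strict subset of this rule and could be dropped, and the `mqueue_spool_t:dir r_dir_perms` added there has no comment saying what initrc needs to read in the mail queue directory.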
@@ -209,6 +211,7 @@
ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
allow initrc_t var_spool_t:file rw_file_perms;
+allow initrc_t mqueue_spool_t:dir r_dir_perms;
#
# quota control
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#3 (text+ko) ====
@@ -154,6 +154,9 @@
allow local_login_t sysadm_home_t:dir search;
+type opiekey_t, file_type, sysadmfile;
+allow local_login_t opiekey_t:file rw_file_perms;
+
#################################
#
# Rules for the remote_login_t domain.
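Review bot: The new `type opiekey_t, file_type, sysadmfile;` is declared in the middle of the local_login_t rules with no comment saying what it labels, even though the types.fc hunk of this change attaches it to `/etc/opiekeys`. I would add `# opiekey_t: /etc/opiekeys, the OPIE one-time-password state file; rw is needed because login updates it — confirm` above the type line and move the declaration next to the other file type declarations if the policy keeps them together. Because the file holds authentication state, the `sysadmfile` attribute deserves a note that it intentionally exposes the file to every sysadm domain. If OPIE is also used by sshd or remote logins on this distribution, those domains will hit denials on the same file; that cannot be confirmed from the hunk.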
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#3 (text+ko) ====
@@ -15,10 +15,20 @@
role sysadm_r types mount_t;
role system_r types mount_t;
+domain_auto_trans(init_t, mount_exec_t, mount_t)
domain_auto_trans(initrc_t, mount_exec_t, mount_t)
allow mount_t init_t:fd use;
allow mount_t privfd:fd use;
+# XXX/TBD
+# When you label a filesystem, the directories _under_ the mount points
+# aren't typically available, and remain unlabeled. Not sure what the
+# best fix is for this. In the meantime, allow the system to boot:
+allow init_t unlabeled_t:dir mounton;
+allow init_t device_t:filesystem mount;
+allow mount_t unlabeled_t:dir { mounton getattr };
+allow mount_t file_t:dir getattr;
+
allow mount_t self:capability { mknod ipc_lock dac_override };
allow mount_t self:process { fork signal_perms };
allow mount_t self:fd { create use };
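Review bot: The two new init_t rules (`allow init_t unlabeled_t:dir mounton;` and `allow init_t device_t:filesystem mount;`) govern the init domain but live in mount.te, so they silently disappear whenever mount.te is left out of a policy build, and init.te gives no hint that boot depends on them. I would move them to init.te, or at least extend the XXX comment with `# NOTE: the init_t rules below are required for boot even when mount.te is not built; keep in sync with init.te`. The comment should also record which mount points end up unlabeled on this distribution, so the workaround can later be narrowed to a specific type; as written, init_t and mount_t may mount over any unlabeled directory.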
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#2 (symlink) ====
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#7 (text+ko) ====
@@ -136,7 +136,7 @@
can_exec(sshd_t, sshd_exec_t);
# Use capabilities.
-allow sshd_t self:capability { sys_chroot sys_resource };
+allow sshd_t self:capability { net_admin sys_chroot sys_resource };
# Create /var/run/sshd.pid
var_run_domain(sshd)
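Review bot: The added `net_admin` capability for sshd_t (the single changed line) is a broad grant with no comment recording which operation requires it on FreeBSD, and the syslogd.te hunk adds the same capability to syslogd_t without a rationale either. A comment on both lines such as `# net_admin: required on FreeBSD for <operation from the audit record — placeholder>` would let a later reviewer drop the capability once the kernel check changes. If the trigger is only a socket option, it is worth checking whether the MAC framework maps that to a narrower check before granting the whole capability.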
==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#3 (text+ko) ====
@@ -31,7 +31,7 @@
allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
# Use capabilities.
-allow syslogd_t syslogd_t:capability { kill net_bind_service dac_override };
+allow syslogd_t syslogd_t:capability { kill net_admin net_bind_service dac_override };
# Inherit and use descriptors from init.
allow syslogd_t init_t:fd use;
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#3 (text+ko) ====
@@ -1,5 +1,5 @@
# mount
-/bin/mount system_u:object_r:mount_exec_t
+/sbin/mount system_u:object_r:mount_exec_t
/sbin/mdmfs system_u:object_r:mount_exec_t
/sbin/mount_.* system_u:object_r:mount_exec_t
/sbin/umount system_u:object_r:mount_exec_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#3 (text+ko) ====
@@ -1,2 +1,3 @@
/usr/libexec/save-entropy system_u:object_r:save_entropy_exec_t
/var/db/entropy(/.*)? system_u:object_r:var_db_entropy_t
+/entropy system_u:object_r:var_db_entropy_t
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#3 (text+ko) ====
@@ -11,4 +11,5 @@
/root/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t
-/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
+/usr/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t
+/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t
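Review bot: The new `/usr/home/[^/]+/\.ssh(/.*)?` entry assigns user_home_ssh_t, but the jadmin override that follows it is written only for the `/home/jadmin` path; if /home is a symlink to /usr/home on this distribution, which the new entry suggests, relabeling through /usr/home gives jadmin's .ssh directory user_home_ssh_t instead of staff_home_ssh_t. Adding `/usr/home/jadmin/\.ssh(/.*)? system_u:object_r:staff_home_ssh_t` after the jadmin line keeps the override effective on both paths, relying on the same later-entry-wins ordering the file already depends on. The hard-coded username is pre-existing and not part of this change.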
==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#5 (text+ko) ====
@@ -168,7 +168,7 @@
/etc/rc.d/sshd system_u:object_r:initrc_exec_t
/etc/rc.shutdown system_u:object_r:initrc_exec_t
/etc/rc system_u:object_r:initrc_exec_t
-
+/etc/opiekeys system_u:object_r:opiekey_t
#
# /lib
#
@@ -198,6 +198,7 @@
/usr(/.*)? system_u:object_r:usr_t
/usr/etc(/.*)? system_u:object_r:etc_t
/usr/libexec(/.*)? system_u:object_r:lib_t
+/libexec(/.*)? system_u:object_r:lib_t
/usr/src(/.*)? system_u:object_r:src_t
/usr/tmp(/.*)? system_u:object_r:tmp_t
/usr/man(/.*)? system_u:object_r:man_t
@@ -231,6 +232,7 @@
/usr/share/selinux(/.*)? system_u:object_r:policy_src_t
/usr/games(/.*)? system_u:object_r:bin_t
/usr/libexec/ld.*\.so.* system_u:object_r:ld_so_t
+/libexec/ld.*\.so.* system_u:object_r:ld_so_t
/usr/lib/pam_.* system_u:object_r:shlib_t
#
==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/su_macros.te#2 (text+ko) ====
@@ -46,6 +46,7 @@
allow $1_su_t bin_t:lnk_file read;
allow $1_su_t privfd:fd use;
+allow $1_su_t self:fd { create use };
# Write to utmp.
allow $1_su_t { var_t var_run_t }:dir search;