PERFORCE change 33724 for review
Chris Vance
cvance at FreeBSD.org
Fri Jun 27 01:28:48 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=33724
Change 33724 by cvance at cvance_demo on 2003/06/26 18:28:30
Update SEBSD policy slightly - allows system to boot in enforcing
mode, with (very) basic support.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#2 (text+ko) ====
@@ -41,5 +41,8 @@
allow getty_t tty_device_t:chr_file rw_file_perms;
allow getty_t ttyfile:chr_file rw_file_perms;
+rw_dir_create_file(getty_t, var_lock_t)
-rw_dir_create_file(getty_t, var_lock_t)
+# Allow getty _secure_path call to stat /root/.login_conf
+allow getty_t sysadm_home_t:dir r_dir_perms;
+
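Review bot: The added `allow getty_t sysadm_home_t:dir r_dir_perms;` grants more than the comment above it asks for. A stat of /root/.login_conf needs only path lookup through the directory, while r_dir_perms, as usually defined in the policy macros, also allows reading the directory listing. Consider `allow getty_t sysadm_home_t:dir search;` instead, or a `dontaudit` rule if login works without the stat succeeding. getty runs before any user has authenticated, so the administrator's home directory should stay as closed to it as the boot path permits.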
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#2 (text+ko) ====
@@ -76,6 +76,7 @@
# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;
+allow initrc_t ld_so_cache_t:file unlink;
# Update /etc/mail.
allow initrc_t etc_mail_t:file rw_file_perms;
@@ -98,6 +99,7 @@
# Access /var/db/entropy.
allow initrc_t var_db_entropy_t:file rw_file_perms;
allow initrc_t var_db_entropy_t:file unlink;
+allow initrc_t var_db_entropy_t:dir read;
# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
@@ -154,6 +156,8 @@
ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
allow initrc_t var_spool_t:file rw_file_perms;
+allow initrc_t var_spool_t:file { create unlink };
+allow initrc_t var_spool_t:dir rw_dir_perms;
ifdef(`pump.te', `allow initrc_t pump_var_run_t:sock_file unlink;')
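Review bot: The two added var_spool_t rules give initrc_t create/unlink on files and write access to directories of the generic spool type, with no comment saying which startup step needs them. Neighbouring rules in this file carry such a comment (`# Access /var/db/entropy.`). Everything still labelled var_spool_t is covered by this grant, so a line such as `# <rc script> creates/removes <file> under /var/spool.` would record the reason. It would also make it possible to move that path to its own type later. The surrounding rule list continues outside the hunk.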
@@ -209,3 +213,6 @@
allow initrc_t pidfile:sock_file unlink;
allow initrc_t tmpfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)
+
+allow initrc_t devfs_t:dir rw_dir_perms;
+allow initrc_t devfs_t:lnk_file create;
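Review bot: `allow initrc_t devfs_t:dir rw_dir_perms;` together with `allow initrc_t devfs_t:lnk_file create;` lets every script running as initrc_t add names and symlinks under the devfs mount, and the block carries no comment explaining why. Names under /dev are resolved by other domains, so this grant deserves a stated reason and should be narrowed once the enforcing-mode boot path is settled. It is presumably needed for device links that the rc scripts create at boot, which should be confirmed. A comment such as `# rc creates device symlinks in /dev at boot (devfs).` would match the style of the rest of the file. The `allow ldconfig_t init_t:fd use;` rule added in ldconfig.te is likewise uncommented.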
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#3 (text+ko) ====
@@ -25,3 +25,5 @@
allow ldconfig_t etc_t:file r_file_perms;
allow ldconfig_t fs_t:filesystem getattr;
+
+allow ldconfig_t init_t:fd use;