PERFORCE change 37446 for review

Andrew Reisse areisse at FreeBSD.org
Wed Sep 3 15:18:30 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=37446

Change 37446 by areisse at areisse_tislabs on 2003/09/03 08:17:53

	Updates to selinux policy to allow boot and login in sebsd.
	Some domains wanted by the default init process are in unused/:
	  mta ping sendmail rpcd lpd named dhcpc 
	gmake is required.
	The file_contexts have not been ported. First label with the old sebsd
	policy and then label some things manually.
	The flask directory has not been completely ported; the security class
	has been completely changed, and some other classes have new
	permissions.

Affected files ...

.. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/save-entropy.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/usbd.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/selinux_macros.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#2 (text+ko) ====

@@ -19,12 +19,15 @@
 PREFIX = /usr
 BINDIR = $(PREFIX)/bin
 SBINDIR = $(PREFIX)/sbin
-LOADPOLICY  = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-SETFILES = $(SBINDIR)/setfiles
+
+CHECKPOLICY = $(REALDESTDIR)/sbin/sebsd_checkpolicy
+LOADPOLICY = /sbin/sebsd_loadpolicy
+SETFILES = $(REALDESTDIR)/sbin/sebsd_setfiles
+M4 = $(REALDESTDIR)/usr/bin/m4 -Imacros -s
 
-POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
-INSTALLDIR = $(DESTDIR)/etc/security/selinux
+#POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
+POLICYVER := policy.13
+INSTALLDIR = $(DESTDIR)/etc/security/sebsd
 LOADPATH = $(INSTALLDIR)/$(POLICYVER)
 SRCINSTALLDIR = $(INSTALLDIR)/src
 POLICYCONF = $(SRCINSTALLDIR)/policy.conf
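Review bot: `POLICYVER := policy.13` pins the output file name to a constant while the binary policy is still written by whatever `$(CHECKPOLICY)` is installed, so the name in `LOADPATH` can stop matching the format version actually produced. Put the reason next to the commented-out query, e.g. `# sebsd_checkpolicy -V is not used here; bump by hand together with the version the kernel module accepts` (the reason itself is presumed, please confirm). `LOADPOLICY` is also the only tool path without the `$(REALDESTDIR)` prefix; if that is deliberate because it acts on the running system, a short comment should say so.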
@@ -48,13 +51,13 @@
 install: $(APPFILES) $(LOADPATH) 
 
 $(APPDIR)/default_contexts: appconfig/default_contexts
-	install -m 644 -o root -g root $< $@
+	install -m 644 -o root -g wheel $< $@
 
 $(APPDIR)/default_type: appconfig/default_type
-	install -m 644 -o root -g root $< $@
+	install -m 644 -o root -g wheel $< $@
 
 $(APPDIR)/initrc_context: appconfig/initrc_context
-	install -m 644 -o root -g root $< $@
+	install -m 644 -o root -g wheel $< $@
 
 $(LOADPATH):  $(POLICYCONF) $(CHECKPOLICY)
 	mkdir -p $(INSTALLDIR)
@@ -92,10 +95,10 @@
 CONSTRAINT_CONTEXT_MACRO_FILES := tmp/program_used_flags.te tmp/all_macros.te constraints initial_sid_contexts fs_use genfs_contexts net_contexts
 
 tmp/te-rbac.m4: $(TE_RBAC_MACRO_FILES)
-	m4 -Imacros -s $^ > $@
+	$(M4) $^ > $@
 
 tmp/constraints-contexts.m4: $(CONSTRAINT_CONTEXT_MACRO_FILES)
-	m4 -Imacros -s $^ > $@
+	$(M4) -Imacros -s $^ > $@
 
 tmp/all.te: $(ALLTEFILES)
 	cat $^ > $@
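Review bot: The `tmp/constraints-contexts.m4` recipe passes `-Imacros -s` twice, because `$(M4)` as defined earlier in this change already carries those flags and the recipe appends them again. The duplication is probably harmless to m4, but the two recipes now differ for no reason. Make it `$(M4) $^ > $@`, matching the `tmp/te-rbac.m4` rule.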

==== //depot/projects/trustedbsd/sebsd_policy/policy/assert.te#2 (text+ko) ====

@@ -118,7 +118,8 @@
 #
 # Verify that only the admin domains and initrc_t have setenforce.
 #
-neverallow ~{ admin initrc_t } security_t:security setenforce;
+#neverallow ~{ admin initrc_t } security_t:security setenforce;
+neverallow ~{ admin initrc_t } kernel_t:system avc_toggle;
 
 #
 # Verify that only the kernel and load_policy_t have load_policy.
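Review bot: The comment above the assertion still says `setenforce`, but the live rule now checks `kernel_t:system avc_toggle`. Update it to name the permission that is actually asserted, e.g. `# Verify that only the admin domains and initrc_t can toggle enforcing mode (system avc_toggle).`. The commented-out `security_t:security setenforce` rule is better deleted than kept beside the live one, since the security class no longer defines that permission after the access_vectors edit in this change.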

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/crond.te#2 (text+ko) ====

@@ -51,7 +51,7 @@
 file_type_auto_trans(crond_t, var_log_t, cron_log_t)
 
 # Use capabilities.
-allow crond_t crond_t:capability { setgid setuid net_bind_service };
+allow crond_t crond_t:capability { sys_resource setgid setuid net_bind_service };
 
 # Get security policy decisions.
 can_getsecurity(crond_t)
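Review bot: `sys_resource` is added to crond_t under the generic `# Use capabilities.` comment, with nothing saying which operation was denied. The capability lets the daemon exceed resource limits, so the reason belongs next to it, for example `# sys_resource: <operation that was denied at boot>`. Without that, nobody can tell later whether the grant is still needed.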

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/fsadm.te#2 (text+ko) ====

@@ -54,6 +54,8 @@
 # mkreiserfs needs this
 allow fsadm_t proc_t:filesystem getattr;
 
+allow fsadm_t device_t:filesystem getattr;
+
 # mkreiserfs and other programs need this for UUID
 allow fsadm_t random_device_t:chr_file { getattr read };
 
@@ -87,6 +89,7 @@
 # Enable swapping to devices and files
 allow fsadm_t swapfile_t:file { getattr swapon };
 allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+allow fsadm_t fixed_disk_device_t:chr_file { getattr swapon };
 
 # XXX Why does updfstab run insmod?
 domain_auto_trans(fsadm_t, insmod_exec_t, insmod_t)
@@ -100,3 +103,5 @@
 allow fsadm_t privfd:fd use;
 
 read_locale(fsadm_t)
+
+allow fsadm_t fs_type:filesystem getattr;

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#2 (text+ko) ====

@@ -23,6 +23,7 @@
 allow getty_t self:process { getpgid getsession };
 allow getty_t self:unix_dgram_socket create_socket_perms;
 allow getty_t self:unix_stream_socket create_socket_perms;
+allow getty_t self:fd { create use };
 
 # for ldap and other authentication services
 allow getty_t resolv_conf_t:file { getattr read };
@@ -56,5 +57,6 @@
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
 
+rw_dir_create_file(getty_t, var_lock_t)
 
-rw_dir_create_file(getty_t, var_lock_t)
+dontaudit getty_t sysadm_home_t:dir search;

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ifconfig.te#2 (text+ko) ====

@@ -36,6 +36,10 @@
 allow ifconfig_t proc_t:dir r_dir_perms;
 allow ifconfig_t proc_t:file r_file_perms;
 
+# read the kernel
+allow ifconfig_t boot_t:dir r_dir_perms;
+allow ifconfig_t boot_t:file r_file_perms;
+
 allow ifconfig_t privfd:fd use;
 
 # Create UDP sockets, necessary when called from dhcpc
@@ -53,3 +57,6 @@
 dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
 
 allow ifconfig_t fs_t:filesystem getattr;
+
+# read /etc/mac.conf
+allow ifconfig_t etc_t:file r_file_perms;
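Review bot: The rule added for `/etc/mac.conf` grants `r_file_perms` on every file labelled `etc_t`, not only on that one file. If ifconfig needs just this file, a dedicated type for it would keep ifconfig_t out of the rest of /etc; at minimum narrow the set to `{ getattr read }`, which is what ldconfig.te and rpcd.te use for `etc_t` files. The `boot_t` rules in the first hunk of this file have the same shape: "read the kernel" becomes read access to everything labelled `boot_t`.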

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/init.te#2 (text+ko) ====

@@ -22,6 +22,8 @@
 type initctl_t, file_type, sysadmfile;
 type sulogin_exec_t, file_type, exec_type, sysadmfile;
 
+allow init_t self:fd { create use };
+
 # for mount points
 allow init_t file_t:dir search;
 

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/initrc.te#2 (text+ko) ====

@@ -21,6 +21,8 @@
 uses_shlib(initrc_t);
 type initrc_exec_t, file_type, sysadmfile, exec_type;
 
+allow initrc_t self:fd { create use };
+
 # read files in /etc/init.d
 allow initrc_t etc_t:lnk_file r_file_perms;
 
@@ -42,6 +44,8 @@
 allow initrc_t usbdevfs_t:{ file lnk_file } r_file_perms;
 allow initrc_t usbdevfs_device_t:file getattr;
 
+allow initrc_t device_t:dir r_dir_perms;
+
 # allow initrc to fork and renice itself
 allow initrc_t self:process { fork sigchld setsched };
 
@@ -113,7 +117,7 @@
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
 
 # Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
+allow initrc_t ld_so_cache_t:file { unlink rw_file_perms };
 
 ifdef(`sendmail.te', `
 # Update /etc/mail.
@@ -181,6 +185,10 @@
 allow initrc_t ttyfile:chr_file relabelfrom;
 allow initrc_t tty_device_t:chr_file relabelto;
 
+# Use lock files in /var/spool/lock.
+allow initrc_t var_spool_t:dir create_file_perms;
+allow initrc_t var_spool_t:file { rw_file_perms unlink };
+
 ifdef(`rpm.te', `
 # Create and read /boot/kernel.h.
 # Redhat systems typically create this file at boot time.
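Review bot: `allow initrc_t var_spool_t:dir create_file_perms;` applies a file permission set to class `dir`, while the file rule beside it has no `create`. If `create_file_perms` is defined as in the stock macros it carries no `add_name`, `remove_name` or `search`, so creating and removing lock files would still be denied. The usual pairing is `allow initrc_t var_spool_t:dir rw_dir_perms;` with `allow initrc_t var_spool_t:file create_file_perms;`. The same mismatch appears in later hunks: `var_db_entropy_t:dir read` next to a file `unlink`, `device_t:dir { add_name }` without `write`, and `var_log_t:dir create_file_perms` in syslogd.te. The comment names /var/spool/lock, but the rule covers everything labelled `var_spool_t`.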
@@ -225,6 +233,10 @@
 allow initrc_t var_lib_rpm_t:file create_file_perms;
 ')
 
+# access /var/db/entropy
+allow initrc_t var_db_entropy_t:dir read;
+allow initrc_t var_db_entropy_t:file { unlink rw_file_perms };
+
 # Update /var/log/ksyms.*.
 file_type_auto_trans(initrc_t, var_log_t, var_log_ksyms_t)
 
@@ -259,6 +271,10 @@
 allow initrc_t tmpfile:dir { rw_dir_perms rmdir };
 allow initrc_t tmpfile:notdevfile_class_set { getattr unlink };
 
+# allow making links in /dev
+allow initrc_t device_t:dir { add_name };
+allow initrc_t device_t:lnk_file { create };
+
 #################################
 #
 # Rules for the run_init_t domain.

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ldconfig.te#2 (text+ko) ====

@@ -18,10 +18,11 @@
 dontaudit ldconfig_t device_t:dir search;
 allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 allow ldconfig_t privfd:fd use;
+allow ldconfig_t self:fd *;
 
 uses_shlib(ldconfig_t)
 
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t)
+file_type_auto_trans(ldconfig_t, var_run_t, ld_so_cache_t)
 file_type_auto_trans(ldconfig_t, lib_t, shlib_t)
 # allow removing mis-labelled links
 allow ldconfig_t lib_t:lnk_file unlink;
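Review bot: `allow ldconfig_t self:fd *;` uses a wildcard where the other domains touched by this change (`init_t`, `initrc_t`, `getty_t`, `mount_t`) get `{ create use }`. After the access_vectors edit the `fd` class has only those two permissions, so the grant is identical today, but `*` will silently pick up anything added to the class later. Write `allow ldconfig_t self:fd { create use };`; the same applies to `allow $1 self:fd *;` in ssh.te.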
@@ -29,5 +30,12 @@
 allow ldconfig_t userdomain:fd use;
 allow ldconfig_t etc_t:file { getattr read };
 allow ldconfig_t etc_t:lnk_file read;
+allow ldconfig_t var_t:dir r_dir_perms;
 
 allow ldconfig_t fs_t:filesystem getattr;
+
+# libraries may not be owned by root
+allow ldconfig_t self:capability { dac_write dac_read_search };
+
+# ldconfig uses /dev/random for some reason
+allow ldconfig_t random_device_t:{chr_file lnk_file} r_file_perms;
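Review bot: The `random_device_t` rule at the end repeats what `uses_shlib(ldconfig_t)` now grants through the global_macros.te edit in this same change, so it can be dropped. The capability line needs more than `libraries may not be owned by root`, because `dac_write` and `dac_read_search` let ldconfig_t bypass discretionary checks on any file the type rules allow it to reach. Name the directories that are not root-owned, e.g. `# dac_write: <library directories not owned by root>`, so the grant can be removed once their ownership is fixed.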

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/login.te#2 (text+ko) ====

@@ -49,12 +49,15 @@
 allow $1_login_t device_t:dir r_dir_perms;
 allow $1_login_t device_t:lnk_file r_file_perms;
 
+# Use pam libraries.
+allow $1_login_t lib_t:{file lnk_file} rx_file_perms;
+
 uses_shlib($1_login_t);
 
 tmp_domain($1_login)
 
 # Use capabilities
-allow $1_login_t self:capability { setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource };
+allow $1_login_t self:capability { linux_immutable setuid setgid chown fowner fsetid net_bind_service sys_tty_config dac_override sys_nice sys_resource };
 
 # Run shells in user_t by default.
 domain_auto_trans($1_login_t, shell_exec_t, user_t)
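Review bot: `linux_immutable` is added to every `$1_login_t` domain with no comment on why a login program needs to change immutable or append-only file flags. Record the denied operation beside it, e.g. `# linux_immutable: <operation denied during login>`, or drop it if it was added only to silence a denial. The enclosing macro begins outside this hunk, so the set of domains it expands to is not visible here.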
@@ -149,6 +152,8 @@
 allow local_login_t var_run_t:dir rw_dir_perms;
 allow local_login_t var_run_t:file create_file_perms;
 
+allow local_login_t sysadm_home_t:dir search;
+
 #################################
 #
 # Rules for the remote_login_t domain.

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mount.te#2 (text+ko) ====

@@ -19,8 +19,9 @@
 allow mount_t init_t:fd use;
 allow mount_t privfd:fd use;
 
-allow mount_t self:capability { ipc_lock dac_override };
+allow mount_t self:capability { mknod ipc_lock dac_override };
 allow mount_t self:process { fork signal_perms };
+allow mount_t self:fd { create use };
 
 allow mount_t file_type:dir search;
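Review bot: `mknod` is added to mount_t's capabilities without a comment, unlike the other additions in this file, which each say what they are for. State what needs it, for example `# mknod: <operation denied while mounting>`, so the grant can be reviewed against that need.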
 
@@ -28,6 +29,9 @@
 allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
 allow mount_t removable_device_t:devfile_class_set rw_file_perms;
 
+# device_t is also used as a fs_type in freebsd
+allow mount_t device_t:filesystem mount_fs_perms;
+
 # Mount, remount and unmount file systems.
 allow mount_t fs_type:filesystem mount_fs_perms;
 allow mount_t file_t:dir mounton;
@@ -43,4 +47,8 @@
 ')
 allow mount_t root_t:filesystem unmount;
 
+# run fs-specific mount programs
+allow mount_t mount_exec_t:file execute_no_trans;
 
+# read resolv.conf
+allow mount_t resolv_conf_t:file r_file_perms;

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#2 (text+ko) ====

@@ -15,6 +15,7 @@
 allow $1 self:unix_stream_socket create_stream_socket_perms;
 allow $1 self:fifo_file rw_file_perms;
 allow $1 self:process { fork sigchld setsched };
+allow $1 self:fd *;
 
 # Read system information files in /proc.
 allow $1 proc_t:dir r_dir_perms;
@@ -49,7 +50,7 @@
 allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
 
 # Read /dev/random and /dev/zero.
-allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:{ lnk_file chr_file } r_file_perms;
 
 can_network($1)
 

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/syslogd.te#2 (text+ko) ====

@@ -14,6 +14,7 @@
 # by syslogd.
 #
 daemon_domain(syslogd)
+#read_locale(syslogd_t)
 
 # can_network is for the UDP socket
 can_network(syslogd_t)
@@ -30,17 +31,20 @@
 allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
 
 # Use capabilities.
-allow syslogd_t syslogd_t:capability { net_bind_service dac_override };
+allow syslogd_t syslogd_t:capability { kill net_bind_service dac_override };
 
 # Inherit and use descriptors from init.
 allow syslogd_t init_t:fd use;
 allow syslogd_t { initrc_devpts_t console_device_t }:chr_file { read write };
 
 # Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
+#create_append_log_file(syslogd_t, var_log_t)
+allow syslogd_t var_log_t:dir create_file_perms;
+allow syslogd_t var_log_t:file rw_file_perms;
 
 # Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
+file_type_auto_trans(syslogd_t, { device_t var_run_t syslogd_var_run_t }, devlog_t, sock_file)
+allow syslogd_t { var_t var_log_t }:dir search;
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_dgram_socket { sendto };
 allow syslogd_t self:unix_stream_socket create_socket_perms;
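Review bot: The replacement for `create_append_log_file` gives syslogd_t `rw_file_perms` on every `var_log_t` file, which presumably includes plain `write` where the macro's name indicates append-only access. That lets the logging daemon, or anything that takes it over, overwrite or truncate existing logs, which is the integrity property an append-only rule protects. The directory rule also applies the file set `create_file_perms` to class `dir`. If the macro did not work on FreeBSD, leave a comment saying why and keep the file grant narrow, e.g. `allow syslogd_t var_log_t:file { create getattr setattr append };`. The added `kill` capability is undocumented as well.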
@@ -71,3 +75,6 @@
 #allow syslogd_t proc_t:dir search;
 #allow syslogd_t proc_kmsg_t:file { getattr read };
 
+# allow access to klog
+allow syslogd_t klog_device_t:chr_file { poll read };
+

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/dhcpc.te#2 (text+ko) ====

@@ -20,6 +20,7 @@
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:fd { create use };
 
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
@@ -71,13 +72,16 @@
 allow dhcpc_t self:packet_socket recvfrom;
 allow dhcpc_t { netmsg_eth0_t netmsg_eth1_t }:packet_socket { recvfrom };
 allow dhcpc_t icmp_socket_t:packet_socket { recvfrom };
-allow dhcpc_t var_lib_t:dir search;
+allow dhcpc_t var_db_t:dir search;
+file_type_auto_trans(dhcpc_t, var_db_t, dhcpc_state_t)
 file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t)
 
 allow dhcpc_t bin_t:dir search;
 allow dhcpc_t bin_t:lnk_file read;
 can_exec(dhcpc_t, { bin_t shell_exec_t })
 
+allow dhcpc_t bpf_device_t:chr_file { poll rw_file_perms };
+
 dontaudit dhcpc_t domain:packet_socket recvfrom;
 dontaudit dhcpc_t { netmsg_t icmp_socket_t tcp_socket_t }:packet_socket recvfrom;
 dontaudit dhcpc_t icmp_socket_t:rawip_socket recvfrom;

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#2 (text+ko) ====

@@ -20,7 +20,11 @@
 allow init_t rpcd_t:udp_socket write;
 
 read_locale(rpcd_t)
+
+# read/write mounttab
+allow rpcd_t { var_t var_db_t }: dir { search };
 allow rpcd_t etc_t:file { getattr read };
+allow rpcd_t etc_runtime_t:file rw_file_perms;
 
 allow rpcd_t self:unix_dgram_socket create_socket_perms;
 allow rpcd_t self:unix_stream_socket create_socket_perms;
@@ -29,6 +33,9 @@
 can_udp_send(mount_t, rpcd_t)
 can_udp_send(rpcd_t, mount_t)
 
+# statfs /dev
+allow rpcd_t device_t:filesystem getattr;
+
 tmp_domain(rpcd)
 
 # for /proc/fs/nfs/exports - should we have a new type?
@@ -59,6 +66,8 @@
 # allow nfsd to do its thing - should go into its own domain
 #allow rpcd_t self:capability sys_admin;
 
+allow rpcd_t nfs_t:filesystem getattr;
+
 # nfs kernel server needs kernel UDP access.  It is less risky and painful
 # to just give it everything.
 can_network(kernel_t)

==== //depot/projects/trustedbsd/sebsd_policy/policy/flask/access_vectors#2 (text+ko) ====

@@ -10,6 +10,7 @@
 
 common file
 {
+	poll
 	ioctl
 	read
 	write
@@ -19,7 +20,9 @@
 	lock
 	relabelfrom
 	relabelto
+	transition
 	append
+	access
 	unlink
 	link
 	rename
@@ -37,6 +40,7 @@
 common socket
 {
 # inherited from file
+	poll
 	ioctl
 	read
 	write
@@ -46,6 +50,7 @@
 	lock
 	relabelfrom
 	relabelto
+	transition
 	append
 # socket-specific
 	bind
@@ -137,6 +142,7 @@
 
 class fd
 {
+	create
 	use
 }
 
@@ -175,6 +181,8 @@
 
 class netif
 {
+	getattr
+	setattr
 	tcp_recv
 	tcp_send
 	udp_recv
@@ -212,11 +220,10 @@
 {
 	fork
 	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
+	sigchld
+	sigkill
+	sigstop
+	signal
 	ptrace
 	getsched
 	setsched
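Review bot: The inline comments on the signal permissions are deleted on the new side, which removes the file's only explanation of what `signull` and the catch-all `signal` cover. Keep them, e.g. `sigkill # cannot be caught or ignored`, and `signull # for kill(pid, 0)` where it is re-added in the following hunk. `signull` is also moved below `share` there; if that position is dictated by the kernel's permission numbering, a short comment saying so would stop someone from regrouping it later. The class body starts and ends outside these hunks.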
@@ -226,6 +233,7 @@
 	getcap
 	setcap
 	share
+	signull
 	getattr
 	setexec
 	setfscreate
@@ -275,7 +283,6 @@
 	load_policy
 	compute_relabel
 	compute_user
-	setenforce     # was avc_toggle in system class
 }
 
 
@@ -285,8 +292,15 @@
 
 class system
 {
+	net_io_control
+	route_control
+	arp_control
+	rarp_control
 	ipc_info
-	syslog_read  
+	avc_toggle
+	nfsd_control
+	bdflush
+	syslog_read
 	syslog_mod
 	syslog_console
 }
@@ -302,14 +316,29 @@
 	# those definitions. (Order matters)
 
 	chown           
-	dac_override    
+	dac_execute
+	dac_write
 	dac_read_search 
 	fowner          
 	fsetid          
-	kill            
+	kill
+	link_dir
+	setfcap            
 	setgid           
-	setuid           
-	setpcap          
+	setuid 
+	mac_downgrade
+	mac_read
+	mac_relabel_subj
+	mac_upgrade
+	mac_write
+	inf_nofloat_obj
+	inf_nofloat_subj
+	inf_relabel_obj
+	inf_relabel_subj
+	audit_control
+	audit_write        
+	setpcap
+	xxx_invalid1          
 	linux_immutable  
 	net_bind_service 
 	net_broadcast    
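Review bot: `dac_override` is removed from the capability class here, yet new-side rules elsewhere in this change still name it: `$1_login_t self:capability` in login.te, `mount_t self:capability` in mount.te and `syslogd_t syslogd_t:capability` in syslogd.te. Unless the permission is declared again in the part of the class outside this hunk, those rules reference a name the class no longer defines and the policy should fail to compile. They need to be rewritten in terms of `dac_execute`, `dac_write` and `dac_read_search`, as ldconfig.te already does. `xxx_invalid1` also deserves a comment, e.g. `# placeholder, keeps the following bit positions fixed`, if that is its purpose.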
@@ -332,11 +361,6 @@
 	lease
 }
 
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
 class passwd
 {
 	passwd

==== //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#2 (text+ko) ====

@@ -2,10 +2,9 @@
 # Define the labeling behavior for inodes in particular filesystem types.
 # This information was formerly hardcoded in the SELinux module.
 
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t;
-fs_use_xattr ext3 system_u:object_r:fs_t;
+fs_use_psid ext2;
+fs_use_psid ext3;
+fs_use_psid ufs;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
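Review bot: The three `fs_use_psid` lines replace a commented block with no comment at all, so the file no longer says what labeling behaviour ext2, ext3 and ufs get. Add a line above them such as `# Use persistent SID mappings for the following filesystem types.`. The ext2 and ext3 entries look carried over from the Linux policy; if they are not expected to be labelled on sebsd, a note saying so would help.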

==== //depot/projects/trustedbsd/sebsd_policy/policy/genfs_contexts#2 (text+ko) ====

@@ -2,8 +2,8 @@
 
 #
 # Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes 
-# specified in fs_use.
+# cannot support persistent label mappings or use one of the
+# fixed labeling schemes specified in fs_use.
 #
 # Each specifications has the form:
 # 	genfscon fstype pathname-prefix [ -type ] context
@@ -18,51 +18,67 @@
 # field by ls, e.g. use -c to match only character device files, -b
 # to match only block device files.
 #
-# Except for proc, other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem 
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
 
-# proc (excluding /proc/PID)
+# proc (excluding /proc/PID and /proc/sys)
 genfscon proc /				system_u:object_r:proc_t
 genfscon proc /kmsg			system_u:object_r:proc_kmsg_t
 genfscon proc /kcore			system_u:object_r:proc_kcore_t
-genfscon proc /sysvipc			system_u:object_r:proc_t
-genfscon proc /sys			system_u:object_r:sysctl_t
-genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
-genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t
-genfscon proc /sys/net			system_u:object_r:sysctl_net_t
-genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t
-genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t
-genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t
 
-# rootfs
-genfscon rootfs /			system_u:object_r:root_t
+# procfs (FreeBSD)
+genfscon procfs /			system_u:object_r:proc_t
 
-# sysfs
-genfscon sysfs /			system_u:object_r:sysfs_t
+# nfs
+genfscon nfs /				system_u:object_r:nfs_t
 
-# selinuxfs
-genfscon selinuxfs /			system_u:object_r:security_t
+# driverfs
+genfscon driverfs /			system_u:object_r:driverfs_t
 
-# autofs
-ifdef(`automount.te', `
-genfscon autofs /			system_u:object_r:autofs_t
-')
+# usbdevfs
+genfscon usbdevfs /			system_u:object_r:usbdevfs_t
+genfscon usbdevfs /0 -- 		system_u:object_r:usbdevfs_device_t
 
-# iso9660
-genfscon iso9660 /			system_u:object_r:iso9660_t
-
-# vfat, msdos
-genfscon vfat /				system_u:object_r:dosfs_t
-genfscon msdos /			system_u:object_r:dosfs_t
-
-# nfs
-genfscon nfs /				system_u:object_r:nfs_t
+# devfs
+genfscon devfs /			system_u:object_r:device_t
+genfscon devfs /null			system_u:object_r:null_device_t
+genfscon devfs /zero			system_u:object_r:zero_device_t
+genfscon devfs /console		system_u:object_r:console_device_t
+genfscon devfs /kmem			system_u:object_r:memory_device_t
+genfscon devfs /mem			system_u:object_r:memory_device_t
+genfscon devfs /random		system_u:object_r:random_device_t
+genfscon devfs /urandom		system_u:object_r:random_device_t
+genfscon devfs /tty			system_u:object_r:devtty_t
+genfscon devfs /ctty			system_u:object_r:devtty_t
+genfscon devfs /ttyv			system_u:object_r:tty_device_t
+genfscon devfs /pty			system_u:object_r:devpts_t
+genfscon devfs /ttyp			system_u:object_r:devpts_t
+genfscon devfs /ttyq			system_u:object_r:devpts_t
+genfscon devfs /ttyr			system_u:object_r:devpts_t
+genfscon devfs /ttys			system_u:object_r:devpts_t
+genfscon devfs /ttyP			system_u:object_r:devpts_t
+genfscon devfs /ttyQ			system_u:object_r:devpts_t
+genfscon devfs /ttyR			system_u:object_r:devpts_t
+genfscon devfs /ttyS			system_u:object_r:devpts_t
+#genfscon devfs /cua			system_u:object_r:serial_device_t
+#genfscon devfs /ttyd			system_u:object_r:serial_device_t
+#genfscon devfs /ttyid			system_u:object_r:serial_device_t
+#genfscon devfs /ttyld			system_u:object_r:serial_device_t
+genfscon devfs /ad	-c		system_u:object_r:fixed_disk_device_t
+genfscon devfs /acd	-c		system_u:object_r:fixed_disk_device_t
+genfscon devfs /fd 	-c		system_u:object_r:removable_device_t
+genfscon devfs /ppp			system_u:object_r:ppp_device_t
+genfscon devfs /initctl		system_u:object_r:initctl_t
+genfscon devfs /log			system_u:object_r:devlog_t
+genfscon devfs /misc/psaux		system_u:object_r:mouse_device_t
+genfscon devfs /input/mouse		system_u:object_r:mouse_device_t
+genfscon devfs /mse			system_u:object_r:mouse_device_t
+genfscon devfs /psm			system_u:object_r:mouse_device_t
+genfscon devfs /ums			system_u:object_r:mouse_device_t
+#genfscon devfs /sysmouse		system_u:object_r:sysmouse_device_t
+#genfscon devfs /gpmctl		system_u:object_r:gpmctl_t
+genfscon devfs /ptmx			system_u:object_r:ptmx_t
+genfscon devfs /acpi			system_u:object_r:apm_bios_t
+genfscon devfs /sound -c		system_u:object_r:sound_device_t
+genfscon devfs /usb			system_u:object_r:usbdevfs_device_t
+genfscon devfs /bpf -c			system_u:object_r:bpf_device_t
+genfscon devfs /klog			system_u:object_r:klog_device_t
+# FLASK
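Review bot: Several devfs entries are typed differently or more broadly than their names suggest, which matters because each path is a prefix (`pathname-prefix` in the header comment). `/acd -c` labels the ATAPI CD-ROM nodes `fixed_disk_device_t`, the type fsadm_t is allowed `swapon` on, where `removable_device_t` looks like the intended type; `/fd -c` will also match character nodes under `/dev/fd/` if devfs exposes them, not only floppy devices. Devices with no entry fall back to `device_t` through the `/` line, so a comment listing which disk drivers are deliberately left out would make the gaps reviewable. The trailing `# FLASK` comment looks like a leftover.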

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#2 (text+ko) ====

@@ -233,8 +233,10 @@
 define(`can_setenforce',`
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
+#allow $1 security_t:security setenforce;
+#auditallow $1 security_t:security setenforce;
+allow $1 kernel_t:system avc_toggle;
+auditallow $1 kernel_t:system avc_toggle;
 ')
 
 ##################################
@@ -352,6 +354,8 @@
 #
 define(`uses_shlib',`
 allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
+allow $1 lib_t:file getattr; #!!!
+allow $1 { var_t var_run_t }:dir search;
 allow $1 lib_t:lnk_file r_file_perms;
 allow $1 ld_so_t:file rx_file_perms;
 allow $1 ld_so_t:file execute_no_trans;
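Review bot: `allow $1 lib_t:file getattr; #!!!` is added to `uses_shlib`, which this change shows being called for initrc_t, ldconfig_t and the login domains, so the marker leaves an unexplained grant in a macro with wide reach. Replace `#!!!` with the reason, e.g. `# <why getattr on lib_t files is needed>`, or with an `# XXX` note stating what remains to be checked. The macro body continues outside this hunk.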
@@ -361,6 +365,9 @@
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
+
+# on freebsd /dev/random uses a PRNG, so this is safe
+allow $1 random_device_t:{chr_file lnk_file} { poll r_file_perms };
 ')
 
 #################################
@@ -611,9 +618,7 @@
 # Access the pty master multiplexer.
 allow $1_t ptmx_t:chr_file rw_file_perms;
 
-ifdef(`devfsd.te', `
 allow $1_t device_t:filesystem getattr;
-')
 allow $1_t devpts_t:filesystem getattr;
 
 # allow searching /dev/pts
@@ -893,6 +898,7 @@
 
 # Read /dev/random and /dev/zero.
 allow $1 random_device_t:chr_file r_file_perms;
+allow $1 random_device_t:lnk_file r_file_perms;
 allow $1 zero_device_t:chr_file r_file_perms;
 
 # Read the root directory of a tmpfs filesytem and any symbolic links.
@@ -1019,6 +1025,7 @@
 
 allow $1_t { self proc_t }:dir r_dir_perms;
 allow $1_t { self proc_t }:lnk_file read;
+allow $1_t self:fd { create use };
 
 allow $1_t device_t:dir { getattr search };
 allow $1_t null_device_t:chr_file rw_file_perms;

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/mount_macros.te#2 (text+ko) ====

@@ -35,8 +35,9 @@
 # Use capabilities.
 allow $2_t self:capability { net_bind_service sys_rawio sys_admin };
 
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
+# Create and modify /var/db/mtab.
+allow $2_t var_db_t:dir r_dir_perms;
+file_type_auto_trans($2_t, var_db_t, etc_runtime_t, file)
 
 allow $2_t etc_t:file { getattr read };
 

==== //depot/projects/trustedbsd/sebsd_policy/policy/types/device.te#2 (text+ko) ====

@@ -110,9 +110,14 @@
 # Type for /dev/cpu/mtrr
 type mtrr_device_t, file_type;
 
+# Type for /dev/bpf*
+type bpf_device_t, file_type;
 
 # Type for /dev/apm_bios
 type apm_bios_t, file_type;
 
 # Type for v4l
 type v4l_device_t, file_type;
+
+# Type for /dev/klog
+type klog_device_t, file_type;

==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#2 (text+ko) ====

@@ -167,6 +167,7 @@
 type tetex_data_t, file_type, sysadmfile, tmpfile;
 type var_spool_t, file_type, sysadmfile;
 type var_yp_t, file_type, sysadmfile;
+type var_db_t, file_type, sysadmfile;
 
 # Type for /var/log/sa.
 type var_log_sa_t, file_type, sysadmfile, logfile;
@@ -271,3 +272,5 @@
 
 type dosfs_t, fs_type, root_dir_type, sysadmfile;
 allow dosfs_t dosfs_t:filesystem associate;
+
+type var_db_entropy_t, file_type, sysadmfile;