PERFORCE change 38576 for review

Andrew Reisse areisse at FreeBSD.org
Thu Sep 25 14:16:46 GMT 2003 

http://perforce.freebsd.org/chv.cgi?CH=38576

Change 38576 by areisse at areisse_tislabs on 2003/09/25 07:15:54

	Updates to selinux policy.
	Files should be labelled correctly.
	ssh and login should work in enforcing mode.

Affected files ...

.. //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/atrun.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/checkpolicy.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/dhcpc.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/lpd.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/lpr.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/mta.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/rpcd.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/sendmail.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/atrun.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/checkpolicy.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/dhcpc.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/fsadm.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/getty.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/login.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ping.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/save-entropy.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/su.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/usbd.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd_policy/policy/Makefile#3 (text+ko) ====

@@ -26,12 +26,14 @@
 M4 = $(REALDESTDIR)/usr/bin/m4 -Imacros -s
 
 #POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
-POLICYVER := policy.13
+POLICYVER := policy.16
 INSTALLDIR = $(DESTDIR)/etc/security/sebsd
 LOADPATH = $(INSTALLDIR)/$(POLICYVER)
 SRCINSTALLDIR = $(INSTALLDIR)/src
 POLICYCONF = $(SRCINSTALLDIR)/policy.conf
 
+MULTILABELMOUNTS := $(shell /sbin/mount -t ufs -p | /usr/bin/awk '{if (match($$4, "multilabel")) {print $$2}}')
+
 POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
 POLICYFILES += mls
@@ -72,7 +74,7 @@
 
 $(POLICYCONF): policy.conf 
 	mkdir -p $(SRCINSTALLDIR)
-	install -m 644 -o root -g root policy.conf $@
+	install -m 644 -o root -g wheel policy.conf $@
 
 reload tmp/load: $(LOADPATH)
 	$(LOADPOLICY) $(LOADPATH)
@@ -121,10 +123,10 @@
 	cat domains/*.te domains/misc/*.te domains/program/*.te > $@
 
 relabel:  $(FC) $(SETFILES)
-	$(SETFILES) $(FC) `mount | awk '/ext[23]/{print $$3}'`
+	$(SETFILES) $(FC) $(MULTILABELMOUNTS)
 
 reset:  $(FC) $(SETFILES)
-	$(SETFILES) -R $(FC) `mount | awk '/ext[23]/{print $$3}'`
+	$(SETFILES) -R $(FC) $(MULTILABELMOUNTS)
 
 $(FC): $(FCFILES) file_contexts/program 
 	cat $(FCFILES) > $@

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/checkpolicy.te#2 (text+ko) ====

@@ -57,4 +57,5 @@
 can_exec(user_t, checkpolicy_exec_t)
 
 allow checkpolicy_t privfd:fd use;
+allow checkpolicy_t checkpolicy_t:fd { use create };
 

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/cleanvar.te#2 (text+ko) ====

@@ -18,5 +18,6 @@
 allow cleanvar_t { pidfile var_spool_t }:file { getattr unlink };
 
 allow cleanvar_t { var_t etc_t bin_t sbin_t root_t } :dir r_dir_perms;
+allow cleanvar_t self:capability dac_override;
 can_exec(cleanvar_t, bin_t)
 general_domain_access(cleanvar_t) #!!!

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/getty.te#3 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#3 (text+ko) ====

@@ -13,7 +13,7 @@
 uses_shlib($1)
 allow $1 self:unix_dgram_socket create_socket_perms;
 allow $1 self:unix_stream_socket create_stream_socket_perms;
-allow $1 self:fifo_file rw_file_perms;
+allow $1 self:fifo_file { poll rw_file_perms };
 allow $1 self:process { fork sigchld setsched };
 allow $1 self:fd *;
 
@@ -172,6 +172,11 @@
 allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
 allow sshd_login_t userpty_type:chr_file { getattr relabelfrom relabelto };
 
+# open old-style ptys
+allow sshd_login_t devpts_t:chr_file { read write relabelfrom relabelto getattr setattr };
+
+allow sshd_login_t self:capability { linux_immutable sys_resource };
+
 read_locale(sshd_t)
 
 # Allow checking users mail at login

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/rpcd.te#3 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/checkpolicy.fc#2 (text+ko) ====

@@ -1,2 +1,3 @@
 # checkpolicy
 /usr/bin/checkpolicy			system_u:object_r:checkpolicy_exec_t
+/sbin/sebsd_checkpolicy		system_u:object_r:checkpolicy_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/crond.fc#2 (text+ko) ====

@@ -19,3 +19,7 @@
 /var/spool/fcron/systab		system_u:object_r:sysadm_cron_spool_t
 /var/run/fcron\.fifo		system_u:object_r:crond_var_run_t
 /var/run/fcron\.pid		system_u:object_r:crond_var_run_t
+# FreeBSD
+/var/cron			system_u:object_r:cron_spool_t
+/var/cron/tabs/.*		system_u:object_r:user_cron_spool_t
+/var/cron/tabs/root		system_u:object_r:sysadm_cron_spool_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/dhcpc.fc#2 (text+ko) ====

@@ -7,5 +7,6 @@
 /var/lib/dhcp(3)?		system_u:object_r:dhcp_state_t
 /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid	system_u:object_r:dhcpc_var_run_t
+/var/db/dhclient.leases		system_u:object_r:dhcpc_state_t
 # pump
 /sbin/pump			system_u:object_r:dhcpc_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/fsadm.fc#2 (text+ko) ====

@@ -17,7 +17,7 @@
 /sbin/parted			system_u:object_r:fsadm_exec_t
 /sbin/tune2fs			system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs			system_u:object_r:fsadm_exec_t
-/sbin/swapon			system_u:object_r:fsadm_exec_t
+/sbin/swap(on|off|ctl)		system_u:object_r:fsadm_exec_t
 /sbin/hdparm			system_u:object_r:fsadm_exec_t
 /sbin/raidstart			system_u:object_r:fsadm_exec_t
 /sbin/mkraid			system_u:object_r:fsadm_exec_t
@@ -28,3 +28,9 @@
 /usr/sbin/smart(d|ctl)		system_u:object_r:fsadm_exec_t
 /sbin/lvmiopversion		system_u:object_r:fsadm_exec_t
 /sbin/install-mbr		system_u:object_r:fsadm_exec_t
+
+# FreeBSD
+/sbin/bsdlabel			system_u:object_r:fsadm_exec_t
+/sbin/disklabel			system_u:object_r:fsadm_exec_t
+/sbin/dumpon			system_u:object_r:fsadm_exec_t
+/sbin/newfs			system_u:object_r:fsadm_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/getty.fc#2 (text+ko) ====

@@ -1,3 +1,4 @@
 # getty
 /sbin/.*getty			system_u:object_r:getty_exec_t
 /etc/mgetty(/.*)?		system_u:object_r:etc_getty_t
+/usr/libexec/getty		system_u:object_r:getty_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/login.fc#2 (text+ko) ====

@@ -1,2 +1,3 @@
 # login
 /bin/login			system_u:object_r:login_exec_t
+/usr/bin/login			system_u:object_r:login_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/mount.fc#2 (text+ko) ====

@@ -1,3 +1,6 @@
 # mount
 /bin/mount 	                system_u:object_r:mount_exec_t
+/sbin/mdmfs			system_u:object_r:mount_exec_t
+/sbin/mount_.*			system_u:object_r:mount_exec_t
+/sbin/umount			system_u:object_r:mount_exec_t
 /bin/umount                     system_u:object_r:mount_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ping.fc#2 (text+ko) ====

@@ -1,3 +1,4 @@
 # ping
 /bin/ping.* 			system_u:object_r:ping_exec_t
 /usr/sbin/hping2		system_u:object_r:ping_exec_t
+/sbin/ping			system_u:object_r:ping_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/ssh.fc#2 (text+ko) ====

@@ -1,6 +1,8 @@
 # ssh
 /usr/bin/ssh			system_u:object_r:ssh_exec_t
+/usr/bin/slogin			system_u:object_r:ssh_exec_t
 # sshd
+/etc/ssh/moduli			system_u:object_r:sshd_key_t
 /etc/ssh/primes                 system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_key 		system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_dsa_key       system_u:object_r:sshd_key_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/su.fc#2 (text+ko) ====

@@ -1,2 +1,3 @@
 # su
 /bin/su				system_u:object_r:su_exec_t
+/usr/bin/su			system_u:object_r:su_exec_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#2 (text+ko) ====

@@ -58,6 +58,8 @@
 /var/tmp(/.*)?			system_u:object_r:tmp_t
 #
 /var/tmp/vi\.recover		system_u:object_r:tmp_t
+/var/empty			system_u:object_r:etc_t
+/var/db/mounttab		system_u:object_r:etc_runtime_t
 
 #
 # /var/ftp
@@ -81,17 +83,21 @@
 /home				system_u:object_r:home_root_t
 /home/[^/]+	-d		system_u:object_r:user_home_dir_t
 /home/[^/]+/.+			system_u:object_r:user_home_t
+/usr/home			system_u:object_r:home_root_t
+/home/[^/]+	-d		system_u:object_r:user_home_dir_t
+/home/[^/]+/.+			system_u:object_r:user_home_t
 
 #
 # Other staff home directories, replace "jadmin" with appropriate name
 #
-/home/jadmin/(/.*)?			system_u:object_r:staff_home_t
-/home/jadmin				system_u:object_r:staff_home_dir_t
+#/home/jadmin/(/.*)?			system_u:object_r:staff_home_t
+#/home/jadmin				system_u:object_r:staff_home_dir_t
 
 #
 # /bin
 #
 /bin(/.*)?			system_u:object_r:bin_t
+/bin/sh			--	system_u:object_r:shell_exec_t
 /bin/tcsh		--	system_u:object_r:shell_exec_t
 /bin/bash		--	system_u:object_r:shell_exec_t
 /bin/bash2		--	system_u:object_r:shell_exec_t
@@ -122,14 +128,7 @@
 /dev/[^/]*tty[^/]*		system_u:object_r:tty_device_t
 /dev/vcs[^/]*			system_u:object_r:tty_device_t
 /dev/tty			system_u:object_r:devtty_t
-/dev/[shmr]d[^/]*		system_u:object_r:fixed_disk_device_t
-/dev/ubd[^/]*			system_u:object_r:fixed_disk_device_t
-/dev/cciss/[^/]*		system_u:object_r:fixed_disk_device_t
-/dev/ida/[^/]*			system_u:object_r:fixed_disk_device_t
-/dev/dasd[^/]*			system_u:object_r:fixed_disk_device_t
-/dev/flash[^/]*			system_u:object_r:fixed_disk_device_t
-/dev/nb[^/]+			system_u:object_r:fixed_disk_device_t
-/dev/ataraid/.*			system_u:object_r:fixed_disk_device_t
+/dev/ad[^/]*			system_u:object_r:fixed_disk_device_t
 /dev/loop.*			system_u:object_r:fixed_disk_device_t
 /dev/ram.*			system_u:object_r:fixed_disk_device_t
 /dev/s(cd|r)[^/]*		system_u:object_r:removable_device_t
@@ -137,14 +136,8 @@
 /dev/rtc			system_u:object_r:clock_device_t
 /dev/psaux			system_u:object_r:mouse_device_t
 /dev/.*mouse.*	-c		system_u:object_r:mouse_device_t
-/dev/input/.*mouse.*		system_u:object_r:mouse_device_t
-/dev/input/mice			system_u:object_r:mouse_device_t
 /dev/ptmx			system_u:object_r:ptmx_t
 /dev/sequencer			system_u:object_r:misc_device_t
-/dev/fb[0-9]*			system_u:object_r:framebuf_device_t
-/dev/apm_bios			system_u:object_r:apm_bios_t
-/dev/cpu/mtrr			system_u:object_r:mtrr_device_t
-/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
 
 /proc(/.*)?			<<none>>
 
@@ -154,24 +147,30 @@
 /etc(/.*)?			system_u:object_r:etc_t
 /etc/shadow.*			system_u:object_r:shadow_t
 /etc/gshadow.*			system_u:object_r:shadow_t
+/etc/master.passwd		system_u:object_r:shadow_t
 /etc/\.pwd\.lock		system_u:object_r:shadow_t
 /etc/fstab\.REVOKE		system_u:object_r:etc_runtime_t
 /etc/HOSTNAME			system_u:object_r:etc_runtime_t
 /etc/ioctl\.save		system_u:object_r:etc_runtime_t
 /etc/mtab		--	system_u:object_r:etc_runtime_t
+/var/db/mounttab		system_u:object_r:etc_runtime_t
 /etc/motd			system_u:object_r:etc_runtime_t
 /etc/issue			system_u:object_r:etc_runtime_t
 /etc/issue\.net			system_u:object_r:etc_runtime_t
-/etc/sysconfig/hwconf		system_u:object_r:etc_runtime_t
-/etc/asound\.state		system_u:object_r:etc_runtime_t
 /etc/ld\.so\.cache		system_u:object_r:ld_so_cache_t
 /etc/ld\.so\.preload		system_u:object_r:ld_so_cache_t
 /etc/resolv\.conf.*		system_u:object_r:resolv_conf_t
-/etc/selinux(/.*)?		system_u:object_r:policy_src_t
-/etc/security/selinux(/.*)?	system_u:object_r:policy_config_t	
-/etc/security/selinux/src(/.*)?	system_u:object_r:policy_src_t
+/etc/security/sebsd(/.*)?	system_u:object_r:policy_config_t	
+/etc/security/sebsd/src(/.*)?	system_u:object_r:policy_src_t
 /etc/security/default_context.*	system_u:object_r:default_context_t
 /etc/services			system_u:object_r:etc_t
+/etc/namedb(/.*)?		system_u:object_r:named_zone_t
+/etc/namedb/named.conf		system_u:object_r:named_conf_t
+/etc/rc.d/cleanvar		system_u:object_r:cleanvar_exec_t
+/etc/rc.d/dhclient		system_u:object_r:initrc_exec_t
+/etc/rc.d/sshd			system_u:object_r:initrc_exec_t
+/etc/rc.shutdown		system_u:object_r:initrc_exec_t
+/etc/rc				system_u:object_r:initrc_exec_t
 
 #
 # /lib
@@ -224,35 +223,16 @@
 /usr/lib/autofs/.*\.so		system_u:object_r:shlib_t
 /usr/lib/perl5/man(/.*)?	system_u:object_r:man_t
 /usr/lib/perl.*\.so		system_u:object_r:shlib_t
-/usr/lib/selinux(/.*)?		system_u:object_r:policy_src_t
 /usr/lib/emacsen-common/.*	system_u:object_r:bin_t
 /usr/lib/.*/bin(/.*)?		system_u:object_r:bin_t
 /usr/lib/gconv/.*\.so		system_u:object_r:shlib_t
 /usr/share/guile/g-wrapped/.*\.so system_u:object_r:shlib_t
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
 /usr/games(/.*)?		system_u:object_r:bin_t
-
-#
-# /usr/.*glibc.*-linux/lib
-#
-/usr/.*glibc.*-linux/lib(/.*)?	system_u:object_r:lib_t
-/usr/.*glibc.*-linux/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*glibc.*-linux/lib/lib.*\.so.* system_u:object_r:shlib_t
+/usr/libexec/ld.*\.so.*		system_u:object_r:ld_so_t
+/usr/lib/pam_.*			system_u:object_r:shlib_t
 
-# /usr/.*redhat-linux/lib
 #
-/usr/.*redhat-linux/lib(/.*)?	system_u:object_r:lib_t
-/usr/.*redhat-linux/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*redhat-linux/lib/lib.*\.so.* system_u:object_r:shlib_t
-
-#
-# /usr/.*linux-libc.*/lib
-#
-/usr/.*linux-libc.*/lib(/.*)? system_u:object_r:lib_t
-/usr/.*linux-libc.*/lib/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*linux-libc.*/lib/lib.*\.so.* system_u:object_r:shlib_t
-
-#
 # /usr/local
 #
 /usr/local/etc(/.*)?		system_u:object_r:etc_t
@@ -264,6 +244,7 @@
 # /usr/local/bin
 #
 /usr/local/bin(/.*)?		system_u:object_r:bin_t
+/usr/local/bin/bash		system_u:object_r:shell_exec_t
 
 #
 # /usr/local/lib
@@ -302,18 +283,12 @@
 /usr/kerberos/lib/lib.*\.so.*	system_u:object_r:shlib_t
 
 #
-# /usr/local/selinux
-#
-/usr/local/selinux/bin(/.*)?		system_u:object_r:bin_t
-/usr/local/selinux/sbin(/.*)?		system_u:object_r:bin_t
-/usr/local/selinux/lib(/.*)?		system_u:object_r:lib_t
-/usr/local/selinux/libexec(/.*)?	system_u:object_r:lib_t
-
-#
 # /var/run
 #
 /var/run(/.*)?			system_u:object_r:var_run_t
 /var/run/.*\.*pid		<<none>>
+/var/run/ld\.so\..*		system_u:object_r:ld_so_cache_t
+/var/run/ld-elf\.so\..*		system_u:object_r:ld_so_cache_t
 
 #
 # /var/spool
@@ -333,17 +308,7 @@
 /var/log/lastlog		system_u:object_r:lastlog_t
 /var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t
 /var/log/syslog			system_u:object_r:var_log_t
-
-#
-# Persistent label mappings.
-#
-/\.\.\.security(/.*)?		system_u:object_r:file_labels_t
-/usr/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
-/boot/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
-/home/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
-/var/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
-/tmp/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
-/usr/local/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
+/var/log/messages		system_u:object_r:var_log_t
 
 #
 # Lost and found directories.
@@ -364,14 +329,3 @@
 /usr/lib/locale/.*		system_u:object_r:locale_t
 /etc/localtime		--	system_u:object_r:locale_t
 /etc/localtime		-l	system_u:object_r:etc_t
-
-#
-# initrd mount point, only used during boot
-#
-/initrd				system_u:object_r:root_t
-
-#
-# The Sun Java development kit, RPM install
-#
-/usr/java/j2sdk.*/bin(/.*)?		system_u:object_r:bin_t
-/usr/java/j2sdk.*/jre/lib/i386(/.*)?	system_u:object_r:lib_t

==== //depot/projects/trustedbsd/sebsd_policy/policy/fs_use#3 (text+ko) ====

@@ -2,9 +2,7 @@
 # Define the labeling behavior for inodes in particular filesystem types.
 # This information was formerly hardcoded in the SELinux module.
 
-fs_use_psid ext2;
-fs_use_psid ext3;
-fs_use_psid ufs;
+fs_use_xattr ufs system_u:object_r:fs_t;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#3 (text+ko) ====

@@ -623,6 +623,10 @@
 
 # allow searching /dev/pts
 allow $1_t devpts_t:dir { getattr read search };
+
+# For systems without /dev/ptmx
+allow $1_t devpts_t:chr_file { poll getattr setattr read write };
+type_change $1_t devpts_t:chr_file $1_devpts_t;
 ')
 
 ##################################
@@ -642,7 +646,7 @@
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
 
 # Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+allow $1_t $1_devpts_t:chr_file { poll setattr rw_file_perms };
 ')
 
 
@@ -658,7 +662,7 @@
 type_transition $1_t devpts_t:chr_file $2_devpts_t;
 
 # Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
+allow $1_t $2_devpts_t:chr_file { setattr poll rw_file_perms };
 ')
 
 ##################################

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#2 (text+ko) ====

@@ -125,8 +125,8 @@
 ')
 
 # Write to the user domain tty.
-allow $1_ssh_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_ssh_t $1_tty_device_t:chr_file { poll rw_file_perms };
+allow $1_ssh_t $1_devpts_t:chr_file { poll rw_file_perms };
 
 # Allow the user shell to signal the ssh program.
 allow $1_t $1_ssh_t:process signal;

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#2 (text+ko) ====

@@ -44,7 +44,7 @@
 type $1_tty_device_t, file_type, sysadmfile, ttyfile;
 # Access ttys.
 allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+allow $1_t $1_tty_device_t:chr_file { poll setattr rw_file_perms };
 # Use the type when relabeling terminal devices.
 type_change $1_t tty_device_t:chr_file $1_tty_device_t;
 ifdef(`dpkg.te', `
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list