From sds at tycho.nsa.gov Tue Jul 1 12:45:29 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Tue, 1 Jul 2008 12:45:29 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Take fmac_enabled checks to fmacsys() entrypoint
Message-ID: <200807011945.m61JjTRU005647@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 7be1ca3878cf3af1dbb1411e7d82b185272556c9
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Take fmac_enabled checks to fmacsys() entrypoint

This patch takes the fmac_enabled checks to the fmacsys() entrypoint so that we don't need to test for it in each FMAC syscall. Note that we handle is_fmac_enabled first as that call is supported even when FMAC is disabled.

Also cast avc_ss_reset return to void to fix a lint warning.

Files:
  update: usr/src/uts/common/syscall/fmacsys.c


From sds at tycho.nsa.gov Tue Jul 1 12:45:31 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Tue, 1 Jul 2008 12:45:31 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] getenforce lint and gettext cleanup
Message-ID: <200807011945.m61JjVKS005697@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 460875c576ef381136f27030fe3928acb101f975
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] getenforce lint and gettext cleanup

This patch cleans up some lint warnings and wraps the output strings with gettext calls in the getenforce utility program.
Files:
  update: usr/src/cmd/fmac/getenforce/getenforce.c


From sds at tycho.nsa.gov Tue Jul 1 12:45:30 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Tue, 1 Jul 2008 12:45:30 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Rework avc_audit
Message-ID: <200807011945.m61JjUre005694@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 79393063cc01d637a15b7eb814270cbc0453eeba
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Rework avc_audit

This patch reworks the avc_audit code so that each avc message is output as a single log message, which is necessary due to the behavior of Solaris kernel printf. avc_audit_buffer is presently protected under the avc_lock but the locking scheme will change later in order to be more scalable. This is a temporary fix until we have a chance to explore using Solaris audit for avc messages.

With this patch, a call to avc_has_perm for a permission check produces output such as:

  avc: denied { load_policy } for scontext=system_u:system_r:init_t:unclassified tcontext=system_u:object_r:security_t:unclassified tclass=security

which is consistent with SELinux and can be processed by tools such as audit2allow. scontext= is the source (typically subject/process) context; tcontext= is the target (typically object) context; tclass= is the target object class. Other supplemental audit data will be added later.

The patch also adds fmac_enabled tests to avc_init and avc_has_perm so that the AVC allocation and permission checking is skipped if FMAC is disabled.
Files:
  update: usr/src/uts/common/fmac/avc.c


From sds at tycho.nsa.gov Wed Jul 2 05:44:52 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Wed, 2 Jul 2008 05:44:52 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Synchronize security class with FMAC syscalls
Message-ID: <200807021244.m62Ciqx5026282@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 5cd6aaacbfa29a8bfd96c3b06d36ccc45fa8f8c6
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Synchronize security class with FMAC syscalls

Synchronize the security class permission definitions with the FMAC syscalls, and update the example policy configuration accordingly.

Files:
  update: usr/src/cmd/fmac/policy/domains/admin/sysadm.te
  update: usr/src/cmd/fmac/policy/domains/every.te
  update: usr/src/cmd/fmac/policy/domains/program/newrole.te
  update: usr/src/cmd/fmac/policy/domains/system/login.te
  update: usr/src/cmd/fmac/policy/domains/system/sshd.te
  update: usr/src/cmd/fmac/policy/init.te
  update: usr/src/cmd/fmac/policy/mls
  update: usr/src/common/fmac/policy/flask/access_vectors


From sds at tycho.nsa.gov Thu Jul 3 04:23:21 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 3 Jul 2008 04:23:21 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Rework file and process access vectors
Message-ID: <200807031123.m63BNL41029358@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 7350608d8779adbecb619ec8060f237a162adf4e
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Rework file and process access vectors

This patch reworks the file and process access vector definitions in preparation for adding permission checks. Some of the changes are to bring the definitions more into alignment with the permissions in modern SELinux (in particular for checks on domain transitions), while other changes are to reorganize the definitions and prune unnecessary ones.
The "initpolicy" is also removed as it is unnecessary. Future revisions to the definitions are likely.

Files:
  delete: usr/src/cmd/fmac/policy/init.te
  update: usr/src/cmd/fmac/policy/Makefile
  update: usr/src/cmd/fmac/policy/assert.te
  update: usr/src/cmd/fmac/policy/domains/every.te
  update: usr/src/cmd/fmac/policy/domains/program/netscape.te
  update: usr/src/cmd/fmac/policy/domains/program/passwd.te
  update: usr/src/cmd/fmac/policy/domains/program/utempter.te
  update: usr/src/cmd/fmac/policy/domains/system/crond.te
  update: usr/src/cmd/fmac/policy/domains/system/initrc.te
  update: usr/src/cmd/fmac/policy/macros.te
  update: usr/src/cmd/fmac/policy/mls
  update: usr/src/common/fmac/policy/flask/access_vectors


From sds at tycho.nsa.gov Thu Jul 3 05:27:28 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 3 Jul 2008 05:27:28 -0700 (PDT)
Subject: [fmac-notify] Fix trivial lint warning - cast memset return to void.
Message-ID: <200807031227.m63CRSau001364@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 924aa88013c2c01b83c18f90fb39f7a08cb0cfda
Total changesets: 1

Log message:
Fix trivial lint warning - cast memset return to void.

Files:
  update: usr/src/uts/common/fmac/avc.c


From john.weeks at sun.com Thu Jul 10 18:33:44 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Thu, 10 Jul 2008 18:33:44 -0700 (PDT)
Subject: [fmac-notify] [PATCH] Process SecID Support
Message-ID: <200807110133.m6B1Xikp006881@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: ab14629b3018b25877c62858222972ae4adb9d6b
Total changesets: 1

Log message:
[PATCH] Process SecID Support

This patch adds sids to the kernel cred structure and the corresponding system calls. All processes will now default to SECINITSID_KERNEL until file system contexts are implemented.
Files:
  create: usr/src/cmd/fmac/pcon/Makefile
  create: usr/src/cmd/fmac/pcon/pcon.c
  update: usr/src/cmd/fmac/Makefile
  update: usr/src/cmd/truss/systable.c
  update: usr/src/common/fmac/policy/flask/access_vectors
  update: usr/src/head/fmac/fmac.h
  update: usr/src/lib/libc/inc/synonyms.h
  update: usr/src/lib/libc/port/mapfile-vers
  update: usr/src/lib/libc/port/sys/fmacsys.c
  update: usr/src/pkgdefs/SUNWesu/prototype_com
  update: usr/src/uts/common/os/cred.c
  update: usr/src/uts/common/sys/cred.h
  update: usr/src/uts/common/sys/cred_impl.h
  update: usr/src/uts/common/sys/fmac/fmac.h
  update: usr/src/uts/common/syscall/fmacsys.c


From john.weeks at sun.com Wed Jul 16 16:50:19 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Wed, 16 Jul 2008 16:50:19 -0700 (PDT)
Subject: [fmac-notify] truss missing getprevcon and other fixes
Message-ID: <200807162350.m6GNoJgF026831@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 46e3138f5eafb5c96018b2262b5a8205ed296e0e
Total changesets: 1

Log message:
truss missing getprevcon and other fixes

Files:
  update: usr/src/cmd/truss/systable.c


From john.weeks at sun.com Thu Jul 24 19:45:52 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Thu, 24 Jul 2008 19:45:52 -0700 (PDT)
Subject: [fmac-notify] typo in truss for security_getenforce/setenforce
Message-ID: <200807250245.m6P2jqje006672@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: d31f31b093df587a50be9bb4e34e81db860da05c
Total changesets: 1

Log message:
typo in truss for security_getenforce/setenforce

Files:
  update: usr/src/cmd/truss/systable.c
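The avc_audit rework earlier in this digest describes the single-line avc message format (avc: denied { perms } for scontext=... tcontext=... tclass=...) and notes that it can be consumed by tools such as audit2allow. The following is an added example, not code from the fmac-gate repository: a small parser that extracts those fields from log lines and groups denied permissions by source type, target type and class, the way an audit2allow-style summary would. The sample log lines are constructed (the first is the one quoted in the commit message).

```python
import re
from collections import defaultdict

# Single-line avc format described in the avc_audit commit message:
#   avc: denied { perm1 perm2 } for scontext=... tcontext=... tclass=...
# Additional key=value fields after "for" are tolerated, since the message
# says supplemental audit data will be added later.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
REQUIRED = ("scontext", "tcontext", "tclass")

def parse_avc(line):
    """Return a dict for one avc message line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if any(k not in fields for k in REQUIRED):
        return None  # malformed record: required context fields missing
    rec = {k: fields[k] for k in REQUIRED}
    rec["result"] = m.group("result")
    rec["perms"] = sorted(m.group("perms").split())
    return rec

def context_type(ctx):
    """Type component of a user:role:type[:level] security context (e.g. init_t)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize_denials(lines):
    """Group denied permissions by (source type, target type, tclass)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

def allow_rules(summary):
    """Render the summary as allow rules in policy syntax (review before adopting)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "avc: denied { load_policy } for scontext=system_u:system_r:init_t:unclassified tcontext=system_u:object_r:security_t:unclassified tclass=security",
    "avc: denied { setenforce } for scontext=system_u:system_r:init_t:unclassified tcontext=system_u:object_r:security_t:unclassified tclass=security",
    "avc: granted { load_policy } for scontext=system_u:system_r:init_t:unclassified tcontext=system_u:object_r:security_t:unclassified tclass=security",
    "some unrelated kernel message",
]

if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```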