[selinux-policy: 1018/3172] fix dupe interfaces

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:32:57 UTC 2010


commit 1470ffb03f09d9d0fb8b01b58fa917392a9b0684
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Dec 5 17:11:14 2005 +0000

    fix dupe interfaces

 refpolicy/policy/modules/kernel/devices.if    |   18 ---------
 refpolicy/policy/modules/kernel/files.if      |   20 +---------
 refpolicy/policy/modules/kernel/filesystem.if |   18 ---------
 refpolicy/policy/modules/kernel/kernel.if     |   18 ---------
 refpolicy/policy/modules/kernel/storage.if    |   18 ---------
 refpolicy/policy/modules/kernel/terminal.if   |   17 --------
 refpolicy/policy/modules/services/ppp.if      |   18 +--------
 refpolicy/policy/modules/services/samba.if    |   17 --------
 refpolicy/policy/modules/services/squid.if    |   28 -------------
 refpolicy/policy/modules/system/init.if       |   51 ++++++++----------------
 10 files changed, 19 insertions(+), 204 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 0ae1165..83e5dc2 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -253,24 +253,6 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
 
 ########################################
 ## <summary>
-##	Allow read, write, create, and delete for generic
-##	block files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`dev_manage_generic_blk_file',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
 ##	Allow read, write, and create for generic character device files.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index b78d961..b178766 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -300,10 +300,9 @@ interface(`files_search_all',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`files_list_all_dirs',`
+interface(`files_list_all',`
 	gen_require(`
 		attribute file_type;
-		class dir r_dir_perms;
 	')
 
 	allow $1 file_type:dir r_dir_perms;
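Review bot: The rename of `files_list_all_dirs` to `files_list_all` on the `interface(` line is not matched by any caller change in this commit, so a module that still invokes `files_list_all_dirs` will fail to build once the old name is gone; a grep across policy/modules for the old name before merging would confirm nothing references it. If a `files_list_all` definition already exists elsewhere in files.if, this hunk now produces a second copy of it rather than removing one, which is the opposite of what the commit title describes, so it is worth verifying which copy is meant to survive. The interface body continues past the end of the hunk.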
@@ -2046,23 +2045,6 @@ interface(`files_dontaudit_getattr_tmp_dir',`
 
 ########################################
 ## <summary>
-##	Allow domain to getattr on /tmp directory.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
-	gen_require(`
-		type tmp_t;
-		class dir getattr;
-	')
-
-	allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
 ##	Search the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index f089669..f0f7255 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -653,24 +653,6 @@ interface(`fs_execute_cifs_files',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read or
-##	write files on a CIFS or SMB filesystems.
-## </summary>
-## <param name="domain">
-##	The type of the domain to not audit.
-## </param>
-#
-interface(`fs_dontaudit_read_cifs_files',`
-	gen_require(`
-		type cifs_t;
-		class file { read write };
-	')
-
-	dontaudit $1 cifs_t:file { read write };
-')
-
-########################################
-## <summary>
 ##	Create, read, write, and delete directories
 ##	on a CIFS or SMB network filesystem.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 5510188..9f25444 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1819,24 +1819,6 @@ interface(`kernel_read_file_from',`
 
 ########################################
 ## <summary>
-##	Allow the kernel to search the
-##	specified directory.
-## </summary>
-## <param name="dir_type">
-##	Directory type to search.
-## </param>
-#
-interface(`kernel_search_from',`
-	gen_require(`
-		type kernel_t;
-		class dir search;
-	')
-
-	allow kernel_t $1:dir search;
-')
-
-########################################
-## <summary>
 ##	Use the specified types for /lib directory
 ##	and use the dynamic link/loader for automatic loading
 ##	of shared libraries, and the link/loader
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index a437aee..c6c34fb 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -363,24 +363,6 @@ interface(`storage_write_scsi_generic',`
 
 ########################################
 ## <summary>
-##	Get attributes of the device nodes
-##	for the SCSI generic inerface.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`storage_getattr_scsi_generic',`
-	gen_require(`
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
 ##	Set attributes of the device nodes
 ##	for the SCSI generic inerface.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index f4c7fc6..3dcd01c 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -642,23 +642,6 @@ interface(`term_reset_tty_labels',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of unallocated ttys.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`term_dontaudit_getattr_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dontaudit $1 tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
 ##	Write to unallocated ttys.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index aa5e4d9..b73fe4e 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -35,7 +35,7 @@ interface(`ppp_dontaudit_use_fd',`
 
 ########################################
 ## <summary>
-##	Allow domain to send sigchld to parent of PPP domain type.
+##	Send a SIGCHLD signal to PPP.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -68,22 +68,6 @@ interface(`ppp_signal',`
 
 ########################################
 ## <summary>
-##	Send a SIGCHLD signal to PPP.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`ppp_sigchld',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	allow $1 pppd_t:process sigchld;
-')
-
-########################################
-## <summary>
 ##	 Execute domain in the ppp domain.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 34b6d48..fd422c8 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -329,23 +329,6 @@ interface(`samba_read_winbind_pid',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to read the winbind pid files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`samba_read_winbind_pid',`
-	gen_require(`
-		type winbind_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 winbind_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
 ##	Connect to winbind.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
index 397a3a6..10497bf 100644
--- a/refpolicy/policy/modules/services/squid.if
+++ b/refpolicy/policy/modules/services/squid.if
@@ -11,9 +11,6 @@
 interface(`squid_domtrans',`
 	gen_require(`
 		type squid_t, squid_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -36,7 +33,6 @@ interface(`squid_domtrans',`
 interface(`squid_read_config',`
 	gen_require(`
 		type squid_conf_t;
-		class file r_file_perms;
 	')
 
 	files_search_etc($1)
@@ -45,27 +41,6 @@ interface(`squid_read_config',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	squid logs.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`squid_manage_logs',`
-	gen_require(`
-		type squid_log_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	logging_search_logs($1)
-	allow $1 squid_log_t:dir rw_dir_perms;
-	allow $1 squid_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
 ##	Append squid logs.
 ## </summary>
 ## <param name="domain">
@@ -112,8 +87,6 @@ interface(`squid_append_log',`
 interface(`squid_manage_logs',`
 	gen_require(`
 		type squid_log_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
 	')
 
 	logging_search_logs($1)
@@ -132,7 +105,6 @@ interface(`squid_manage_logs',`
 interface(`squid_use',`
 	gen_require(`
 		type squid_t;
-		class tcp_socket { connectto acceptfrom recvfrom };
 	')
 
 	allow $1 squid_t:tcp_socket { connectto recvfrom };
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 73bfa56..7c08d2c 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -442,40 +442,6 @@ interface(`init_write_script_pipe',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to connect to
-##	init scripts with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##      Domain allowed access.
-## </param>
-#
-interface(`init_unix_connect_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Dont audit the specified domain connecting to
-##	init scripts with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##      Domain allowed access.
-## </param>
-#
-interface(`init_dontaudit_unix_connect_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	dontaudit $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
 ##	Get the attribute of init script entrypoint files.
 ## </summary>
 ## <param name="domain">
@@ -692,6 +658,23 @@ interface(`init_unix_connect_script',`
 
 ########################################
 ## <summary>
+##	Dont audit the specified domain connecting to
+##	init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`init_dontaudit_unix_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	init scripts over dbus.
 ## </summary>

