[selinux-policy: 1566/3172] remove dead selopt rules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:20:33 UTC 2010


commit 33c7e6b4e8e7a2d2e9f3f69806269c9622caa3bd
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Aug 15 20:00:58 2006 +0000

    remove dead selopt rules

 Changelog                               |    1 +
 policy/modules/admin/mrtg.te            |    3 +-
 policy/modules/admin/portage.if         |    1 -
 policy/modules/admin/portage.te         |    2 +-
 policy/modules/apps/calamaris.te        |    6 +---
 policy/modules/apps/games.if            |    4 --
 policy/modules/apps/games.te            |    2 +-
 policy/modules/apps/irc.if              |    9 -----
 policy/modules/apps/mozilla.if          |    4 --
 policy/modules/apps/mozilla.te          |    2 +-
 policy/modules/apps/uml.if              |    4 --
 policy/modules/apps/uml.te              |    2 +-
 policy/modules/kernel/kernel.if         |   25 ++++-----------
 policy/modules/kernel/kernel.te         |    7 +----
 policy/modules/services/afs.te          |   14 ++-------
 policy/modules/services/amavis.te       |    6 +---
 policy/modules/services/apache.te       |    5 +--
 policy/modules/services/bind.if         |    8 +----
 policy/modules/services/bind.te         |   12 +-------
 policy/modules/services/cups.if         |   10 +-----
 policy/modules/services/cups.te         |   21 ++-----------
 policy/modules/services/dictd.if        |   10 +-----
 policy/modules/services/dictd.te        |    3 +-
 policy/modules/services/finger.if       |   10 +-----
 policy/modules/services/finger.te       |    3 +-
 policy/modules/services/ftp.if          |   10 +-----
 policy/modules/services/ftp.te          |    2 +-
 policy/modules/services/gatekeeper.te   |   15 +--------
 policy/modules/services/i18n_input.if   |   10 +-----
 policy/modules/services/i18n_input.te   |    3 +-
 policy/modules/services/inetd.if        |   19 ++---------
 policy/modules/services/inetd.te        |    8 +----
 policy/modules/services/jabber.if       |   10 +-----
 policy/modules/services/jabber.te       |    3 +-
 policy/modules/services/ldap.if         |   10 +-----
 policy/modules/services/ldap.te         |    3 +-
 policy/modules/services/lpd.if          |    6 ----
 policy/modules/services/lpd.te          |    8 +----
 policy/modules/services/mailman.te      |    8 +----
 policy/modules/services/mta.if          |   21 +-----------
 policy/modules/services/mta.te          |    2 +-
 policy/modules/services/nessus.if       |   10 +-----
 policy/modules/services/nessus.te       |    3 +-
 policy/modules/services/nis.if          |   19 ++---------
 policy/modules/services/nis.te          |    9 +-----
 policy/modules/services/nsd.if          |   18 ++--------
 policy/modules/services/nsd.te          |    2 +-
 policy/modules/services/ntp.te          |    4 +-
 policy/modules/services/perdition.if    |   10 +-----
 policy/modules/services/perdition.te    |    3 +-
 policy/modules/services/portmap.if      |   38 ++++-------------------
 policy/modules/services/portmap.te      |   14 +--------
 policy/modules/services/portslave.te    |    6 +---
 policy/modules/services/postfix.te      |   10 +-----
 policy/modules/services/postgresql.if   |   10 +-----
 policy/modules/services/postgresql.te   |    3 +-
 policy/modules/services/radius.if       |   12 +------
 policy/modules/services/radius.te       |    6 +---
 policy/modules/services/rpc.if          |   19 ++---------
 policy/modules/services/rpc.te          |    8 +----
 policy/modules/services/snmp.if         |   19 ++---------
 policy/modules/services/snmp.te         |    3 +-
 policy/modules/services/soundserver.if  |   10 +-----
 policy/modules/services/soundserver.te  |    3 +-
 policy/modules/services/spamassassin.if |    3 --
 policy/modules/services/spamassassin.te |    3 +-
 policy/modules/services/squid.if        |   10 +-----
 policy/modules/services/squid.te        |    3 +-
 policy/modules/services/ssh.if          |   10 +-----
 policy/modules/services/ssh.te          |    9 +-----
 policy/modules/services/tcpd.te         |    6 +---
 policy/modules/services/xserver.if      |    6 ----
 policy/modules/services/xserver.te      |    2 +-
 policy/modules/services/zebra.te        |    7 +----
 policy/modules/system/init.if           |   21 ++----------
 policy/modules/system/init.te           |    7 +----
 policy/modules/system/mount.te          |    4 +--
 policy/modules/system/userdomain.if     |   51 +------------------------------
 policy/modules/system/userdomain.te     |    6 +---
 79 files changed, 121 insertions(+), 578 deletions(-)
---
diff --git a/Changelog b/Changelog
index a90f6a9..4418061 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Remove old selopt rules.
 - Full support for netfilter_contexts.
 - MRTG patch for daemon operation from Stefan.
 - Add authlogin interface to abstract common access for login programs.
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 8dcd535..4638424 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
 
-policy_module(mrtg,1.0.2)
+policy_module(mrtg,1.0.3)
 
 ########################################
 #
@@ -167,7 +167,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_udp_chat(mrtg_t)
 	snmp_read_snmp_var_lib_files(mrtg_t)
 ')
 
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 39407bc..14f8312 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -115,7 +115,6 @@ interface(`portage_compile_domain',`
 	allow $1 self:udp_socket create_socket_perms;
 	# misc networking stuff (esp needed for compiling perl):
 	allow $1 self:rawip_socket { create ioctl };
-	allow $1 self:udp_socket recvfrom;
 	# needed for merging dbus:
 	allow $1 self:netlink_selinux_socket { bind create read };
 	allow $1 self:dbus send_msg;
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 00351d1..83c0a10 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
 
-policy_module(portage,1.0.4)
+policy_module(portage,1.0.5)
 
 ########################################
 #
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index a680581..1f4b659 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
 
-policy_module(calamaris,1.0.0)
+policy_module(calamaris,1.0.1)
 
 ########################################
 #
@@ -77,10 +77,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	bind_udp_chat_named(calamaris_t)
-')
-
-optional_policy(`
 	cron_system_entry(calamaris_t,calamaris_exec_t)
 ')
 
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 6270276..592a423 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -61,8 +61,6 @@ template(`games_per_userdomain_template',`
 	allow $1_games_t self:sem create_sem_perms;
 	allow $1_games_t self:tcp_socket create_stream_socket_perms;
 	allow $1_games_t self:udp_socket create_socket_perms;
-	allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
-	allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
 
 	allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
 	allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
@@ -87,8 +85,6 @@ template(`games_per_userdomain_template',`
 	allow $2 $1_games_t:unix_stream_socket connectto;
 	allow $1_games_t $2:unix_stream_socket connectto;
 
-	kernel_tcp_recvfrom($1_games_t)
-	kernel_tcp_recvfrom($1_games_t)
 	kernel_read_system_state($1_games_t)
 
 	corecmd_exec_bin($1_games_t)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index e0b6974..46a2bc7 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
 
-policy_module(games,1.0.0)
+policy_module(games,1.0.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 9fe7592..16848bc 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -156,13 +156,4 @@ template(`irc_per_userdomain_template',`
 	optional_policy(`
 		nis_use_ypbind($1_irc_t)
 	')
-	
-	ifdef(`TODO',`
-		optional_policy(`
-			allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
-			allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
-			kernel_tcp_recvfrom($1_irc_t)
-			kernel_tcp_recvfrom(ircd_t)
-		')
-	')
 ')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 747bde4..d4480b2 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -354,10 +354,6 @@ template(`mozilla_per_userdomain_template',`
 	')
 
 	optional_policy(`
-		squid_use($1_mozilla_t)
-	')
-
-	optional_policy(`
 		lpd_domtrans_user_lpr($1,$1_mozilla_t)
 	')
 
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 7565167..5de7b51 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
 
-policy_module(mozilla,1.0.3)
+policy_module(mozilla,1.0.4)
 
 ########################################
 #
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index fb067bb..8be916a 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -183,10 +183,6 @@ template(`uml_per_userdomain_template',`
 		nis_use_ypbind($1_uml_t)
 	')
 
-	optional_policy(`
-		ssh_tcp_connect($1_uml_t)
-	')
-	
 	ifdef(`TODO',`
 		# for X
 		optional_policy(`
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 4b63b59..2a320ef 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
 
-policy_module(uml,1.0.2)
+policy_module(uml,1.0.3)
 
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 230b601..fc3c335 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -220,7 +220,7 @@ interface(`kernel_dgram_send',`
 
 ########################################
 ## <summary>
-##	Receive messages from kernel TCP sockets.
+##	Receive messages from kernel TCP sockets.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -229,16 +229,12 @@ interface(`kernel_dgram_send',`
 ## </param>
 #
 interface(`kernel_tcp_recvfrom',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:tcp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to the kernel.
+##	Send UDP network traffic to the kernel.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
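Review bot: `kernel_tcp_recvfrom` now expands to a `refpolicywarn` call and no rules, but its documentation records that only as a "(Deprecated)" suffix on the summary, so a module that still calls it reads as if it were granted kernel TCP receive access. I would add a `<desc>` paragraph to the doc block stating that the interface grants nothing and is presumably kept so that existing callers still build, and make the message say so as well: ``refpolicywarn(`$0($*) has been deprecated and no longer grants any access.')``. The doc block starts in the previous hunk and its parameter description lies between the hunks, so neither is fully visible here. The same applies to `kernel_udp_send` and `kernel_udp_recvfrom` below, and to the other interfaces this commit stubs out the same way (`bind_udp_chat_named`, `cups_tcp_connect`, `dictd_tcp_connect`, `finger_tcp_connect`, `ftp_tcp_connect`, `i18n_use`, `inetd_tcp_connect`, `inetd_udp_send`, `jabber_tcp_connect`, `ldap_use`).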
@@ -247,17 +243,12 @@ interface(`kernel_tcp_recvfrom',`
 ## </param>
 #
 interface(`kernel_udp_send',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:udp_socket sendto;
-	allow kernel_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Receive messages from kernel UDP sockets.
+##	Receive messages from kernel UDP sockets.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -266,11 +257,7 @@ interface(`kernel_udp_send',`
 ## </param>
 #
 interface(`kernel_udp_recvfrom',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 43a5333..84e208d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.13)
+policy_module(kernel,1.3.14)
 
 ########################################
 #
@@ -273,10 +273,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	portmap_udp_chat(kernel_t)
-')
-
-optional_policy(`
 	# nfs kernel server needs kernel UDP access.  It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -298,7 +294,6 @@ optional_policy(`
 	rpc_manage_nfs_ro_content(kernel_t)
 	rpc_manage_nfs_rw_content(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t) 
-	rpc_udp_send_nfs(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
 		fs_list_noxattr_fs(kernel_t) 
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 1e748b0..8de0ed8 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
 
-policy_module(afs,1.0.1)
+policy_module(afs,1.0.2)
 
 ########################################
 #
@@ -134,8 +134,8 @@ allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }
 dontaudit afs_fsserver_t self:capability fsetid;
 allow afs_fsserver_t self:process { setsched signal_perms };
 allow afs_fsserver_t self:fifo_file rw_file_perms;
-allow afs_fsserver_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
-allow afs_fsserver_t self:udp_socket { create_socket_perms sendto recvfrom };
+allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_fsserver_t self:udp_socket create_socket_perms;
 
 allow afs_fsserver_t afs_config_t:file r_file_perms;
 allow afs_fsserver_t afs_config_t:dir r_dir_perms;
@@ -157,10 +157,6 @@ can_exec(afs_fsserver_t, afs_fsserver_exec_t)
 allow afs_fsserver_t afs_logfile_t:file create_file_perms;
 allow afs_fsserver_t afs_logfile_t:dir create_dir_perms;
 
-allow afs_fsserver_t afs_ptserver_t:udp_socket recvfrom;
-
-allow afs_fsserver_t afs_vlserver_t:udp_socket recvfrom;
-
 kernel_read_system_state(afs_fsserver_t)
 kernel_read_kernel_sysctls(afs_fsserver_t)
 
@@ -269,8 +265,6 @@ allow afs_ptserver_t afs_config_t:dir r_dir_perms;
 allow afs_ptserver_t afs_logfile_t:file create_file_perms;
 allow afs_ptserver_t afs_logfile_t:dir create_dir_perms;
 
-allow afs_ptserver_t afs_fsserver_t:udp_socket recvfrom;
-
 allow afs_ptserver_t afs_pt_db_t:file manage_file_perms;
 allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms;
 type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t;
@@ -310,8 +304,6 @@ allow afs_vlserver_t self:udp_socket create_socket_perms;
 allow afs_vlserver_t afs_config_t:file r_file_perms;
 allow afs_vlserver_t afs_config_t:dir r_dir_perms;
 
-allow afs_vlserver_t afs_fsserver_t:udp_socket recvfrom;
-
 allow afs_vlserver_t afs_logfile_t:file create_file_perms;
 allow afs_vlserver_t afs_logfile_t:dir create_dir_perms;
 
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 55b4b6b..3dbd868 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.5)
+policy_module(amavis,1.0.6)
 
 ########################################
 #
@@ -165,10 +165,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	ldap_use(amavis_t)
-')
-
-optional_policy(`
 	pyzor_domtrans(amavis_t)
 ')
 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e92d29d..6e7669f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.15)
+policy_module(apache,1.3.16)
 
 #
 # NOTES: 
@@ -142,7 +142,7 @@ allow httpd_t self:msg { send receive };
 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
 
 # Allow httpd_t to put files in /var/cache/httpd etc
@@ -206,7 +206,6 @@ allow httpd_t squirrelmail_spool_t:file create_file_perms;
 allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
 
 kernel_read_kernel_sysctls(httpd_t)
-kernel_tcp_recvfrom(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
 
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 6797a13..62fffb3 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -256,7 +256,7 @@ interface(`bind_read_zone',`
 
 ########################################
 ## <summary>
-##	Send and receive datagrams to and from named.
+##	Send and receive datagrams to and from named.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -265,9 +265,5 @@ interface(`bind_read_zone',`
 ## </param>
 #
 interface(`bind_udp_chat_named',`
-	gen_require(`
-		type named_t;
-	')
-	allow $1 named_t:udp_socket sendto;
-	allow named_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1d2dd9f..2472732 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.7)
+policy_module(bind,1.1.8)
 
 ########################################
 #
@@ -92,12 +92,9 @@ allow named_t named_zone_t:dir r_dir_perms;
 allow named_t named_zone_t:file r_file_perms;
 allow named_t named_zone_t:lnk_file r_file_perms;
 
-allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
-
 kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
-kernel_tcp_recvfrom(named_t)
 
 corenet_non_ipsec_sendrecv(named_t)
 corenet_tcp_sendrecv_all_if(named_t)
@@ -200,11 +197,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nsd_tcp_connect(named_t)
-	nsd_udp_chat(named_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(named_t)
 ')
 
@@ -227,7 +219,6 @@ allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow ndc_t dnssec_t:file { getattr read };
 
-allow ndc_t named_t:tcp_socket { connectto recvfrom };
 allow ndc_t named_t:unix_stream_socket connectto;
 
 allow ndc_t named_conf_t:file { getattr read };
@@ -237,7 +228,6 @@ allow ndc_t named_var_run_t:sock_file rw_file_perms;
 allow ndc_t named_zone_t:dir search;
 
 kernel_read_kernel_sysctls(ndc_t)
-kernel_tcp_recvfrom(ndc_t)
 
 corenet_non_ipsec_sendrecv(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 5f3a5cb..b144ee9 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -46,7 +46,7 @@ interface(`cups_stream_connect',`
 
 ########################################
 ## <summary>
-##	Connect to cups over TCP.
+##	Connect to cups over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55,13 +55,7 @@ interface(`cups_stream_connect',`
 ## </param>
 #
 interface(`cups_tcp_connect',`
-	gen_require(`
-		type cupsd_t;
-	')
-
-	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
-	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 48ed810..15fe7ac 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.10)
+policy_module(cups,1.3.11)
 
 ########################################
 #
@@ -82,7 +82,7 @@ allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
-allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
+allow cupsd_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_t self:udp_socket create_socket_perms;
 allow cupsd_t self:appletalk_socket create_socket_perms;
 # generic socket here until appletalk socket is available in kernels
@@ -126,7 +126,6 @@ allow cupsd_t ptal_t:unix_stream_socket connectto;
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
-kernel_tcp_recvfrom(cupsd_t)
 
 corenet_non_ipsec_sendrecv(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
@@ -259,10 +258,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	portmap_udp_chat(cupsd_t)
-')
-
-optional_policy(`
 	# from old usercanread attrib:
 	rpc_read_nfs_content(cupsd_t)
 	rpc_read_nfs_state_data(cupsd_t)
@@ -290,13 +285,7 @@ optional_policy(`
 	xserver_read_xkb_libs(cupsd_t)
 ')
 
-ifdef(`TODO',`
-allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
-allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
-allow cupsd_t kernel_t:tcp_socket recvfrom;
-allow web_client_domain kernel_t:tcp_socket recvfrom;
-') dnl end TODO
-
+#FIXME:
 allow cupsd_t usercanread:dir r_dir_perms;
 allow cupsd_t usercanread:file r_file_perms;
 allow cupsd_t usercanread:lnk_file { getattr read };
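Review bot: The added `#FIXME:` marker carries no text, so nothing records what is wrong with the three `allow cupsd_t usercanread:...` rules it now sits above. A context line in the preceding hunk (`# from old usercanread attrib:`) suggests the attribute is a leftover that interface calls are meant to replace, though that is inferred from the visible context only. Since these rules give cupsd read access to every directory, file and symlink carrying that attribute, the marker should state the intended end state, for example `# FIXME: usercanread is a legacy attribute; replace these rules with interface calls for the content cupsd needs to read`.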
@@ -315,9 +304,6 @@ allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
-allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
-
 # old can_ps() on cupsd_t:
 allow cupsd_config_t cupsd_t:process { signal };
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
@@ -350,7 +336,6 @@ allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 
 kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
-kernel_tcp_recvfrom(cupsd_config_t)
 
 corenet_non_ipsec_sendrecv(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
index 5addaa1..43f1ea3 100644
--- a/policy/modules/services/dictd.if
+++ b/policy/modules/services/dictd.if
@@ -3,7 +3,7 @@
 ########################################
 ## <summary>
 ##	Use dictionary services by connecting
-##	over TCP.
+##	over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12,11 +12,5 @@
 ## </param>
 #
 interface(`dictd_tcp_connect',`
-	gen_require(`
-		type dictd_t;
-	')
-
-	allow $1 dictd_t:tcp_socket { connectto recvfrom };
-	allow dictd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index 1a8ae10..b588c07 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -1,5 +1,5 @@
 
-policy_module(dictd,1.1.1)
+policy_module(dictd,1.1.2)
 
 ########################################
 #
@@ -36,7 +36,6 @@ allow dictd_t dictd_var_lib_t:file r_file_perms;
 
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
-kernel_tcp_recvfrom(dictd_t)
 
 corenet_non_ipsec_sendrecv(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if
index 22d4824..f7b5910 100644
--- a/policy/modules/services/finger.if
+++ b/policy/modules/services/finger.if
@@ -25,7 +25,7 @@ interface(`finger_domtrans',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to connect to fingerd with a tcp socket.
+##	Allow the specified domain to connect to fingerd with a tcp socket.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -34,11 +34,5 @@ interface(`finger_domtrans',`
 ## </param>
 #
 interface(`finger_tcp_connect',`
-	gen_require(`
-		type fingerd_t;
-	')
-
-	kernel_tcp_recvfrom($1)
-	allow $1 fingerd_t:tcp_socket { connectto recvfrom };
-	allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 1647e64..3de89b6 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
 
-policy_module(finger,1.1.1)
+policy_module(finger,1.1.2)
 
 ########################################
 #
@@ -47,7 +47,6 @@ logging_log_filetrans(fingerd_t,fingerd_log_t,file)
 
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
-kernel_tcp_recvfrom(fingerd_t)
 
 corenet_non_ipsec_sendrecv(fingerd_t)
 corenet_tcp_sendrecv_all_if(fingerd_t)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 113e56c..e31a0fc 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -35,7 +35,7 @@ template(`ftp_per_userdomain_template',`
 
 ########################################
 ## <summary>
-##      Use ftp by connecting over TCP.
+##      Use ftp by connecting over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -44,13 +44,7 @@ template(`ftp_per_userdomain_template',`
 ## </param>
 #
 interface(`ftp_tcp_connect',`
-	gen_require(`
-		type ftpd_t;
-	')
-
-	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
-	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index df7e7f2..ce3c62a 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.2.7)
+policy_module(ftp,1.2.8)
 
 ########################################
 #
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index c33041d..0051043 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
 
-policy_module(gatekeeper,1.0.2)
+policy_module(gatekeeper,1.0.3)
 
 ########################################
 #
@@ -113,16 +113,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(gatekeeper_t)
 ')
-
-ifdef(`TODO',`
-# for local users to run VOIP software
-allow userdomain gatekeeper_t:udp_socket sendto;
-allow gatekeeper_t userdomain:udp_socket recvfrom;
-allow gatekeeper_t userdomain:udp_socket sendto;
-allow userdomain gatekeeper_t:udp_socket recvfrom;
-
-allow gatekeeper_t userdomain:tcp_socket { connectto recvfrom };
-allow userdomain gatekeeper_t:tcp_socket { acceptfrom recvfrom };
-kernel_tcp_recvfrom(gatekeeper_t)
-kernel_tcp_recvfrom(userdomain)
-')
diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if
index 9a9f0f7..bc7de4f 100644
--- a/policy/modules/services/i18n_input.if
+++ b/policy/modules/services/i18n_input.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Use i18n_input over a TCP connection.
+##	Use i18n_input over a TCP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,11 +11,5 @@
 ## </param>
 #
 interface(`i18n_use',`
-	gen_require(`
-		type i18n_input_t;
-	')
-
-	allow $1 i18n_input_t:tcp_socket { connectto recvfrom };
-	allow i18n_input_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index 9cabd74..fa18888 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
 
-policy_module(i18n_input,1.1.3)
+policy_module(i18n_input,1.1.4)
 
 ########################################
 #
@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
 
 kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)
-kernel_tcp_recvfrom(i18n_input_t)
 
 corenet_non_ipsec_sendrecv(i18n_input_t)
 corenet_tcp_sendrecv_generic_if(i18n_input_t)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index eded403..2edfec6 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -169,7 +169,7 @@ interface(`inetd_use_fds',`
 
 ########################################
 ## <summary>
-##	Connect to the inetd service using a TCP connection.
+##	Connect to the inetd service using a TCP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -178,13 +178,7 @@ interface(`inetd_use_fds',`
 ## </param>
 #
 interface(`inetd_tcp_connect',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:tcp_socket { connectto recvfrom };
-	allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -213,7 +207,7 @@ interface(`inetd_domtrans_child',`
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to inetd.
+##	Send UDP network traffic to inetd.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -222,12 +216,7 @@ interface(`inetd_domtrans_child',`
 ## </param>
 #
 interface(`inetd_udp_send',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:udp_socket sendto;
-	allow inetd_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index eb53308..f8cecba 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.1.5)
+policy_module(inetd,1.1.6)
 
 ########################################
 #
@@ -55,7 +55,6 @@ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
-kernel_tcp_recvfrom(inetd_t)
 
 # base networking:
 corenet_non_ipsec_sendrecv(inetd_t)
@@ -145,11 +144,6 @@ optional_policy(`
 	amanda_search_lib(inetd_t)
 ')
 
-# Communicate with the portmapper.
-optional_policy(`
-	portmap_udp_send(inetd_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(inetd_t)
 ')
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index ac0db06..4d1a931 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Connect to jabber over a TCP socket
+##	Connect to jabber over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,11 +11,5 @@
 ## </param>
 #
 interface(`jabber_tcp_connect',`
-	gen_require(`
-		type jabberd_t;
-	')
-
-	allow $1 jabberd_t:tcp_socket { connectto recvfrom };
-	allow jabberd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 01f85a7..d30449e 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
 
-policy_module(jabber,1.0.2)
+policy_module(jabber,1.0.3)
 
 ########################################
 #
@@ -46,7 +46,6 @@ files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
 kernel_read_kernel_sysctls(jabberd_t)
 kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)
-kernel_tcp_recvfrom(jabberd_t)
 
 corenet_non_ipsec_sendrecv(jabberd_t)
 corenet_tcp_sendrecv_generic_if(jabberd_t)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 03b9d83..5565567 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -40,7 +40,7 @@ interface(`ldap_read_config',`
 
 ########################################
 ## <summary>
-##	Use LDAP over TCP connection.
+##	Use LDAP over TCP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -49,13 +49,7 @@ interface(`ldap_read_config',`
 ## </param>
 #
 interface(`ldap_use',`
-	gen_require(`
-		type slapd_t;
-	')
-
-	allow $1 slapd_t:tcp_socket { connectto recvfrom };
-	allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 6731b76..f5b2c81 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.2.4)
+policy_module(ldap,1.2.5)
 
 ########################################
 #
@@ -76,7 +76,6 @@ files_pid_filetrans(slapd_t,slapd_var_run_t,file)
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
-kernel_tcp_recvfrom(slapd_t)
 
 corenet_non_ipsec_sendrecv(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index 3d997fa..5b19184 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -72,9 +72,6 @@ template(`lpd_per_userdomain_template',`
 	# Connect to lpd via a Unix domain socket.
 	allow $1_lpr_t printer_t:sock_file rw_file_perms;
 	allow $1_lpr_t lpd_t:unix_stream_socket connectto;
-	# connecto to a network lpd
-	allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
-	allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
 	# Send SIGHUP to lpd.
 	allow $1_lpr_t lpd_t:process signal;
 
@@ -109,7 +106,6 @@ template(`lpd_per_userdomain_template',`
 	allow lpd_t $1_print_spool_t:file r_file_perms;
 	allow lpd_t $1_print_spool_t:file link_file_perms;
 
-	kernel_tcp_recvfrom($1_lpr_t)
 	kernel_read_kernel_sysctls($1_lpr_t)
 
 	corenet_non_ipsec_sendrecv($1_lpr_t)
@@ -186,9 +182,7 @@ template(`lpd_per_userdomain_template',`
 
 	optional_policy(`
 		cups_read_config($1_lpr_t)
-		cups_tcp_connect($1_lpr_t)
 		cups_read_config($2)
-		cups_tcp_connect($2)
 		cups_stream_connect($1_lpr_t)
 	')
 
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 0006d34..6adb181 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.2.5)
+policy_module(lpd,1.2.6)
 
 ########################################
 #
@@ -154,7 +154,6 @@ allow lpd_t printer_t:unix_stream_socket name_bind;
 allow lpd_t printer_t:unix_dgram_socket name_bind;
 
 kernel_read_kernel_sysctls(lpd_t)
-kernel_tcp_recvfrom(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)
 
@@ -220,11 +219,6 @@ ifdef(`targeted_policy',`
 
 optional_policy(`
 	nis_use_ypbind(lpd_t)
-	nis_tcp_connect_ypbind(lpd_t)
-')
-
-optional_policy(`
-	portmap_udp_send(lpd_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 70e5b77..bbdd562 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.6)
+policy_module(mailman,1.1.7)
 
 ########################################
 #
@@ -44,14 +44,11 @@ optional_policy(`
 	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
 
-	kernel_tcp_recvfrom(mailman_cgi_t)
 
 	term_use_controlling_term(mailman_cgi_t)
 
 	files_search_spool(mailman_cgi_t)
 
-	mta_tcp_connect_all_mailservers(mailman_cgi_t)
-
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
@@ -95,7 +92,6 @@ allow mailman_queue_t mailman_archive_t:file create_file_perms;
 allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
 
 kernel_read_proc_symlinks(mailman_queue_t)
-kernel_tcp_recvfrom(mailman_queue_t)
 
 auth_domtrans_chk_passwd(mailman_queue_t)
 
@@ -109,8 +105,6 @@ seutil_dontaudit_search_config(mailman_queue_t)
 userdom_search_sysadm_home_dirs(mailman_queue_t)
 userdom_getattr_sysadm_home_dirs(mailman_queue_t)
 
-mta_tcp_connect_all_mailservers(mailman_queue_t)
-
 su_exec(mailman_queue_t)
 
 optional_policy(`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index bb83707..680594b 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -199,11 +199,6 @@ template(`mta_per_userdomain_template',`
 	allow $1_mail_t $2:fifo_file rw_file_perms;
 	allow $1_mail_t $2:process sigchld;
 
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($2)
-	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
-	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
-
 	domain_use_interactive_fds($1_mail_t)
 
 	userdom_use_user_terminals($1,$1_mail_t)
@@ -313,9 +308,6 @@ interface(`mta_mailserver',`
 		attribute mailserver_domain;
 	')
 
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($1)
-
 	init_daemon_domain($1,$2)
 	typeattribute $1 mailserver_domain;
 ')
@@ -355,9 +347,6 @@ interface(`mta_sendmail_mailserver',`
 		type sendmail_exec_t;
 	')
 
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($1)
-
 	init_system_domain($1,sendmail_exec_t)
 	typeattribute $1 mailserver_domain;
 ')
@@ -624,7 +613,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 
 #######################################
 ## <summary>
-##	Connect to all mail servers over TCP.
+##	Connect to all mail servers over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -633,13 +622,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 ## </param>
 #
 interface(`mta_tcp_connect_all_mailservers',`
-	gen_require(`
-		attribute mailserver_domain;
-	')
-
-	allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
-	allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 #######################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 2e9d8a7..d4da5cb 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.3.7)
+policy_module(mta,1.3.8)
 
 ########################################
 #
diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if
index 425c29b..6ec8003 100644
--- a/policy/modules/services/nessus.if
+++ b/policy/modules/services/nessus.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Connect to nessus over a TCP socket
+##	Connect to nessus over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,11 +11,5 @@
 ## </param>
 #
 interface(`nessus_tcp_connect',`
-	gen_require(`
-		type nessusd_t;
-	')
-
-	allow $1 nessusd_t:tcp_socket { connectto recvfrom };
-	allow nessusd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index b049bf5..137d879 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
 
-policy_module(nessus,1.0.1)
+policy_module(nessus,1.0.2)
 
 ########################################
 #
@@ -55,7 +55,6 @@ files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
 
 kernel_read_system_state(nessusd_t)
 kernel_read_kernel_sysctls(nessusd_t)
-kernel_tcp_recvfrom(nessusd_t)
 
 # for nmap etc
 corecmd_exec_bin(nessusd_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 99ba6cb..e78f9aa 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -148,7 +148,7 @@ interface(`nis_list_var_yp',`
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to NIS clients.
+##	Send UDP network traffic to NIS clients.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -157,17 +157,12 @@ interface(`nis_list_var_yp',`
 ## </param>
 #
 interface(`nis_udp_send_ypbind',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	allow $1 ypbind_t:udp_socket sendto;
-	allow ypbind_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Connect to ypbind over TCP.
+##	Connect to ypbind over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -176,13 +171,7 @@ interface(`nis_udp_send_ypbind',`
 ## </param>
 #
 interface(`nis_tcp_connect_ypbind',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	allow $1 ypbind_t:tcp_socket { connectto recvfrom };
-	allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index d9edc35..7a3f162 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
 
-policy_module(nis,1.1.6)
+policy_module(nis,1.1.7)
 
 ########################################
 #
@@ -70,7 +70,6 @@ allow ypbind_t var_yp_t:file create_file_perms;
 kernel_read_kernel_sysctls(ypbind_t)
 kernel_list_proc(ypbind_t)
 kernel_read_proc_symlinks(ypbind_t)
-kernel_tcp_recvfrom(ypbind_t)
 
 corenet_non_ipsec_sendrecv(ypbind_t)
 corenet_tcp_sendrecv_all_if(ypbind_t)
@@ -107,7 +106,6 @@ files_list_var(ypbind_t)
 
 init_use_fds(ypbind_t)
 init_use_script_ptys(ypbind_t)
-init_udp_send_script(ypbind_t)
 
 libs_use_ld_so(ypbind_t)
 libs_use_shared_libs(ypbind_t)
@@ -121,7 +119,6 @@ sysnet_read_config(ypbind_t)
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
 
-portmap_udp_send(ypbind_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(ypbind_t)
@@ -204,7 +201,6 @@ files_relabel_etc_files(yppasswdd_t)
 
 init_use_fds(yppasswdd_t)
 init_use_script_ptys(yppasswdd_t)
-init_udp_send_script(yppasswdd_t)
 
 libs_use_ld_so(yppasswdd_t)
 libs_use_shared_libs(yppasswdd_t)
@@ -218,7 +214,6 @@ sysnet_read_config(yppasswdd_t)
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
 userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
 
-portmap_udp_send(yppasswdd_t)
 
 ifdef(`targeted_policy',`
         term_dontaudit_use_unallocated_ttys(yppasswdd_t)
@@ -299,7 +294,6 @@ files_read_var_files(ypserv_t)
 
 init_use_fds(ypserv_t)
 init_use_script_ptys(ypserv_t)
-init_udp_send_script(ypserv_t)
 
 libs_use_ld_so(ypserv_t)
 libs_use_shared_libs(ypserv_t)
@@ -315,7 +309,6 @@ sysnet_read_config(ypserv_t)
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
 
-portmap_udp_send(ypserv_t)
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(ypserv_t)
diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if
index 3004b55..a1371d5 100644
--- a/policy/modules/services/nsd.if
+++ b/policy/modules/services/nsd.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive datagrams from NSD.
+##	Send and receive datagrams from NSD.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,16 +11,12 @@
 ## </param>
 #
 interface(`nsd_udp_chat',`
-	gen_require(`
-		type nsd_t;
-	')
-	allow $1 nsd_t:udp_socket sendto;
-	allow nsd_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Connect to NSD over a TCP socket
+##	Connect to NSD over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -29,11 +25,5 @@ interface(`nsd_udp_chat',`
 ## </param>
 #
 interface(`nsd_tcp_connect',`
-	gen_require(`
-		type nsd_t;
-	')
-
-	allow $1 nsd_t:tcp_socket { connectto recvfrom };
-	allow nsd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index e3b56d8..4a43054 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
 
-policy_module(nsd,1.0.1)
+policy_module(nsd,1.0.2)
 
 ########################################
 #
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 859cf22..f684714 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
 
-policy_module(ntp,1.1.4)
+policy_module(ntp,1.1.5)
 
 ########################################
 #
@@ -40,7 +40,7 @@ allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
-allow ntpd_t self:udp_socket { create_socket_perms sendto recvfrom };
+allow ntpd_t self:udp_socket create_socket_perms;
 
 allow ntpd_t ntp_drift_t:dir rw_dir_perms;
 allow ntpd_t ntp_drift_t:file create_file_perms;
diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if
index 949cc11..e7891a8 100644
--- a/policy/modules/services/perdition.if
+++ b/policy/modules/services/perdition.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Connect to perdition over a TCP socket
+##	Connect to perdition over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,11 +11,5 @@
 ## </param>
 #
 interface(`perdition_tcp_connect',`
-	gen_require(`
-		type perdition_t;
-	')
-
-	allow $1 perdition_t:tcp_socket { connectto recvfrom };
-	allow perdition_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index d9c4037..95b61c6 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
 
-policy_module(perdition,1.0.1)
+policy_module(perdition,1.0.2)
 
 ########################################
 #
@@ -37,7 +37,6 @@ files_pid_filetrans(perdition_t,perdition_var_run_t,file)
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
 kernel_read_proc_symlinks(perdition_t)
-kernel_tcp_recvfrom(perdition_t)
 
 corenet_non_ipsec_sendrecv(perdition_t)
 corenet_tcp_sendrecv_generic_if(perdition_t)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 430138c..3376997 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -54,19 +54,11 @@ interface(`portmap_run_helper',`
 	portmap_domtrans_helper($1)
 	role $2 types portmap_helper_t;
 	allow portmap_helper_t $3:chr_file { getattr read write ioctl };
-
-	# send to portmap
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
-
-	# receive from portmap
-	allow portmap_t $1:udp_socket sendto;
-	allow $1 portmap_t:udp_socket recvfrom;
 ')
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to portmap.
+##	Send UDP network traffic to portmap.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -75,17 +67,12 @@ interface(`portmap_run_helper',`
 ## </param>
 #
 interface(`portmap_udp_send',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP network traffic from portmap.
+##	Send and receive UDP network traffic from portmap.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -94,19 +81,12 @@ interface(`portmap_udp_send',`
 ## </param>
 #
 interface(`portmap_udp_chat',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
-	allow portmap_t $1:udp_socket sendto;
-	allow $1 portmap_t:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Connect to portmap over a TCP socket
+##	Connect to portmap over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -115,11 +95,5 @@ interface(`portmap_udp_chat',`
 ## </param>
 #
 interface(`portmap_tcp_connect',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:tcp_socket { connectto recvfrom };
-	allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 06e0af5..ddaa273 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
 
-policy_module(portmap,1.2.4)
+policy_module(portmap,1.2.5)
 
 ########################################
 #
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t,portmap_var_run_t,file)
 kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
-kernel_tcp_recvfrom(portmap_t) 
 
 corenet_non_ipsec_sendrecv(portmap_t)
 corenet_tcp_sendrecv_all_if(portmap_t)
@@ -82,8 +81,6 @@ files_read_etc_files(portmap_t)
 
 init_use_fds(portmap_t)
 init_use_script_ptys(portmap_t)
-init_udp_send(portmap_t)
-init_udp_send_script(portmap_t)
 
 libs_use_ld_so(portmap_t)
 libs_use_shared_libs(portmap_t)
@@ -104,12 +101,7 @@ ifdef(`targeted_policy', `
 ')
 
 optional_policy(`
-	inetd_udp_send(portmap_t)
-')
-
-optional_policy(`
 	nis_use_ypbind(portmap_t)
-	nis_udp_send_ypbind(portmap_t)
 ')
 
 optional_policy(`
@@ -117,10 +109,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpc_udp_send_nfs(portmap_t)
-') 
-
-optional_policy(`
 	seutil_sigchld_newrole(portmap_t)
 ')
 
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 5ebc80d..6589d72 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
 
-policy_module(portslave,1.0.1)
+policy_module(portslave,1.0.2)
 
 ########################################
 #
@@ -128,10 +128,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	radius_use(portslave_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(portslave_t)
 ')
 
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 7fb0b17..1d7691e 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.10)
+policy_module(postfix,1.2.11)
 
 ########################################
 #
@@ -563,14 +563,6 @@ allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
 
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
 
-kernel_tcp_recvfrom(postfix_smtp_t)
-
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-mta_tcp_connect_all_mailservers(postfix_smtp_t)
-
 ########################################
 #
 # Postfix smtpd local policy
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 818ba7c..c842eb7 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -83,7 +83,7 @@ interface(`postgresql_read_config',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to connect to postgresql with a tcp socket.
+##	Allow the specified domain to connect to postgresql with a tcp socket.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -92,13 +92,7 @@ interface(`postgresql_read_config',`
 ## </param>
 #
 interface(`postgresql_tcp_connect',`
-	gen_require(`
-		type postgresql_t;
-	')
-
-	kernel_tcp_recvfrom($1)
-	allow $1 postgresql_t:tcp_socket { connectto recvfrom };
-	allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 452f96c..d37997f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql,1.1.2)
+policy_module(postgresql,1.1.3)
 
 #################################
 #
@@ -83,7 +83,6 @@ kernel_read_system_state(postgresql_t)
 kernel_list_proc(postgresql_t)
 kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
-kernel_tcp_recvfrom(postgresql_t)
 
 corenet_non_ipsec_sendrecv(postgresql_t)
 corenet_tcp_sendrecv_all_if(postgresql_t)
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index 59963cb..3d684f3 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Use radius over a UDP connection.
+##	Use radius over a UDP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,13 +11,5 @@
 ## </param>
 #
 interface(`radius_use',`
-	gen_require(`
-		type radiusd_t;
-	')
-
-	allow $1 radiusd_t:udp_socket sendto;
-	allow radiusd_t $1:udp_socket recvfrom;
-
-	allow radiusd_t $1:udp_socket sendto;
-	allow $1 radiusd_t:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 6767c83..1def565 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
 
-policy_module(radius,1.1.2)
+policy_module(radius,1.1.3)
 
 ########################################
 #
@@ -134,9 +134,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_tcp_connect(radiusd_t)
-')
-
-optional_policy(`
 	udev_read_db(radiusd_t)
 ')
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 831a1cb..510d5f5 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -118,7 +118,7 @@ template(`rpc_domain_template', `
 
 ########################################
 ## <summary>
-##      Send UDP network traffic to rpc and recieve UDP traffic from rpc.
+##      Send UDP network traffic to rpc and recieve UDP traffic from rpc.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
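Review bot: The rewritten summary line still carries the misspelling "recieve" and is indented with spaces where every other summary in this commit uses a tab after `##`. Since the line is being touched anyway, I would write it as `##	Send UDP network traffic to rpc and receive UDP traffic from rpc.  (Deprecated)`. The interface this summary belongs to, `rpc_udp_send`, is in the next hunk.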
@@ -127,12 +127,7 @@ template(`rpc_domain_template', `
 ## </param>
 #
 interface(`rpc_udp_send',`
-	gen_require(`
-		type rpc_t;
-	')
-
-	allow $1 rpc_t:udp_socket sendto;
-	allow rpc_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -289,12 +284,11 @@ interface(`rpc_udp_rw_nfs_sockets',`
 	')
 
 	allow $1 nfsd_t:udp_socket rw_socket_perms;
-
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic to NFSd.
+##	Send UDP traffic to NFSd.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -303,12 +297,7 @@ interface(`rpc_udp_rw_nfs_sockets',`
 ## </param>
 #
 interface(`rpc_udp_send_nfs',`
-	gen_require(`
-		type nfsd_t;
-	')
-
-	allow $1 nfsd_t:udp_socket sendto;
-	allow nfsd_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 8536f77..98e6f73 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.9)
+policy_module(rpc,1.2.10)
 
 ########################################
 #
@@ -64,7 +64,6 @@ miscfiles_read_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
-portmap_udp_chat(rpcd_t) 
 
 ifdef(`distro_redhat',`
 	allow rpcd_t self:capability { chown dac_override setgid setuid };
@@ -87,8 +86,6 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
-kernel_udp_send(nfsd_t)
-kernel_tcp_recvfrom(nfsd_t) 
 
 fs_mount_nfsd_fs(nfsd_t) 
 fs_search_nfsd_fs(nfsd_t) 
@@ -107,9 +104,6 @@ files_manage_mounttab(rpcd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
-portmap_tcp_connect(nfsd_t) 
-portmap_udp_chat(nfsd_t)
-
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index f9ebe44..730a1ac 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Use snmp over a TCP connection.
+##	Use snmp over a TCP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,18 +11,12 @@
 ## </param>
 #
 interface(`snmp_tcp_connect',`
-	gen_require(`
-		type snmpd_t;
-	')
-
-	allow $1 snmpd_t:tcp_socket { connectto recvfrom };
-	allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic to SNMP
+##	Send and receive UDP traffic to SNMP  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,12 +25,7 @@ interface(`snmp_tcp_connect',`
 ## </param>
 #
 interface(`snmp_udp_chat',`
-	gen_require(`
-		type snmpd_t;
-	')
-
-	allow $1 snmpd_t:udp_socket { sendto recvfrom };
-	allow snmpd_t $1:udp_socket { sendto recvfrom };
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index e00284d..a5f45da 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.1.2)
+policy_module(snmp,1.1.3)
 
 ########################################
 #
@@ -55,7 +55,6 @@ kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
-kernel_tcp_recvfrom(snmpd_t)
 
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_sbin(snmpd_t)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
index 4156204..4d862d9 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Connect to the sound server over a TCP socket
+##	Connect to the sound server over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -11,11 +11,5 @@
 ## </param>
 #
 interface(`soundserver_tcp_connect',`
-	gen_require(`
-		type soundd_t;
-	')
-
-	allow $1 soundd_t:tcp_socket { connectto recvfrom };
-	allow soundd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 22ba8e2..aed94e9 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
 
-policy_module(soundserver,1.0.1)
+policy_module(soundserver,1.0.2)
 
 ########################################
 #
@@ -64,7 +64,6 @@ files_pid_filetrans(soundd_t,soundd_var_run_t,file)
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
-kernel_tcp_recvfrom(soundd_t)
 
 corenet_non_ipsec_sendrecv(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 1405466..b58b49f 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -85,8 +85,6 @@ template(`spamassassin_per_userdomain_template',`
 	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
 
 	# Allow connecting to a local spamd
-	allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
-	allow spamd_t $1_spamc_t:tcp_socket { acceptfrom recvfrom };
 	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
 	allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
 
@@ -97,7 +95,6 @@ template(`spamassassin_per_userdomain_template',`
 	allow $1_spamc_t $2:process sigchld;
 
 	kernel_read_kernel_sysctls($1_spamc_t)
-	kernel_tcp_recvfrom($1_spamc_t)
 
 	corenet_non_ipsec_sendrecv($1_spamc_t)
 	corenet_tcp_sendrecv_generic_if($1_spamc_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index ba0d6e5..31f15ca 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.3.9)
+policy_module(spamassassin,1.3.10)
 
 ########################################
 #
@@ -66,7 +66,6 @@ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
-kernel_tcp_recvfrom(spamd_t)
 
 corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_sendrecv_all_if(spamd_t)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 10e77d7..4a7a357 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -106,7 +106,7 @@ interface(`squid_manage_logs',`
 
 ########################################
 ## <summary>
-##	Use squid services by connecting over TCP.
+##	Use squid services by connecting over TCP.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -115,11 +115,5 @@ interface(`squid_manage_logs',`
 ## </param>
 #
 interface(`squid_use',`
-	gen_require(`
-		type squid_t;
-	')
-
-	allow $1 squid_t:tcp_socket { connectto recvfrom };
-	allow squid_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index c6d21df..eb8bd96 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
 
-policy_module(squid,1.1.4)
+policy_module(squid,1.1.5)
 
 ########################################
 #
@@ -66,7 +66,6 @@ files_pid_filetrans(squid_t,squid_var_run_t,file)
 
 kernel_read_kernel_sysctls(squid_t)
 kernel_read_system_state(squid_t)
-kernel_tcp_recvfrom(squid_t)
 
 files_dontaudit_getattr_boot_dirs(squid_t)
 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 172fcf6..9309129 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -663,7 +663,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Connect to SSH daemons over TCP sockets.
+##	Connect to SSH daemons over TCP sockets.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -672,13 +672,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 ## </param>
 #
 interface(`ssh_tcp_connect',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:tcp_socket { connectto recvfrom };
-	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 91a9116..289f530 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.8)
+policy_module(ssh,1.3.9)
 
 ########################################
 #
@@ -72,7 +72,6 @@ ifdef(`targeted_policy',`
 
 ifdef(`strict_policy',`
 	# so a tunnel can point to another ssh tunnel
-	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
 	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 
 	allow sshd_t sshd_tmp_t:dir create_dir_perms;
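Review bot: The comment `# so a tunnel can point to another ssh tunnel` is left behind when the `self:tcp_socket` rule it described is removed, so it now sits directly above `allow sshd_t self:netlink_route_socket r_netlink_socket_perms;` and reads as the justification for that unrelated rule. A stale rationale on an allow rule is misleading during a later policy audit. Drop the comment together with the rule. The strict_policy ifdef block continues beyond this hunk.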
@@ -186,12 +185,6 @@ ifdef(`strict_policy',`
 	domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
 	role_transition sysadm_r sshd_exec_t system_r;
 	')
-
-	# for port forwarding
-	allow userdomain sshd_t:tcp_socket { connectto recvfrom };
-	allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
-	allow userdomain kernel_t:tcp_socket recvfrom;
-	allow sshd_t kernel_t:tcp_socket recvfrom;
 	') dnl endif TODO
 ')
 
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index a902b93..a296cfd 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
 
-policy_module(tcpd,1.0.3)
+policy_module(tcpd,1.0.4)
 
 ########################################
 #
@@ -62,10 +62,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	portmap_udp_send(tcpd_t)
-')
-
-optional_policy(`
 	rlogin_domtrans(tcpd_t)
 ')
 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index bac7292..1f592c6 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -564,12 +564,6 @@ template(`xserver_user_client_template',`
 		allow $2 $1_xserver_t:shm rw_shm_perms;
 		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 	')
-
-	# for X over a ssh tunnel
-	optional_policy(`
-		kernel_tcp_recvfrom($2)
-		ssh_tcp_connect($2)
-	')
 ')
 
 ########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c43154a..dacc624 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.12)
+policy_module(xserver,1.1.13)
 
 ########################################
 #
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 2cc306e..ea623dd 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.2.3)
+policy_module(zebra,1.2.4)
 
 ########################################
 #
@@ -58,7 +58,6 @@ files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
 
 kernel_read_system_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
-kernel_tcp_recvfrom(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 
 corenet_non_ipsec_sendrecv(zebra_t)
@@ -124,10 +123,6 @@ tunable_policy(`allow_zebra_write_config',`
 ')
 
 optional_policy(`
-	ldap_use(zebra_t)
-')
-
-optional_policy(`
 	nis_use_ypbind(zebra_t)
 ')
 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index cfe04fa..15bc6e8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -317,7 +317,7 @@ interface(`init_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to init.
+##	Send UDP network traffic to init.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -326,15 +326,7 @@ interface(`init_dontaudit_use_fds',`
 ## </param>
 #
 interface(`init_udp_send',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:udp_socket sendto;
-	allow init_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -751,7 +743,7 @@ interface(`init_rw_script_pipes',`
 
 ########################################
 ## <summary>
-##	Send UDP network traffic to init scripts.
+##	Send UDP network traffic to init scripts.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -760,12 +752,7 @@ interface(`init_rw_script_pipes',`
 ## </param>
 #
 interface(`init_udp_send_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:udp_socket sendto;
-	allow initrc_t $1:udp_socket recvfrom;
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 431483b..d798bd0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.18)
+policy_module(init,1.3.19)
 
 gen_require(`
 	class passwd rootok;
@@ -190,10 +190,6 @@ optional_policy(`
 	nscd_socket_use(init_t)
 ')
 
-optional_policy(`
-	portmap_udp_send(init_t)
-')
-
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`
 	userdom_shell_domtrans_sysadm(init_t)
@@ -635,7 +631,6 @@ optional_policy(`
 
 optional_policy(`
 	nis_use_ypbind(initrc_t)
-	nis_udp_send_ypbind(initrc_t)
 	nis_list_var_yp(initrc_t)
 ')
 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index cb763fe..4966251 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.8)
+policy_module(mount,1.3.9)
 
 ########################################
 #
@@ -140,8 +140,6 @@ optional_policy(`
 
 	fs_search_rpc(mount_t)
 
-	portmap_udp_chat(mount_t)
-
 	optional_policy(`
 		nis_use_ypbind(mount_t)
 	')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bb6212b..00a7dd6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -97,7 +97,7 @@ template(`base_user_template',`
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
 	allow $1_t self:tcp_socket create_stream_socket_perms;
-	allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
+	allow $1_t self:udp_socket create_socket_perms;
 
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@@ -346,26 +346,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		dictd_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`ftpd_is_daemon',`
-			ftp_tcp_connect($1_t)
-		')
-	')
-
-	optional_policy(`
-		finger_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		i18n_use($1_t)
-	')
-
-	optional_policy(`
-		inetd_tcp_connect($1_t)
-		inetd_udp_send($1_t)
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
@@ -377,10 +357,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		jabber_tcp_connect($1_t)
-	')
-
-	optional_policy(`
 		mta_rw_spool($1_t)
 	')
 
@@ -397,10 +373,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		nessus_tcp_connect($1_t)
-	')
-
-	optional_policy(`
 		nscd_socket_use($1_t)
 	')
 
@@ -410,14 +382,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		perdition_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		portmap_tcp_connect($1_t)
-	')
-
-	optional_policy(`
 		quota_dontaudit_getattr_db($1_t)
 	')
 
@@ -446,14 +410,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		soundserver_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		squid_use($1_t)
-	')
-
-	optional_policy(`
 		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	')
@@ -778,9 +734,6 @@ template(`admin_user_template',`
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
-	# for the administrator to run TCP servers directly
-	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
-
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
@@ -802,8 +755,6 @@ template(`admin_user_template',`
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
-	# for the administrator to run TCP servers directly
-	kernel_tcp_recvfrom($1_t)
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cdec392..49b447d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.29)
+policy_module(userdomain,1.3.30)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -417,10 +417,6 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
-		radius_use(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
 		rpm_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 

