[selinux-policy/master_contrib: 15/47] Remove duplicate rules from contrib *.te files
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 16 13:31:46 UTC 2013
commit 0c593c250f3a1eeff925e2e8e81ed47c5fd017dc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Sun Jan 13 23:32:12 2013 +0100
Remove duplicate rules from contrib *.te files
accountsd.te | 4 ----
acct.te | 6 ------
afs.te | 5 ++---
aide.te | 2 --
alsa.te | 2 --
amanda.te | 4 ----
amavis.te | 1 -
apache.te | 26 ++++++--------------------
apcupsd.te | 5 -----
apm.te | 44 ++------------------------------------------
asterisk.te | 2 --
automount.te | 2 --
avahi.te | 4 ----
bind.te | 2 --
bitlbee.te | 9 ---------
blueman.te | 3 ---
bluetooth.te | 4 ----
cdrecord.te | 3 +--
certmonger.te | 6 +++---
cgroup.te | 1 -
chronyd.te | 4 ----
clamav.te | 10 ----------
colord.te | 2 --
corosync.te | 24 ------------------------
cpufreqselector.te | 1 -
cron.te | 1 -
cups.te | 11 -----------
cyrus.te | 1 -
dbus.te | 2 --
ddclient.te | 1 -
denyhosts.te | 2 --
devicekit.te | 7 -------
dhcp.te | 4 ----
djbdns.te | 1 -
dnsmasq.te | 8 --------
fail2ban.te | 8 --------
fetchmail.te | 7 -------
fprintd.te | 5 -----
ftp.te | 2 +-
glance.te | 4 +---
gpg.te | 6 ++----
gpsd.te | 11 -----------
icecast.te | 4 ----
inetd.te | 2 --
inn.te | 2 --
jabber.te | 12 +++---------
kdumpgui.te | 8 --------
kismet.te | 2 --
ksmtuned.te | 4 ----
ldap.te | 4 ----
logwatch.te | 6 ------
mailman.te | 12 ------------
mcelog.te | 9 ---------
mozilla.te | 2 +-
mpd.te | 2 --
mrtg.te | 2 --
munin.te | 5 -----
mysql.te | 1 -
nagios.te | 28 ++++++++--------------------
networkmanager.te | 7 ++++---
nsplugin.te | 4 ----
openct.te | 2 --
openshift.te | 5 +----
pegasus.te | 6 ------
pki.te | 6 ------
postfix.te | 1 -
ppp.te | 1 -
puppet.te | 15 ++++-----------
qpid.te | 5 -----
quantum.te | 1 -
quota.te | 17 +++++++----------
raid.te | 4 ----
rhcs.te | 20 --------------------
rhsmcertd.te | 2 --
rlogin.te | 6 ------
rpcbind.te | 2 --
rpm.te | 6 ++----
rtkit.te | 3 ---
samba.te | 4 ----
sambagui.te | 4 ----
shorewall.te | 2 --
smartmon.te | 4 ----
smoltclient.te | 8 --------
snmp.te | 10 ----------
squid.te | 10 ----------
sysstat.te | 2 --
telnet.te | 2 --
thumb.te | 2 --
tmpreaper.te | 5 -----
tor.te | 3 ---
uml.te | 4 ----
uucp.te | 6 ------
vdagent.te | 2 --
virt.te | 2 --
vmware.te | 12 ------------
vnstatd.te | 4 ----
webadm.te | 1 -
webalizer.te | 6 +-----
wine.te | 4 ----
wireshark.te | 2 --
xen.te | 1 -
zabbix.te | 12 ------------
102 files changed, 49 insertions(+), 538 deletions(-)
---
diff --git a/accountsd.te b/accountsd.te
index 783d3df..f9d3343 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -38,7 +38,6 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
-kernel_read_system_state(accountsd_t)
kernel_read_kernel_sysctls(accountsd_t)
kernel_read_system_state(accountsd_t)
@@ -50,13 +49,11 @@ files_read_mnt_files(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-fs_getattr_xattr_fs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-auth_read_login_records(accountsd_t)
init_dbus_chat(accountsd_t)
@@ -72,7 +69,6 @@ usermanage_domtrans_passwd(accountsd_t)
optional_policy(`
consolekit_dbus_chat(accountsd_t)
consolekit_read_log(accountsd_t)
- consolekit_dbus_chat(accountsd_t)
')
optional_policy(`
diff --git a/acct.te b/acct.te
index 7a449cc..d538827 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
dev_read_sysfs(acct_t)
dev_read_urand(acct_t)
-domain_use_interactive_fds(acct_t)
-
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
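Review bot: `domain_use_interactive_fds(acct_t)` is deleted here with no surviving copy anywhere in the hunk, so unless a second copy exists elsewhere in acct.te this is a permission removal rather than a de-duplication; the same applies to `files_list_usr(acct_t)` in the next hunk. The pattern recurs in other files of this patch, e.g. `corecmd_exec_bin(alsa_t)` in alsa.te, `shutdown_domtrans(apcupsd_t)` in apcupsd.te, `auth_manage_var_auth(crond_t)` in cron.te, `userdom_read_all_users_state(cupsd_config_t)` in cups.te, the devicekit_var_log_t rules for devicekit_power_t in devicekit.te, `bind_read_dnssec_keys(dhcpd_t)` in dhcp.te, the fail2ban_tmp_t rules in fail2ban.te, the two policykit_dbus_chat calls in fprintd.te and the chronyd block in gpsd.te. Where the twin really is outside the hunk this is fine; where it is not, the access silently disappears under a "duplicate rules" commit message and the affected daemon will start producing AVC denials. Suggest verifying each removal by comparing the compiled allow rules of the module before and after the patch, and moving any removal that is not a duplicate into a separate commit whose message names it.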
@@ -49,9 +47,6 @@ term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
-
-auth_use_nsswitch(acct_t)
auth_use_nsswitch(acct_t)
@@ -61,7 +56,6 @@ init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
-userdom_dontaudit_use_unpriv_user_fds(acct_t)
userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/afs.te b/afs.te
index ff1c351..baf390f 100644
--- a/afs.te
+++ b/afs.te
@@ -187,15 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_all_recvfrom_netlabel(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
diff --git a/aide.te b/aide.te
index 2cc5904..cf64a9a 100644
--- a/aide.te
+++ b/aide.te
@@ -34,11 +34,9 @@ setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
-files_read_boot_symlinks(aide_t)
files_read_all_symlinks(aide_t)
files_getattr_all_pipes(aide_t)
files_getattr_all_sockets(aide_t)
-files_read_all_symlinks(aide_t)
mls_file_read_to_clearance(aide_t)
mls_file_write_to_clearance(aide_t)
diff --git a/alsa.te b/alsa.te
index 1986c26..f19402e 100644
--- a/alsa.te
+++ b/alsa.te
@@ -62,8 +62,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)
-corecmd_exec_bin(alsa_t)
-
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
diff --git a/amanda.te b/amanda.te
index ebba0d8..b09436e 100644
--- a/amanda.te
+++ b/amanda.te
@@ -194,12 +194,8 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
logging_search_logs(amanda_recover_t)
-
userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
diff --git a/amavis.te b/amavis.te
index f493d2a..a95b541 100644
--- a/amavis.te
+++ b/amavis.te
@@ -125,7 +125,6 @@ corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
dev_read_urand(amavis_t)
-dev_read_sysfs(amavis_t)
domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
diff --git a/apache.te b/apache.te
index bcdad77..44d1a07 100644
--- a/apache.te
+++ b/apache.te
@@ -368,10 +368,6 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
-optional_policy(`
- postgresql_unpriv_client(httpd_sys_script_t)
-')
-
typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
@@ -849,9 +845,8 @@ optional_policy(`
')
optional_policy(`
- # needed by FreeIPA
+ #needed by FreeIPA
dirsrv_stream_connect(httpd_t)
- ldap_stream_connect(httpd_t)
')
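Review bot: The rewritten comment on the new side drops the space after the hash (`#needed by FreeIPA`), while the other comments visible in this patch (for example `# setup the system domain for system CGI scripts` and `# needed by FreeIPA with DNS support` in bind.te) use `# `; keep `# needed by FreeIPA`. Removing `ldap_stream_connect(httpd_t)` from the dirsrv optional_policy block is sound only if it survives in its own block keyed on the ldap module, because an optional_policy block is dropped as a whole when any interface inside it is unavailable, which is why mixing dirsrv and ldap interfaces in one block was wrong in the first place; the hunks do not show such a block. The same removal is made for `named_t` in bind.te.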
optional_policy(`
@@ -964,12 +959,11 @@ optional_policy(`
')
optional_policy(`
- pki_apache_domain_signal(httpd_t)
- pki_apache_domain_signal(httpd_t)
- pki_manage_apache_run(httpd_t)
- pki_manage_apache_config_files(httpd_t)
- pki_manage_apache_log_files(httpd_t)
- pki_manage_apache_lib(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
')
optional_policy(`
@@ -1035,8 +1029,6 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_inherited_user_terminals(httpd_helper_t)
-
tunable_policy(`httpd_verify_dns',`
corenet_udp_bind_all_ephemeral_ports(httpd_t)
')
@@ -1559,8 +1551,6 @@ allow httpd_script_type httpd_t:process sigchld;
dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-dev_read_urand(httpd_script_type)
-
fs_getattr_xattr_fs(httpd_script_type)
files_read_etc_runtime_files(httpd_script_type)
@@ -1586,10 +1576,6 @@ tunable_policy(`httpd_builtin_scripting',`
allow httpd_t httpd_content_type:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-
- allow httpd_t httpd_content_type:dir list_dir_perms;
- read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
- read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')
tunable_policy(`httpd_use_openstack',`
diff --git a/apcupsd.te b/apcupsd.te
index febec9a..7e05d8c 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -66,7 +66,6 @@ corenet_udp_sendrecv_generic_node(apcupsd_t)
corenet_udp_bind_generic_node(apcupsd_t)
corenet_tcp_bind_apcupsd_port(apcupsd_t)
-corenet_udp_bind_generic_node(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -101,10 +100,6 @@ optional_policy(`
')
optional_policy(`
- shutdown_domtrans(apcupsd_t)
-')
-
-optional_policy(`
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
diff --git a/apm.te b/apm.te
index 29e3af5..5d9ac1d 100644
--- a/apm.te
+++ b/apm.te
@@ -129,8 +129,6 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
-auth_use_nsswitch(apmd_t)
-
init_domtrans_script(apmd_t)
libs_exec_ld_so(apmd_t)
@@ -150,44 +148,6 @@ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
-ifdef(`distro_redhat',`
- allow apmd_t apmd_lock_t:file manage_file_perms;
- files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
- can_exec(apmd_t, apmd_var_run_t)
-
- optional_policy(`
- fstools_domtrans(apmd_t)
- ')
-
- optional_policy(`
- iptables_domtrans(apmd_t)
- ')
-
- optional_policy(`
- netutils_domtrans(apmd_t)
- ')
-
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`
- sssd_search_lib(apmd_t)
- ')
-
- optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
- ')
-
-',`
- # for ifconfig which is run all the time
- kernel_dontaudit_search_sysctl(apmd_t)
-')
-
-ifdef(`distro_suse',`
- manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
- manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
- files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
-')
-
optional_policy(`
automount_domtrans(apmd_t)
')
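Review bot: Most of what this hunk deletes is not a duplicate: the whole distro_redhat ifdef block goes, taking with it the lock-file rules `allow apmd_t apmd_lock_t:file manage_file_perms;` and `files_lock_filetrans(apmd_t, apmd_lock_t, file)`, `can_exec(apmd_t, apmd_var_run_t)`, the transitions to fstools, iptables, netutils and ifconfig, the non-Red-Hat `kernel_dontaudit_search_sysctl(apmd_t)` branch and the distro_suse var_lib rules, and only `sssd_search_lib(apmd_t)` is re-added in the following hunk. In that following hunk `shutdown_domtrans(apmd_t)` is replaced by `systemd_dbus_chat_logind(apmd_t)` instead of being kept alongside it, so apmd's transition into the shutdown domain also disappears unless a copy exists elsewhere in apm.te. If these rules are present unconditionally elsewhere in the file the change is fine, but that cannot be checked from the hunk; otherwise apmd_t loses the listed transitions and the functional change should be in its own commit with a message that says so.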
@@ -250,11 +210,11 @@ optional_policy(`
')
optional_policy(`
- systemd_dbus_chat_logind(apmd_t)
+ sssd_search_lib(apmd_t)
')
optional_policy(`
- shutdown_domtrans(apmd_t)
+ systemd_dbus_chat_logind(apmd_t)
')
optional_policy(`
diff --git a/asterisk.te b/asterisk.te
index 37841a1..0be374d 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -23,7 +23,6 @@ files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
-mta_system_content(asterisk_tmp_t)
type asterisk_tmpfs_t;
files_tmpfs_file(asterisk_tmpfs_t)
@@ -125,7 +124,6 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
corenet_sendrecv_sip_client_packets(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
-corenet_tcp_connect_jabber_client_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
diff --git a/automount.te b/automount.te
index 9fdef3d..e8961f7 100644
--- a/automount.te
+++ b/automount.te
@@ -53,14 +53,12 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
kernel_read_kernel_sysctls(automount_t)
-kernel_read_vm_sysctls(automount_t)
kernel_read_irq_sysctls(automount_t)
kernel_read_fs_sysctls(automount_t)
kernel_read_vm_sysctls(automount_t)
kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t)
-kernel_search_vm_sysctl(automount_t)
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
diff --git a/avahi.te b/avahi.te
index 3929421..0730647 100644
--- a/avahi.te
+++ b/avahi.te
@@ -110,10 +110,6 @@ optional_policy(`
')
optional_policy(`
- rpcbind_signull(avahi_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
diff --git a/bind.te b/bind.te
index 6a12335..74e77ff 100644
--- a/bind.te
+++ b/bind.te
@@ -174,7 +174,6 @@ tunable_policy(`named_write_master_zones',`
optional_policy(`
# needed by FreeIPA with DNS support
dirsrv_stream_connect(named_t)
- ldap_stream_connect(named_t)
')
optional_policy(`
@@ -235,7 +234,6 @@ allow ndc_t named_zone_t:dir search_dir_perms;
kernel_read_system_state(ndc_t)
kernel_read_kernel_sysctls(ndc_t)
-kernel_read_system_state(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
diff --git a/bitlbee.te b/bitlbee.te
index 5ca06bb..a63f4c2 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -57,10 +57,6 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
-# log files
-manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-
manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
@@ -102,11 +98,6 @@ corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_sendrecv_http_cache_client_packets(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
-corenet_tcp_bind_ircd_port(bitlbee_t)
-corenet_tcp_sendrecv_ircd_port(bitlbee_t)
-corenet_sendrecv_ircd_server_packets(bitlbee_t)
-corenet_tcp_bind_interwise_port(bitlbee_t)
-corenet_tcp_sendrecv_interwise_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
diff --git a/blueman.te b/blueman.te
index fe09796..0beaf43 100644
--- a/blueman.te
+++ b/blueman.te
@@ -46,7 +46,6 @@ dev_rw_wireless(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
-files_list_tmp(blueman_t)
auth_use_nsswitch(blueman_t)
@@ -55,8 +54,6 @@ logging_send_syslog_msg(blueman_t)
sysnet_domtrans_ifconfig(blueman_t)
sysnet_dns_name_resolve(blueman_t)
-sysnet_domtrans_ifconfig(blueman_t)
-
optional_policy(`
avahi_domtrans(blueman_t)
')
diff --git a/bluetooth.te b/bluetooth.te
index f3ae1a6..88b8feb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -142,10 +142,6 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
- devicekit_dbus_chat_power(bluetooth_t)
-')
-
-optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
diff --git a/cdrecord.te b/cdrecord.te
index e380b26..a7555c0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -50,8 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
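Review bot: This hunk is a permission change, not a de-duplication: `userdom_use_user_terminals(cdrecord_t)` is narrowed to `userdom_use_inherited_user_terminals(cdrecord_t)` and the unconditional `userdom_read_user_home_content_files(cdrecord_t)` is dropped. Both tighten cdrecord_t, which is welcome, but they belong in a commit whose message describes them, and the second one is only safe if the `cdrecord_read_content` tunable branch (the one starting right below this hunk covers the NFS case) also grants plain home-content reads; that part of the file is outside the hunk. If it does not, burning a file from the user's home directory is denied even with the boolean enabled.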
diff --git a/certmonger.te b/certmonger.te
index 1bb3f10..dd34a80 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -137,13 +137,13 @@ optional_policy(`
domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
- unconfined_domain(certmonger_unconfined_t)
-
allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
init_domtrans_script(certmonger_unconfined_t)
- unconfined_domain(certmonger_unconfined_t)
+ optional_policy(`
+ unconfined_domain(certmonger_unconfined_t)
+ ')
')
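Review bot: Wrapping `unconfined_domain(certmonger_unconfined_t)` in its own optional_policy block is the right fix, since the unconfined module is optional and a bare call fails to build without it. Two context lines above, `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class right after a `search_dir_perms` rule on the same class; it compiles, but it looks like either the class should be `file` or the set should be `list_dir_perms`. That mismatch predates this change, but the commit is already editing this block, so it is a cheap moment to correct it.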
diff --git a/cgroup.te b/cgroup.te
index 18cf736..68d9b5f 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -95,7 +95,6 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
kernel_read_all_sysctls(cgred_t)
kernel_read_system_state(cgred_t)
-kernel_read_all_sysctls(cgred_t)
domain_read_all_domains_state(cgred_t)
domain_setpriority_all_domains(cgred_t)
diff --git a/chronyd.te b/chronyd.te
index dac9e4c..bd3362e 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -92,7 +92,3 @@ mta_send_mail(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
-
-optional_policy(`
- mta_send_mail(chronyd_t)
-')
diff --git a/clamav.te b/clamav.te
index 725029f..c8c9a5a 100644
--- a/clamav.te
+++ b/clamav.te
@@ -261,10 +261,6 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
-')
-
-optional_policy(`
clamd_systemctl(freshclam_t)
')
@@ -303,12 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
-allow clamscan_t clamd_var_run_t:dir list_dir_perms;
-
-kernel_dontaudit_list_proc(clamscan_t)
-kernel_read_system_state(clamscan_t)
-
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
diff --git a/colord.te b/colord.te
index 235f39e..28dd440 100644
--- a/colord.te
+++ b/colord.te
@@ -89,9 +89,7 @@ domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
-fs_search_all(colord_t)
fs_getattr_noxattr_fs(colord_t)
-fs_dontaudit_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
diff --git a/corosync.te b/corosync.te
index d7f485e..691ca11 100644
--- a/corosync.te
+++ b/corosync.te
@@ -46,8 +46,6 @@ allow corosync_t self:shm create_shm_perms;
allow corosync_t self:unix_dgram_socket sendto;
allow corosync_t self:unix_stream_socket { accept connectto listen };
-can_exec(corosync_t, corosync_exec_t)
-
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
@@ -78,8 +76,6 @@ can_exec(corosync_t, corosync_exec_t)
kernel_read_all_sysctls(corosync_t)
kernel_read_network_state(corosync_t)
kernel_read_system_state(corosync_t)
-kernel_read_network_state(corosync_t)
-kernel_read_all_sysctls(corosync_t)
corecmd_exec_bin(corosync_t)
corecmd_exec_shell(corosync_t)
@@ -96,7 +92,6 @@ corenet_udp_sendrecv_netsupport_port(corosync_t)
dev_read_sysfs(corosync_t)
dev_read_urand(corosync_t)
-dev_read_sysfs(corosync_t)
domain_read_all_domains_state(corosync_t)
@@ -142,17 +137,6 @@ optional_policy(`
')
optional_policy(`
- qpidd_rw_shm(corosync_t)
-')
-
-optional_policy(`
- rhcs_getattr_fenced(corosync_t)
- rhcs_rw_cluster_shm(corosync_t)
- rhcs_rw_cluster_semaphores(corosync_t)
- rhcs_stream_connect_cluster(corosync_t)
-')
-
-optional_policy(`
lvm_rw_clvmd_tmpfs_files(corosync_t)
lvm_delete_clvmd_tmpfs_files(corosync_t)
')
@@ -173,14 +157,6 @@ optional_policy(`
')
optional_policy(`
- # should be removed in F19
- # workaround because we switch hearbeat from corosync to rgmanager
- rgmanager_manage_files(corosync_t)
-
- rgmanager_manage_tmpfs_files(corosync_t)
-')
-
-optional_policy(`
rpc_search_nfs_state_data(corosync_t)
')
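Review bot: The rgmanager block removed in this hunk carried its own `# should be removed in F19` note, so its deletion is a deliberate retirement of a workaround, not a duplicate removal, and the commit message should say so (or it should go in its own commit). Likewise the `rhcs_*` calls and `qpidd_rw_shm(corosync_t)` deleted in the previous hunk have no surviving copy in these hunks; rhcs.te itself loses 20 lines in this patch, so a reviewer cannot tell from the diff whether corosync_t keeps the rhcs shared-memory, semaphore and stream-connect access those lines granted. Suggest listing these intentional removals in the message and confirming the rhcs rules have a remaining copy.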
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 5bf715c..7fd7d8f 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -28,7 +28,6 @@ userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
- init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
optional_policy(`
consolekit_dbus_chat(cpufreqselector_t)
diff --git a/cron.te b/cron.te
index 9e55dbb..cb96ffb 100644
--- a/cron.te
+++ b/cron.te
@@ -241,7 +241,6 @@ init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
diff --git a/cups.te b/cups.te
index 6cfc825..c7a0a97 100644
--- a/cups.te
+++ b/cups.te
@@ -221,7 +221,6 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
@@ -477,11 +476,6 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(cupsd_config_t)
- userdom_read_all_users_state(cupsd_config_t)
-')
-
-optional_policy(`
rpm_read_db(cupsd_config_t)
')
@@ -644,9 +638,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-# for python
-corecmd_exec_bin(hplip_t)
-
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
@@ -671,7 +662,6 @@ corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_howl_server_packets(hplip_t)
corenet_udp_bind_howl_port(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
corecmd_exec_bin(hplip_t)
@@ -702,7 +692,6 @@ sysnet_dns_name_resolve(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
-userdom_dbus_send_all_users(hplip_t)
optional_policy(`
dbus_system_bus_client(hplip_t)
diff --git a/cyrus.te b/cyrus.te
index f35fbae..e157463 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -92,7 +92,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
diff --git a/dbus.te b/dbus.te
index 6206703..4c346e6 100644
--- a/dbus.te
+++ b/dbus.te
@@ -328,10 +328,8 @@ optional_policy(`
optional_policy(`
xserver_search_xdm_lib(session_bus_type)
- xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
- xserver_rw_xdm_pipes(session_bus_type)
xserver_append_xdm_home_files(session_bus_type)
')
diff --git a/ddclient.te b/ddclient.te
index db7291a..2efb435 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -88,7 +88,6 @@ corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
corenet_tcp_bind_generic_node(ddclient_t)
corenet_udp_bind_generic_node(ddclient_t)
-corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
diff --git a/denyhosts.te b/denyhosts.te
index bc1d203..b53e611 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -47,9 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
kernel_read_network_state(denyhosts_t)
kernel_read_system_state(denyhosts_t)
-kernel_read_network_state(denyhosts_t)
-corecmd_exec_shell(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
diff --git a/devicekit.te b/devicekit.te
index 1aa58d4..979a3de 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -83,11 +83,9 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
files_filetrans_named_content(devicekit_disk_t)
-kernel_list_unlabeled(devicekit_disk_t)
kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
@@ -216,9 +214,6 @@ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-
manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
@@ -266,7 +261,6 @@ files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
-fs_getattr_all_fs(devicekit_power_t)
term_use_all_inherited_terms(devicekit_power_t)
@@ -346,7 +340,6 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
policykit_read_reload(devicekit_power_t)
diff --git a/dhcp.te b/dhcp.te
index f14723d..cdb4d60 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -126,10 +126,6 @@ optional_policy(`
')
optional_policy(`
- bind_read_dnssec_keys(dhcpd_t)
-')
-
-optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/djbdns.te b/djbdns.te
index 2f66c34..df50e4c 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -57,7 +57,6 @@ daemontools_read_svc(djbdns_axfrdns_t)
# axfrdns local policy
#
-ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
diff --git a/dnsmasq.te b/dnsmasq.te
index f33d9f5..363af2a 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -116,14 +116,6 @@ optional_policy(`
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
-')
-
-optional_policy(`
- ppp_read_pid_files(dnsmasq_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
diff --git a/fail2ban.te b/fail2ban.te
index e985043..d49f5ad 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -60,11 +60,6 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
-manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
-
kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
@@ -95,9 +90,6 @@ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
-sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
mta_send_mail(fail2ban_t)
sysnet_manage_config(fail2ban_t)
diff --git a/fetchmail.te b/fetchmail.te
index 73521ff..fd440f8 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
-read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -50,10 +48,6 @@ logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
-manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
-
manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
@@ -99,7 +93,6 @@ logging_send_syslog_msg(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
optional_policy(`
kerberos_use(fetchmail_t)
diff --git a/fprintd.te b/fprintd.te
index 5794a7b..7575a9b 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -50,16 +50,11 @@ optional_policy(`
')
')
-optional_policy(`
- dbus_system_domain(fprintd_t, fprintd_exec_t)
-')
optional_policy(`
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
- policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
- policykit_dbus_chat_auth(fprintd_t)
')
optional_policy(`
diff --git a/ftp.te b/ftp.te
index 11dedd5..45c02b7 100644
--- a/ftp.te
+++ b/ftp.te
@@ -228,10 +228,10 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
+
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
-corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
diff --git a/glance.te b/glance.te
index 8892bda..be03e22 100644
--- a/glance.te
+++ b/glance.te
@@ -112,6 +112,7 @@ can_exec(glance_api_t, glance_tmp_t)
corenet_tcp_bind_generic_node(glance_api_t)
corenet_tcp_bind_glance_port(glance_api_t)
+corenet_sendrecv_glance_registry_client_packets(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
@@ -119,9 +120,6 @@ corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
corenet_sendrecv_hplip_server_packets(glance_api_t)
corenet_tcp_bind_hplip_port(glance_api_t)
-corenet_sendrecv_glance_registry_client_packets(glance_api_t)
-corenet_tcp_connect_glance_registry_port(glance_api_t)
-
fs_getattr_xattr_fs(glance_api_t)
optional_policy(`
diff --git a/gpg.te b/gpg.te
index 7c83c74..d80e7c0 100644
--- a/gpg.te
+++ b/gpg.te
@@ -94,10 +94,6 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-
-# transition from the gpg domain to the helper domain
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -178,6 +174,8 @@ optional_policy(`
# GPG helper local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
allow gpg_helper_t self:process { getsched setsched };
# for helper programs (which automatically fetch keys)
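Review bot: The re-added `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` now sits directly under the `# GPG helper local policy` header, in the gpg_helper_t section, although it is a gpg_t rule about the agent; it belongs with the other gpg_t rules where the previous hunk removed it, so the section headers stay truthful. More importantly, `domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)` and its comment `# transition from the gpg domain to the helper domain` are deleted in the previous hunk with no surviving copy in either hunk; if there is no other copy in gpg.te, running the key-fetching helper from gpg_t no longer transitions into gpg_helper_t and the helper keeps gpg_t's own access, including the gpg_secret_t rules visible in the previous hunk. That would be a confinement regression rather than a de-duplication, so please confirm the twin exists or restore the line in the gpg_t section.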
diff --git a/gpsd.te b/gpsd.te
index 61d3e29..2200e6d 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -60,11 +60,6 @@ dev_rw_realtime_clock(gpsd_t)
domain_dontaudit_read_all_domains_state(gpsd_t)
-dev_read_sysfs(gpsd_t)
-dev_rw_realtime_clock(gpsd_t)
-
-domain_dontaudit_read_all_domains_state(gpsd_t)
-
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
term_use_usb_ttys(gpsd_t)
@@ -81,12 +76,6 @@ optional_policy(`
')
optional_policy(`
- chronyd_rw_shm(gpsd_t)
- chronyd_stream_connect(gpsd_t)
- chronyd_dgram_send(gpsd_t)
-')
-
-optional_policy(`
dbus_system_bus_client(gpsd_t)
')
diff --git a/icecast.te b/icecast.te
index 73f5015..6097225 100644
--- a/icecast.te
+++ b/icecast.te
@@ -67,10 +67,6 @@ dev_read_rand(icecast_t)
auth_use_nsswitch(icecast_t)
-domain_use_interactive_fds(icecast_t)
-
-auth_use_nsswitch(icecast_t)
-
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
corenet_sendrecv_all_client_packets(icecast_t)
diff --git a/inetd.te b/inetd.te
index 5eebf38..9762e4a 100644
--- a/inetd.te
+++ b/inetd.te
@@ -167,8 +167,6 @@ mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
mls_net_outbound_all_levels(inetd_t)
mls_process_set_level(inetd_t)
-#706086
-mls_net_outbound_all_levels(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_user_home_dirs(inetd_t)
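Review bot: Removing the duplicate `mls_net_outbound_all_levels(inetd_t)` also drops the `#706086` bug reference that documented why the rule exists, and the surviving copy above it has no comment. Keep the provenance on the line that stays by placing `#706086` directly above the remaining `mls_net_outbound_all_levels(inetd_t)`.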
diff --git a/inn.te b/inn.te
index e2c9fe9..5967395 100644
--- a/inn.te
+++ b/inn.te
@@ -44,8 +44,6 @@ allow innd_t self:tcp_socket { accept listen };
read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
-can_exec(innd_t, innd_exec_t)
-
allow innd_t innd_log_t:dir setattr_dir_perms;
append_files_pattern(innd_t, innd_log_t, innd_log_t)
create_files_pattern(innd_t, innd_log_t, innd_log_t)
diff --git a/jabber.te b/jabber.te
index 5394703..ff69343 100644
--- a/jabber.te
+++ b/jabber.te
@@ -99,14 +99,9 @@ corenet_tcp_connect_jabber_router_port(pyicqt_t)
corecmd_exec_bin(pyicqt_t)
-dev_read_urand(pyicqt_t);
+dev_read_urand(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t);
-
-# for RHEL5
-libs_use_ld_so(pyicqt_t)
-libs_use_shared_libs(pyicqt_t)
+auth_use_nsswitch(pyicqt_t)
# needed for pyicq-t-mysql
optional_policy(`
@@ -135,9 +130,8 @@ corenet_tcp_sendrecv_all_ports(jabberd_domain)
corenet_udp_sendrecv_all_ports(jabberd_domain)
corenet_tcp_bind_generic_node(jabberd_domain)
-dev_read_urand(jabberd_domain)
-dev_read_urand(jabberd_domain)
dev_read_sysfs(jabberd_domain)
+dev_read_urand(jabberd_domain)
files_read_etc_runtime_files(jabberd_domain)
diff --git a/kdumpgui.te b/kdumpgui.te
index 17dc1b4..fb73b38 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -73,14 +73,6 @@ optional_policy(`
')
optional_policy(`
- consoletype_exec(kdumpgui_t)
-')
-
-optional_policy(`
- consoletype_exec(kdumpgui_t)
-')
-
-optional_policy(`
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
')
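Review bot: Both copies of the optional_policy block calling `consoletype_exec(kdumpgui_t)` are deleted here, so unless a third copy exists above line 73 of kdumpgui.te the rule is removed entirely rather than de-duplicated. One of the two blocks should stay; keeping the first one (the three lines `optional_policy(`, `consoletype_exec(kdumpgui_t)` and `')`) and deleting only the second preserves the existing behaviour.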
diff --git a/kismet.te b/kismet.te
index fb28673..e60f701 100644
--- a/kismet.te
+++ b/kismet.te
@@ -86,8 +86,6 @@ corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
-corenet_tcp_bind_rtsclient_port(kismet_t)
-corenet_tcp_connect_rtsclient_port(kismet_t)
corenet_tcp_connect_pulseaudio_port(kismet_t)
corenet_sendrecv_rtsclient_server_packets(kismet_t)
diff --git a/ksmtuned.te b/ksmtuned.te
index 0af603d..a090996 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -32,10 +32,6 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
diff --git a/ldap.te b/ldap.te
index bfc2aa2..562c288 100644
--- a/ldap.te
+++ b/ldap.te
@@ -76,10 +76,6 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
-
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
diff --git a/logwatch.te b/logwatch.te
index 1bbe9d9..720b6cb 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -104,12 +104,6 @@ userdom_dontaudit_list_admin_dir(logwatch_t)
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-ifdef(`distro_redhat',`
- files_search_all(logwatch_t)
- files_getattr_all_files(logwatch_t)
- files_getattr_all_file_type_fs(logwatch_t)
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(logwatch_t)
')
diff --git a/mailman.te b/mailman.te
index 256819c..5e9f5bb 100644
--- a/mailman.te
+++ b/mailman.te
@@ -97,9 +97,6 @@ optional_policy(`
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
-
- postfix_read_config(mailman_cgi_t)
-
')
optional_policy(`
@@ -123,15 +120,8 @@ corenet_sendrecv_innd_client_packets(mailman_mail_t)
corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
-manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
-corenet_tcp_connect_spamd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
-
-corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_connect_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
@@ -171,8 +161,6 @@ corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-corenet_tcp_connect_innd_port(mailman_queue_t)
-
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
diff --git a/mcelog.te b/mcelog.te
index 799df10..b5fdecf 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -75,15 +75,6 @@ manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
-manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
-
-manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
-
kernel_read_system_state(mcelog_t)
corecmd_exec_shell(mcelog_t)
diff --git a/mozilla.te b/mozilla.te
index 03196be..751a71e 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -575,7 +575,7 @@ manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_p
manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
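Review bot: This hunk changes the subject of `manage_fifo_files_pattern` from mozilla_plugin_t to mozilla_plugin_config_t, which is a correction of the rule rather than a duplicate removal: unless mozilla_plugin_t carries the same rule elsewhere in mozilla.te, the plugin domain loses fifo management on mozilla_home_t while the config domain gains it. Both outcomes are behaviour changes and should be called out in the commit message, ideally as a separate commit so the policy delta is reviewable on its own.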
diff --git a/mpd.te b/mpd.te
index 670e1bf..200cec1 100644
--- a/mpd.te
+++ b/mpd.te
@@ -76,8 +76,6 @@ allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
-read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
-
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
allow mpd_t mpd_data_t:lnk_file read_lnk_file_perms;
diff --git a/mrtg.te b/mrtg.te
index 9e68dfb..9411154 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -85,8 +85,6 @@ files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
files_search_spool(mrtg_t)
-files_getattr_tmp_dirs(mrtg_t)
-files_read_etc_runtime_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_all_fs(mrtg_t)
diff --git a/munin.te b/munin.te
index 27726ee..d5f13d8 100644
--- a/munin.te
+++ b/munin.te
@@ -239,11 +239,6 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
-dev_getattr_all_blk_files(disk_munin_plugin_t)
-dev_getattr_lvm_control(disk_munin_plugin_t)
-dev_read_sysfs(disk_munin_plugin_t)
-dev_read_urand(disk_munin_plugin_t)
-
files_read_etc_runtime_files(disk_munin_plugin_t)
dev_getattr_lvm_control(disk_munin_plugin_t)
diff --git a/mysql.te b/mysql.te
index e5300cc..dfa6623 100644
--- a/mysql.te
+++ b/mysql.te
@@ -94,7 +94,6 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
-kernel_read_network_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
corecmd_exec_bin(mysqld_t)
diff --git a/nagios.te b/nagios.te
index 61a6f39..7508aef 100644
--- a/nagios.te
+++ b/nagios.te
@@ -440,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+optional_policy(`
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
########################################
#
# Unconfined plugin policy
@@ -449,25 +457,5 @@ optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
-#######################################
-#
-# Event handler plugin plugin policy
-#
-manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
-
-corecmd_exec_bin(nagios_eventhandler_plugin_t)
-corecmd_exec_shell(nagios_eventhandler_plugin_t)
-
-init_domtrans_script(nagios_eventhandler_plugin_t)
-
-systemd_exec_systemctl(nagios_eventhandler_plugin_t)
-
-allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
-
-optional_policy(`
- unconfined_domain(nagios_eventhandler_plugin_t)
-')
diff --git a/networkmanager.te b/networkmanager.te
index fca40a6..1dc0c55 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -81,9 +81,10 @@ manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_et
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-
-manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms;
+append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
can_exec(NetworkManager_t, NetworkManager_tmp_t)
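Review bot: Replacing `manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)` with the append/create/setattr patterns narrows log access (no write, rename or unlink), which is a welcome tightening but not a duplicate removal and is not mentioned in the commit message. It only holds if NetworkManager never truncates or rotates its own log file; if it does, expect denials on the log after this lands. The ksmtuned hunk performs the same narrowing by deleting its manage_* lines. A comment above the block such as `# append-only logging; rotation is left to logrotate` would record the intent for the next maintainer.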
diff --git a/nsplugin.te b/nsplugin.te
index ff384e0..7d839fe 100644
--- a/nsplugin.te
+++ b/nsplugin.te
@@ -44,10 +44,6 @@ type nsplugin_config_t;
domain_type(nsplugin_config_t)
domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
-application_executable_file(nsplugin_exec_t)
-application_executable_file(nsplugin_config_exec_t)
-
-
########################################
#
# nsplugin local policy
diff --git a/openct.te b/openct.te
index c73eb86..66f068f 100644
--- a/openct.te
+++ b/openct.te
@@ -28,8 +28,6 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
-can_exec(openct_t, openct_exec_t)
-
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
diff --git a/openshift.te b/openshift.te
index 9bd0784..4fe3c71 100644
--- a/openshift.te
+++ b/openshift.te
@@ -214,7 +214,6 @@ files_dontaudit_getattr_lost_found_dirs(openshift_domain)
files_dontaudit_search_all_mountpoints(openshift_domain)
files_dontaudit_search_spool(openshift_domain)
files_dontaudit_search_all_dirs(openshift_domain)
-files_dontaudit_list_var(openshift_domain)
files_exec_etc_files(openshift_domain)
files_exec_usr_files(openshift_domain)
files_dontaudit_getattr_non_security_sockets(openshift_domain)
@@ -224,9 +223,6 @@ files_dontaudit_setattr_non_security_files(openshift_domain)
libs_exec_lib_files(openshift_domain)
libs_exec_ld_so(openshift_domain)
-term_use_ptmx(openshift_domain)
-term_use_generic_ptys(openshift_domain)
-
selinux_validate_context(openshift_domain)
logging_inherit_append_all_logs(openshift_domain)
@@ -239,6 +235,7 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
mta_dontaudit_read_spool_symlinks(openshift_domain)
term_dontaudit_search_ptys(openshift_domain)
+term_use_generic_ptys(openshift_domain)
term_use_ptmx(openshift_domain)
userdom_use_inherited_user_ptys(openshift_domain)
diff --git a/pegasus.te b/pegasus.te
index d459c82..e440d35 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -115,8 +115,6 @@ files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-hostname_exec(pegasus_t)
-
init_rw_utmp(pegasus_t)
init_stream_connect_script(pegasus_t)
@@ -163,10 +161,6 @@ optional_policy(`
')
optional_policy(`
- sysnet_domtrans_ifconfig(pegasus_t)
-')
-
-optional_policy(`
ssh_exec(pegasus_t)
')
diff --git a/pki.te b/pki.te
index b4286ce..352c7e4 100644
--- a/pki.te
+++ b/pki.te
@@ -114,7 +114,6 @@ corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
-corenet_tcp_connect_ldap_port(pki_tomcat_t)
selinux_get_enforce_mode(pki_tomcat_t)
@@ -148,11 +147,6 @@ optional_policy(`
hostname_exec(pki_tomcat_t)
')
-# install/ uninstall instance
-# WHY? leak?
-#allow load_policy_t pki_log_t:file write;
-#allow setfiles_t pki_log_t:file write;
-
#######################################
#
# tps local policy
diff --git a/postfix.te b/postfix.te
index 738b640..0a90ce1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -636,7 +636,6 @@ rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildro
# for spampd
corenet_tcp_connect_spamd_port(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
files_search_all_mountpoints(postfix_smtp_t)
diff --git a/ppp.te b/ppp.te
index 25f2610..91e0a7a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -269,7 +269,6 @@ manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
kernel_list_proc(pptp_t)
-kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_network_state(pptp_t)
kernel_read_proc_symlinks(pptp_t)
diff --git a/puppet.te b/puppet.te
index fd38d93..b3f151c 100644
--- a/puppet.te
+++ b/puppet.te
@@ -145,6 +145,10 @@ seutil_read_file_contexts(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
+usermanage_access_check_groupadd(puppet_t)
+usermanage_access_check_passwd(puppet_t)
+usermanage_access_check_useradd(puppet_t)
+
tunable_policy(`puppet_manage_all_files',`
files_manage_non_security_files(puppet_t)
')
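Review bot: `usermanage_access_check_groupadd(puppet_t)`, `usermanage_access_check_passwd(puppet_t)` and `usermanage_access_check_useradd(puppet_t)` are now called unconditionally, whereas both copies deleted in the later hunks were wrapped in `optional_policy(`...`')`. If usermanage is built as an optional module here, as the original wrapping suggests, a policy build without it will fail to resolve these interfaces; the fix is to keep one copy inside an optional_policy block rather than hoisting it. The quota hunk does the same with `mta_spool_filetrans(quota_t, quota_db_t, file)` and `mta_spool_filetrans_queue(quota_t, quota_db_t, file)`, moving them out of their optional_policy block into the unconditional section.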
@@ -188,12 +192,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_access_check_groupadd(puppet_t)
- usermanage_access_check_passwd(puppet_t)
- usermanage_access_check_useradd(puppet_t)
-')
-
-optional_policy(`
auth_filetrans_named_content(puppet_t)
')
@@ -311,11 +309,6 @@ optional_policy(`
mta_sendmail_access_check(puppetca_t)
')
-optional_policy(`
- usermanage_access_check_groupadd(puppet_t)
- usermanage_access_check_passwd(puppet_t)
- usermanage_access_check_useradd(puppet_t)
-')
########################################
#
diff --git a/qpid.te b/qpid.te
index 8bf531a..a5ba415 100644
--- a/qpid.te
+++ b/qpid.te
@@ -37,10 +37,6 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-
manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
@@ -55,7 +51,6 @@ corenet_all_recvfrom_netlabel(qpidd_t)
corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
diff --git a/quantum.te b/quantum.te
index e08eabf..7e6e161 100644
--- a/quantum.te
+++ b/quantum.te
@@ -64,7 +64,6 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
corenet_tcp_sendrecv_all_ports(quantum_t)
corenet_tcp_bind_generic_node(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
corenet_tcp_bind_quantum_port(quantum_t)
corenet_tcp_connect_mysqld_port(quantum_t)
diff --git a/quota.te b/quota.te
index 0df6e21..1aee969 100644
--- a/quota.te
+++ b/quota.te
@@ -44,16 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-optional_policy(`
- mta_spool_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans_queue(quota_t, quota_db_t, file)
-')
-
-optional_policy(`
- openshift_lib_filetrans(quota_t, quota_db_t, file)
-')
-
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
@@ -91,10 +81,17 @@ init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
+mta_spool_filetrans(quota_t, quota_db_t, file)
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
+')
+
+optional_policy(`
seutil_sigchld_newrole(quota_t)
')
diff --git a/raid.te b/raid.te
index c27bb23..43e7487 100644
--- a/raid.te
+++ b/raid.te
@@ -91,10 +91,6 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(mdadm_t, mdadm_exec_t)
-')
-
-optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
diff --git a/rhcs.te b/rhcs.te
index 337c06d..d8bf297 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -170,7 +170,6 @@ storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
-term_use_generic_ptys(fenced_t)
logging_send_syslog_msg(fenced_t)
@@ -198,25 +197,6 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`fenced_can_ssh',`
-
- allow fenced_t self:capability { setuid setgid };
-
- corenet_tcp_connect_ssh_port(fenced_t)
- ')
-')
-
-optional_policy(`
- ssh_exec(fenced_t)
- ssh_read_user_home_files(fenced_t)
- ')
-
-# needed by fence_scsi
-optional_policy(`
- corosync_exec(fenced_t)
-')
-
-optional_policy(`
ccs_read_config(fenced_t)
')
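Review bot: With the `tunable_policy(`fenced_can_ssh',...')` block removed, the tunable's only visible use disappears; if its gen_tunable declaration remains at the top of rhcs.te, `fenced_can_ssh` becomes a boolean administrators can still toggle but that no longer controls anything, which is misleading. Either drop the declaration in the same commit or keep this block. The `ssh_exec`/`ssh_read_user_home_files` and `corosync_exec` blocks removed here have no surviving twin in the hunk either, and the `# needed by fence_scsi` comment suggests the corosync one was deliberate rather than a duplicate; confirm a remaining copy before dropping them.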
diff --git a/rhsmcertd.te b/rhsmcertd.te
index a7c75e8..48fec17 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -55,8 +55,6 @@ kernel_read_system_state(rhsmcertd_t)
corenet_tcp_connect_http_port(rhsmcertd_t)
-files_list_tmp(rhsmcertd_t)
-
corecmd_exec_bin(rhsmcertd_t)
corecmd_exec_shell(rhsmcertd_t)
diff --git a/rlogin.te b/rlogin.te
index 991c738..f41c9c5 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -70,7 +70,6 @@ auth_domtrans_chk_passwd(rlogind_t)
auth_signal_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
-auth_login_pgm_domain(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
files_search_default(rlogind_t)
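Review bot: Dropping `auth_login_pgm_domain(rlogind_t)` withdraws the broad login-program privilege bundle from rlogind, not a single rule, and no surviving copy is visible in this hunk. If it is duplicated higher in rlogin.te this is fine; if not, remote logins through rlogind will fail or run without the expected transitions, and the next hunk's removal of `remotelogin_domtrans(rlogind_t)` compounds that. Please confirm the file still contains one call, or state the tightening in the commit message.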
@@ -104,10 +103,5 @@ optional_policy(`
')
optional_policy(`
- remotelogin_domtrans(rlogind_t)
- remotelogin_signal(rlogind_t)
-')
-
-optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
diff --git a/rpcbind.te b/rpcbind.te
index 13e491e..a323332 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -42,8 +42,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
-corecmd_exec_shell(rpcbind_t)
-
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
diff --git a/rpm.te b/rpm.te
index 9f7e65d..b86d966 100644
--- a/rpm.te
+++ b/rpm.te
@@ -271,7 +271,6 @@ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
-can_exec(rpm_script_t, rpm_script_tmp_t)
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -330,9 +329,6 @@ term_use_all_inherited_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
-# ideally we would not need this
-files_manage_all_files(rpm_script_t)
-files_relabel_all_files(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
can_exec(rpm_script_t, rpm_script_tmp_t)
@@ -344,6 +340,8 @@ domain_use_interactive_fds(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
+# ideally we would not need this
+files_manage_all_files(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
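Review bot: The previous hunk removes both `files_manage_all_files(rpm_script_t)` and `files_relabel_all_files(rpm_script_t)`, but only the former is re-added here with its `# ideally we would not need this` comment; the relabel permission is not restored anywhere in this diff. If no other copy exists in rpm.te, rpm scriptlets lose the ability to relabel arbitrary files, a significant tightening (possibly intended, if relabeling is expected to go through a setfiles transition) that the commit message does not mention. Either re-add `files_relabel_all_files(rpm_script_t)` next to the manage rule or document the removal.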
diff --git a/rtkit.te b/rtkit.te
index d7bffcc..29a8e9e 100644
--- a/rtkit.te
+++ b/rtkit.te
@@ -33,9 +33,6 @@ logging_send_syslog_msg(rtkit_daemon_t)
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-')
-optional_policy(`
- dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
diff --git a/samba.te b/samba.te
index bb73e4a..27fd4cd 100644
--- a/samba.te
+++ b/samba.te
@@ -531,7 +531,6 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
@@ -746,7 +745,6 @@ manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
-files_list_var_lib(swat_t)
allow swat_t smbd_exec_t:file mmap_file_perms ;
@@ -859,7 +857,6 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
-files_list_var_lib(winbind_t)
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -898,7 +895,6 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
-corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
diff --git a/sambagui.te b/sambagui.te
index 2b2c0dc..9c40dbd 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -44,10 +44,6 @@ optional_policy(`
')
optional_policy(`
- dbus_system_domain(sambagui_t, sambagui_exec_t)
-')
-
-optional_policy(`
nscd_dontaudit_search_pid(sambagui_t)
')
diff --git a/shorewall.te b/shorewall.te
index f80249c..bac98d6 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -88,8 +88,6 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
-auth_use_nsswitch(shorewall_t)
-
sysnet_domtrans_ifconfig(shorewall_t)
userdom_dontaudit_list_admin_dir(shorewall_t)
diff --git a/smartmon.te b/smartmon.te
index ff7649e..90cb567 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -124,10 +124,6 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(fsdaemon_t)
-')
-
-optional_policy(`
udev_read_db(fsdaemon_t)
')
diff --git a/smoltclient.te b/smoltclient.te
index 529487e..14f15a4 100644
--- a/smoltclient.te
+++ b/smoltclient.te
@@ -67,14 +67,6 @@ optional_policy(`
')
optional_policy(`
- abrt_stream_connect(smoltclient_t)
-')
-
-optional_policy(`
- cron_system_entry(smoltclient_t, smoltclient_exec_t)
-')
-
-optional_policy(`
dbus_system_bus_client(smoltclient_t)
optional_policy(`
diff --git a/snmp.te b/snmp.te
index bcd62b2..a56b827 100644
--- a/snmp.te
+++ b/snmp.te
@@ -78,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t)
corenet_tcp_sendrecv_snmp_port(snmpd_t)
corenet_udp_sendrecv_snmp_port(snmpd_t)
-corenet_sendrecv_snmp_client_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
-corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)
corenet_tcp_sendrecv_agentx_port(snmpd_t)
@@ -105,7 +103,6 @@ fs_getattr_all_fs(snmpd_t)
files_list_all(snmpd_t)
files_search_all_mountpoints(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
-files_search_all_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
@@ -127,13 +124,6 @@ seutil_dontaudit_search_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
-ifdef(`distro_redhat',`
- optional_policy(`
- rpm_read_db(snmpd_t)
- rpm_dontaudit_manage_db(snmpd_t)
- ')
-')
-
optional_policy(`
amanda_dontaudit_read_dumpdates(snmpd_t)
')
diff --git a/squid.te b/squid.te
index d8c9794..6ea61f9 100644
--- a/squid.te
+++ b/squid.te
@@ -86,10 +86,6 @@ setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
-manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
-
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
@@ -106,8 +102,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
-files_dontaudit_getattr_boot_dirs(squid_t)
-
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
@@ -230,10 +224,6 @@ optional_policy(`
')
optional_policy(`
- mysql_stream_connect(squid_t)
-')
-
-optional_policy(`
kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
kerberos_manage_host_rcache(squid_t)
')
diff --git a/sysstat.te b/sysstat.te
index 33023d7..c6580e4 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -59,8 +59,6 @@ init_use_fds(sysstat_t)
locallogin_use_fds(sysstat_t)
-auth_use_nsswitch(sysstat_t)
-
logging_send_syslog_msg(sysstat_t)
userdom_dontaudit_list_user_home_dirs(sysstat_t)
diff --git a/telnet.te b/telnet.te
index 6a317d0..5f4c85e 100644
--- a/telnet.te
+++ b/telnet.te
@@ -67,8 +67,6 @@ fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t)
auth_use_nsswitch(telnetd_t)
-corecmd_search_bin(telnetd_t)
-
init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
diff --git a/thumb.te b/thumb.te
index e8b5d5e..aab66c4 100644
--- a/thumb.te
+++ b/thumb.te
@@ -61,8 +61,6 @@ can_exec(thumb_t, thumb_exec_t)
kernel_read_system_state(thumb_t)
-domain_use_interactive_fds(thumb_t)
-
corecmd_exec_bin(thumb_t)
corecmd_exec_shell(thumb_t)
diff --git a/tmpreaper.te b/tmpreaper.te
index 0ab6c4c..a0b1618 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -19,7 +19,6 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
-kernel_list_unlabeled(tmpreaper_t)
kernel_delete_unlabeled(tmpreaper_t)
dev_read_urand(tmpreaper_t)
@@ -48,10 +47,6 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
-optional_policy(`
- cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-')
-
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
userdom_list_admin_dir(tmpreaper_t)
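Review bot: Removing the optional_policy block holding `cron_system_entry(tmpreaper_t, tmpreaper_exec_t)` drops the only visible cron entry point for tmpreaper, which is normally launched from a cron job; if no second copy exists above line 47, the cron daemon will no longer transition into tmpreaper_t and the job runs in the cron job domain instead, i.e. less confinement rather than less policy. The raid hunk (`cron_system_entry(mdadm_t, mdadm_exec_t)`) and the smoltclient hunk remove the same kind of block. Confirm a remaining copy for each or keep the block.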
diff --git a/tor.te b/tor.te
index 2a5bcc4..78962c4 100644
--- a/tor.te
+++ b/tor.te
@@ -78,8 +78,6 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(tor_t)
kernel_read_net_sysctls(tor_t)
kernel_read_system_state(tor_t)
-kernel_read_net_sysctls(tor_t)
-kernel_read_kernel_sysctls(tor_t)
corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
@@ -105,7 +103,6 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
dev_read_sysfs(tor_t)
dev_read_urand(tor_t)
-dev_read_sysfs(tor_t)
domain_use_interactive_fds(tor_t)
diff --git a/uml.te b/uml.te
index fa862cf..423afe4 100644
--- a/uml.te
+++ b/uml.te
@@ -138,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- seutil_use_newrole_fds(uml_t)
-')
-
-optional_policy(`
virt_attach_tun_iface(uml_t)
')
diff --git a/uucp.te b/uucp.te
index 3886551..75545d6 100644
--- a/uucp.te
+++ b/uucp.te
@@ -129,10 +129,6 @@ optional_policy(`
')
optional_policy(`
- mta_send_mail(uucpd_t)
-')
-
-optional_policy(`
ssh_exec(uucpd_t)
')
@@ -164,8 +160,6 @@ auth_use_nsswitch(uux_t)
logging_search_logs(uux_t)
logging_send_syslog_msg(uux_t)
-logging_send_syslog_msg(uux_t)
-
optional_policy(`
mta_send_mail(uux_t)
mta_read_queue(uux_t)
diff --git a/vdagent.te b/vdagent.te
index 5ba96c7..4abe2aa 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -52,8 +52,6 @@ systemd_login_read_pid_files(vdagent_t)
term_use_virtio_console(vdagent_t)
-userdom_read_all_users_state(vdagent_t)
-
logging_send_syslog_msg(vdagent_t)
userdom_read_all_users_state(vdagent_t)
diff --git a/virt.te b/virt.te
index 95dd6c8..eaf5bf9 100644
--- a/virt.te
+++ b/virt.te
@@ -373,7 +373,6 @@ dev_relabel_generic_usb_dev(virtd_t)
# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
-domain_read_all_domains_state(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
@@ -1025,7 +1024,6 @@ selinux_compute_access_vector(virtd_lxc_t)
selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
sysnet_exec_ifconfig(virtd_lxc_t)
diff --git a/vmware.te b/vmware.te
index 935180a..5721057 100644
--- a/vmware.te
+++ b/vmware.te
@@ -171,18 +171,6 @@ optional_policy(`
')
optional_policy(`
- samba_read_config(vmware_host_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(vmware_host_t)
-')
-
-optional_policy(`
- shutdown_domtrans(vmware_host_t)
-')
-
-optional_policy(`
udev_read_db(vmware_host_t)
')
diff --git a/vnstatd.te b/vnstatd.te
index 9183e32..ff18188 100644
--- a/vnstatd.te
+++ b/vnstatd.te
@@ -34,10 +34,6 @@ allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket { accept listen };
-manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
-
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
diff --git a/webadm.te b/webadm.te
index 2db084b..d26f598 100644
--- a/webadm.te
+++ b/webadm.te
@@ -49,7 +49,6 @@ seutil_domtrans_setfiles(webadm_t)
logging_send_audit_msgs(webadm_t)
logging_send_syslog_msg(webadm_t)
-logging_send_audit_msgs(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/webalizer.te b/webalizer.te
index bc76d1b..3c09628 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -82,12 +82,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t)
optional_policy(`
apache_read_log(webalizer_t)
- apache_manage_sys_content(webalizer_t)
-')
-
-optional_policy(`
- apache_read_log(webalizer_t)
apache_content_template(webalizer)
+ apache_manage_sys_content(webalizer_t)
manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
')
diff --git a/wine.te b/wine.te
index 335c8c2..22e9047 100644
--- a/wine.te
+++ b/wine.te
@@ -71,10 +71,6 @@ optional_policy(`
')
optional_policy(`
- rtkit_scheduled(wine_t)
-')
-
-optional_policy(`
unconfined_domain(wine_t)
')
diff --git a/wireshark.te b/wireshark.te
index 0418405..d379bd6 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -89,8 +89,6 @@ fs_search_auto_mountpoints(wireshark_t)
auth_use_nsswitch(wireshark_t)
-auth_use_nsswitch(wireshark_t)
-
miscfiles_read_fonts(wireshark_t)
userdom_use_user_terminals(wireshark_t)
diff --git a/xen.te b/xen.te
index 94542a1..8042769 100644
--- a/xen.te
+++ b/xen.te
@@ -402,7 +402,6 @@ fs_manage_xenfs_files(xenconsoled_t)
term_create_pty(xenconsoled_t, xen_devpts_t)
term_use_generic_ptys(xenconsoled_t)
-term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
diff --git a/zabbix.te b/zabbix.te
index 68a6624..29d4996 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -90,21 +90,13 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_t)
-# needed by zabbix-server-mysql
-corenet_tcp_connect_http_port(zabbix_t)
-# to monitor ftp urls
-corenet_tcp_connect_ftp_port(zabbix_t)
-
-
corecmd_exec_bin(zabbix_t)
corecmd_exec_shell(zabbix_t)
dev_read_urand(zabbix_t)
-
auth_use_nsswitch(zabbix_t)
-
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
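Review bot: The removed `corenet_tcp_connect_http_port(zabbix_t)` and `corenet_tcp_connect_ftp_port(zabbix_t)` calls carried comments explaining why they were needed (`# needed by zabbix-server-mysql`, `# to monitor ftp urls`), and no duplicate is visible in this hunk. If they have been folded into the `zabbix_can_network` tunable that begins at the end of the hunk, the access becomes opt-in, which is a behaviour change and the comments should move with them; if not, the server loses its HTTP/FTP checks silently. Either way the commit message's "duplicate rules" does not describe this hunk.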
@@ -114,10 +106,6 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
- netutils_domtrans_ping(zabbix_t)
-')
-
-optional_policy(`
mysql_stream_connect(zabbix_t)
')