firstyear pushed a commit to branch master
in repository 389-ds-base.
commit be93d90a5da7e0bbbf0ebe451ae5b0641be52f55
Author: William Brown <firstyear(a)redhat.com>
Date: Fri Mar 10 14:27:56 2017 +1000
Ticket 49151 - Remove defunct selinux policy
Bug Description: Remove defunct and unused selinux policy from
the source tree.
Fix Description: rm -r selinux :)
https://pagure.io/389-ds-base/issue/49151
Author: wibrown
Review by: mreynolds (Thanks!)
---
Makefile.am | 12 ---
configure.ac | 1 -
m4/selinux.m4 | 5 +-
selinux/Makefile | 17 -----
selinux/dirsrv.fc.in | 24 ------
selinux/dirsrv.if | 193 ----------------------------------------------
selinux/dirsrv.te | 212 ---------------------------------------------------
7 files changed, 4 insertions(+), 460 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index d712aba..ccbb530 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -240,19 +240,12 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
clean-local:
-rm -rf dist
- -rm -rf selinux-built
-rm -rf $(abs_top_builddir)/html
-rm -rf $(abs_top_builddir)/man
dberrstrs.h: Makefile
perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
-selinux-built:
- cp -r $(srcdir)/selinux $@
-
-selinux-built/dirsrv.fc: selinux-built
- $(fixupcmd) selinux-built/dirsrv.fc.in > $@
-
#------------------------
# Install Paths
@@ -316,10 +309,6 @@ else
enable_presence = off
endif
-if SELINUX
-POLICY_FC = selinux-built/dirsrv.fc
-endif
-
if enable_acctpolicy
LIBACCTPOLICY_PLUGIN = libacctpolicy-plugin.la
LIBACCTPOLICY_SCHEMA = $(srcdir)/ldap/schema/60acctpolicy.ldif
@@ -591,7 +580,6 @@ dist_noinst_DATA = \
$(srcdir)/rpm/389-ds-base.spec.in \
$(srcdir)/rpm/389-ds-base-devel.README \
$(srcdir)/rpm/389-ds-base-git.sh \
- $(srcdir)/selinux \
$(srcdir)/README \
$(srcdir)/LICENSE \
$(srcdir)/LICENSE.* \
diff --git a/configure.ac b/configure.ac
index ebcffd5..23f36b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -765,7 +765,6 @@ else
sasl_path="$sasl_libdir/sasl2"
fi
-AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
AM_CONDITIONAL(OPENLDAP,test "$with_openldap" = "yes")
AM_CONDITIONAL(SOLARIS,test "$platform" = "solaris")
AM_CONDITIONAL(SPARC,test "x$TARGET" = xSPARC)
diff --git a/m4/selinux.m4 b/m4/selinux.m4
index 80d84b2..1920645 100644
--- a/m4/selinux.m4
+++ b/m4/selinux.m4
@@ -10,7 +10,7 @@ AC_CHECKING(for SELinux)
# check for --with-selinux
AC_MSG_CHECKING(for --with-selinux)
-AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux policy]),
+AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux features]),
[
if test "$withval" = "no"; then
AC_MSG_RESULT(no)
@@ -21,3 +21,6 @@ AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux
policy]),
fi
],
AC_MSG_RESULT(no))
+
+AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
+
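Review bot: The `AM_CONDITIONAL` added at the end of m4/selinux.m4 is true only when `with_selinux` is the literal string `yes`, and the branch of the `AC_ARG_WITH` action that handles an enabled value lies outside this hunk. It is worth confirming that every enabling form of the option ends with exactly that value, because otherwise the SELinux-dependent parts of the build are skipped without any message. A one-line comment above the macro would make the contract explicit, e.g. `# SELINUX is true only when with_selinux is exactly "yes" (see the AC_ARG_WITH action above)`. The macro arguments are also unquoted; `AM_CONDITIONAL([SELINUX], [test "$with_selinux" = "yes"])` follows the usual Autoconf quoting. Since this commit removes the `if SELINUX` block shown in the Makefile.am hunks, also check that some user of the conditional remains.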
diff --git a/selinux/Makefile b/selinux/Makefile
deleted file mode 100644
index bc8e6a7..0000000
--- a/selinux/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
-POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
-
-all:
- if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux policy
development tools (selinux-policy)" && exit 1; fi
-
- $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
-
-clean:
- $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
-
-install: all
- install -d $(POLICY_DIR)
- install -m 644 dirsrv.pp $(POLICY_DIR)
-
-load:
- /usr/sbin/semodule -i dirsrv.pp
diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
deleted file mode 100644
index 1cfce88..0000000
--- a/selinux/dirsrv.fc.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# dirsrv executable will have:
-# label: system_u:object_r:dirsrv_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-@sbindir@/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
-@sbindir@/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@sbindir@/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
-@sbindir@/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@sbindir@/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@localstatedir@/run/@package_name@ gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-@localstatedir@/run/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-@localstatedir(a)/run/ldap-agent.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
-@localstatedir@/log/@package_name@ gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-@localstatedir@/log/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-@localstatedir@/log/@package_name(a)/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-@localstatedir@/lock/@package_name@ gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-@localstatedir@/lock/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-@localstatedir@/lib/@package_name@ gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-@localstatedir@/lib/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-@sysconfdir@/@package_name@ gen_context(system_u:object_r:dirsrv_config_t,s0)
-@sysconfdir@/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
-@datadir@/@package_name@ gen_context(system_u:object_r:dirsrv_share_t,s0)
-@datadir@/@package_name(a)(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
deleted file mode 100644
index 6478799..0000000
--- a/selinux/dirsrv.if
+++ /dev/null
@@ -1,193 +0,0 @@
-## <summary>policy for dirsrv</summary>
-
-########################################
-## <summary>
-## Execute a domain transition to run dirsrv.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`dirsrv_domtrans',`
- gen_require(`
- type dirsrv_t, dirsrv_exec_t;
- ')
-
- domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
-
- allow dirsrv_t $1:fd use;
- allow dirsrv_t $1:fifo_file rw_file_perms;
- allow dirsrv_t $1:process sigchld;
-')
-
-
-########################################
-## <summary>
-## Allow caller to signal dirsrv.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_signal',`
- gen_require(`
- type dirsrv_t;
- ')
-
- allow $1 dirsrv_t:process signal;
-')
-
-
-########################################
-## <summary>
-## Send a null signal to dirsrv.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_signull',`
- gen_require(`
- type dirsrv_t;
- ')
-
- allow $1 dirsrv_t:process signull;
-')
-
-#######################################
-## <summary>
-## Allow a domain to manage dirsrv logs.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_log',`
- gen_require(`
- type dirsrv_var_log_t;
- ')
-
- allow $1 dirsrv_var_log_t:dir manage_dir_perms;
- allow $1 dirsrv_var_log_t:file manage_file_perms;
- allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
-')
-
-#######################################
-## <summary>
-## Allow a domain to manage dirsrv /var/lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_var_lib',`
- gen_require(`
- type dirsrv_var_lib_t;
- ')
- allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
- allow $1 dirsrv_var_lib_t:file manage_file_perms;
-')
-
-#######################################
-## <summary>
-## Allow a domain to manage dirsrv /var/run files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_var_run',`
- gen_require(`
- type dirsrv_var_run_t;
- ')
- allow $1 dirsrv_var_run_t:dir manage_dir_perms;
- allow $1 dirsrv_var_run_t:file manage_file_perms;
- allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
-')
-
-#####################################
-# <summary>
-# Allow a domain to create dirsrv pid directories.
-# </summary>
-# <param name="domain">
-# <summary>
-# Domain allowed access.
-# </summary>
-# </param>
-#
-interface(`dirsrv_pid_filetrans',`
- gen_require(`
- type dirsrv_var_run_t;
- ')
- # Allow creating a dir in /var/run with this type
- files_pid_filetrans($1, dirsrv_var_run_t, dir)
-')
-
-#######################################
-## <summary>
-## Allow a domain to read dirsrv /var/run files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_read_var_run',`
- gen_require(`
- type dirsrv_var_run_t;
- ')
- allow $1 dirsrv_var_run_t:dir list_dir_perms;
- allow $1 dirsrv_var_run_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Manage dirsrv configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_config',`
- gen_require(`
- type dirsrv_config_t;
- ')
-
- allow $1 dirsrv_config_t:dir manage_dir_perms;
- allow $1 dirsrv_config_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Read dirsrv share files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_read_share',`
- gen_require(`
- type dirsrv_share_t;
- ')
-
- allow $1 dirsrv_share_t:dir list_dir_perms;
- allow $1 dirsrv_share_t:file read_file_perms;
- allow $1 dirsrv_share_t:lnk_file read;
-')
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
deleted file mode 100644
index d9c810d..0000000
--- a/selinux/dirsrv.te
+++ /dev/null
@@ -1,212 +0,0 @@
-policy_module(dirsrv,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-# NGK - this can go away when bz 478629, bz 523548,
-# and bz 523771 are addressed. See the notes below
-# where we work around those issues.
-require {
- type snmpd_var_lib_t;
- type snmpd_t;
-}
-
-# main daemon
-type dirsrv_t;
-type dirsrv_exec_t;
-domain_type(dirsrv_t)
-init_daemon_domain(dirsrv_t, dirsrv_exec_t)
-
-# snmp subagent daemon
-type dirsrv_snmp_t;
-type dirsrv_snmp_exec_t;
-domain_type(dirsrv_snmp_t)
-init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
-
-# var/lib files
-type dirsrv_var_lib_t;
-files_type(dirsrv_var_lib_t)
-
-# log files
-type dirsrv_var_log_t;
-logging_log_file(dirsrv_var_log_t)
-
-# snmp log file
-type dirsrv_snmp_var_log_t;
-logging_log_file(dirsrv_snmp_var_log_t)
-
-# pid files
-type dirsrv_var_run_t;
-files_pid_file(dirsrv_var_run_t)
-
-# snmp pid file
-type dirsrv_snmp_var_run_t;
-files_pid_file(dirsrv_snmp_var_run_t)
-
-# lock files
-type dirsrv_var_lock_t;
-files_lock_file(dirsrv_var_lock_t)
-
-# config files
-type dirsrv_config_t;
-files_type(dirsrv_config_t)
-
-# tmp files
-type dirsrv_tmp_t;
-files_tmp_file(dirsrv_tmp_t)
-
-# semaphores
-type dirsrv_tmpfs_t;
-files_tmpfs_file(dirsrv_tmpfs_t)
-
-# shared files
-type dirsrv_share_t;
-files_type(dirsrv_share_t);
-
-########################################
-#
-# dirsrv local policy
-#
-
-# Some common macros
-files_read_etc_files(dirsrv_t)
-corecmd_search_sbin(dirsrv_t)
-files_read_usr_symlinks(dirsrv_t)
-miscfiles_read_localization(dirsrv_t)
-dev_read_urand(dirsrv_t)
-libs_use_ld_so(dirsrv_t)
-libs_use_shared_libs(dirsrv_t)
-allow dirsrv_t self:fifo_file { read write };
-
-# process stuff
-allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
-allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner
};
-
-# semaphores
-allow dirsrv_t self:sem all_sem_perms;
-manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
-
-# var/lib files for dirsrv
-manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
-
-# log files
-manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-allow dirsrv_t dirsrv_var_log_t:dir { setattr };
-logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
-
-# pid files
-manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })
-
-# ldapi socket
-manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# lock files
-manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
-
-# config files
-manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-
-# tmp files
-manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
-
-# system state
-fs_getattr_all_fs(dirsrv_t)
-kernel_read_system_state(dirsrv_t)
-
-# kerberos config for SASL GSSAPI
-kerberos_read_config(dirsrv_t)
-kerberos_dontaudit_write_config(dirsrv_t)
-
-# Networking basics
-sysnet_dns_name_resolve(dirsrv_t)
-corenet_all_recvfrom_unlabeled(dirsrv_t)
-corenet_all_recvfrom_netlabel(dirsrv_t)
-corenet_tcp_sendrecv_generic_if(dirsrv_t)
-corenet_tcp_sendrecv_generic_node(dirsrv_t)
-corenet_tcp_sendrecv_all_ports(dirsrv_t)
-corenet_tcp_bind_all_nodes(dirsrv_t)
-corenet_tcp_bind_ldap_port(dirsrv_t)
-corenet_tcp_bind_all_rpc_ports(dirsrv_t)
-corenet_udp_bind_all_rpc_ports(dirsrv_t)
-corenet_tcp_connect_all_ports(dirsrv_t)
-corenet_sendrecv_ldap_server_packets(dirsrv_t)
-corenet_sendrecv_all_client_packets(dirsrv_t)
-allow dirsrv_t self:tcp_socket { create_stream_socket_perms };
-
-# Init script handling
-init_use_fds(dirsrv_t)
-init_use_script_ptys(dirsrv_t)
-domain_use_interactive_fds(dirsrv_t)
-
-
-########################################
-#
-# dirsrv-snmp local policy
-#
-
-# Some common macros
-files_read_etc_files(dirsrv_snmp_t)
-miscfiles_read_localization(dirsrv_snmp_t)
-libs_use_ld_so(dirsrv_snmp_t)
-libs_use_shared_libs(dirsrv_snmp_t)
-dev_read_rand(dirsrv_snmp_t)
-dev_read_urand(dirsrv_snmp_t)
-files_read_usr_files(dirsrv_snmp_t)
-fs_getattr_tmpfs(dirsrv_snmp_t)
-fs_search_tmpfs(dirsrv_snmp_t)
-allow dirsrv_snmp_t self:fifo_file { read write };
-sysnet_read_config(dirsrv_snmp_t)
-sysnet_dns_name_resolve(dirsrv_snmp_t)
-
-# Net-SNMP /var/lib files (includes agentx unix domain socket)
-snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
-snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
-# NGK - there really should be a macro for this. (see bz 523771)
-allow dirsrv_snmp_t snmpd_var_lib_t:file append;
-# NGK - use snmp_stream_connect(dirsrv_snmp_t) when it is made
-# available on all platforms we build on (see bz 478629 and bz 523548)
-stream_connect_pattern(dirsrv_snmp_t, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
-
-# Net-SNMP agentx tcp socket
-corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
-
-# Net-SNMP persistent data file
-files_manage_var_files(dirsrv_snmp_t)
-
-# stats file semaphore
-rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-
-# stats file
-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# process stuff
-allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
-
-# config file
-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
-
-# pid file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
-files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
-search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# log file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
-filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
-
-# Init script handling
-init_use_fds(dirsrv_snmp_t)
-init_use_script_ptys(dirsrv_snmp_t)
-domain_use_interactive_fds(dirsrv_snmp_t)