[selinux-policy: 1443/3172] remove rules added to make sediff easier

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:10:05 UTC 2010


commit 21d173a460c206c6b69fe781b8e31cc3b1d6d497
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 12 19:37:56 2006 +0000

    remove rules added to make sediff easier

 refpolicy/policy/modules/services/apache.if    |    7 -------
 refpolicy/policy/modules/services/apache.te    |    8 +-------
 refpolicy/policy/modules/services/inetd.if     |    6 ------
 refpolicy/policy/modules/services/inetd.te     |    2 +-
 refpolicy/policy/modules/system/init.if        |    6 ------
 refpolicy/policy/modules/system/init.te        |    2 +-
 refpolicy/policy/modules/system/selinuxutil.te |   11 ++---------
 7 files changed, 5 insertions(+), 37 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 87445c7..f423376 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -185,13 +185,6 @@ template(`apache_content_template',`
 		libs_read_lib_files(httpd_$1_script_t)
 
 		miscfiles_read_localization(httpd_$1_script_t)
-
-		# added back to make sediff nicer
-		dev_rw_null(httpd_$1_script_t)
-		term_use_controlling_term(httpd_$1_script_t)
-		allow httpd_$1_script_t self:dir r_dir_perms;
-		allow httpd_$1_script_t self:file r_file_perms;
-		allow httpd_$1_script_t self:lnk_file read;
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 5e7e5c1..710c28b 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.9)
+policy_module(apache,1.3.10)
 
 #
 # NOTES: 
@@ -332,9 +332,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir create_dir_perms;
 	allow httpd_t httpdcontent:file create_file_perms;
 	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
-
-	# make sediff easier
-	allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 
 tunable_policy(`httpd_enable_ftp_server',`
@@ -591,9 +588,6 @@ tunable_policy(`httpd_enable_cgi',`
 	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
 	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
 	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
-
-	# make sediff happy
-	allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 5974b1c..eded403 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -59,9 +59,6 @@ interface(`inetd_core_service_domain',`
 			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
 			allow inetd_t $1:process sigkill;
-
-			# make sediff happy
-			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(inetd_t,$2,$1)
@@ -72,9 +69,6 @@ interface(`inetd_core_service_domain',`
 		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
 		allow inetd_t $1:process sigkill;
-
-		# make sediff happy
-		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index d92c91d..7c035f5 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.1.0)
+policy_module(inetd,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 3cf76fa..3b83771 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -93,9 +93,6 @@ interface(`init_daemon_domain',`
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
 			allow initrc_t $1:process { noatsecure siginh rlimitinh };
-
-			# make sediff happy
-			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
@@ -104,9 +101,6 @@ interface(`init_daemon_domain',`
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
 		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-
-		# make sediff happy
-		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 
 	optional_policy(`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c4136d2..761985c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.11)
+policy_module(init,1.3.12)
 
 gen_require(`
 	class passwd rootok;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 57d13e8..84fe30e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.5)
+policy_module(selinuxutil,1.2.6)
 
 gen_require(`
 	bool secure_mode;
@@ -306,14 +306,7 @@ userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
 
-ifdef(`targeted_policy',`
-	# newrole does not make any sense in
-	# the targeted policy.  This is to
-	# make sediff easier.
-	if(!secure_mode) {
-		unconfined_domtrans(newrole_t)
-	}
-',`
+ifdef(`strict_policy',`
 	# if secure mode is enabled, then newrole
 	# can only transition to unprivileged users
 	if(secure_mode) {
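Review bot: Turning the else-branch of the targeted_policy ifdef into an explicit ifdef on strict_policy changes when the secure_mode block is compiled, which goes beyond the stated aim of removing sediff-only rules. The block used to apply to every build that was not targeted; it now applies only where strict_policy is defined. If any build type defines neither macro, newrole_t would silently get none of the rules in this block, so it is worth confirming that every non-targeted type (the MLS variants in particular) still sets strict_policy. I would add a comment above the ifdef, for example `# newrole transitions are only defined for strict policy; targeted builds intentionally get none`. The body of the conditional continues past the end of the hunk, so the exact rules affected are not visible here.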

