[selinux-policy: 1443/3172] remove rules added to make sediff easier
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:10:05 UTC 2010
commit 21d173a460c206c6b69fe781b8e31cc3b1d6d497
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri May 12 19:37:56 2006 +0000
remove rules added to make sediff easier
refpolicy/policy/modules/services/apache.if | 7 -------
refpolicy/policy/modules/services/apache.te | 8 +-------
refpolicy/policy/modules/services/inetd.if | 6 ------
refpolicy/policy/modules/services/inetd.te | 2 +-
refpolicy/policy/modules/system/init.if | 6 ------
refpolicy/policy/modules/system/init.te | 2 +-
refpolicy/policy/modules/system/selinuxutil.te | 11 ++---------
7 files changed, 5 insertions(+), 37 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 87445c7..f423376 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -185,13 +185,6 @@ template(`apache_content_template',`
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
-
- # added back to make sediff nicer
- dev_rw_null(httpd_$1_script_t)
- term_use_controlling_term(httpd_$1_script_t)
- allow httpd_$1_script_t self:dir r_dir_perms;
- allow httpd_$1_script_t self:file r_file_perms;
- allow httpd_$1_script_t self:lnk_file read;
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 5e7e5c1..710c28b 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.9)
+policy_module(apache,1.3.10)
#
# NOTES:
@@ -332,9 +332,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
allow httpd_t httpdcontent:dir create_dir_perms;
allow httpd_t httpdcontent:file create_file_perms;
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
-
- # make sediff easier
- allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
')
tunable_policy(`httpd_enable_ftp_server',`
@@ -591,9 +588,6 @@ tunable_policy(`httpd_enable_cgi',`
allow httpd_unconfined_script_t httpd_suexec_t:fd use;
allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
-
- # make sediff happy
- allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 5974b1c..eded403 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -59,9 +59,6 @@ interface(`inetd_core_service_domain',`
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
}
',`
domain_auto_trans(inetd_t,$2,$1)
@@ -72,9 +69,6 @@ interface(`inetd_core_service_domain',`
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
')
')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index d92c91d..7c035f5 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.1.0)
+policy_module(inetd,1.1.1)
########################################
#
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 3cf76fa..3b83771 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -93,9 +93,6 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
}
',`
domain_auto_trans(initrc_t,$2,$1)
@@ -104,9 +101,6 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
')
optional_policy(`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c4136d2..761985c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.11)
+policy_module(init,1.3.12)
gen_require(`
class passwd rootok;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 57d13e8..84fe30e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.5)
+policy_module(selinuxutil,1.2.6)
gen_require(`
bool secure_mode;
@@ -306,14 +306,7 @@ userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content(newrole_t)
-ifdef(`targeted_policy',`
- # newrole does not make any sense in
- # the targeted policy. This is to
- # make sediff easier.
- if(!secure_mode) {
- unconfined_domtrans(newrole_t)
- }
-',`
+ifdef(`strict_policy',`
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
More information about the scm-commits
mailing list