[selinux-policy: 1521/3172] remove raw network, make mta optional, and a little cleanup.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:16:44 UTC 2010


commit cc0c00d044d1d644e71f8f7b13d67927028406c1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jun 16 19:54:21 2006 +0000

    remove raw network, make mta optional, and a little cleanup.

 refpolicy/policy/modules/system/userdomain.if |   31 +++++-------------------
 1 files changed, 7 insertions(+), 24 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 25e4ab8..fc6cc33 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -165,10 +165,8 @@ template(`base_user_template',`
 
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
@@ -256,8 +254,6 @@ template(`base_user_template',`
 	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
-	mta_rw_spool($1_t)
-
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
@@ -385,6 +381,10 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
+		mta_rw_spool($1_t)
+	')
+
+	optional_policy(`
 		nis_use_ypbind($1_t)
 	')
 
@@ -643,7 +643,7 @@ template(`unpriv_user_template', `
 	')
 
 	ifdef(`TODO',`
-	ifdef(`enable_mls',`',`
+	ifndef(`enable_mls',`
 		fs_exec_noxattr($1_t)
 
 		tunable_policy(`user_rw_noexattrfile',`
@@ -654,8 +654,8 @@ template(`unpriv_user_template', `
 			# cjp: what does this have to do with removable devices?
 			allow $1_t usbtty_device_t:chr_file write;
 		',`
+			fs_read_noxattr_files($1_t)
 			r_dir_file($1_t, noexattrfile)
-			r_dir_file($1_t, removable_t)
 			allow $1_t removable_device_t:blk_file r_file_perms;
 		')
 	')
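Review bot: The rewrite of the removable-media branch here diverges from the rewrite of the same block in admin_user_template later in the patch (the hunk at `@@ -960,11 +946,8 @@`): this hunk adds `fs_read_noxattr_files($1_t)` but keeps the raw rule `allow $1_t removable_device_t:blk_file r_file_perms;`, while the admin hunk replaces that raw rule with `storage_raw_read_removable_device($1_t)` yet gains no `fs_read_noxattr_files` call. If both user types are meant to get the same access, the unpriv branch should presumably end with `fs_read_noxattr_files($1_t)` / `storage_raw_read_removable_device($1_t)` and the admin branch should also receive the `fs_read_noxattr_files($1_t)` line; in both, `r_dir_file($1_t, noexattrfile)` is left beside the new interface call and may now be redundant. The dropped `r_dir_file($1_t, removable_t)` has no replacement in either hunk, so read access to files on removable filesystems appears to go away silently — if intentional, a one-line comment saying so would help. Both blocks sit inside `ifdef(`TODO'`, so the inconsistency is inert until that guard is lifted; the enclosing unpriv_user_template starts and ends outside this hunk.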
@@ -703,14 +703,6 @@ template(`unpriv_user_template', `
 
 	dontaudit $1_t sysadm_home_t:file { read append };
 
-	ifdef(`syslogd.te', `
-		# Some programs that are left in $1_t will try to connect
-		# to syslogd, but we do not want to let them generate log messages.
-		# Do not audit.
-		dontaudit $1_t devlog_t:sock_file { read write };
-		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-	')
-
 	allow $1_t initrc_t:fifo_file write;
 	') dnl end TODO
 ')
@@ -923,12 +915,6 @@ template(`admin_user_template',`
 		can_pipe_xdm($1_t)
 	')
 
-	# Connect data port to ftpd.
-	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-	# Connect second port to rshd.
-	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
 	# Allow MAKEDEV to work
 	allow $1_t device_t:dir rw_dir_perms;
 	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
@@ -960,11 +946,8 @@ template(`admin_user_template',`
 		allow $1_t usbtty_device_t:chr_file write;
 	',`
 		r_dir_file($1_t, noexattrfile)
-		r_dir_file($1_t, removable_t)
-		allow $1_t removable_device_t:blk_file r_file_perms;
+		storage_raw_read_removable_device($1_t)
 	')
-	allow $1 removable_t:filesystem getattr;
-
 	') dnl endif TODO
 ')
 

