[selinux-policy/f13/master] Remove allow_sysadm_manage_security boolean

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 5 18:24:39 UTC 2011


commit 6ba07b7f1c54ea0f5f2c2cf44511099b19b077e3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 5 20:25:08 2011 +0000

    Remove allow_sysadm_manage_security boolean

 booleans-mls.conf |    4 --
 policy-F13.patch  |   82 ++++++++++++++++------------------------------------
 2 files changed, 25 insertions(+), 61 deletions(-)
---
diff --git a/booleans-mls.conf b/booleans-mls.conf
index 4367df5..1dabe0b 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -232,7 +232,3 @@ xserver_object_manager = true
 # 
 init_upstart = true
 
-#
-# Allow sysadm to become security admin.
-#
-allow_sysadm_manage_security = false
diff --git a/policy-F13.patch b/policy-F13.patch
index 1c933f8..ad1a2c6 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -13700,22 +13700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2011-04-05 19:09:49.889000002 +0000
-@@ -13,6 +13,13 @@
- ## </desc>
- gen_tunable(allow_ptrace, false)
- 
-+## <desc>
-+## <p>
-+## Allow sysadm to become security admin. 
-+## </p>
-+## </desc>
-+gen_tunable(allow_sysadm_manage_security, false)
-+
- role sysadm_r;
- 
- userdom_admin_user_template(sysadm)
-@@ -28,17 +35,31 @@
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2011-04-05 20:22:37.666000001 +0000
+@@ -28,17 +28,31 @@
  
  corecmd_exec_shell(sysadm_t)
  
@@ -13747,7 +13733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -56,12 +77,25 @@
+@@ -56,6 +70,7 @@
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -13755,25 +13741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  tunable_policy(`allow_ptrace',`
- 	domain_ptrace_all_domains(sysadm_t)
- ')
- 
-+ifdef(`enable_mls',`
-+    tunable_policy(`allow_sysadm_manage_security',`
-+        userdom_security_admin_template(sysadm_t, sysadm_r)
-+
-+        logging_manage_audit_log(sysadm_t)
-+        logging_manage_audit_config(sysadm_t)
-+        logging_run_auditctl(sysadm_t, sysadm_r)
-+        logging_run_auditd(sysadm_t, sysadm_r)
-+        logging_stream_connect_syslog(sysadm_t)
-+    ')
-+')
-+
- optional_policy(`
- 	amanda_run_recover(sysadm_t, sysadm_r)
- ')
-@@ -70,7 +104,9 @@
+@@ -70,7 +85,9 @@
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
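Review bot: Removing the `ifdef(`enable_mls',` / `tunable_policy(`allow_sysadm_manage_security',` block takes away the only visible path by which sysadm_t could obtain userdom_security_admin_template (plus logging_run_auditd and logging_stream_connect_syslog) in an MLS build, which hardens the sysadm_r/secadm_r separation but is not explained in the commit message. MLS deployments that had the boolean switched on will lose policy and audit management from sysadm_r and must move those tasks to secadm_r, and a stale `allow_sysadm_manage_security` entry left in the local boolean store may presumably fail to resolve at policy load — worth confirming how the package upgrade handles it. I would spell this out in the commit message, e.g. `Remove allow_sysadm_manage_security boolean; in MLS policy security-admin tasks now require the secadm_r role`. The logging_manage_audit_* / logging_run_auditctl calls that survive are in the preceding hunk inside the direct_sysadm_daemon block only, so whether auditd/syslog access for sysadm_t is still granted in the MLS build cannot be told from here. The enclosing sysadm.te module starts before and continues past this hunk.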
@@ -13784,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -98,17 +134,25 @@
+@@ -98,17 +115,25 @@
  	bind_run_ndc(sysadm_t, sysadm_r)
  ')
  
@@ -13810,7 +13778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +170,18 @@
+@@ -126,16 +151,18 @@
  	consoletype_run(sysadm_t, sysadm_r)
  ')
  
@@ -13831,7 +13799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -165,9 +211,11 @@
+@@ -165,9 +192,11 @@
  	ethereal_run_tethereal(sysadm_t, sysadm_r)
  ')
  
@@ -13843,7 +13811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +225,7 @@
+@@ -177,6 +206,7 @@
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
@@ -13851,7 +13819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	games_role(sysadm_r, sysadm_t)
  ')
-@@ -192,6 +241,7 @@
+@@ -192,6 +222,7 @@
  optional_policy(`
  	gpg_role(sysadm_r, sysadm_t)
  ')
@@ -13859,7 +13827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +255,13 @@
+@@ -205,6 +236,13 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -13873,7 +13841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -212,12 +269,18 @@
+@@ -212,12 +250,18 @@
  ')
  
  optional_policy(`
@@ -13892,7 +13860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +290,11 @@
+@@ -227,9 +271,11 @@
  	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -13904,7 +13872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +317,10 @@
+@@ -252,8 +298,10 @@
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -13915,7 +13883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	mozilla_role(sysadm_r, sysadm_t)
  ')
-@@ -261,6 +328,7 @@
+@@ -261,6 +309,7 @@
  optional_policy(`
  	mplayer_role(sysadm_r, sysadm_t)
  ')
@@ -13923,7 +13891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	mta_role(sysadm_r, sysadm_t)
-@@ -275,6 +343,10 @@
+@@ -275,6 +324,10 @@
  ')
  
  optional_policy(`
@@ -13934,7 +13902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -308,8 +380,14 @@
+@@ -308,8 +361,14 @@
  ')
  
  optional_policy(`
@@ -13949,7 +13917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +397,11 @@
+@@ -319,9 +378,11 @@
  	raid_domtrans_mdadm(sysadm_t)
  ')
  
@@ -13961,7 +13929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +411,11 @@
+@@ -331,9 +392,11 @@
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -13973,7 +13941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -346,6 +428,7 @@
+@@ -346,6 +409,7 @@
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -13981,7 +13949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -358,8 +441,14 @@
+@@ -358,8 +422,14 @@
  ')
  
  optional_policy(`
@@ -13996,7 +13964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +471,11 @@
+@@ -382,9 +452,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -14008,7 +13976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,23 +484,31 @@
+@@ -393,23 +465,31 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -14040,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	unprivuser_role_change(sysadm_r)
  ')
  
-@@ -417,9 +516,11 @@
+@@ -417,9 +497,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -14052,7 +14020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +528,15 @@
+@@ -427,9 +509,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -14068,7 +14036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +547,30 @@
+@@ -440,13 +528,30 @@
  ')
  
  optional_policy(`

