From bca0cdb86e54b910ff3794acf394339251e7b3b6 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jul 07 2010 12:41:20 +0000
Subject: Remove duplicate/redundant rules, from Russell Coker.
---
diff --git a/Changelog b/Changelog
index 749a17b..6a7d362 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Remove duplicate/redundant rules, from Russell Coker.
 - Increased default number of categories to 1024, from Russell Coker.
 - Added modules: cgroup (Dominick Grift)
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index 6c3b760..c102195 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -78,8 +78,6 @@ kernel_read_kernel_sysctls(ethereal_t)
 kernel_read_system_state(ethereal_t)
 kernel_read_sysctl(ethereal_t)
-corecmd_search_bin(ethereal_t)
-
 corenet_tcp_connect_generic_port(ethereal_t)
 corenet_tcp_sendrecv_generic_if(ethereal_t)
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 202d4b8..4204eec 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -53,7 +53,7 @@ userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
 domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
 # Read /proc/meminfo
-kernel_read_system_state(giftd_t)
+kernel_read_system_state(gift_t)
 # Connect to gift daemon
 corenet_all_recvfrom_unlabeled(gift_t)
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index aa8ace6..726e853 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -82,7 +82,6 @@ dev_read_urand(java_t)
 dev_read_rand(java_t)
 dev_dontaudit_append_rand(java_t)
-files_read_etc_files(java_t)
 files_read_usr_files(java_t)
 files_search_home(java_t)
 files_search_var_lib(java_t)
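Review bot: The changed line in the gift.te hunk is a retarget, not a duplicate removal: `kernel_read_system_state(giftd_t)` becomes `kernel_read_system_state(gift_t)`, which grants the gift_t client a permission it did not previously have in this section and removes it from giftd_t here. That reading is consistent with the old line being a copy-paste slip inside the gift_t block (every neighbouring rule in the hunk targets gift_t), but it only stays safe if giftd_t's own local-policy section, which lies outside this hunk, still carries `kernel_read_system_state(giftd_t)`. The commit message and Changelog speak only of removing duplicates, so this permission change for gift_t deserves an explicit mention and a check that giftd_t keeps its /proc access.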
@@ -144,8 +143,6 @@ optional_policy(`
 # execheap is needed for itanium/BEA jrocket
 allow unconfined_java_t self:process { execstack execmem execheap };
- init_dbus_chat_script(unconfined_java_t)
- files_execmod_all_files(unconfined_java_t)
 init_dbus_chat_script(unconfined_java_t)
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 9b73284..3c43106 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -71,8 +71,6 @@ kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
-corecmd_search_bin(wireshark_t)
-
 corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 8529043..33621bb 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -89,7 +89,6 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
 # pid file
-manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 72901d8..b96c242 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
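Review bot: In the clamav.te hunk the deleted `manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)` under `# pid file` looks like a mistyped type rather than a duplicate: the surviving pid-file rules give clamd_t only file and sock_file access on clamd_var_run_t, yet `files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })` still transitions directories, which clamd_t cannot create without dir permissions on that type. Unless a dirs rule for clamd_var_run_t exists outside the hunk, the right change is to fix the type instead of dropping the line: `manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)`. If clamd never actually creates a directory under /var/run, drop `dir` from the filetrans instead so the transition matches the permissions granted.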
@@ -48,7 +48,6 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index bd97d09..22221ad 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -22,8 +22,6 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
-files_config_file(djbdns_axfrdns_conf_t)
-
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 230b076..93c14ca 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -308,14 +308,12 @@ tunable_policy(`use_lpd_server',`
 ')
 tunable_policy(`use_nfs_home_dirs',`
- files_list_home(lpr_t)
 fs_list_auto_mountpoints(lpr_t)
 fs_read_nfs_files(lpr_t)
 fs_read_nfs_symlinks(lpr_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
- files_list_home(lpr_t)
 fs_list_auto_mountpoints(lpr_t)
 fs_read_cifs_files(lpr_t)
 fs_read_cifs_symlinks(lpr_t)
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 1adbca2..4d66b76 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -98,7 +98,6 @@ files_read_etc_files(prelude_t)
 files_read_etc_runtime_files(prelude_t)
 files_read_usr_files(prelude_t)
 files_search_tmp(prelude_t)
-files_search_tmp(prelude_t)
 fs_rw_anon_inodefs_files(prelude_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 29d8607..33e72e8 100644
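Review bot: The courier.te hunk removes `fd use` but leaves visible duplicates in the same courier_authdaemon_t block: `allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;` appears as context both before and after the deleted line, and the trailing `allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;` is covered by the `fifo_file rw_fifo_file_perms` rule in the hunk heading. Given that de-duplication is the stated purpose of the commit, the second `tcp_socket` line and the `fifo_file rw_file_perms` line should go too. The `fd use` rule itself is not shown twice here, so its removal presumes the permission is granted by an interface elsewhere in this section (outside the hunk); if it is not, authdaemon will fail to use descriptors inherited from courier_tcpd_t and the breakage will only show up as an AVC at runtime.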
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -241,10 +241,6 @@ optional_policy(`
 ')
 optional_policy(`
- rgmanager_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
 # XXX This has got to go.
 unconfined_domain(ricci_modcluster_t)
 ')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eca9400..2dad3c8 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -200,54 +200,6 @@ optional_policy(`
 xserver_domtrans_xauth(ssh_t)
 ')
-########################################
-#
-# ssh_keygen local policy
-#
-
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-
-dontaudit ssh_keygen_t self:capability sys_tty_config;
-allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
-kernel_read_kernel_sysctls(ssh_keygen_t)
-
-fs_search_auto_mountpoints(ssh_keygen_t)
-
-dev_read_sysfs(ssh_keygen_t)
-dev_read_urand(ssh_keygen_t)
-
-term_dontaudit_use_console(ssh_keygen_t)
-
-domain_use_interactive_fds(ssh_keygen_t)
-
-files_read_etc_files(ssh_keygen_t)
-
-init_use_fds(ssh_keygen_t)
-init_use_script_ptys(ssh_keygen_t)
-
-logging_send_syslog_msg(ssh_keygen_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
-')
-
-optional_policy(`
- udev_read_db(ssh_keygen_t)
-')
-
 ##############################
 #
 # ssh_keysign_t local policy
@@ -401,6 +353,10 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
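Review bot: The ssh.te change is a block consolidation rather than a plain duplicate removal, and the diff only proves that one rule from the deleted ssh_keygen section, `nscd_socket_use(ssh_keygen_t)`, was missing from the surviving section at new line 353 and had to be carried over. Whether the rest of the removed block — in particular `allow ssh_keygen_t sshd_key_t:file manage_file_perms;` together with `files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)`, `dev_read_urand(ssh_keygen_t)` and the `udev_read_db` optional block — is present in the surviving section cannot be seen from these hunks, and losing any of them would make host-key generation fail or leave freshly generated keys labelled etc_t instead of sshd_key_t. Suggest confirming with `sesearch -s ssh_keygen_t -A` on policies built before and after (or a side-by-side diff of the two sections) and stating in the commit message that the kept block is a superset. The surviving ssh_keygen section begins above the second hunk and is not visible here.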
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3151f51..3cce663 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -168,10 +168,6 @@ optional_policy(`
 xen_rw_image_files(svirt_t)
 ')
-optional_policy(`
- xen_rw_image_files(svirt_t)
-')
-
 ########################################
 #
 # virtd local policy
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d19c42b..4566008 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -166,7 +166,6 @@ init_domain(xdm_t, xdm_exec_t)
 init_daemon_domain(xdm_t, xdm_exec_t)
 xserver_object_types_template(xdm)
 xserver_common_x_domain_template(xdm, xdm_t)
-xserver_unconfined(xdm_t)
 type xdm_lock_t;
 files_lock_file(xdm_lock_t)
@@ -832,8 +831,6 @@ init_use_fds(xserver_t)
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
-xserver_use_user_fonts(xserver_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xserver_t)
 fs_manage_nfs_files(xserver_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d9d2789..29f9757 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -126,7 +126,6 @@ domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
-domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
 files_read_etc_files(init_t)
@@ -299,13 +298,10 @@ dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-corecmd_exec_all_executables(initrc_t)
-
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
-domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
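Review bot: Neither removal in the xserver.te hunks is a duplicate visible within its hunk, unlike most of this commit: `xserver_unconfined(xdm_t)` is dropped from the xdm_t declarations and `xserver_use_user_fonts(xserver_t)` from the xserver_t section with no second copy shown. As I read the interface, `xserver_unconfined()` is what exempts a domain from the X object-manager checks, so removing it is a genuine behaviour change for the display manager unless the same call survives elsewhere in the xdm_t policy, which is outside this hunk. Please confirm both with `grep -n 'xserver_unconfined\|xserver_use_user_fonts' policy/modules/services/xserver.te` and, if the calls are kept elsewhere, say which copy was retained in the commit message so this does not read as an intentional hardening of xdm_t.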
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 3da53c1..828156a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,9 +372,6 @@ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
-allow syslogd_t syslogd_var_run_t:file manage_file_perms;
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0860841..86ef2da 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -211,7 +211,6 @@ files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 kernel_read_system_state(lvm_t)
-kernel_read_kernel_sysctls(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7d565ea..dfbe736 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -334,10 +334,6 @@ optional_policy(`
 ')
 optional_policy(`
- netutils_domtrans(dhcpc_t)
-')
-
-optional_policy(`
 nis_use_ypbind(ifconfig_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f0a4fde..f661f5a 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -353,7 +353,6 @@ storage_raw_write_fixed_disk(xenstored_t)
 storage_raw_read_removable_device(xenstored_t)
 term_use_generic_ptys(xenstored_t)
-term_use_console(xenconsoled_t)
 init_use_fds(xenstored_t)
 init_use_script_ptys(xenstored_t)