diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index c8098d7..88b7c59 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -85,10 +85,6 @@ optional_policy(`cron.te',`
 cron_system_entry(acct_t,acct_exec_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(acct_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(acct_t)
 ')
@@ -96,3 +92,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 udev_read_db(acct_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(acct_t)
+')
+')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 4005a80..f4b5246 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -67,10 +67,6 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_file(quota_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(quota_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(quota_t)
 ')
@@ -86,4 +82,7 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
 allow quota_t file_t:file quotaon;
 allow quota_t proc_t:file getattr;
+optional_policy(`rhgb.te',`
+ rhgb_domain(quota_t)
+')
 ') dnl end TODO
 
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 4c15864..ad6ffc9 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -104,10 +104,6 @@ optional_policy(`modutils.te',`
 modutils_read_mods_deps(updfstab_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(updfstab_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(updfstab_t)
 ')
@@ -115,3 +111,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te',`
 udev_read_db(updfstab_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(updfstab_t)
+')
+')
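Review bot: The `ifdef(`TODO',`` wrapper added at the end of acct.te expands to nothing unless TODO is defined, so `rhgb_domain(acct_t)` disappears from the built policy with no build-time trace, and nothing in the hunk records why or what would bring it back. The same move is made in updfstab.te, bind.te, dbus.te, howl.te, ldap.te, mysql.te, privoxy.te, ssh.te and ipsec.te, and into already-existing TODO blocks in quota.te, gpm.te, nscd.te, pcmcia.te and raid.te. If rhgb is present at boot, these domains will presumably now be denied whatever rhgb_domain() granted (its body is not visible here), so the blocks are worth annotating rather than left bare, e.g. `# rhgb_domain() parked under TODO: <reason>; re-enable once <condition>` with the placeholders filled in.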
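Review bot: The `optional_policy(`rhgb.te',`` block appended to quota.te's TODO section follows `allow quota_t proc_t:file getattr;` directly with no separating blank line, whereas the first hunk in the same file shows the optional blocks kept blank-separated; gpm.te, pcmcia.te and raid.te append the block the same way, and nscd.te removes the blank line that was there. Adding a blank line before each appended block (and keeping the one in nscd.te) keeps the optional_policy() blocks visually distinct from the raw allow rules they now sit among.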
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index 49c4a58..cf278f8 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -146,10 +146,6 @@ optional_policy(`nscd.te',`
 nscd_use_socket(named_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(named_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(named_t)
 ')
@@ -158,6 +154,15 @@ optional_policy(`udev.te',`
 udev_read_db(named_t)
 ')
 
+ifdef(`TODO',`
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+optional_policy(`rhgb.te',`
+ rhgb_domain(named_t)
+')
+')
+
 ########################################
 #
 # NDC local policy
@@ -241,9 +246,3 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 nscd_use_socket(ndc_t)
 ')
-
-ifdef(`TODO',`
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index f2c4688..0ceff77 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -125,10 +125,12 @@ optional_policy(`nscd.te',`
 nscd_use_socket(system_dbusd_t)
 ')
 
+optional_policy(`udev.te', `
+ udev_read_db(system_dbusd_t)
+')
+
+ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 rhgb_domain(system_dbusd_t)
 ')
-
-optional_policy(`udev.te', `
- udev_read_db(system_dbusd_t)
 ')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 44c5c03..151087d 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -83,10 +83,6 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_file(gpm_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(gpm_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(gpm_t)
 ')
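Review bot: The relocated TODO block in bind.te now puts the rhgb block in the same `ifdef(`TODO',`` as `can_udp_send(domain, named_t)`, `can_udp_send(named_t, domain)` and `can_tcp_connect(domain, named_t)`, which (when active) give every domain network access to named_t and vice versa; whoever later resolves the TODO will re-enable the broad domain-wide rules and the rhgb interface as one unit, although they need separate review. Keeping the rhgb block in its own `ifdef(`TODO',`` block, or at least adding `# domain-wide network rules: review separately from the rhgb block` above the can_* lines, preserves that distinction.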
@@ -99,4 +95,7 @@ ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
 allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+optional_policy(`rhgb.te',`
+ rhgb_domain(gpm_t)
+')
 ')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index 8e6ed7d..ae49234 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -79,10 +79,6 @@ optional_policy(`nis.te',`
 nis_use_ypbind(howl_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(howl_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(howl_t)
 ')
@@ -90,3 +86,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 udev_read_db(howl_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(howl_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 9919d1d..924a480 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -147,13 +147,6 @@ optional_policy(`rhgb.te',`
 rhgb_domain(inetd_t)
 ')
 
-# Bind to the telnet, ftp, rlogin and rsh ports.
-# cjp: these ports currently dont exist in the NSA example
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 ') dnl TODO
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index a7ffb9c..91f5b8e 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -110,10 +110,6 @@ optional_policy(`nis.te',`
 nis_use_ypbind(slapd_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(slapd_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(slapd_t)
 ')
@@ -123,6 +119,9 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(slapd_t)
+')
 # allow any domain to connect to the LDAP server
 # cjp: how does this relate to the old can_ldap() macro?
 can_tcp_connect(domain, slapd_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 2f48985..d8b8374 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -111,10 +111,6 @@ optional_policy(`nis.te',`
 nis_use_ypbind(mysqld_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(mysqld_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(mysqld_t)
 ')
@@ -123,7 +119,10 @@ optional_policy(`udev.te', `
 udev_read_db(mysqld_t)
 ')
 
-ifdef(`TODO',
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(mysqld_t)
+')
 optional_policy(`daemontools.te',`
 domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 mysqld_signal(svc_start_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 792d14a..4c54c2c 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -95,10 +95,6 @@ optional_policy(`nis.te',`
 nis_use_ypbind(nscd_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(nscd_t)
-')
-
 optional_policy(`selinuxutils.te',`
 seutil_sigchld_newrole(nscd_t)
 ')
@@ -119,7 +115,9 @@ optional_policy(`winbind.te', `
 allow nscd_t samba_var_t:dir search;
 allow nscd_t winbind_var_run_t:dir { getattr search };
 ')
-
+optional_policy(`rhgb.te',`
+ rhgb_domain(nscd_t)
+')
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index d1c5f3e..36ee8a5 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
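Review bot: The context just below the removed rhgb block in nscd.te reads `optional_policy(`selinuxutils.te',`` while acct.te, bind.te, ldap.te, mysql.te and the other files in this diff spell it `selinuxutil.te`; ipsec.te and pcmcia.te carry the same `selinuxutils.te` and raid.te has `selinux.te`. If the name does not match the module file, optional_policy() silently skips the block and `seutil_sigchld_newrole()` is never granted to nscd_t, ipsec_t, cardmgr_t or mdadm_t, with no error from the build. The mismatch predates this commit, but since the hunks touch the adjacent lines it is the natural place to align all four on the real module name, which appears to be `selinuxutil.te` judging by the rest of the diff.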
@@ -83,10 +83,6 @@ optional_policy(`mount.te',`
 mount_send_nfs_client_request(privoxy_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(privoxy_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(privoxy_t)
 ')
@@ -94,3 +90,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 udev_read_db(privoxy_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(privoxy_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 139c524..8549167 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -24,7 +24,7 @@ role system_r types ssh_keygen_t;
 ssh_server_template(sshd)
 
 optional_policy(`inetd.te',`
-# CJP: commenting this out until typeattribute works in a conditional
+# cjp: commenting this out until typeattribute works in a conditional
 # tunable_policy(`run_ssh_inetd',`
 inetd_tcp_service_domain(sshd_t,sshd_exec_t)
 # ',`
@@ -221,10 +221,6 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_file(ssh_keygen_t)
 ')
 
-optional_policy(`rhgb.te', `
- rhgb_domain(ssh_keygen_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
@@ -232,3 +228,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te', `
+ rhgb_domain(ssh_keygen_t)
+')
+')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index cc06b3e..a30a314 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -128,10 +128,6 @@ optional_policy(`nis.te',`
 nis_use_ypbind(ipsec_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(ipsec_t)
-')
-
 optional_policy(`selinuxutils.te',`
 seutil_sigchld_newrole(ipsec_t)
 ')
@@ -140,6 +136,12 @@ optional_policy(`udev.te', `
 udev_read_db(ipsec_t)
 ')
 
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(ipsec_t)
+')
+')
+
 ########################################
 #
 # ipsec_mgmt Local policy
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 133694a..025c886 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -116,10 +116,6 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_file(cardmgr_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(cardmgr_t)
-')
-
 optional_policy(`selinuxutils.te',`
 seutil_sigchld_newrole(cardmgr_t)
 ')
@@ -157,4 +153,7 @@ optional_policy(`pcmcia.te',`
 pcmcia_manage_pid(hald_t)
 pcmcia_manage_runtime_chr(hald_t)
 ')
+optional_policy(`rhgb.te',`
+ rhgb_domain(cardmgr_t)
+')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index a8a2f46..c58e7af 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -73,10 +73,6 @@ ifdef(`targeted_policy',`
 files_dontaudit_read_root_file(mdadm_t)
 ')
 
-optional_policy(`rhgb.te',`
- rhgb_domain(mdadm_t)
-')
-
 optional_policy(`selinux.te',`
 seutil_sigchld_newrole(mdadm_t)
 ')
@@ -90,4 +86,7 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
 allow mdadm_t var_t:dir getattr;
+optional_policy(`rhgb.te',`
+ rhgb_domain(mdadm_t)
+')
 ') dnl TODO
 