commit: e2ae0ff011ca8e38472e44f381b4f0d0bc1d706e |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Wed Nov 21 21:09:38 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 21 21:09:38 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2ae0ff0 |
|
Remove calls that are now handled in the upstream code (was in distro_gentoo earlier) |
|
--- |
policy/modules/contrib/cron.fc | 1 - |
policy/modules/contrib/cron.if | 8 -------- |
policy/modules/contrib/cron.te | 24 +++++------------------- |
policy/modules/contrib/postfix.fc | 4 ---- |
policy/modules/contrib/postfix.te | 6 ------ |
policy/modules/contrib/qemu.te | 5 ----- |
6 files changed, 5 insertions(+), 43 deletions(-) |
|
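diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index b2d6309..a7bfe6d 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -50,7 +50,6 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]* -- <<none>>
 ')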
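diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 2b859e5..01ba3ce 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -316,14 +316,6 @@ interface(`cron_system_entry',`
 domtrans_pattern(crond_t, $2, $1)
 
 role system_r types $1;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type user_cron_spool_log_t;
- ')
-
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
- ')
 ')
 
 ########################################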
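diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 039526d..f383f5f 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -121,24 +121,19 @@ files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
 
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+mta_system_content(user_cron_spool_log_t)
+
 ifdef(`distro_gentoo',`
 # Logging for atd jobs
- type user_cron_spool_log_t;
- logging_log_file(user_cron_spool_log_t)
- ubac_constrained(user_cron_spool_log_t)
- mta_system_content(user_cron_spool_log_t)
-
 domain_interactive_fd(cronjob_t)
 domain_interactive_fd(system_cronjob_t)
 
 logging_syslog_managed_log_file(cron_log_t, "cron.log")
 ')
 
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
-
 ifdef(`enable_mcs',`
 init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
@@ -216,10 +211,6 @@ selinux_compute_create_context(admin_crontab_t)
 selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
-ifdef(`distro_gentoo',`
- allow admin_crontab_t self:capability fsetid;
-')
-
 tunable_policy(`fcron_crond',`
 allow admin_crontab_t self:process setfscreate;
 ')
@@ -351,11 +342,6 @@ ifdef(`distro_debian',`
 ')
 ')
 
-ifdef(`distro_gentoo',`
- manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
- manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
-')
-
 ifdef(`distro_redhat',`
 optional_policy(`
 rpm_manage_log(crond_t)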
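Review bot: In the first cron.te hunk the `# Logging for atd jobs` comment stays inside the distro_gentoo block, while the `user_cron_spool_log_t` declaration it described now sits above that block, so the comment ends up heading the two `domain_interactive_fd` calls. Move it to the declaration, i.e. `# Logging for atd jobs` directly above `type user_cron_spool_log_t;`. The type is still declared on the new side, but this commit also drops its `/var/spool/at/atspool(/.*)?` file context in cron.fc and the `manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)` rule in the third hunk. The commit message says upstream now carries these, which this diff does not show. It is worth confirming on a built policy that the path still resolves to `user_cron_spool_log_t` (for example with `matchpathcon`) and that `sesearch` shows the intended rules for it, so at job logs do not silently fall back to the parent spool label.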
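diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index 76e1469..c0e8785 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -55,7 +55,3 @@
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
-
-ifdef(`distro_gentoo',`
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-')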
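diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 913530e..12db12d 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -158,10 +158,6 @@ miscfiles_read_generic_certs(postfix_domain)
 
 userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
 
-ifdef(`distro_gentoo',`
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-')
-
 optional_policy(`
 udev_read_db(postfix_domain)
 ')
@@ -312,8 +308,6 @@ mta_read_sendmail_bin(postfix_master_t)
 mta_getattr_spool(postfix_master_t)
 
 ifdef(`distro_gentoo',`
- allow postfix_master_t self:capability fowner;
-
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 ')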
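diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index ee05637..e21eee6 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -31,11 +31,6 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 vde_connect(qemu_t)
 ')
-
- optional_policy(`
- # When qemu is built with SDL support
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
- ')
 ')
 
 tunable_policy(`qemu_full_network',`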