Merge pull request #356 from pebenito/drop-dead-modules2

policy/modules/admin/bcfg2.fc

@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-
-/usr/bin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
-/usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
-/var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-
-/run/bcfg2-server\.pid	--	gen_context(system_u:object_r:bcfg2_runtime_t,s0)

policy/modules/admin/bcfg2.if

@@ -1,151 +0,0 @@
-## <summary>configuration management suite.</summary>
-
-########################################
-## <summary>
-##	Execute bcfg2 in the bcfg2 domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`bcfg2_domtrans',`
-	gen_require(`
-		type bcfg2_t, bcfg2_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
-')
-
-########################################
-## <summary>
-##	Execute bcfg2 server in the bcfg2 domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_initrc_domtrans',`
-	gen_require(`
-		type bcfg2_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Search bcfg2 lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_search_lib',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Read bcfg2 lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_read_lib_files',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	bcfg2 lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_manage_lib_files',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	bcfg2 lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_manage_lib_dirs',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an bcfg2 environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`bcfg2_admin',`
-	gen_require(`
-		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
-		type bcfg2_runtime_t;
-	')
-
-	allow $1 bcfg2_t:process { ptrace signal_perms };
-	ps_process_pattern($1, bcfg2_t)
-
-	init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, bcfg2_runtime_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, bcfg2_var_lib_t)
-')

policy/modules/admin/bcfg2.te

@@ -1,59 +0,0 @@
-policy_module(bcfg2, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type bcfg2_t;
-type bcfg2_exec_t;
-init_daemon_domain(bcfg2_t, bcfg2_exec_t)
-
-type bcfg2_initrc_exec_t;
-init_script_file(bcfg2_initrc_exec_t)
-
-type bcfg2_runtime_t alias bcfg2_var_run_t;
-files_runtime_file(bcfg2_runtime_t)
-
-type bcfg2_var_lib_t;
-files_type(bcfg2_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow bcfg2_t self:fifo_file rw_fifo_file_perms;
-allow bcfg2_t self:tcp_socket { accept listen };
-allow bcfg2_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir)
-
-manage_files_pattern(bcfg2_t, bcfg2_runtime_t, bcfg2_runtime_t)
-files_runtime_filetrans(bcfg2_t, bcfg2_runtime_t, file)
-
-kernel_read_system_state(bcfg2_t)
-
-corenet_all_recvfrom_netlabel(bcfg2_t)
-corenet_tcp_sendrecv_generic_if(bcfg2_t)
-corenet_tcp_sendrecv_generic_node(bcfg2_t)
-corenet_tcp_bind_generic_node(bcfg2_t)
-
-corenet_sendrecv_cyphesis_server_packets(bcfg2_t)
-corenet_tcp_bind_cyphesis_port(bcfg2_t)
-
-corecmd_exec_bin(bcfg2_t)
-
-dev_read_urand(bcfg2_t)
-
-domain_use_interactive_fds(bcfg2_t)
-
-files_read_usr_files(bcfg2_t)
-
-auth_use_nsswitch(bcfg2_t)
-
-logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)

policy/modules/admin/ddcprobe.fc

@@ -1,3 +0,0 @@
-/usr/bin/ddcprobe	--	gen_context(system_u:object_r:ddcprobe_exec_t,s0)
-
-/usr/sbin/ddcprobe	--	gen_context(system_u:object_r:ddcprobe_exec_t,s0)

policy/modules/admin/ddcprobe.if

@@ -1,47 +0,0 @@
-## <summary>ddcprobe retrieves monitor and graphics card information.</summary>
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ddcprobe_domtrans',`
-	gen_require(`
-		type ddcprobe_t, ddcprobe_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
-')
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe
-##	domain, and allow the specified
-##	role the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ddcprobe_run',`
-	gen_require(`
-		attribute_role ddcprobe_roles;
-	')
-
-	ddcprobe_domtrans($1)
-	roleattribute $2 ddcprobe_roles;
-')

policy/modules/admin/ddcprobe.te

@@ -1,51 +0,0 @@
-policy_module(ddcprobe, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role ddcprobe_roles;
-roleattribute system_r ddcprobe_roles;
-
-type ddcprobe_t;
-type ddcprobe_exec_t;
-application_domain(ddcprobe_t, ddcprobe_exec_t)
-role ddcprobe_roles types ddcprobe_t;
-
-########################################
-#
-# Local policy
-#
-
-allow ddcprobe_t self:capability { sys_admin sys_rawio };
-allow ddcprobe_t self:process execmem;
-
-kernel_read_system_state(ddcprobe_t)
-kernel_read_kernel_sysctls(ddcprobe_t)
-kernel_change_ring_buffer_level(ddcprobe_t)
-
-files_search_kernel_modules(ddcprobe_t)
-
-corecmd_list_bin(ddcprobe_t)
-corecmd_exec_bin(ddcprobe_t)
-
-dev_read_urand(ddcprobe_t)
-dev_read_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
-dev_wx_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
-
-files_read_etc_files(ddcprobe_t)
-files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
-
-term_use_all_ttys(ddcprobe_t)
-term_use_all_ptys(ddcprobe_t)
-
-libs_read_lib_files(ddcprobe_t)
-
-miscfiles_read_localization(ddcprobe_t)
-
-modutils_read_module_deps(ddcprobe_t)
-
-userdom_use_user_terminals(ddcprobe_t)
-userdom_use_all_users_fds(ddcprobe_t)

policy/modules/admin/logrotate.te

@@ -166,11 +166,6 @@ optional_policy(`
 	bind_manage_cache(logrotate_t)
 ')
 
-optional_policy(`
-	callweaver_exec(logrotate_t)
-	callweaver_stream_connect(logrotate_t)
-')
-
 optional_policy(`
 	consoletype_exec(logrotate_t)
 ')
@@ -234,10 +229,6 @@ optional_policy(`
 	openvswitch_domtrans(logrotate_t)
 ')
 
-optional_policy(`
-	polipo_log_filetrans_log(logrotate_t, file, "polipo")
-')
-
 optional_policy(`
 	psad_domtrans(logrotate_t)
 ')

policy/modules/apps/lockdev.fc

@@ -1,5 +0,0 @@
-/usr/bin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
-
-/usr/sbin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
-
-/var/lock/lockdev(/.*)?	gen_context(system_u:object_r:lockdev_lock_t,s0)

policy/modules/apps/lockdev.if

@@ -1,42 +0,0 @@
-## <summary>Library for locking devices.</summary>
-
-########################################
-## <summary>
-##	Role access for lockdev.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`lockdev_role',`
-	gen_require(`
-		attribute_role lockdev_roles;
-		type lockdev_t, lockdev_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	roleattribute $1 lockdev_roles;
-
-	########################################
-	#
-	# Policy
-	#
-
-	domtrans_pattern($2, lockdev_exec_t, lockdev_t)
-
-	allow $2 lockdev_t:process { ptrace signal_perms };
-	ps_process_pattern($2, lockdev_t)
-
-	allow lockdev_t $2:process signull;
-')

policy/modules/apps/lockdev.te

@@ -1,35 +0,0 @@
-policy_module(lockdev, 1.7.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role lockdev_roles;
-
-type lockdev_t;
-type lockdev_exec_t;
-userdom_user_application_domain(lockdev_t, lockdev_exec_t)
-role lockdev_roles types lockdev_t;
-
-type lockdev_lock_t;
-files_lock_file(lockdev_lock_t)
-ubac_constrained(lockdev_lock_t)
-
-########################################
-#
-# Local policy
-#
-
-allow lockdev_t self:capability setgid;
-
-manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
-files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
-
-files_read_all_locks(lockdev_t)
-
-fs_getattr_xattr_fs(lockdev_t)
-
-logging_send_syslog_msg(lockdev_t)
-
-userdom_use_user_terminals(lockdev_t)

policy/modules/roles/staff.te

@@ -137,10 +137,6 @@ ifndef(`distro_redhat',`
 		libmtp_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		lockdev_role(staff_r, staff_t)
-	')
-
 	optional_policy(`
 		lpd_role(staff_r, staff_t)
 	')

policy/modules/roles/sysadm.te

@@ -108,10 +108,6 @@ optional_policy(`
 	afs_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	aiccu_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	aide_admin(sysadm_t, sysadm_r)
 ')
@@ -182,10 +178,6 @@ optional_policy(`
 	bacula_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	bcfg2_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	bind_admin(sysadm_t, sysadm_r)
 	bind_run_ndc(sysadm_t, sysadm_r)
@@ -219,18 +211,10 @@ optional_policy(`
 	calamaris_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	callweaver_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	canna_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ccs_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	certbot_run(sysadm_t, sysadm_r)
 ')
@@ -263,10 +247,6 @@ optional_policy(`
 	chronyd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	cipe_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	clamav_admin(sysadm_t, sysadm_r)
 ')
@@ -275,14 +255,6 @@ optional_policy(`
 	clock_run(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	clockspeed_run_cli(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	cmirrord_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	cobbler_admin(sysadm_t, sysadm_r)
 ')
@@ -336,24 +308,10 @@ optional_policy(`
 	dante_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	dcc_run_cdcc(sysadm_t, sysadm_r)
-	dcc_run_client(sysadm_t, sysadm_r)
-	dcc_run_dbclean(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	ddclient_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ddcprobe_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	denyhosts_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	devicekit_admin(sysadm_t, sysadm_r)
 ')
@@ -406,10 +364,6 @@ optional_policy(`
 	drbd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	dspam_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	entropyd_admin(sysadm_t, sysadm_r)
 ')
@@ -491,10 +445,6 @@ optional_policy(`
 	hwloc_run_dhwd(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	howl_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	hypervkvp_admin(sysadm_t, sysadm_r)
 ')
@@ -605,10 +555,6 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	lockdev_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
 	logrotate_run(sysadm_t, sysadm_r)
 ')
@@ -683,10 +629,6 @@ optional_policy(`
 	mrtg_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	mscan_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	mta_role(sysadm_r, sysadm_t)
 ')
@@ -751,10 +693,6 @@ optional_policy(`
 	nut_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	oav_run_update(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	oident_admin(sysadm_t, sysadm_r)
 ')
@@ -811,10 +749,6 @@ optional_policy(`
 	plymouthd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	polipo_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
@@ -866,10 +800,6 @@ optional_policy(`
 	pxe_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	pyicqt_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	pyzor_admin(sysadm_t, sysadm_r)
 	pyzor_role(sysadm_r, sysadm_t)
@@ -917,22 +847,10 @@ optional_policy(`
 	resmgr_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	rgmanager_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	rhcs_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	rhsmcertd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ricci_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	rkhunter_run(sysadm_t, sysadm_r)
 ')

policy/modules/roles/unprivuser.te

@@ -109,10 +109,6 @@ ifndef(`distro_redhat',`
 		libmtp_role(user_r, user_t)
 	')
 
-	optional_policy(`
-		lockdev_role(user_r, user_t)
-	')
-
 	optional_policy(`
 		lpd_role(user_r, user_t)
 	')

policy/modules/services/aiccu.fc

@@ -1,9 +0,0 @@
-/etc/aiccu\.conf	--	gen_context(system_u:object_r:aiccu_etc_t,s0)
-
-/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
-
-/usr/bin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
-
-/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
-
-/run/aiccu\.pid	--	gen_context(system_u:object_r:aiccu_runtime_t,s0)

policy/modules/services/aiccu.if

@@ -1,87 +0,0 @@
-## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run aiccu.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`aiccu_domtrans',`
-	gen_require(`
-		type aiccu_t, aiccu_exec_t;
-	')
-
-	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
-	corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
-##	Execute aiccu server in the aiccu domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`aiccu_initrc_domtrans',`
-	gen_require(`
-		type aiccu_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Read aiccu PID files.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`aiccu_read_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an aiccu environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`aiccu_admin',`
-	gen_require(`
-		type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
-		type aiccu_runtime_t;
-	')
-
-	allow $1 aiccu_t:process { ptrace signal_perms };
-	ps_process_pattern($1, aiccu_t)
-
-	init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
-
-	admin_pattern($1, aiccu_etc_t)
-	files_list_etc($1)
-
-	admin_pattern($1, aiccu_runtime_t)
-	files_list_runtime($1)
-')

policy/modules/services/aiccu.te

@@ -1,74 +0,0 @@
-policy_module(aiccu, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type aiccu_t;
-type aiccu_exec_t;
-init_daemon_domain(aiccu_t, aiccu_exec_t)
-
-type aiccu_initrc_exec_t;
-init_script_file(aiccu_initrc_exec_t)
-
-type aiccu_etc_t;
-files_config_file(aiccu_etc_t)
-
-type aiccu_runtime_t alias aiccu_var_run_t;
-files_runtime_file(aiccu_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-allow aiccu_t self:capability { kill net_admin net_raw };
-dontaudit aiccu_t self:capability sys_tty_config;
-allow aiccu_t self:process signal;
-allow aiccu_t self:fifo_file rw_fifo_file_perms;
-allow aiccu_t self:netlink_route_socket nlmsg_write;
-allow aiccu_t self:tcp_socket { accept listen };
-allow aiccu_t self:tun_socket create_socket_perms;
-allow aiccu_t self:udp_socket { accept listen };
-allow aiccu_t self:unix_stream_socket { accept listen };
-
-allow aiccu_t aiccu_etc_t:file read_file_perms;
-
-manage_dirs_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t)
-manage_files_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t)
-files_runtime_filetrans(aiccu_t, aiccu_runtime_t, { file dir })
-
-kernel_read_system_state(aiccu_t)
-
-corecmd_exec_shell(aiccu_t)
-
-corenet_all_recvfrom_netlabel(aiccu_t)
-corenet_tcp_bind_generic_node(aiccu_t)
-corenet_tcp_sendrecv_generic_if(aiccu_t)
-corenet_tcp_sendrecv_generic_node(aiccu_t)
-
-corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
-corenet_tcp_connect_sixxsconfig_port(aiccu_t)
-
-corenet_rw_tun_tap_dev(aiccu_t)
-
-domain_use_interactive_fds(aiccu_t)
-
-dev_read_rand(aiccu_t)
-dev_read_urand(aiccu_t)
-
-files_read_etc_files(aiccu_t)
-
-logging_send_syslog_msg(aiccu_t)
-
-miscfiles_read_localization(aiccu_t)
-
-optional_policy(`
-	modutils_domtrans(aiccu_t)
-')
-
-optional_policy(`
-	sysnet_dns_name_resolve(aiccu_t)
-	sysnet_domtrans_ifconfig(aiccu_t)
-')

policy/modules/services/aisexec.te

@@ -95,19 +95,3 @@ miscfiles_read_localization(aisexec_t)
 
 userdom_rw_unpriv_user_semaphores(aisexec_t)
 userdom_rw_unpriv_user_shared_mem(aisexec_t)
-
-optional_policy(`
-	ccs_stream_connect(aisexec_t)
-')
-
-optional_policy(`
-	rhcs_rw_dlm_controld_semaphores(aisexec_t)
-
-	rhcs_rw_fenced_semaphores(aisexec_t)
-
-	rhcs_rw_gfs_controld_semaphores(aisexec_t)
-	rhcs_rw_gfs_controld_shm(aisexec_t)
-
-	rhcs_rw_groupd_semaphores(aisexec_t)
-	rhcs_rw_groupd_shm(aisexec_t)
-')

policy/modules/services/amavis.te

@@ -161,11 +161,6 @@ optional_policy(`
 	cron_rw_pipes(amavis_t)
 ')
 
-optional_policy(`
-	dcc_domtrans_client(amavis_t)
-	dcc_stream_connect_dccifd(amavis_t)
-')
-
 optional_policy(`
 	mta_read_config(amavis_t)
 ')

policy/modules/services/apache.te

@@ -757,10 +757,6 @@ optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')
 
-optional_policy(`
-	ccs_read_config(httpd_t)
-')
-
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_t)
 ')

policy/modules/services/callweaver.fc

@@ -1,13 +0,0 @@
-/etc/rc\.d/init\.d/callweaver	--	gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
-
-/usr/bin/callweaver	--	gen_context(system_u:object_r:callweaver_exec_t,s0)
-
-/usr/sbin/callweaver	--	gen_context(system_u:object_r:callweaver_exec_t,s0)
-
-/var/lib/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_var_lib_t,s0)
-
-/var/log/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_log_t,s0)
-
-/run/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_runtime_t,s0)
-
-/var/spool/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_spool_t,s0)

policy/modules/services/callweaver.if

@@ -1,78 +0,0 @@
-## <summary>PBX software.</summary>
-
-########################################
-## <summary>
-##	Execute callweaver in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`callweaver_exec',`
-	gen_require(`
-		type callweaver_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, callweaver_exec_t)
-')
-
-########################################
-## <summary>
-##	Connect to callweaver over a
-##	unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`callweaver_stream_connect',`
-	gen_require(`
-		type callweaver_t, callweaver_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, callweaver_runtime_t, callweaver_runtime_t, callweaver_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an callweaver environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`callweaver_admin',`
-	gen_require(`
-		type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
-		type callweaver_var_lib_t, callweaver_runtime_t, callweaver_spool_t;
-	')
-
-	allow $1 callweaver_t:process { ptrace signal_perms };
-	ps_process_pattern($1, callweaver_t)
-
-	init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, callweaver_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, callweaver_runtime_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
-')

policy/modules/services/callweaver.te

@@ -1,85 +0,0 @@
-policy_module(callweaver, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type callweaver_t;
-type callweaver_exec_t;
-init_daemon_domain(callweaver_t, callweaver_exec_t)
-
-type callweaver_initrc_exec_t;
-init_script_file(callweaver_initrc_exec_t)
-
-type callweaver_log_t;
-logging_log_file(callweaver_log_t)
-
-type callweaver_runtime_t alias callweaver_var_run_t;
-files_runtime_file(callweaver_runtime_t)
-
-type callweaver_var_lib_t;
-files_type(callweaver_var_lib_t)
-
-type callweaver_spool_t;
-files_type(callweaver_spool_t)
-
-########################################
-#
-# Local policy
-#
-
-allow callweaver_t self:capability { setgid setuid sys_nice };
-allow callweaver_t self:process { setsched signal };
-allow callweaver_t self:fifo_file rw_fifo_file_perms;
-allow callweaver_t self:tcp_socket { accept listen };
-allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-append_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-create_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-setattr_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-manage_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-manage_sock_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-files_runtime_filetrans(callweaver_t, callweaver_runtime_t, { dir file sock_file })
-
-manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
-
-kernel_read_kernel_sysctls(callweaver_t)
-kernel_read_sysctl(callweaver_t)
-
-corenet_all_recvfrom_netlabel(callweaver_t)
-corenet_udp_sendrecv_generic_if(callweaver_t)
-corenet_udp_sendrecv_generic_node(callweaver_t)
-corenet_udp_bind_generic_node(callweaver_t)
-
-corenet_sendrecv_asterisk_server_packets(callweaver_t)
-corenet_udp_bind_asterisk_port(callweaver_t)
-
-corenet_sendrecv_generic_server_packets(callweaver_t)
-corenet_udp_bind_generic_port(callweaver_t)
-
-corenet_sendrecv_sip_server_packets(callweaver_t)
-corenet_udp_bind_sip_port(callweaver_t)
-
-dev_manage_generic_symlinks(callweaver_t)
-
-domain_use_interactive_fds(callweaver_t)
-
-term_getattr_pty_fs(callweaver_t)
-term_use_generic_ptys(callweaver_t)
-term_use_ptmx(callweaver_t)
-
-auth_use_nsswitch(callweaver_t)
-
-miscfiles_read_localization(callweaver_t)

policy/modules/services/ccs.fc

@@ -1,14 +0,0 @@
-/etc/cluster(/.*)?	gen_context(system_u:object_r:cluster_conf_t,s0)
-
-/etc/rc\.d/init\.d/((ccs)|(ccsd))	--	gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
-
-/usr/bin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/usr/sbin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/var/lib/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
-/var/log/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_log_t,s0)
-
-/run/cluster/((ccs)|(ccsd))\.pid	--	gen_context(system_u:object_r:ccs_runtime_t,s0)
-/run/cluster/((ccs)|(ccsd))\.sock	-s	gen_context(system_u:object_r:ccs_runtime_t,s0)

policy/modules/services/ccs.if

@@ -1,124 +0,0 @@
-## <summary>Cluster Configuration System.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run ccs.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ccs_domtrans',`
-	gen_require(`
-		type ccs_t, ccs_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ccs_exec_t, ccs_t)
-')
-
-########################################
-## <summary>
-##	Connect to ccs over an unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_stream_connect',`
-	gen_require(`
-		type ccs_t, ccs_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ccs_runtime_t, ccs_runtime_t, ccs_t)
-')
-
-########################################
-## <summary>
-##	Read cluster configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_read_config',`
-	gen_require(`
-		type cluster_conf_t;
-	')
-
-	files_search_etc($1)
-	read_files_pattern($1, cluster_conf_t, cluster_conf_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	cluster configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_manage_config',`
-	gen_require(`
-		type cluster_conf_t;
-	')
-
-	files_search_etc($1)
-	manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
-	manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an ccs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ccs_admin',`
-	gen_require(`
-		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t, ccs_var_log_t;
-		type ccs_runtime_t, ccs_tmp_t;
-	')
-
-	allow $1 ccs_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ccs_t)
-
-	init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, cluster_conf_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, ccs_var_lib_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, ccs_var_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, ccs_runtime_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, ccs_tmp_t)
-')

policy/modules/services/ccs.te

@@ -1,126 +0,0 @@
-policy_module(ccs, 1.14.0)
-
-########################################
-#
-# Declarations
-#
-
-type ccs_t;
-type ccs_exec_t;
-init_daemon_domain(ccs_t, ccs_exec_t)
-
-type ccs_initrc_exec_t;
-init_script_file(ccs_initrc_exec_t)
-
-type cluster_conf_t;
-files_config_file(cluster_conf_t)
-
-type ccs_runtime_t alias ccs_var_run_t;
-files_runtime_file(ccs_runtime_t)
-
-type ccs_tmp_t;
-files_tmp_file(ccs_tmp_t)
-
-type ccs_tmpfs_t;
-files_tmpfs_file(ccs_tmpfs_t)
-
-type ccs_var_lib_t;
-logging_log_file(ccs_var_lib_t)
-
-type ccs_var_log_t;
-logging_log_file(ccs_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
-allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
-allow ccs_t self:fifo_file rw_fifo_file_perms;
-allow ccs_t self:unix_stream_socket { accept connectto listen };
-allow ccs_t self:tcp_socket { accept listen };
-allow ccs_t self:udp_socket { accept listen };
-allow ccs_t self:socket create_socket_perms;
-
-manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
-
-allow ccs_t ccs_tmp_t:dir manage_dir_perms;
-manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
-manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
-files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file })
-
-manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
-
-manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
-manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
-files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file })
-
-allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file })
-
-manage_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t)
-manage_sock_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t)
-files_runtime_filetrans(ccs_t, ccs_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ccs_t)
-
-corecmd_list_bin(ccs_t)
-corecmd_exec_bin(ccs_t)
-
-corenet_all_recvfrom_netlabel(ccs_t)
-corenet_tcp_sendrecv_generic_if(ccs_t)
-corenet_udp_sendrecv_generic_if(ccs_t)
-corenet_tcp_sendrecv_generic_node(ccs_t)
-corenet_udp_sendrecv_generic_node(ccs_t)
-corenet_tcp_bind_generic_node(ccs_t)
-corenet_udp_bind_generic_node(ccs_t)
-
-corenet_sendrecv_cluster_server_packets(ccs_t)
-corenet_tcp_bind_cluster_port(ccs_t)
-corenet_udp_bind_cluster_port(ccs_t)
-
-corenet_sendrecv_netsupport_server_packets(ccs_t)
-corenet_udp_bind_netsupport_port(ccs_t)
-
-dev_read_urand(ccs_t)
-
-files_read_etc_files(ccs_t)
-files_read_etc_runtime_files(ccs_t)
-
-init_rw_script_tmp_files(ccs_t)
-
-logging_send_syslog_msg(ccs_t)
-
-miscfiles_read_localization(ccs_t)
-
-sysnet_dns_name_resolve(ccs_t)
-
-userdom_manage_unpriv_user_shared_mem(ccs_t)
-userdom_manage_unpriv_user_semaphores(ccs_t)
-
-ifdef(`hide_broken_symptoms',`
-	kernel_manage_unlabeled_files(ccs_t)
-	corecmd_dontaudit_write_bin_dirs(ccs_t)
-')
-
-optional_policy(`
-	aisexec_stream_connect(ccs_t)
-	corosync_stream_connect(ccs_t)
-')
-
-optional_policy(`
-	qpidd_rw_semaphores(ccs_t)
-	qpidd_rw_shm(ccs_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ccs_t)
-')

policy/modules/services/cipe.fc

@@ -1,5 +0,0 @@
-/etc/rc\.d/init\.d/ciped.*	--	gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
-
-/usr/bin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)
-
-/usr/sbin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)

policy/modules/services/cipe.if

@@ -1,29 +0,0 @@
-## <summary>Encrypted tunnel daemon.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an cipe environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`cipe_admin',`
-	gen_require(`
-		type ciped_t, ciped_initrc_exec_t;
-	')
-
-	allow $1 ciped_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ciped_t)
-
-	init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t)
-')

policy/modules/services/cipe.te

@@ -1,67 +0,0 @@
-policy_module(cipe, 1.11.0)
-
-########################################
-#
-# Declarations
-#
-
-type ciped_t;
-type ciped_exec_t;
-init_daemon_domain(ciped_t, ciped_exec_t)
-
-type ciped_initrc_exec_t;
-init_script_file(ciped_initrc_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
-dontaudit ciped_t self:capability sys_tty_config;
-allow ciped_t self:process signal_perms;
-allow ciped_t self:fifo_file rw_fifo_file_perms;
-allow ciped_t self:udp_socket create_socket_perms;
-
-kernel_read_kernel_sysctls(ciped_t)
-kernel_read_system_state(ciped_t)
-
-corecmd_exec_shell(ciped_t)
-corecmd_exec_bin(ciped_t)
-
-corenet_all_recvfrom_netlabel(ciped_t)
-corenet_udp_sendrecv_generic_if(ciped_t)
-corenet_udp_sendrecv_generic_node(ciped_t)
-corenet_udp_bind_generic_node(ciped_t)
-
-corenet_sendrecv_afs_bos_server_packets(ciped_t)
-corenet_udp_bind_afs_bos_port(ciped_t)
-
-dev_read_rand(ciped_t)
-dev_read_sysfs(ciped_t)
-dev_read_urand(ciped_t)
-
-domain_use_interactive_fds(ciped_t)
-
-files_read_etc_files(ciped_t)
-files_read_etc_runtime_files(ciped_t)
-files_dontaudit_search_var(ciped_t)
-
-fs_search_auto_mountpoints(ciped_t)
-
-logging_send_syslog_msg(ciped_t)
-
-miscfiles_read_localization(ciped_t)
-
-sysnet_read_config(ciped_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-
-optional_policy(`
-	nis_use_ypbind(ciped_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ciped_t)
-')
-

policy/modules/services/clockspeed.fc

@@ -1,7 +0,0 @@
-/usr/bin/clockadd	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/clockspeed	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-/usr/bin/sntpclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclockd	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-
-/var/lib/clockspeed(/.*)?	gen_context(system_u:object_r:clockspeed_var_lib_t,s0)

policy/modules/services/clockspeed.if

@@ -1,48 +0,0 @@
-## <summary>Clock speed measurement and manipulation.</summary>
-
-########################################
-## <summary>
-##	Execute clockspeed utilities in
-##	the clockspeed_cli domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`clockspeed_domtrans_cli',`
-	gen_require(`
-		type clockspeed_cli_t, clockspeed_cli_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
-')
-
-########################################
-## <summary>
-##	Execute clockspeed utilities in the
-##	clockspeed cli domain, and allow the
-##	specified role the clockspeed cli domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`clockspeed_run_cli',`
-	gen_require(`
-		attribute_role clockspeed_cli_roles;
-	')
-
-	clockspeed_domtrans_cli($1)
-	roleattribute $2 clockspeed_cli_roles;
-')

policy/modules/services/clockspeed.te

@@ -1,73 +0,0 @@
-policy_module(clockspeed, 1.8.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role clockspeed_cli_roles;
-
-type clockspeed_cli_t;
-type clockspeed_cli_exec_t;
-application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
-role clockspeed_cli_roles types clockspeed_cli_t;
-
-type clockspeed_srv_t;
-type clockspeed_srv_exec_t;
-init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-
-type clockspeed_var_lib_t;
-files_type(clockspeed_var_lib_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow clockspeed_cli_t self:capability sys_time;
-allow clockspeed_cli_t self:udp_socket create_socket_perms;
-
-read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
-corenet_all_recvfrom_netlabel(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-
-corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
-
-files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-
-miscfiles_read_localization(clockspeed_cli_t)
-
-userdom_use_user_terminals(clockspeed_cli_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow clockspeed_srv_t self:capability { net_bind_service sys_time };
-allow clockspeed_srv_t self:udp_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
-
-manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
-corenet_all_recvfrom_netlabel(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-corenet_udp_bind_generic_node(clockspeed_srv_t)
-
-corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
-corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
-
-files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-
-miscfiles_read_localization(clockspeed_srv_t)
-
-optional_policy(`
-	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-')

policy/modules/services/clogd.fc

@@ -1,5 +0,0 @@
-/usr/bin/clogd	--	gen_context(system_u:object_r:clogd_exec_t,s0)
-
-/usr/sbin/clogd	--	gen_context(system_u:object_r:clogd_exec_t,s0)
-
-/run/clogd\.pid	--	gen_context(system_u:object_r:clogd_runtime_t,s0)

policy/modules/services/clogd.if

@@ -1,59 +0,0 @@
-## <summary>Clustered Mirror Log Server.</summary>
-
-######################################
-## <summary>
-##	Execute a domain transition to run clogd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`clogd_domtrans',`
-	gen_require(`
-		type clogd_t, clogd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clogd_exec_t, clogd_t)
-')
-
-#####################################
-## <summary>
-##	Read and write clogd semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clogd_rw_semaphores',`
-	gen_require(`
-		type clogd_t;
-	')
-
-	allow $1 clogd_t:sem rw_sem_perms;
-')
-
-########################################
-## <summary>
-##	Read and write clogd shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clogd_rw_shm',`
-	gen_require(`
-		type clogd_t, clogd_tmpfs_t;
-	')
-
-	allow $1 clogd_t:shm rw_shm_perms;
-	allow $1 clogd_tmpfs_t:dir list_dir_perms;
-	rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-	fs_search_tmpfs($1)
-')

policy/modules/services/clogd.te

@@ -1,49 +0,0 @@
-policy_module(clogd, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-type clogd_t;
-type clogd_exec_t;
-init_daemon_domain(clogd_t, clogd_exec_t)
-
-type clogd_runtime_t alias clogd_var_run_t;
-files_runtime_file(clogd_runtime_t)
-
-type clogd_tmpfs_t;
-files_tmpfs_file(clogd_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow clogd_t self:capability { mknod net_admin };
-allow clogd_t self:process signal;
-allow clogd_t self:sem create_sem_perms;
-allow clogd_t self:shm create_shm_perms;
-allow clogd_t self:netlink_socket create_socket_perms;
-
-manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
-manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
-fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
-
-manage_files_pattern(clogd_t, clogd_runtime_t, clogd_runtime_t)
-files_runtime_filetrans(clogd_t, clogd_runtime_t, file)
-
-dev_manage_generic_blk_files(clogd_t)
-dev_read_lvm_control(clogd_t)
-
-storage_raw_read_fixed_disk(clogd_t)
-storage_raw_write_fixed_disk(clogd_t)
-
-logging_send_syslog_msg(clogd_t)
-
-miscfiles_read_localization(clogd_t)
-
-optional_policy(`
-	aisexec_stream_connect(clogd_t)
-	corosync_stream_connect(clogd_t)
-')

policy/modules/services/cmirrord.fc

@@ -1,7 +0,0 @@
-/etc/rc\.d/init\.d/cmirrord	--	gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
-
-/usr/bin/cmirrord	--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
-
-/usr/sbin/cmirrord	--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
-
-/run/cmirrord\.pid	--	gen_context(system_u:object_r:cmirrord_runtime_t,s0)

policy/modules/services/cmirrord.if

@@ -1,108 +0,0 @@
-## <summary>Cluster mirror log daemon.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run cmirrord.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_domtrans',`
-	gen_require(`
-		type cmirrord_t, cmirrord_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
-')
-
-########################################
-## <summary>
-##	Execute cmirrord server in the
-##	cmirrord domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_initrc_domtrans',`
-	gen_require(`
-		type cmirrord_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Read cmirrord PID files.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_read_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-## <summary>
-##	Read and write cmirrord shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_rw_shm',`
-	gen_require(`
-		type cmirrord_t, cmirrord_tmpfs_t;
-	')
-
-	allow $1 cmirrord_t:shm rw_shm_perms;
-
-	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
-	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-	fs_search_tmpfs($1)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an cmirrord environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`cmirrord_admin',`
-	gen_require(`
-		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_runtime_t;
-	')
-
-	allow $1 cmirrord_t:process { ptrace signal_perms };
-	ps_process_pattern($1, cmirrord_t)
-
-	init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, cmirrord_runtime_t)
-')

policy/modules/services/cmirrord.te

@@ -1,57 +0,0 @@
-policy_module(cmirrord, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type cmirrord_t;
-type cmirrord_exec_t;
-init_daemon_domain(cmirrord_t, cmirrord_exec_t)
-
-type cmirrord_initrc_exec_t;
-init_script_file(cmirrord_initrc_exec_t)
-
-type cmirrord_runtime_t alias cmirrord_var_run_t;
-files_runtime_file(cmirrord_runtime_t)
-
-type cmirrord_tmpfs_t;
-files_tmpfs_file(cmirrord_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow cmirrord_t self:capability { kill net_admin };
-dontaudit cmirrord_t self:capability sys_tty_config;
-allow cmirrord_t self:process { setfscreate signal };
-allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-allow cmirrord_t self:sem create_sem_perms;
-allow cmirrord_t self:shm create_shm_perms;
-allow cmirrord_t self:netlink_socket create_socket_perms;
-allow cmirrord_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
-
-manage_files_pattern(cmirrord_t, cmirrord_runtime_t, cmirrord_runtime_t)
-files_runtime_filetrans(cmirrord_t, cmirrord_runtime_t, file)
-
-domain_use_interactive_fds(cmirrord_t)
-domain_obj_id_change_exemption(cmirrord_t)
-
-files_read_etc_files(cmirrord_t)
-
-storage_create_fixed_disk_dev(cmirrord_t)
-
-seutil_read_file_contexts(cmirrord_t)
-
-logging_send_syslog_msg(cmirrord_t)
-
-miscfiles_read_localization(cmirrord_t)
-
-optional_policy(`
-	corosync_stream_connect(cmirrord_t)
-')

policy/modules/services/condor.te

@@ -118,10 +118,6 @@ tunable_policy(`condor_tcp_network_connect',`
 	corenet_tcp_connect_all_ports(condor_domain)
 ')
 
-optional_policy(`
-	rhcs_stream_connect_cluster(condor_domain)
-')
-
 #####################################
 #
 # Master local policy

policy/modules/services/corosync.te

@@ -113,14 +113,6 @@ miscfiles_read_localization(corosync_t)
 userdom_read_user_tmp_files(corosync_t)
 userdom_manage_user_tmpfs_files(corosync_t)
 
-optional_policy(`
-	ccs_read_config(corosync_t)
-')
-
-optional_policy(`
-	cmirrord_rw_shm(corosync_t)
-')
-
 optional_policy(`
 	consoletype_exec(corosync_t)
 ')
@@ -137,17 +129,6 @@ optional_policy(`
 	qpidd_rw_shm(corosync_t)
 ')
 
-optional_policy(`
-	rhcs_getattr_fenced_exec_files(corosync_t)
-	rhcs_rw_cluster_shm(corosync_t)
-	rhcs_rw_cluster_semaphores(corosync_t)
-	rhcs_stream_connect_cluster(corosync_t)
-')
-
-optional_policy(`
-	rgmanager_manage_tmpfs_files(corosync_t)
-')
-
 optional_policy(`
 	rpc_search_nfs_state_data(corosync_t)
 ')

policy/modules/services/dcc.fc

@@ -1,30 +0,0 @@
-/etc/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/etc/dcc/dccifd	-s	gen_context(system_u:object_r:dccifd_runtime_t,s0)
-/etc/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/usr/bin/cdcc		--	gen_context(system_u:object_r:cdcc_exec_t,s0)
-/usr/bin/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/bin/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/bin/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
-/usr/bin/dccproc	--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
-/usr/bin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-
-/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/libexec/dcc/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
-
-/usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/sbin/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
-
-/var/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/var/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/var/lib/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/var/lib/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/run/dcc(/.*)?	gen_context(system_u:object_r:dcc_runtime_t,s0)
-/run/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-/run/dcc/dccifd	-s	gen_context(system_u:object_r:dccifd_runtime_t,s0)

policy/modules/services/dcc.if

@@ -1,178 +0,0 @@
-## <summary>Distributed checksum clearinghouse spam filtering.</summary>
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_cdcc',`
-	gen_require(`
-		type cdcc_t, cdcc_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, cdcc_exec_t, cdcc_t)
-')
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain, and
-##	allow the specified role the
-##	cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_cdcc',`
-	gen_require(`
-		attribute_role cdcc_roles;
-	')
-
-	dcc_domtrans_cdcc($1)
-	roleattribute $2 cdcc_roles;
-')
-
-########################################
-## <summary>
-##	Execute dcc client in the dcc
-##	client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_client',`
-	gen_require(`
-		type dcc_client_t, dcc_client_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
-')
-
-########################################
-## <summary>
-##	Send generic signals to dcc client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_signal_client',`
-	gen_require(`
-		type dcc_client_t;
-	')
-
-	allow $1 dcc_client_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute dcc client in the dcc
-##	client domain, and allow the
-##	specified role the dcc client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_client',`
-	gen_require(`
-		attribute_role dcc_client_roles;
-	')
-
-	dcc_domtrans_client($1)
-	roleattribute $2 dcc_client_roles;
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_dbclean',`
-	gen_require(`
-		type dcc_dbclean_t, dcc_dbclean_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc dbclean
-##	domain, and allow the specified
-##	role the dcc dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_dbclean',`
-	gen_require(`
-		attribute_role dcc_dbclean_roles;
-	')
-
-	dcc_domtrans_dbclean($1)
-	roleattribute $2 dcc_dbclean_roles;
-')
-
-########################################
-## <summary>
-##	Connect to dccifd over a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_stream_connect_dccifd',`
-	gen_require(`
-		type dcc_var_t, dccifd_runtime_t, dccifd_t;
-	')
-
-	files_search_var($1)
-	stream_connect_pattern($1, dcc_var_t, dccifd_runtime_t, dccifd_t)
-')

policy/modules/services/dcc.te

@@ -1,338 +0,0 @@
-policy_module(dcc, 1.17.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role cdcc_roles;
-roleattribute system_r cdcc_roles;
-
-attribute_role dcc_client_roles;
-roleattribute system_r dcc_client_roles;
-
-attribute_role dcc_dbclean_roles;
-roleattribute system_r dcc_dbclean_roles;
-
-type cdcc_t;
-type cdcc_exec_t;
-application_domain(cdcc_t, cdcc_exec_t)
-role cdcc_roles types cdcc_t;
-
-type cdcc_tmp_t;
-files_tmp_file(cdcc_tmp_t)
-
-type dcc_client_t;
-type dcc_client_exec_t;
-application_domain(dcc_client_t, dcc_client_exec_t)
-role dcc_client_roles types dcc_client_t;
-
-type dcc_client_map_t;
-files_type(dcc_client_map_t)
-
-type dcc_client_tmp_t;
-files_tmp_file(dcc_client_tmp_t)
-
-type dcc_dbclean_t;
-type dcc_dbclean_exec_t;
-application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
-role dcc_dbclean_roles types dcc_dbclean_t;
-
-type dcc_dbclean_tmp_t;
-files_tmp_file(dcc_dbclean_tmp_t)
-
-type dcc_var_t;
-files_type(dcc_var_t)
-
-type dcc_runtime_t;
-files_type(dcc_runtime_t)
-
-type dccd_t;
-type dccd_exec_t;
-init_daemon_domain(dccd_t, dccd_exec_t)
-
-type dccd_tmp_t;
-files_tmp_file(dccd_tmp_t)
-
-type dccd_runtime_t;
-files_runtime_file(dccd_runtime_t)
-
-type dccifd_t;
-type dccifd_exec_t;
-init_daemon_domain(dccifd_t, dccifd_exec_t)
-
-type dccifd_runtime_t alias dccifd_var_run_t;
-files_runtime_file(dccifd_runtime_t)
-
-type dccifd_tmp_t;
-files_tmp_file(dccifd_tmp_t)
-
-type dccm_t;
-type dccm_exec_t;
-init_daemon_domain(dccm_t, dccm_exec_t)
-
-type dccm_runtime_t alias dccm_var_run_t;
-files_runtime_file(dccm_runtime_t)
-
-type dccm_tmp_t;
-files_tmp_file(dccm_tmp_t)
-
-########################################
-#
-# Daemon controller local policy
-#
-
-allow cdcc_t self:capability { setgid setuid };
-
-manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
-manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
-files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
-
-allow cdcc_t dcc_client_map_t:file rw_file_perms;
-
-allow cdcc_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
-
-files_read_etc_runtime_files(cdcc_t)
-
-auth_use_nsswitch(cdcc_t)
-
-logging_send_syslog_msg(cdcc_t)
-
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
-
-########################################
-#
-# Procmail interface local policy
-#
-
-allow dcc_client_t self:capability { setgid setuid };
-
-allow dcc_client_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
-manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
-files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
-
-allow dcc_client_t dcc_var_t:dir list_dir_perms;
-manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
-
-kernel_read_system_state(dcc_client_t)
-
-files_read_etc_runtime_files(dcc_client_t)
-
-fs_getattr_all_fs(dcc_client_t)
-
-auth_use_nsswitch(dcc_client_t)
-
-logging_send_syslog_msg(dcc_client_t)
-
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
-
-optional_policy(`
-	amavis_read_spool_files(dcc_client_t)
-')
-
-optional_policy(`
-	spamassassin_read_spamd_tmp_files(dcc_client_t)
-')
-
-########################################
-#
-# Database cleanup local policy
-#
-
-allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
-manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
-files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
-
-manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-
-kernel_read_system_state(dcc_dbclean_t)
-
-files_read_etc_runtime_files(dcc_dbclean_t)
-
-auth_use_nsswitch(dcc_dbclean_t)
-
-logging_send_syslog_msg(dcc_dbclean_t)
-
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow dccd_t self:capability net_admin;
-dontaudit dccd_t self:capability sys_tty_config;
-allow dccd_t self:process signal_perms;
-
-allow dccd_t dcc_client_map_t:file rw_file_perms;
-
-allow dccd_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-
-domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-
-manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
-manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
-files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-
-manage_dirs_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t)
-manage_files_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t)
-files_runtime_filetrans(dccd_t, dccd_runtime_t, { dir file })
-
-kernel_read_system_state(dccd_t)
-kernel_read_kernel_sysctls(dccd_t)
-
-corenet_all_recvfrom_netlabel(dccd_t)
-corenet_udp_sendrecv_generic_if(dccd_t)
-corenet_udp_sendrecv_generic_node(dccd_t)
-corenet_udp_bind_generic_node(dccd_t)
-
-corenet_udp_bind_dcc_port(dccd_t)
-corenet_sendrecv_dcc_server_packets(dccd_t)
-
-corecmd_search_bin(dccd_t)
-
-dev_read_sysfs(dccd_t)
-
-domain_use_interactive_fds(dccd_t)
-
-files_read_etc_runtime_files(dccd_t)
-
-fs_getattr_all_fs(dccd_t)
-fs_search_auto_mountpoints(dccd_t)
-
-auth_use_nsswitch(dccd_t)
-
-logging_send_syslog_msg(dccd_t)
-
-miscfiles_read_localization(dccd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_user_home_dirs(dccd_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccd_t)
-')
-
-########################################
-#
-# Spamassassin and general MTA persistent client local policy
-#
-
-dontaudit dccifd_t self:capability sys_tty_config;
-allow dccifd_t self:process signal_perms;
-allow dccifd_t self:unix_stream_socket { accept listen };
-
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
-manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
-files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-
-manage_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
-manage_sock_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
-filetrans_pattern(dccifd_t, dcc_var_t, dccifd_runtime_t, { file sock_file })
-files_runtime_filetrans(dccifd_t, dccifd_runtime_t, file)
-
-kernel_read_system_state(dccifd_t)
-kernel_read_kernel_sysctls(dccifd_t)
-
-dev_read_sysfs(dccifd_t)
-
-domain_use_interactive_fds(dccifd_t)
-
-files_read_etc_runtime_files(dccifd_t)
-
-fs_getattr_all_fs(dccifd_t)
-fs_search_auto_mountpoints(dccifd_t)
-
-auth_use_nsswitch(dccifd_t)
-
-logging_send_syslog_msg(dccifd_t)
-
-miscfiles_read_localization(dccifd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_user_home_dirs(dccifd_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccifd_t)
-')
-
-########################################
-#
-# Sendmail milter client local policy
-#
-
-dontaudit dccm_t self:capability sys_tty_config;
-allow dccm_t self:process signal_perms;
-allow dccm_t self:unix_stream_socket { accept listen };
-
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
-manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
-files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-
-manage_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
-manage_sock_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
-filetrans_pattern(dccm_t, dcc_runtime_t, dccm_runtime_t, { file sock_file })
-files_runtime_filetrans(dccm_t, dccm_runtime_t, file)
-
-kernel_read_system_state(dccm_t)
-kernel_read_kernel_sysctls(dccm_t)
-
-dev_read_sysfs(dccm_t)
-
-domain_use_interactive_fds(dccm_t)
-
-files_read_etc_runtime_files(dccm_t)
-
-fs_getattr_all_fs(dccm_t)
-fs_search_auto_mountpoints(dccm_t)
-
-auth_use_nsswitch(dccm_t)
-
-logging_send_syslog_msg(dccm_t)
-
-miscfiles_read_localization(dccm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_user_home_dirs(dccm_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccm_t)
-')
-

policy/modules/services/denyhosts.fc

@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/denyhosts	--	gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
-
-/usr/bin/denyhosts\.py	--	gen_context(system_u:object_r:denyhosts_exec_t,s0)
-
-/var/lib/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
-
-/var/lock/subsys/denyhosts	--	gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
-
-/var/log/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_log_t,s0)

policy/modules/services/denyhosts.if

@@ -1,76 +0,0 @@
-## <summary>SSH dictionary attack mitigation.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run denyhosts.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`denyhosts_domtrans',`
-	gen_require(`
-		type denyhosts_t, denyhosts_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
-')
-
-########################################
-## <summary>
-##	Execute denyhost server in the
-##	denyhost domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`denyhosts_initrc_domtrans',`
-	gen_require(`
-		type denyhosts_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an denyhosts environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-#
-interface(`denyhosts_admin',`
-	gen_require(`
-		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
-		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
-	')
-
-	allow $1 denyhosts_t:process { ptrace signal_perms };
-	ps_process_pattern($1, denyhosts_t)
-
-	init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, denyhosts_var_lib_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, denyhosts_var_log_t)
-
-	files_search_locks($1)
-	admin_pattern($1, denyhosts_var_lock_t)
-')

policy/modules/services/denyhosts.te

@@ -1,71 +0,0 @@
-policy_module(denyhosts, 1.4.0)
-
-########################################
-#
-# Declarations
-#
-
-type denyhosts_t;
-type denyhosts_exec_t;
-init_daemon_domain(denyhosts_t, denyhosts_exec_t)
-
-type denyhosts_initrc_exec_t;
-init_script_file(denyhosts_initrc_exec_t)
-
-type denyhosts_var_lib_t;
-files_type(denyhosts_var_lib_t)
-
-type denyhosts_var_lock_t;
-files_lock_file(denyhosts_var_lock_t)
-
-type denyhosts_var_log_t;
-logging_log_file(denyhosts_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow denyhosts_t self:capability sys_tty_config;
-allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-allow denyhosts_t self:netlink_route_socket nlmsg_write;
-
-manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
-
-manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
-manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
-files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
-
-append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
-
-kernel_read_network_state(denyhosts_t)
-kernel_read_system_state(denyhosts_t)
-
-corecmd_exec_bin(denyhosts_t)
-corecmd_exec_shell(denyhosts_t)
-
-corenet_all_recvfrom_netlabel(denyhosts_t)
-corenet_tcp_sendrecv_generic_if(denyhosts_t)
-corenet_tcp_sendrecv_generic_node(denyhosts_t)
-
-corenet_sendrecv_smtp_client_packets(denyhosts_t)
-corenet_tcp_connect_smtp_port(denyhosts_t)
-
-dev_read_urand(denyhosts_t)
-
-logging_read_generic_logs(denyhosts_t)
-logging_send_syslog_msg(denyhosts_t)
-
-miscfiles_read_localization(denyhosts_t)
-
-sysnet_dns_name_resolve(denyhosts_t)
-sysnet_manage_config(denyhosts_t)
-sysnet_etc_filetrans_config(denyhosts_t)
-
-optional_policy(`
-	cron_system_entry(denyhosts_t, denyhosts_exec_t)
-')

policy/modules/services/dspam.fc

@@ -1,12 +0,0 @@
-/etc/rc\.d/init\.d/dspam	--	gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
-
-/usr/bin/dspam	--	gen_context(system_u:object_r:dspam_exec_t,s0)
-
-/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-
-/var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)?	gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
-
-/var/log/dspam(/.*)?	gen_context(system_u:object_r:dspam_log_t,s0)
-
-/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_runtime_t,s0)

policy/modules/services/dspam.if

@@ -1,79 +0,0 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run dspam.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dspam_domtrans',`
-	gen_require(`
-		type dspam_t, dspam_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dspam_exec_t, dspam_t)
-')
-
-#######################################
-## <summary>
-##	Connect to dspam using a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dspam_stream_connect',`
-	gen_require(`
-		type dspam_t, dspam_runtime_t;
-	')
-
-	files_search_runtime($1)
-	files_search_tmp($1)
-	stream_connect_pattern($1, dspam_runtime_t, dspam_runtime_t, dspam_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an dspam environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dspam_admin',`
-	gen_require(`
-		type dspam_t, dspam_initrc_exec_t, dspam_log_t;
-		type dspam_var_lib_t, dspam_runtime_t;
-	')
-
-	allow $1 dspam_t:process { ptrace signal_perms };
-	ps_process_pattern($1, dspam_t)
-
-	init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, dspam_log_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, dspam_var_lib_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, dspam_runtime_t)
-')

policy/modules/services/dspam.te

@@ -1,87 +0,0 @@
-policy_module(dspam, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type dspam_t;
-type dspam_exec_t;
-init_daemon_domain(dspam_t, dspam_exec_t)
-
-type dspam_initrc_exec_t;
-init_script_file(dspam_initrc_exec_t)
-
-type dspam_log_t;
-logging_log_file(dspam_log_t)
-
-type dspam_runtime_t alias dspam_var_run_t;
-files_runtime_file(dspam_runtime_t)
-
-type dspam_var_lib_t;
-files_type(dspam_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dspam_t self:capability net_admin;
-allow dspam_t self:process signal;
-allow dspam_t self:fifo_file rw_fifo_file_perms;
-allow dspam_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
-append_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-create_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-setattr_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-logging_log_filetrans(dspam_t, dspam_log_t, dir)
-
-manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-files_var_lib_filetrans(dspam_t, dspam_var_lib_t, dir)
-
-manage_dirs_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-manage_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-manage_sock_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-files_runtime_filetrans(dspam_t, dspam_runtime_t, dir)
-
-corenet_all_recvfrom_netlabel(dspam_t)
-corenet_tcp_sendrecv_generic_if(dspam_t)
-corenet_tcp_sendrecv_generic_node(dspam_t)
-corenet_tcp_bind_generic_node(dspam_t)
-
-corenet_sendrecv_spamd_client_packets(dspam_t)
-corenet_sendrecv_spamd_server_packets(dspam_t)
-corenet_tcp_bind_spamd_port(dspam_t)
-corenet_tcp_connect_spamd_port(dspam_t)
-
-files_search_spool(dspam_t)
-
-auth_use_nsswitch(dspam_t)
-
-logging_send_syslog_msg(dspam_t)
-
-miscfiles_read_localization(dspam_t)
-
-optional_policy(`
-	apache_content_template(dspam)
-
-	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(dspam_t)
-	mysql_read_config(dspam_t)
-
-	mysql_tcp_connect(dspam_t)
-')
-
-optional_policy(`
-	postgresql_stream_connect(dspam_t)
-	postgresql_unpriv_client(dspam_t)
-
-	postgresql_tcp_connect(dspam_t)
-')

policy/modules/services/howl.fc

@@ -1,6 +0,0 @@
-/etc/rc\.d/init\.d/((nifd)|(mDNSResponder))	--	gen_context(system_u:object_r:howl_initrc_exec_t,s0)
-
-/usr/bin/mDNSResponder	--	gen_context(system_u:object_r:howl_exec_t,s0)
-/usr/bin/nifd	--	gen_context(system_u:object_r:howl_exec_t,s0)
-
-/run/nifd\.pid	--	gen_context(system_u:object_r:howl_runtime_t,s0)

policy/modules/services/howl.if

@@ -1,50 +0,0 @@
-## <summary>Port of Apple Rendezvous multicast DNS.</summary>
-
-########################################
-## <summary>
-##	Send generic signals to howl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`howl_signal',`
-	gen_require(`
-		type howl_t;
-	')
-
-	allow $1 howl_t:process signal;
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an howl environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`howl_admin',`
-	gen_require(`
-		type howl_t, howl_initrc_exec_t, howl_runtime_t;
-	')
-
-	allow $1 howl_t:process { ptrace signal_perms };
-	ps_process_pattern($1, howl_t)
-
-	init_startstop_service($1, $2, howl_t, howl_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, howl_runtime_t)
-')

policy/modules/services/howl.te

@@ -1,73 +0,0 @@
-policy_module(howl, 1.15.0)
-
-########################################
-#
-# Declarations
-#
-
-type howl_t;
-type howl_exec_t;
-application_executable_file(howl_exec_t)
-init_daemon_domain(howl_t, howl_exec_t)
-
-type howl_initrc_exec_t;
-init_script_file(howl_initrc_exec_t)
-
-type howl_runtime_t alias howl_var_run_t;
-files_runtime_file(howl_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-allow howl_t self:capability { kill net_admin };
-dontaudit howl_t self:capability sys_tty_config;
-allow howl_t self:process signal_perms;
-allow howl_t self:fifo_file rw_fifo_file_perms;
-allow howl_t self:tcp_socket { accept listen };
-
-manage_files_pattern(howl_t, howl_runtime_t, howl_runtime_t)
-files_runtime_filetrans(howl_t, howl_runtime_t, file)
-
-kernel_read_network_state(howl_t)
-kernel_read_kernel_sysctls(howl_t)
-kernel_request_load_module(howl_t)
-kernel_list_proc(howl_t)
-kernel_read_proc_symlinks(howl_t)
-
-corenet_all_recvfrom_netlabel(howl_t)
-corenet_tcp_sendrecv_generic_if(howl_t)
-corenet_udp_sendrecv_generic_if(howl_t)
-corenet_tcp_sendrecv_generic_node(howl_t)
-corenet_udp_sendrecv_generic_node(howl_t)
-corenet_tcp_bind_generic_node(howl_t)
-corenet_udp_bind_generic_node(howl_t)
-
-corenet_sendrecv_howl_server_packets(howl_t)
-corenet_tcp_bind_howl_port(howl_t)
-corenet_udp_bind_howl_port(howl_t)
-
-dev_read_sysfs(howl_t)
-
-fs_getattr_all_fs(howl_t)
-fs_search_auto_mountpoints(howl_t)
-
-domain_use_interactive_fds(howl_t)
-
-auth_use_nsswitch(howl_t)
-
-init_read_utmp(howl_t)
-init_dontaudit_write_utmp(howl_t)
-
-logging_send_syslog_msg(howl_t)
-
-miscfiles_read_localization(howl_t)
-
-userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_user_home_dirs(howl_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(howl_t)
-')
-

policy/modules/services/imaze.fc

@@ -1,7 +0,0 @@
-/usr/games/imazesrv	--	gen_context(system_u:object_r:imazesrv_exec_t,s0)
-
-/usr/share/games/imaze(/.*)?	gen_context(system_u:object_r:imazesrv_data_t,s0)
-
-/var/log/imaze\.log.*	--	gen_context(system_u:object_r:imazesrv_log_t,s0)
-
-/run/imaze\.pid	--	gen_context(system_u:object_r:imazesrv_runtime_t,s0)

policy/modules/services/imaze.if

@@ -1 +0,0 @@
-## <summary>iMaze game server.</summary>

policy/modules/services/imaze.te

@@ -1,79 +0,0 @@
-policy_module(imaze, 1.12.0)
-
-########################################
-#
-# Declarations
-#
-
-type imazesrv_t;
-type imazesrv_exec_t;
-application_executable_file(imazesrv_exec_t)
-init_daemon_domain(imazesrv_t, imazesrv_exec_t)
-
-type imazesrv_data_t;
-files_type(imazesrv_data_t)
-
-type imazesrv_log_t;
-logging_log_file(imazesrv_log_t)
-
-type imazesrv_runtime_t alias imazesrv_var_run_t;
-files_runtime_file(imazesrv_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
-allow imazesrv_t self:fifo_file rw_fifo_file_perms;
-allow imazesrv_t self:tcp_socket { accept listen };
-allow imazesrv_t self:unix_dgram_socket sendto;
-allow imazesrv_t self:unix_stream_socket { accept connectto listen };
-
-allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
-read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
-read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
-
-allow imazesrv_t imazesrv_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
-
-manage_files_pattern(imazesrv_t, imazesrv_runtime_t, imazesrv_runtime_t)
-files_runtime_filetrans(imazesrv_t, imazesrv_runtime_t, file)
-
-kernel_list_proc(imazesrv_t)
-kernel_read_kernel_sysctls(imazesrv_t)
-kernel_read_proc_symlinks(imazesrv_t)
-
-corenet_all_recvfrom_netlabel(imazesrv_t)
-corenet_tcp_sendrecv_generic_if(imazesrv_t)
-corenet_udp_sendrecv_generic_if(imazesrv_t)
-corenet_tcp_sendrecv_generic_node(imazesrv_t)
-corenet_udp_sendrecv_generic_node(imazesrv_t)
-corenet_tcp_bind_generic_node(imazesrv_t)
-corenet_udp_bind_generic_node(imazesrv_t)
-
-corenet_sendrecv_imaze_server_packets(imazesrv_t)
-corenet_tcp_bind_imaze_port(imazesrv_t)
-corenet_udp_bind_imaze_port(imazesrv_t)
-
-dev_read_sysfs(imazesrv_t)
-
-domain_use_interactive_fds(imazesrv_t)
-
-fs_getattr_all_fs(imazesrv_t)
-fs_search_auto_mountpoints(imazesrv_t)
-
-auth_use_nsswitch(imazesrv_t)
-
-logging_send_syslog_msg(imazesrv_t)
-
-miscfiles_read_localization(imazesrv_t)
-
-userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_user_home_dirs(imazesrv_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(imazesrv_t)
-')
-

policy/modules/services/jockey.fc

@@ -1,6 +0,0 @@
-/usr/share/jockey/jockey-backend	--	gen_context(system_u:object_r:jockey_exec_t,s0)
-
-/var/cache/jockey(/.*)?	gen_context(system_u:object_r:jockey_cache_t,s0)
-
-/var/log/jockey(/.*)?	gen_context(system_u:object_r:jockey_var_log_t,s0)
-/var/log/jockey\.log.*	--	gen_context(system_u:object_r:jockey_var_log_t,s0)

policy/modules/services/jockey.if

@@ -1 +0,0 @@
-## <summary>Jockey driver manager.</summary>

policy/modules/services/jockey.te

@@ -1,59 +0,0 @@
-policy_module(jockey, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type jockey_t;
-type jockey_exec_t;
-init_daemon_domain(jockey_t, jockey_exec_t)
-
-type jockey_cache_t;
-files_type(jockey_cache_t)
-
-type jockey_var_log_t;
-logging_log_file(jockey_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow jockey_t self:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
-
-manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-append_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
-
-kernel_read_system_state(jockey_t)
-
-corecmd_exec_bin(jockey_t)
-corecmd_exec_shell(jockey_t)
-
-dev_read_rand(jockey_t)
-dev_read_sysfs(jockey_t)
-dev_read_urand(jockey_t)
-
-domain_use_interactive_fds(jockey_t)
-
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
-
-miscfiles_read_localization(jockey_t)
-
-optional_policy(`
-	dbus_system_domain(jockey_t, jockey_exec_t)
-')
-
-optional_policy(`
-	modutils_domtrans(jockey_t)
-	modutils_read_module_config(jockey_t)
-')

policy/modules/services/ktalk.fc

@@ -1,9 +0,0 @@
-/usr/bin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/bin/in\.ntalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-
-/usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/sbin/in\.ntalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/sbin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-
-/var/log/talkd.*	--	gen_context(system_u:object_r:ktalkd_log_t,s0)

policy/modules/services/ktalk.if

@@ -1 +0,0 @@
-## <summary>KDE Talk daemon.</summary>

policy/modules/services/ktalk.te

@@ -1,59 +0,0 @@
-policy_module(ktalk, 1.13.0)
-
-########################################
-#
-# Declarations
-#
-
-type ktalkd_t;
-type ktalkd_exec_t;
-init_daemon_domain(ktalkd_t, ktalkd_exec_t)
-inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
-
-type ktalkd_log_t;
-logging_log_file(ktalkd_log_t)
-
-type ktalkd_tmp_t;
-files_tmp_file(ktalkd_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ktalkd_t self:process signal_perms;
-allow ktalkd_t self:fifo_file rw_fifo_file_perms;
-allow ktalkd_t self:tcp_socket { accept listen };
-
-allow ktalkd_t ktalkd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
-
-manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
-manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
-files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(ktalkd_t)
-kernel_read_system_state(ktalkd_t)
-kernel_read_network_state(ktalkd_t)
-
-corenet_all_recvfrom_netlabel(ktalkd_t)
-corenet_udp_sendrecv_generic_if(ktalkd_t)
-corenet_udp_sendrecv_generic_node(ktalkd_t)
-corenet_udp_bind_generic_node(ktalkd_t)
-
-corenet_sendrecv_ktalkd_server_packets(ktalkd_t)
-corenet_udp_bind_ktalkd_port(ktalkd_t)
-
-dev_read_urand(ktalkd_t)
-
-fs_getattr_xattr_fs(ktalkd_t)
-
-term_use_all_terms(ktalkd_t)
-
-auth_use_nsswitch(ktalkd_t)
-
-init_read_utmp(ktalkd_t)
-
-logging_send_syslog_msg(ktalkd_t)
-
-miscfiles_read_localization(ktalkd_t)

policy/modules/services/mailscanner.fc

@@ -1,15 +0,0 @@
-/etc/MailScanner(/.*)?	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/etc/rc\.d/init\.d/MailScanner	--	gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
-
-/etc/sysconfig/MailScanner	--	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/etc/sysconfig/update_spamassassin	--	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/usr/bin/MailScanner	--	gen_context(system_u:object_r:mscan_exec_t,s0)
-
-/usr/sbin/MailScanner	--	gen_context(system_u:object_r:mscan_exec_t,s0)
-
-/run/MailScanner\.pid	--	gen_context(system_u:object_r:mscan_runtime_t,s0)
-
-/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mscan_spool_t,s0)

policy/modules/services/mailscanner.if

@@ -1,60 +0,0 @@
-## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	mscan spool content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mscan_manage_spool_content',`
-	gen_require(`
-		type mscan_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
-	manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an mscan environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`mscan_admin',`
-	gen_require(`
-		type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
-		type mscan_runtime_t, mscan_spool_t;
-	')
-
-	allow $1 mscan_t:process { ptrace signal_perms };
-	ps_process_pattern($1, mscan_t)
-
-	init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, mscan_etc_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, mscan_runtime_t)
-
-	files_search_spool($1)
-	admin_pattern($1, mscan_spool_t)
-')

policy/modules/services/mailscanner.te

@@ -1,98 +0,0 @@
-policy_module(mailscanner, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type mscan_t;
-type mscan_exec_t;
-init_daemon_domain(mscan_t, mscan_exec_t)
-
-type mscan_initrc_exec_t;
-init_script_file(mscan_initrc_exec_t)
-
-type mscan_etc_t;
-files_config_file(mscan_etc_t)
-
-type mscan_runtime_t alias mscan_var_run_t;
-files_runtime_file(mscan_runtime_t)
-
-type mscan_spool_t;
-files_type(mscan_spool_t)
-
-type mscan_tmp_t;
-files_tmp_file(mscan_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mscan_t self:capability { chown dac_override setgid setuid };
-allow mscan_t self:process signal;
-allow mscan_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
-
-manage_files_pattern(mscan_t, mscan_runtime_t, mscan_runtime_t)
-files_runtime_filetrans(mscan_t, mscan_runtime_t, file)
-
-manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
-manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
-files_spool_filetrans(mscan_t, mscan_spool_t, dir)
-
-manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
-
-can_exec(mscan_t, mscan_exec_t)
-
-kernel_read_system_state(mscan_t)
-
-corecmd_exec_bin(mscan_t)
-corecmd_exec_shell(mscan_t)
-
-corenet_all_recvfrom_netlabel(mscan_t)
-corenet_tcp_bind_generic_node(mscan_t)
-corenet_udp_bind_generic_node(mscan_t)
-corenet_tcp_sendrecv_generic_if(mscan_t)
-corenet_udp_sendrecv_generic_if(mscan_t)
-corenet_tcp_sendrecv_generic_node(mscan_t)
-corenet_udp_sendrecv_generic_node(mscan_t)
-
-corenet_sendrecv_trisoap_client_packets(mscan_t)
-corenet_tcp_connect_trisoap_port(mscan_t)
-
-corenet_sendrecv_generic_server_packets(mscan_t)
-corenet_udp_bind_generic_port(mscan_t)
-
-dev_read_urand(mscan_t)
-
-files_read_usr_files(mscan_t)
-
-fs_getattr_xattr_fs(mscan_t)
-
-auth_dontaudit_read_shadow(mscan_t)
-auth_use_nsswitch(mscan_t)
-
-logging_send_syslog_msg(mscan_t)
-
-miscfiles_read_localization(mscan_t)
-
-optional_policy(`
-	clamav_domtrans_clamscan(mscan_t)
-')
-
-optional_policy(`
-	mta_send_mail(mscan_t)
-	mta_manage_queue(mscan_t)
-')
-
-optional_policy(`
-	procmail_domtrans(mscan_t)
-')
-
-optional_policy(`
-	spamassassin_read_lib_files(mscan_t)
-')

policy/modules/services/networkmanager.te

@@ -258,10 +258,6 @@ optional_policy(`
 	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
 ')
 
-optional_policy(`
-	howl_signal(NetworkManager_t)
-')
-
 optional_policy(`
 	ipsec_domtrans_mgmt(NetworkManager_t)
 	ipsec_kill_mgmt(NetworkManager_t)
@@ -313,10 +309,6 @@ optional_policy(`
 	userdom_read_all_users_state(NetworkManager_t)
 ')
 
-optional_policy(`
-	polipo_initrc_domtrans(NetworkManager_t)
-')
-
 optional_policy(`
 	ppp_initrc_domtrans(NetworkManager_t)
 	ppp_domtrans(NetworkManager_t)

policy/modules/services/oav.fc

@@ -1,12 +0,0 @@
-/etc/oav-update(/.*)?	gen_context(system_u:object_r:oav_update_etc_t,s0)
-/etc/scannerdaemon/scannerdaemon\.conf	--	gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
-
-/usr/bin/oav-update	--	gen_context(system_u:object_r:oav_update_exec_t,s0)
-/usr/bin/scannerdaemon	--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
-
-/usr/sbin/oav-update	--	gen_context(system_u:object_r:oav_update_exec_t,s0)
-/usr/sbin/scannerdaemon	--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
-
-/var/lib/oav-virussignatures	--	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/lib/oav-update(/.*)?	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/log/scannerdaemon\.log.*	--	gen_context(system_u:object_r:scannerdaemon_log_t,s0)

policy/modules/services/oav.if

@@ -1,47 +0,0 @@
-## <summary>Open AntiVirus scannerdaemon and signature update.</summary>
-
-########################################
-## <summary>
-##	Execute oav_update in the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`oav_domtrans_update',`
-	gen_require(`
-		type oav_update_t, oav_update_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, oav_update_exec_t, oav_update_t)
-')
-
-########################################
-## <summary>
-##	Execute oav_update in the oav update
-##	domain, and allow the specified role
-##	the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`oav_run_update',`
-	gen_require(`
-		attribute_role oav_update_roles;
-	')
-
-	oav_domtrans_update($1)
-	roleattribute $2 oav_update_roles;
-')

policy/modules/services/oav.te

@@ -1,122 +0,0 @@
-policy_module(oav, 1.14.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role oav_update_roles;
-
-type oav_update_t;
-type oav_update_exec_t;
-application_domain(oav_update_t, oav_update_exec_t)
-role oav_update_roles types oav_update_t;
-
-type oav_update_etc_t;
-files_config_file(oav_update_etc_t)
-
-type oav_update_var_lib_t;
-files_type(oav_update_var_lib_t)
-
-type scannerdaemon_t;
-type scannerdaemon_exec_t;
-init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
-
-type scannerdaemon_etc_t;
-files_config_file(scannerdaemon_etc_t)
-
-type scannerdaemon_log_t;
-logging_log_file(scannerdaemon_log_t)
-
-type scannerdaemon_runtime_t alias scannerdaemon_var_run_t;
-files_runtime_file(scannerdaemon_runtime_t)
-
-########################################
-#
-# Update local policy
-#
-
-allow oav_update_t self:tcp_socket create_stream_socket_perms;
-allow oav_update_t self:udp_socket create_socket_perms;
-
-allow oav_update_t oav_update_etc_t:dir list_dir_perms;
-allow oav_update_t oav_update_etc_t:file read_file_perms;
-
-manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-
-corecmd_exec_all_executables(oav_update_t)
-
-files_exec_etc_files(oav_update_t)
-
-libs_exec_ld_so(oav_update_t)
-libs_exec_lib_files(oav_update_t)
-
-logging_send_syslog_msg(oav_update_t)
-
-sysnet_read_config(oav_update_t)
-
-userdom_use_user_terminals(oav_update_t)
-
-optional_policy(`
-	cron_system_entry(oav_update_t, oav_update_exec_t)
-')
-
-########################################
-#
-# Scannerdaemon local policy
-#
-
-dontaudit scannerdaemon_t self:capability sys_tty_config;
-allow scannerdaemon_t self:process signal_perms;
-allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
-allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
-allow scannerdaemon_t self:udp_socket create_socket_perms;
-
-allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
-
-allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
-
-allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
-logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
-
-manage_files_pattern(scannerdaemon_t, scannerdaemon_runtime_t, scannerdaemon_runtime_t)
-files_runtime_filetrans(scannerdaemon_t, scannerdaemon_runtime_t, file)
-
-kernel_read_system_state(scannerdaemon_t)
-kernel_read_kernel_sysctls(scannerdaemon_t)
-
-corecmd_exec_all_executables(scannerdaemon_t)
-
-dev_read_sysfs(scannerdaemon_t)
-
-domain_use_interactive_fds(scannerdaemon_t)
-
-files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
-files_read_etc_runtime_files(scannerdaemon_t)
-files_search_var_lib(scannerdaemon_t)
-
-fs_getattr_all_fs(scannerdaemon_t)
-fs_search_auto_mountpoints(scannerdaemon_t)
-
-auth_dontaudit_read_shadow(scannerdaemon_t)
-
-libs_exec_ld_so(scannerdaemon_t)
-libs_exec_lib_files(scannerdaemon_t)
-
-logging_send_syslog_msg(scannerdaemon_t)
-
-miscfiles_read_localization(scannerdaemon_t)
-
-sysnet_read_config(scannerdaemon_t)
-
-userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(scannerdaemon_t)
-')
-

policy/modules/services/polipo.fc

@@ -1,15 +0,0 @@
-HOME_DIR/\.forbidden	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
-HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
-HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
-
-/etc/polipo(/.*)?	gen_context(system_u:object_r:polipo_conf_t,s0)
-
-/etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
-
-/usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
-
-/var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
-
-/var/log/polipo.*	--	gen_context(system_u:object_r:polipo_log_t,s0)
-
-/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_runtime_t,s0)

policy/modules/services/polipo.if

@@ -1,141 +0,0 @@
-## <summary>Lightweight forwarding and caching proxy server.</summary>
-
-########################################
-## <summary>
-##	Role access for Polipo session.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-template(`polipo_role',`
-	gen_require(`
-		type polipo_session_t, polipo_exec_t, polipo_config_home_t;
-		type polipo_cache_home_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	role $1 types polipo_session_t;
-
-	########################################
-	#
-	# Policy
-	#
-
-	allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
-	userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
-	allow $2 polipo_session_t:process { ptrace signal_perms };
-	ps_process_pattern($2, polipo_session_t)
-
-	tunable_policy(`polipo_session_users',`
-		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-	',`
-		can_exec($2, polipo_exec_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute Polipo in the Polipo
-##	system domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`polipo_initrc_domtrans',`
-	gen_require(`
-		type polipo_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Create specified objects in generic
-##	log directories with the polipo
-##	log file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`polipo_log_filetrans_log',`
-	gen_require(`
-		type polipo_log_t;
-	')
-
-	logging_log_filetrans($1, polipo_log_t, $2, $3)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an polipo environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`polipo_admin',`
-	gen_require(`
-		type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
-		type polipo_conf_t, polipo_log_t, polipo_runtime_t;
-	')
-
-	allow $1 polipo_system_t:process { ptrace signal_perms };
-	ps_process_pattern($1, polipo_system_t)
-
-	init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)
-
-	files_search_var($1)
-	admin_pattern($1, polipo_cache_t)
-
-	files_search_etc($1)
-	admin_pattern($1, polipo_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, polipo_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, polipo_runtime_t)
-')

policy/modules/services/polipo.te

@@ -1,167 +0,0 @@
-policy_module(polipo, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether Polipo system
-##	daemon can access CIFS file systems.
-##	</p>
-## </desc>
-gen_tunable(polipo_system_use_cifs, false)
-
-## <desc>
-##	<p>
-##	Determine whether Polipo system
-##	daemon can access NFS file systems.
-##	</p>
-## </desc>
-gen_tunable(polipo_system_use_nfs, false)
-
-## <desc>
-##	<p>
-##	Determine whether calling user domains
-##	can execute Polipo daemon in the
-##	polipo_session_t domain.
-##	</p>
-## </desc>
-gen_tunable(polipo_session_users, false)
-
-## <desc>
-##	<p>
-##	Determine whether Polipo session daemon
-##	can send syslog messages.
-##	</p>
-## </desc>
-gen_tunable(polipo_session_send_syslog_msg, false)
-
-attribute polipo_daemon;
-
-type polipo_system_t, polipo_daemon;
-type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
-
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
-
-type polipo_cache_t;
-files_type(polipo_cache_t)
-
-type polipo_cache_home_t;
-userdom_user_home_content(polipo_cache_home_t)
-
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
-
-type polipo_initrc_exec_t;
-init_script_file(polipo_initrc_exec_t)
-
-type polipo_log_t;
-logging_log_file(polipo_log_t)
-
-type polipo_runtime_t alias polipo_var_run_t;
-files_runtime_file(polipo_runtime_t)
-
-type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
-
-########################################
-#
-# Session local policy
-#
-
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
-
-tunable_policy(`polipo_session_send_syslog_msg',`
-	logging_send_syslog_msg(polipo_session_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_session_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_session_t)
-')
-
-########################################
-#
-# System local policy
-#
-
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
-
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
-
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
-
-manage_files_pattern(polipo_system_t, polipo_runtime_t, polipo_runtime_t)
-files_runtime_filetrans(polipo_system_t, polipo_runtime_t, file)
-
-auth_use_nsswitch(polipo_system_t)
-
-logging_send_syslog_msg(polipo_system_t)
-
-optional_policy(`
-	cron_system_entry(polipo_system_t, polipo_exec_t)
-')
-
-tunable_policy(`polipo_system_use_cifs',`
-	fs_manage_cifs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_system_t)
-')
-
-tunable_policy(`polipo_system_use_nfs',`
-	fs_manage_nfs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_system_t)
-')
-
-########################################
-#
-# Polipo global local policy
-#
-
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
-
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
-
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
-
-corenet_sendrecv_tor_client_packets(polipo_daemon)
-corenet_tcp_connect_tor_port(polipo_daemon)
-
-files_read_usr_files(polipo_daemon)
-
-fs_search_auto_mountpoints(polipo_daemon)
-
-miscfiles_read_localization(polipo_daemon)

policy/modules/services/postfix.te

@@ -472,10 +472,6 @@ optional_policy(`
 	dovecot_domtrans_deliver(postfix_local_t)
 ')
 
-optional_policy(`
-	dspam_domtrans(postfix_local_t)
-')
-
 optional_policy(`
 	mailman_manage_data_files(postfix_local_t)
 	mailman_append_log(postfix_local_t)
@@ -775,10 +771,6 @@ optional_policy(`
 	dovecot_stream_connect(postfix_smtp_t)
 ')
 
-optional_policy(`
-	dspam_stream_connect(postfix_smtp_t)
-')
-
 optional_policy(`
 	milter_stream_connect_all(postfix_smtp_t)
 ')

policy/modules/services/pyicqt.fc

@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t	--	gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.*	--	gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/run/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_runtime_t,s0)
-
-/var/spool/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_spool_t,s0)

policy/modules/services/pyicqt.if

@@ -1,42 +0,0 @@
-## <summary>ICQ transport for XMPP server.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an pyicqt environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`pyicqt_admin',`
-	gen_require(`
-		type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
-		type pyicqt_runtime_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
-	')
-
-	allow $1 pyicqt_t:process { ptrace signal_perms };
-	ps_process_pattern($1, pyicqt_t)
-
-	init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, pyicqt_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, pyicqt_log_t)
-
-	files_search_spool($1)
-	admin_pattern($1, pyicqt_spool_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, pyicqt_runtime_t)
-')

policy/modules/services/pyicqt.te

@@ -1,90 +0,0 @@
-policy_module(pyicqt, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_runtime_t alias pyicqt_var_run_t;
-files_runtime_file(pyicqt_runtime_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_runtime_t, pyicqt_runtime_t)
-files_runtime_filetrans(pyicqt_t, pyicqt_runtime_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
-	jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(pyicqt_t)
-	mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pyicqt_t)
-')

policy/modules/services/rgmanager.fc

@@ -1,15 +0,0 @@
-/etc/rc\.d/init\.d/rgmanager	--	gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-
-/usr/bin/ccs_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/bin/cman_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/bin/rgmanager	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-
-/usr/sbin/ccs_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/rgmanager	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-
-/var/log/cluster/rgmanager\.log.*	--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-
-/run/cluster/rgmanager\.sk	-s	gen_context(system_u:object_r:rgmanager_runtime_t,s0)
-
-/run/rgmanager\.pid	--	gen_context(system_u:object_r:rgmanager_runtime_t,s0)

policy/modules/services/rgmanager.if

@@ -1,120 +0,0 @@
-## <summary>Resource Group Manager.</summary>
-
-#######################################
-## <summary>
-##	Execute a domain transition to run rgmanager.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rgmanager_domtrans',`
-	gen_require(`
-		type rgmanager_t, rgmanager_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
-')
-
-########################################
-## <summary>
-##	Connect to rgmanager with a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_stream_connect',`
-	gen_require(`
-		type rgmanager_t, rgmanager_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, rgmanager_runtime_t, rgmanager_runtime_t, rgmanager_t)
-')
-
-######################################
-## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmp files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_manage_tmp_files',`
-	gen_require(`
-		type rgmanager_tmp_t;
-	')
-
-	files_search_tmp($1)
-	manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
-')
-
-######################################
-## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_manage_tmpfs_files',`
-	gen_require(`
-		type rgmanager_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	All of the rules required to
-##	administrate an rgmanager environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`rgmanager_admin',`
-	gen_require(`
-		type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
-		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_runtime_t;
-	')
-
-	allow $1 rgmanager_t:process { ptrace signal_perms };
-	ps_process_pattern($1, rgmanager_t)
-
-	init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, rgmanager_tmp_t)
-
-	admin_pattern($1, rgmanager_tmpfs_t)
-
-	logging_list_logs($1)
-	admin_pattern($1, rgmanager_var_log_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, rgmanager_runtime_t)
-')

policy/modules/services/rgmanager.te

@@ -1,199 +0,0 @@
-policy_module(rgmanager, 1.10.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether rgmanager can
-##	connect to the network using TCP.
-##	</p>
-## </desc>
-gen_tunable(rgmanager_can_network_connect, false)
-
-type rgmanager_t;
-type rgmanager_exec_t;
-init_daemon_domain(rgmanager_t, rgmanager_exec_t)
-
-type rgmanager_initrc_exec_t;
-init_script_file(rgmanager_initrc_exec_t)
-
-type rgmanager_runtime_t alias rgmanager_var_run_t;
-files_runtime_file(rgmanager_runtime_t)
-
-type rgmanager_tmp_t;
-files_tmp_file(rgmanager_tmp_t)
-
-type rgmanager_tmpfs_t;
-files_tmpfs_file(rgmanager_tmpfs_t)
-
-type rgmanager_var_log_t;
-logging_log_file(rgmanager_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
-allow rgmanager_t self:process { setsched signal };
-allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
-manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
-files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
-
-manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
-
-manage_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t)
-manage_sock_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t)
-files_runtime_filetrans(rgmanager_t, rgmanager_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(rgmanager_t)
-kernel_read_system_state(rgmanager_t)
-kernel_rw_rpc_sysctls(rgmanager_t)
-kernel_search_debugfs(rgmanager_t)
-kernel_search_network_state(rgmanager_t)
-kernel_manage_unlabeled_dirs(rgmanager_t)
-
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
-corecmd_exec_bin(rgmanager_t)
-corecmd_exec_shell(rgmanager_t)
-
-dev_rw_dlm_control(rgmanager_t)
-dev_setattr_dlm_control(rgmanager_t)
-dev_search_sysfs(rgmanager_t)
-
-domain_read_all_domains_state(rgmanager_t)
-domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
-
-files_list_all(rgmanager_t)
-files_getattr_all_symlinks(rgmanager_t)
-files_manage_mnt_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
-
-fs_getattr_all_fs(rgmanager_t)
-
-storage_raw_read_fixed_disk(rgmanager_t)
-
-term_getattr_pty_fs(rgmanager_t)
-
-auth_dontaudit_getattr_shadow(rgmanager_t)
-auth_use_nsswitch(rgmanager_t)
-
-init_domtrans_script(rgmanager_t)
-
-logging_send_syslog_msg(rgmanager_t)
-
-miscfiles_read_localization(rgmanager_t)
-
-tunable_policy(`rgmanager_can_network_connect',`
-	corenet_sendrecv_all_client_packets(rgmanager_t)
-	corenet_tcp_connect_all_ports(rgmanager_t)
-')
-
-optional_policy(`
-	aisexec_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	consoletype_exec(rgmanager_t)
-')
-
-optional_policy(`
-	corosync_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	apache_domtrans(rgmanager_t)
-	apache_signal(rgmanager_t)
-')
-
-optional_policy(`
-	fstools_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	rhcs_stream_connect_groupd(rgmanager_t)
-	rhcs_stream_connect_gfs_controld(rgmanager_t)
-')
-
-optional_policy(`
-	hostname_exec(rgmanager_t)
-')
-
-optional_policy(`
-	ccs_manage_config(rgmanager_t)
-	ccs_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	lvm_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	mount_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	mysql_domtrans_mysql_safe(rgmanager_t)
-	mysql_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	netutils_domtrans(rgmanager_t)
-	netutils_domtrans_ping(rgmanager_t)
-')
-
-optional_policy(`
-	postgresql_domtrans(rgmanager_t)
-	postgresql_signal(rgmanager_t)
-')
-
-optional_policy(`
-	rdisc_exec(rgmanager_t)
-')
-
-optional_policy(`
-	ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
-')
-
-optional_policy(`
-	rpc_domtrans_nfsd(rgmanager_t)
-	rpc_domtrans_rpcd(rgmanager_t)
-	rpc_manage_nfs_state_data(rgmanager_t)
-')
-
-optional_policy(`
-	samba_domtrans_smbd(rgmanager_t)
-	samba_domtrans_nmbd(rgmanager_t)
-	samba_manage_var_files(rgmanager_t)
-	samba_rw_config(rgmanager_t)
-	samba_signal_smbd(rgmanager_t)
-	samba_signal_nmbd(rgmanager_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_ifconfig(rgmanager_t)
-')
-
-optional_policy(`
-	virt_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	xen_domtrans_xm(rgmanager_t)
-')

policy/modules/services/rhcs.fc

@@ -1,40 +0,0 @@
-/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
-
-/usr/bin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/bin/fenced		--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/fence_node	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/fence_tool	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/foghorn	--	gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/bin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/bin/groupd		--	gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/bin/qdiskd		--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
-/usr/sbin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn	--	gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd	--	gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd	--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
-/var/lock/fence_manual\.lock	--	gen_context(system_u:object_r:fenced_lock_t,s0)
-
-/var/lib/qdiskd(/.*)?	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-
-/var/log/cluster/.*\.log	<<none>>
-/var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.*	--	gen_context(system_u:object_r:fenced_var_log_t,s0)
-/var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.*	--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-
-/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/cluster/fence_scsi.*	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/dlm_controld\.pid	--	gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
-/run/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
-/run/fenced\.pid	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/gfs_controld\.pid	--	gen_context(system_u:object_r:gfs_controld_runtime_t,s0)
-/run/groupd\.pid	--	gen_context(system_u:object_r:groupd_runtime_t,s0)
-/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_runtime_t,s0)

policy/modules/services/rhcs.if

@@ -1,496 +0,0 @@
-## <summary>Red Hat Cluster Suite.</summary>
-
-#######################################
-## <summary>
-##	The template to define a rhcs domain.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Domain prefix to be used.
-##	</summary>
-## </param>
-#
-template(`rhcs_domain_template',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_t, cluster_domain;
-	type $1_exec_t;
-	init_daemon_domain($1_t, $1_exec_t)
-
-	type $1_runtime_t alias $1_var_run_t, cluster_pid;
-	files_runtime_file($1_runtime_t)
-
-	type $1_tmpfs_t, cluster_tmpfs;
-	files_tmpfs_file($1_tmpfs_t)
-
-	type $1_var_log_t, cluster_log;
-	logging_log_file($1_var_log_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
-
-	manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
-
-	manage_dirs_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_fifo_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_sock_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	files_runtime_filetrans($1_t, $1_runtime_t, { dir file sock_file fifo_file })
-
-	optional_policy(`
-		dbus_system_bus_client($1_t)
-	')
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to
-##	run dlm_controld.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rhcs_domtrans_dlm_controld',`
-	gen_require(`
-	type dlm_controld_t, dlm_controld_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
-')
-
-#####################################
-## <summary>
-##	Get attributes of fenced
-##	executable files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_getattr_fenced_exec_files',`
-	gen_require(`
-		type fenced_exec_t;
-	')
-
-	allow $1 fenced_exec_t:file getattr_file_perms;
-')
-
-#####################################
-## <summary>
-##	Connect to dlm_controld with a
-##	unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_dlm_controld',`
-	gen_require(`
-		type dlm_controld_t, dlm_controld_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t)
-')
-
-#####################################
-## <summary>
-##	Read and write dlm_controld semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_dlm_controld_semaphores',`
-	gen_require(`
-		type dlm_controld_t, dlm_controld_tmpfs_t;
-	')
-
-	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run fenced.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_fenced',`
-	gen_require(`
-		type fenced_t, fenced_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fenced_exec_t, fenced_t)
-')
-
-######################################
-## <summary>
-##	Read and write fenced semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_fenced_semaphores',`
-	gen_require(`
-		type fenced_t, fenced_tmpfs_t;
-	')
-
-	allow $1 fenced_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-')
-
-####################################
-## <summary>
-##	Connect to all cluster domains
-##	with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_cluster',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
-')
-
-######################################
-## <summary>
-##	Connect to fenced with an unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_fenced',`
-	gen_require(`
-		type fenced_runtime_t, fenced_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, fenced_runtime_t, fenced_runtime_t, fenced_t)
-')
-
-#####################################
-## <summary>
-##	Execute a domain transition
-##	to run gfs_controld.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_gfs_controld',`
-	gen_require(`
-	type gfs_controld_t, gfs_controld_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
-')
-
-####################################
-## <summary>
-##	Read and write gfs_controld semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_gfs_controld_semaphores',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_tmpfs_t;
-	')
-
-	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	Read and write gfs_controld_t shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_gfs_controld_shm',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_tmpfs_t;
-	')
-
-	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
-#####################################
-## <summary>
-##	Connect to gfs_controld_t with
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_gfs_controld',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, gfs_controld_runtime_t, gfs_controld_runtime_t, gfs_controld_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run groupd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rhcs_domtrans_groupd',`
-	gen_require(`
-		type groupd_t, groupd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, groupd_exec_t, groupd_t)
-')
-
-#####################################
-## <summary>
-##	Connect to groupd with a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_groupd',`
-	gen_require(`
-		type groupd_t, groupd_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, groupd_runtime_t, groupd_runtime_t, groupd_t)
-')
-
-########################################
-## <summary>
-##	Read and write all cluster domains
-##	shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_cluster_shm',`
-	gen_require(`
-		attribute cluster_domain, cluster_tmpfs;
-	')
-
-	allow $1 cluster_domain:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
-')
-
-####################################
-## <summary>
-##	Read and write all cluster
-##	domains semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_cluster_semaphores',`
-	gen_require(`
-		attribute cluster_domain;
-	')
-
-	allow $1 cluster_domain:sem { rw_sem_perms destroy };
-')
-
-#####################################
-## <summary>
-##	Read and write groupd semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_groupd_semaphores',`
-	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
-	')
-
-	allow $1 groupd_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	Read and write groupd shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_groupd_shm',`
-	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
-	')
-
-	allow $1 groupd_t:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run qdiskd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_qdiskd',`
-	gen_require(`
-		type qdiskd_t, qdiskd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an rhcs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`rhcs_admin',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
-		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
-		type fenced_tmp_t, qdiskd_var_lib_t;
-		type dlm_controld_t, foghorn_t;
-	')
-
-	allow $1 cluster_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, cluster_domain)
-
-	init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
-	init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, cluster_pid)
-
-	files_search_locks($1)
-	admin_pattern($1, fenced_lock_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, fenced_tmp_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, qdiskd_var_lib_t)
-
-	fs_search_tmpfs($1)
-	admin_pattern($1, cluster_tmpfs)
-
-	logging_search_logs($1)
-	admin_pattern($1, cluster_log)
-')

policy/modules/services/rhcs.te

@@ -1,319 +0,0 @@
-policy_module(rhcs, 1.10.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether fenced can
-##	connect to the TCP network.
-##	</p>
-## </desc>
-gen_tunable(fenced_can_network_connect, false)
-
-## <desc>
-##	<p>
-##	Determine whether fenced can use ssh.
-##	</p>
-## </desc>
-gen_tunable(fenced_can_ssh, false)
-
-attribute cluster_domain;
-attribute cluster_log;
-attribute cluster_pid;
-attribute cluster_tmpfs;
-
-rhcs_domain_template(dlm_controld)
-
-type dlm_controld_initrc_exec_t;
-init_script_file(dlm_controld_initrc_exec_t)
-
-rhcs_domain_template(fenced)
-
-type fenced_lock_t;
-files_lock_file(fenced_lock_t)
-
-type fenced_tmp_t;
-files_tmp_file(fenced_tmp_t)
-
-rhcs_domain_template(foghorn)
-
-type foghorn_initrc_exec_t;
-init_script_file(foghorn_initrc_exec_t)
-
-rhcs_domain_template(gfs_controld)
-rhcs_domain_template(groupd)
-rhcs_domain_template(qdiskd)
-
-type qdiskd_var_lib_t;
-files_type(qdiskd_var_lib_t)
-
-#####################################
-#
-# Common cluster domains local policy
-#
-
-allow cluster_domain self:capability sys_nice;
-allow cluster_domain self:process setsched;
-allow cluster_domain self:sem create_sem_perms;
-allow cluster_domain self:fifo_file rw_fifo_file_perms;
-allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
-allow cluster_domain self:unix_dgram_socket create_socket_perms;
-
-logging_send_syslog_msg(cluster_domain)
-
-miscfiles_read_localization(cluster_domain)
-
-optional_policy(`
-	ccs_stream_connect(cluster_domain)
-')
-
-optional_policy(`
-	corosync_stream_connect(cluster_domain)
-')
-
-#####################################
-#
-# dlm_controld local policy
-#
-
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-stream_connect_pattern(dlm_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
-stream_connect_pattern(dlm_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-kernel_read_system_state(dlm_controld_t)
-kernel_rw_net_sysctls(dlm_controld_t)
-
-corecmd_exec_bin(dlm_controld_t)
-
-dev_rw_dlm_control(dlm_controld_t)
-dev_rw_sysfs(dlm_controld_t)
-
-fs_manage_configfs_files(dlm_controld_t)
-fs_manage_configfs_dirs(dlm_controld_t)
-
-init_rw_script_tmp_files(dlm_controld_t)
-
-#######################################
-#
-# fenced local policy
-#
-
-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
-allow fenced_t self:unix_stream_socket connectto;
-
-manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
-files_lock_filetrans(fenced_t, fenced_lock_t, file)
-
-manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
-
-stream_connect_pattern(fenced_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-can_exec(fenced_t, fenced_exec_t)
-
-kernel_read_system_state(fenced_t)
-
-corecmd_exec_bin(fenced_t)
-corecmd_exec_shell(fenced_t)
-
-corenet_all_recvfrom_netlabel(fenced_t)
-corenet_tcp_sendrecv_generic_if(fenced_t)
-corenet_udp_sendrecv_generic_if(fenced_t)
-corenet_tcp_sendrecv_generic_node(fenced_t)
-corenet_udp_sendrecv_generic_node(fenced_t)
-corenet_tcp_bind_generic_node(fenced_t)
-corenet_udp_bind_generic_node(fenced_t)
-
-corenet_sendrecv_ionixnetmon_server_packets(fenced_t)
-corenet_udp_bind_ionixnetmon_port(fenced_t)
-
-corenet_sendrecv_zented_server_packets(fenced_t)
-corenet_tcp_bind_zented_port(fenced_t)
-
-corenet_sendrecv_http_client_packets(fenced_t)
-corenet_tcp_connect_http_port(fenced_t)
-
-dev_read_sysfs(fenced_t)
-dev_read_urand(fenced_t)
-
-files_read_usr_files(fenced_t)
-files_read_usr_symlinks(fenced_t)
-
-storage_raw_read_fixed_disk(fenced_t)
-storage_raw_write_fixed_disk(fenced_t)
-storage_raw_read_removable_device(fenced_t)
-
-term_getattr_pty_fs(fenced_t)
-term_use_generic_ptys(fenced_t)
-term_use_ptmx(fenced_t)
-
-auth_use_nsswitch(fenced_t)
-
-tunable_policy(`fenced_can_network_connect',`
-	corenet_sendrecv_all_client_packets(fenced_t)
-	corenet_tcp_connect_all_ports(fenced_t)
-')
-
-optional_policy(`
-	tunable_policy(`fenced_can_ssh',`
-		allow fenced_t self:capability { setgid setuid };
-
-		corenet_sendrecv_ssh_client_packets(fenced_t)
-		corenet_tcp_connect_ssh_port(fenced_t)
-
-		ssh_exec(fenced_t)
-		ssh_read_user_home_files(fenced_t)
-	')
-')
-
-optional_policy(`
-	corosync_exec(fenced_t)
-')
-
-optional_policy(`
-	ccs_read_config(fenced_t)
-')
-
-optional_policy(`
-	gnome_read_generic_home_content(fenced_t)
-')
-
-optional_policy(`
-	lvm_domtrans(fenced_t)
-	lvm_read_config(fenced_t)
-')
-
-optional_policy(`
-	snmp_manage_var_lib_files(fenced_t)
-	snmp_manage_var_lib_dirs(fenced_t)
-')
-
-#######################################
-#
-# foghorn local policy
-#
-
-allow foghorn_t self:process signal;
-allow foghorn_t self:tcp_socket create_stream_socket_perms;
-allow foghorn_t self:udp_socket create_socket_perms;
-
-corenet_all_recvfrom_netlabel(foghorn_t)
-corenet_tcp_sendrecv_generic_if(foghorn_t)
-corenet_tcp_sendrecv_generic_node(foghorn_t)
-
-corenet_sendrecv_agentx_client_packets(foghorn_t)
-corenet_tcp_connect_agentx_port(foghorn_t)
-
-dev_read_urand(foghorn_t)
-
-files_read_usr_files(foghorn_t)
-
-optional_policy(`
-	dbus_connect_system_bus(foghorn_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(foghorn_t)
-	snmp_stream_connect(foghorn_t)
-')
-
-######################################
-#
-# gfs_controld local policy
-#
-
-allow gfs_controld_t self:capability { net_admin sys_resource };
-allow gfs_controld_t self:shm create_shm_perms;
-allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-stream_connect_pattern(gfs_controld_t, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t)
-stream_connect_pattern(gfs_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
-stream_connect_pattern(gfs_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-kernel_read_system_state(gfs_controld_t)
-
-dev_rw_dlm_control(gfs_controld_t)
-dev_setattr_dlm_control(gfs_controld_t)
-dev_rw_sysfs(gfs_controld_t)
-
-storage_getattr_removable_dev(gfs_controld_t)
-
-init_rw_script_tmp_files(gfs_controld_t)
-
-optional_policy(`
-	lvm_exec(gfs_controld_t)
-	dev_rw_lvm_control(gfs_controld_t)
-')
-
-#######################################
-#
-# groupd local policy
-#
-
-allow groupd_t self:capability { sys_nice sys_resource };
-allow groupd_t self:process setsched;
-allow groupd_t self:shm create_shm_perms;
-
-domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
-
-dev_list_sysfs(groupd_t)
-
-files_read_etc_files(groupd_t)
-
-init_rw_script_tmp_files(groupd_t)
-
-######################################
-#
-# qdiskd local policy
-#
-
-allow qdiskd_t self:capability { ipc_lock sys_boot };
-allow qdiskd_t self:tcp_socket { accept listen };
-
-manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
-
-kernel_read_system_state(qdiskd_t)
-kernel_read_software_raid_state(qdiskd_t)
-kernel_getattr_core_if(qdiskd_t)
-
-corecmd_exec_bin(qdiskd_t)
-corecmd_exec_shell(qdiskd_t)
-
-dev_read_sysfs(qdiskd_t)
-dev_list_all_dev_nodes(qdiskd_t)
-dev_getattr_all_blk_files(qdiskd_t)
-dev_getattr_all_chr_files(qdiskd_t)
-dev_manage_generic_blk_files(qdiskd_t)
-dev_manage_generic_chr_files(qdiskd_t)
-
-domain_dontaudit_getattr_all_pipes(qdiskd_t)
-domain_dontaudit_getattr_all_sockets(qdiskd_t)
-
-files_dontaudit_getattr_all_sockets(qdiskd_t)
-files_dontaudit_getattr_all_pipes(qdiskd_t)
-
-fs_list_hugetlbfs(qdiskd_t)
-
-storage_raw_read_removable_device(qdiskd_t)
-storage_raw_write_removable_device(qdiskd_t)
-storage_raw_read_fixed_disk(qdiskd_t)
-storage_raw_write_fixed_disk(qdiskd_t)
-
-auth_use_nsswitch(qdiskd_t)
-
-optional_policy(`
-	netutils_domtrans_ping(qdiskd_t)
-')
-

policy/modules/services/ricci.fc

@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/ricci	--	gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
-
-/usr/bin/modclusterd	--	gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
-/usr/bin/ricci	--	gen_context(system_u:object_r:ricci_exec_t,s0)
-
-/usr/libexec/modcluster	--	gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
-/usr/libexec/ricci-modlog	--	gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
-/usr/libexec/ricci-modrpm	--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
-/usr/libexec/ricci-modservice	--	gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
-/usr/libexec/ricci-modstorage	--	gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
-
-/usr/sbin/modclusterd	--	gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
-/usr/sbin/ricci	--	gen_context(system_u:object_r:ricci_exec_t,s0)
-
-/var/lib/ricci(/.*)?	gen_context(system_u:object_r:ricci_var_lib_t,s0)
-
-/var/log/clumond\.log.*	--	gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-
-/run/clumond\.sock	-s	gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
-/run/modclusterd\.pid	--	gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
-/run/ricci\.pid	--	gen_context(system_u:object_r:ricci_runtime_t,s0)

policy/modules/services/ricci.if

@@ -1,219 +0,0 @@
-## <summary>Ricci cluster management agent.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run ricci.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ricci_domtrans',`
-	gen_require(`
-		type ricci_t, ricci_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_exec_t, ricci_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modcluster.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ricci_domtrans_modcluster',`
-	gen_require(`
-		type ricci_modcluster_t, ricci_modcluster_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use
-##	ricci modcluster file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ricci_dontaudit_use_modcluster_fds',`
-	gen_require(`
-		type ricci_modcluster_t;
-	')
-
-	dontaudit $1 ricci_modcluster_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read write
-##	ricci modcluster unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ricci_dontaudit_rw_modcluster_pipes',`
-	gen_require(`
-		type ricci_modcluster_t;
-	')
-
-	dontaudit $1 ricci_modcluster_t:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Connect to ricci_modclusterd with
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ricci_stream_connect_modclusterd',`
-	gen_require(`
-		type ricci_modclusterd_t, ricci_modcluster_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t, ricci_modclusterd_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modlog.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modlog',`
-	gen_require(`
-		type ricci_modlog_t, ricci_modlog_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modrpm.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modrpm',`
-	gen_require(`
-		type ricci_modrpm_t, ricci_modrpm_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modservice.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modservice',`
-	gen_require(`
-		type ricci_modservice_t, ricci_modservice_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modstorage.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modstorage',`
-	gen_require(`
-		type ricci_modstorage_t, ricci_modstorage_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an ricci environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ricci_admin',`
-	gen_require(`
-		type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
-		type ricci_var_lib_t, ricci_var_log_t, ricci_runtime_t;
-	')
-
-	allow $1 ricci_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ricci_t)
-
-	init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, ricci_tmp_t)
-
-	files_list_var_lib($1)
-	admin_pattern($1, ricci_var_lib_t)
-
-	logging_list_logs($1)
-	admin_pattern($1, ricci_var_log_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, ricci_runtime_t)
-')

policy/modules/services/ricci.te

@@ -1,523 +0,0 @@
-policy_module(ricci, 1.13.0)
-
-########################################
-#
-# Declarations
-#
-
-type ricci_t;
-type ricci_exec_t;
-init_daemon_domain(ricci_t, ricci_exec_t)
-
-type ricci_initrc_exec_t;
-init_script_file(ricci_initrc_exec_t)
-
-type ricci_runtime_t alias ricci_var_run_t;
-files_runtime_file(ricci_runtime_t)
-
-type ricci_tmp_t;
-files_tmp_file(ricci_tmp_t)
-
-type ricci_var_lib_t;
-files_type(ricci_var_lib_t)
-
-type ricci_var_log_t;
-logging_log_file(ricci_var_log_t)
-
-type ricci_modcluster_t;
-type ricci_modcluster_exec_t;
-domain_type(ricci_modcluster_t)
-domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
-role system_r types ricci_modcluster_t;
-
-type ricci_modcluster_runtime_t alias ricci_modcluster_var_run_t;
-files_runtime_file(ricci_modcluster_runtime_t)
-
-type ricci_modcluster_var_lib_t;
-files_type(ricci_modcluster_var_lib_t)
-
-type ricci_modcluster_var_log_t;
-logging_log_file(ricci_modcluster_var_log_t)
-
-type ricci_modclusterd_t;
-type ricci_modclusterd_exec_t;
-init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
-
-type ricci_modclusterd_tmpfs_t;
-files_tmpfs_file(ricci_modclusterd_tmpfs_t)
-
-type ricci_modlog_t;
-type ricci_modlog_exec_t;
-domain_type(ricci_modlog_t)
-domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
-role system_r types ricci_modlog_t;
-
-type ricci_modrpm_t;
-type ricci_modrpm_exec_t;
-domain_type(ricci_modrpm_t)
-domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
-role system_r types ricci_modrpm_t;
-
-type ricci_modservice_t;
-type ricci_modservice_exec_t;
-domain_type(ricci_modservice_t)
-domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
-role system_r types ricci_modservice_t;
-
-type ricci_modstorage_t;
-type ricci_modstorage_exec_t;
-domain_type(ricci_modstorage_t)
-domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
-role system_r types ricci_modstorage_t;
-
-type ricci_modstorage_lock_t;
-files_lock_file(ricci_modstorage_lock_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ricci_t self:capability { setuid sys_boot sys_nice };
-allow ricci_t self:process setsched;
-allow ricci_t self:fifo_file rw_fifo_file_perms;
-allow ricci_t self:unix_stream_socket { accept connectto listen };
-allow ricci_t self:tcp_socket { accept listen };
-
-domtrans_pattern(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
-domtrans_pattern(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
-domtrans_pattern(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
-domtrans_pattern(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
-domtrans_pattern(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
-
-manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
-manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
-files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
-
-manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-
-allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-create_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-setattr_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
-
-manage_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
-manage_sock_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
-files_runtime_filetrans(ricci_t, ricci_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ricci_t)
-kernel_read_system_state(ricci_t)
-
-corecmd_exec_bin(ricci_t)
-
-corenet_all_recvfrom_netlabel(ricci_t)
-corenet_tcp_sendrecv_generic_if(ricci_t)
-corenet_tcp_sendrecv_generic_node(ricci_t)
-corenet_tcp_bind_generic_node(ricci_t)
-corenet_udp_bind_generic_node(ricci_t)
-
-corenet_sendrecv_ricci_server_packets(ricci_t)
-corenet_tcp_bind_ricci_port(ricci_t)
-corenet_udp_bind_ricci_port(ricci_t)
-
-corenet_sendrecv_http_client_packets(ricci_t)
-corenet_tcp_connect_http_port(ricci_t)
-
-dev_read_urand(ricci_t)
-
-domain_read_all_domains_state(ricci_t)
-
-files_read_etc_files(ricci_t)
-files_read_etc_runtime_files(ricci_t)
-files_create_boot_flag(ricci_t)
-
-auth_domtrans_chk_passwd(ricci_t)
-auth_append_login_records(ricci_t)
-
-init_stream_connect_script(ricci_t)
-
-locallogin_dontaudit_use_fds(ricci_t)
-
-logging_send_syslog_msg(ricci_t)
-
-miscfiles_read_localization(ricci_t)
-
-sysnet_dns_name_resolve(ricci_t)
-
-optional_policy(`
-	ccs_read_config(ricci_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client(ricci_t)
-
-	optional_policy(`
-		oddjob_dbus_chat(ricci_t)
-	')
-')
-
-optional_policy(`
-	corecmd_bin_entry_type(ricci_t)
-	term_dontaudit_search_ptys(ricci_t)
-	init_exec(ricci_t)
-
-	oddjob_system_entry(ricci_t, ricci_exec_t)
-')
-
-optional_policy(`
-	rpm_use_script_fds(ricci_t)
-')
-
-optional_policy(`
-	sasl_connect(ricci_t)
-')
-
-optional_policy(`
-	shutdown_domtrans(ricci_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ricci_t)
-')
-
-optional_policy(`
-	xen_domtrans_xm(ricci_t)
-')
-
-########################################
-#
-# Modcluster local policy
-#
-
-allow ricci_modcluster_t self:capability sys_nice;
-allow ricci_modcluster_t self:process setsched;
-allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modcluster_t)
-kernel_read_system_state(ricci_modcluster_t)
-
-corecmd_exec_bin(ricci_modcluster_t)
-corecmd_exec_shell(ricci_modcluster_t)
-
-corenet_all_recvfrom_netlabel(ricci_modcluster_t)
-corenet_tcp_sendrecv_generic_if(ricci_modcluster_t)
-corenet_tcp_sendrecv_generic_node(ricci_modcluster_t)
-corenet_tcp_bind_generic_node(ricci_modcluster_t)
-
-corenet_sendrecv_all_server_packets(ricci_modcluster_t)
-corenet_tcp_bind_all_rpc_ports(ricci_modcluster_t)
-
-corenet_tcp_bind_cluster_port(ricci_modcluster_t)
-corenet_sendrecv_cluster_client_packets(ricci_modcluster_t)
-corenet_tcp_connect_cluster_port(ricci_modcluster_t)
-
-domain_read_all_domains_state(ricci_modcluster_t)
-
-files_search_locks(ricci_modcluster_t)
-files_read_etc_runtime_files(ricci_modcluster_t)
-files_search_usr(ricci_modcluster_t)
-
-auth_use_nsswitch(ricci_modcluster_t)
-
-init_exec(ricci_modcluster_t)
-init_domtrans_script(ricci_modcluster_t)
-
-logging_send_syslog_msg(ricci_modcluster_t)
-
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modcluster_t)
-	corosync_stream_connect(ricci_modcluster_t)
-')
-
-optional_policy(`
-	ccs_stream_connect(ricci_modcluster_t)
-	ccs_domtrans(ricci_modcluster_t)
-	ccs_manage_config(ricci_modcluster_t)
-')
-
-optional_policy(`
-	lvm_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	modutils_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	mount_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modcluster_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
-')
-
-optional_policy(`
-	rgmanager_stream_connect(ricci_modcluster_t)
-')
-
-########################################
-#
-# Modclusterd local policy
-#
-
-allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
-allow ricci_modclusterd_t self:process { signal sigkill setsched };
-allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
-allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:socket create_socket_perms;
-
-allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
-allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
-
-allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-create_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-setattr_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
-
-manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
-manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
-files_runtime_filetrans(ricci_modclusterd_t, ricci_modcluster_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ricci_modclusterd_t)
-kernel_read_system_state(ricci_modclusterd_t)
-kernel_request_load_module(ricci_modclusterd_t)
-
-corecmd_exec_bin(ricci_modclusterd_t)
-
-corenet_all_recvfrom_netlabel(ricci_modclusterd_t)
-corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
-corenet_tcp_sendrecv_generic_node(ricci_modclusterd_t)
-corenet_tcp_bind_generic_node(ricci_modclusterd_t)
-
-corenet_sendrecv_ricci_modcluster_server_packets(ricci_modclusterd_t)
-corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
-corenet_sendrecv_ricci_modcluster_client_packets(ricci_modclusterd_t)
-corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-
-domain_read_all_domains_state(ricci_modclusterd_t)
-
-files_read_etc_runtime_files(ricci_modclusterd_t)
-
-fs_getattr_xattr_fs(ricci_modclusterd_t)
-
-auth_use_nsswitch(ricci_modclusterd_t)
-
-init_stream_connect_script(ricci_modclusterd_t)
-
-locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
-logging_send_syslog_msg(ricci_modclusterd_t)
-
-miscfiles_read_localization(ricci_modclusterd_t)
-
-sysnet_domtrans_ifconfig(ricci_modclusterd_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modclusterd_t)
-	corosync_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	ccs_domtrans(ricci_modclusterd_t)
-	ccs_stream_connect(ricci_modclusterd_t)
-	ccs_read_config(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	rgmanager_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ricci_modclusterd_t)
-')
-
-########################################
-#
-# Modlog local policy
-#
-
-allow ricci_modlog_t self:capability sys_nice;
-allow ricci_modlog_t self:process setsched;
-
-kernel_read_kernel_sysctls(ricci_modlog_t)
-kernel_read_system_state(ricci_modlog_t)
-
-corecmd_exec_bin(ricci_modlog_t)
-
-domain_read_all_domains_state(ricci_modlog_t)
-
-files_read_etc_files(ricci_modlog_t)
-files_search_usr(ricci_modlog_t)
-
-logging_read_generic_logs(ricci_modlog_t)
-
-miscfiles_read_localization(ricci_modlog_t)
-
-optional_policy(`
-	nscd_dontaudit_search_runtime(ricci_modlog_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
-')
-
-########################################
-#
-# Modrpm local policy
-#
-
-allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modrpm_t)
-
-corecmd_exec_bin(ricci_modrpm_t)
-
-files_search_usr(ricci_modrpm_t)
-files_read_etc_files(ricci_modrpm_t)
-
-miscfiles_read_localization(ricci_modrpm_t)
-
-optional_policy(`
-	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-')
-
-optional_policy(`
-	rpm_domtrans(ricci_modrpm_t)
-')
-
-########################################
-#
-# Modservice local policy
-#
-
-allow ricci_modservice_t self:capability { dac_override sys_nice };
-allow ricci_modservice_t self:process setsched;
-allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modservice_t)
-kernel_read_system_state(ricci_modservice_t)
-
-corecmd_exec_bin(ricci_modservice_t)
-corecmd_exec_shell(ricci_modservice_t)
-
-files_read_etc_files(ricci_modservice_t)
-files_read_etc_runtime_files(ricci_modservice_t)
-files_search_usr(ricci_modservice_t)
-files_manage_etc_symlinks(ricci_modservice_t)
-
-init_domtrans_script(ricci_modservice_t)
-
-miscfiles_read_localization(ricci_modservice_t)
-
-optional_policy(`
-	ccs_read_config(ricci_modservice_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modservice_t)
-')
-
-optional_policy(`
-	nscd_dontaudit_search_runtime(ricci_modservice_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
-')
-
-########################################
-#
-# Modstorage local policy
-#
-
-allow ricci_modstorage_t self:capability { mknod sys_nice };
-allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
-allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modstorage_t)
-kernel_read_system_state(ricci_modstorage_t)
-
-create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
-files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
-
-corecmd_exec_bin(ricci_modstorage_t)
-corecmd_exec_shell(ricci_modstorage_t)
-
-dev_read_sysfs(ricci_modstorage_t)
-dev_read_urand(ricci_modstorage_t)
-dev_manage_generic_blk_files(ricci_modstorage_t)
-
-domain_read_all_domains_state(ricci_modstorage_t)
-
-files_manage_etc_files(ricci_modstorage_t)
-files_read_etc_runtime_files(ricci_modstorage_t)
-files_read_usr_files(ricci_modstorage_t)
-files_read_kernel_modules(ricci_modstorage_t)
-
-storage_raw_read_fixed_disk(ricci_modstorage_t)
-
-term_dontaudit_use_console(ricci_modstorage_t)
-
-logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modstorage_t)
-	corosync_stream_connect(ricci_modstorage_t)
-')
-
-optional_policy(`
-	ccs_stream_connect(ricci_modstorage_t)
-	ccs_read_config(ricci_modstorage_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modstorage_t)
-')
-
-optional_policy(`
-	fstools_domtrans(ricci_modstorage_t)
-')
-
-optional_policy(`
-	lvm_domtrans(ricci_modstorage_t)
-	lvm_manage_config(ricci_modstorage_t)
-')
-
-optional_policy(`
-	modutils_read_module_deps(ricci_modstorage_t)
-')
-
-optional_policy(`
-	mount_domtrans(ricci_modstorage_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
-')
-
-optional_policy(`
-	raid_domtrans_mdadm(ricci_modstorage_t)
-')

policy/modules/services/rpc.te

@@ -292,10 +292,6 @@ optional_policy(`
 	quota_manage_db_files(rpcd_t)
 ')
 
-optional_policy(`
-	rgmanager_manage_tmp_files(rpcd_t)
-')
-
 optional_policy(`
 	unconfined_signal(rpcd_t)
 ')

policy/modules/services/samba.te

@@ -469,10 +469,6 @@ tunable_policy(`samba_export_all_rw',`
 	files_manage_non_auth_files(smbd_t)
 ')
 
-optional_policy(`
-	ccs_read_config(smbd_t)
-')
-
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)

policy/modules/services/snmp.te

@@ -137,10 +137,6 @@ optional_policy(`
 	mta_search_queue(snmpd_t)
 ')
 
-optional_policy(`
-	ricci_stream_connect_modclusterd(snmpd_t)
-')
-
 optional_policy(`
 	rpc_search_nfs_state_data(snmpd_t)
 ')

policy/modules/services/spamassassin.te

@@ -447,13 +447,6 @@ optional_policy(`
 	daemontools_service_domain(spamd_t, spamd_exec_t)
 ')
 
-optional_policy(`
-	dcc_domtrans_cdcc(spamd_t)
-	dcc_domtrans_client(spamd_t)
-	dcc_signal_client(spamd_t)
-	dcc_stream_connect_dccifd(spamd_t)
-')
-
 optional_policy(`
 	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
 ')

policy/modules/system/lvm.fc

@@ -18,7 +18,6 @@
 #
 # /usr
 #
-/usr/bin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/bin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/dmraid			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -82,7 +81,6 @@
 /usr/lib/systemd/system/lvm2-lvmetad.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/udev/udisks-lvm-pv-export		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 
-/usr/sbin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)

policy/modules/system/lvm.if

@@ -186,25 +186,6 @@ interface(`lvm_rw_inherited_pid_pipes',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
-######################################
-## <summary>
-##	Execute a domain transition to run clvmd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lvm_domtrans_clvmd',`
-	gen_require(`
-		type clvmd_t, clvmd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
-')
-
 ######################################
 ## <summary>
 ##	All of the rules required to
@@ -223,14 +204,11 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 	gen_require(`
-		type clvmd_t, clvmd_initrc_exec_t, lvm_t, lvm_unit_t;
-		type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
-		type lvm_var_lib_t, lvm_runtime_t, clvmd_runtime_t, lvm_tmp_t;
+		type lvm_t, lvm_etc_t, lvm_lock_t, lvm_metadata_t;
+		type lvm_var_lib_t, lvm_runtime_t, lvm_tmp_t;
 	')
 
-	admin_process_pattern($1, { clvmd_t lvm_t })
-
-	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
+	admin_process_pattern($1, lvm_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { lvm_etc_t lvm_metadata_t })
@@ -242,7 +220,7 @@ interface(`lvm_admin',`
 	admin_pattern($1, lvm_var_lib_t)
 
 	files_search_runtime($1)
-	admin_pattern($1, { lvm_runtime_t clvmd_runtime_t })
+	admin_pattern($1, lvm_runtime_t)
 
 	files_search_tmp($1)
 	admin_pattern($1, lvm_tmp_t)

policy/modules/system/lvm.te

@@ -5,16 +5,6 @@ policy_module(lvm, 1.26.1)
 # Declarations
 #
 
-type clvmd_t;
-type clvmd_exec_t;
-init_daemon_domain(clvmd_t, clvmd_exec_t)
-
-type clvmd_initrc_exec_t;
-init_script_file(clvmd_initrc_exec_t)
-
-type clvmd_runtime_t alias clvmd_var_run_t;
-files_runtime_file(clvmd_runtime_t)
-
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
@@ -51,114 +41,6 @@ files_tmpfs_file(lvm_tmpfs_t)
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 
-########################################
-#
-# Cluster LVM daemon local policy
-#
-
-allow clvmd_t self:capability { chown ipc_lock mknod sys_admin sys_nice };
-dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process { signal_perms setsched };
-dontaudit clvmd_t self:process ptrace;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file rw_fifo_file_perms;
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t self:tcp_socket create_stream_socket_perms;
-allow clvmd_t self:udp_socket create_socket_perms;
-
-manage_files_pattern(clvmd_t, clvmd_runtime_t, clvmd_runtime_t)
-files_runtime_filetrans(clvmd_t, clvmd_runtime_t, file)
-
-read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
-
-kernel_read_kernel_sysctls(clvmd_t)
-kernel_read_system_state(clvmd_t)
-kernel_list_proc(clvmd_t)
-kernel_read_proc_symlinks(clvmd_t)
-kernel_search_debugfs(clvmd_t)
-kernel_dontaudit_getattr_core_if(clvmd_t)
-
-corecmd_exec_shell(clvmd_t)
-corecmd_getattr_bin_files(clvmd_t)
-
-corenet_all_recvfrom_netlabel(clvmd_t)
-corenet_tcp_sendrecv_generic_if(clvmd_t)
-corenet_udp_sendrecv_generic_if(clvmd_t)
-corenet_raw_sendrecv_generic_if(clvmd_t)
-corenet_tcp_sendrecv_generic_node(clvmd_t)
-corenet_udp_sendrecv_generic_node(clvmd_t)
-corenet_raw_sendrecv_generic_node(clvmd_t)
-corenet_tcp_bind_generic_node(clvmd_t)
-corenet_tcp_bind_reserved_port(clvmd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
-corenet_sendrecv_generic_server_packets(clvmd_t)
-
-dev_read_sysfs(clvmd_t)
-dev_manage_generic_symlinks(clvmd_t)
-dev_relabel_generic_dev_dirs(clvmd_t)
-dev_manage_generic_blk_files(clvmd_t)
-dev_manage_generic_chr_files(clvmd_t)
-dev_rw_lvm_control(clvmd_t)
-dev_dontaudit_getattr_all_blk_files(clvmd_t)
-dev_dontaudit_getattr_all_chr_files(clvmd_t)
-dev_create_generic_dirs(clvmd_t)
-dev_delete_generic_dirs(clvmd_t)
-
-files_read_etc_files(clvmd_t)
-files_list_usr(clvmd_t)
-
-fs_getattr_all_fs(clvmd_t)
-fs_search_auto_mountpoints(clvmd_t)
-fs_dontaudit_list_tmpfs(clvmd_t)
-fs_dontaudit_read_removable_files(clvmd_t)
-fs_rw_anon_inodefs_files(clvmd_t)
-
-storage_dontaudit_getattr_removable_dev(clvmd_t)
-storage_manage_fixed_disk(clvmd_t)
-storage_dev_filetrans_fixed_disk(clvmd_t)
-storage_relabel_fixed_disk(clvmd_t)
-storage_raw_read_fixed_disk(clvmd_t)
-
-domain_use_interactive_fds(clvmd_t)
-
-auth_use_nsswitch(clvmd_t)
-
-init_dontaudit_getattr_initctl(clvmd_t)
-
-logging_send_syslog_msg(clvmd_t)
-
-miscfiles_read_localization(clvmd_t)
-
-seutil_sigchld_newrole(clvmd_t)
-seutil_read_config(clvmd_t)
-seutil_read_file_contexts(clvmd_t)
-seutil_search_default_contexts(clvmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_user_home_dirs(clvmd_t)
-
-lvm_domtrans(clvmd_t)
-lvm_read_config(clvmd_t)
-
-ifdef(`distro_redhat',`
-	optional_policy(`
-		unconfined_domain(clvmd_t)
-	')
-')
-
-optional_policy(`
-	ccs_stream_connect(clvmd_t)
-')
-
-optional_policy(`
-	gpm_dontaudit_getattr_gpmctl(clvmd_t)
-')
-
-optional_policy(`
-	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
-	ricci_dontaudit_use_modcluster_fds(clvmd_t)
-')
-
 ########################################
 #
 # LVM Local policy
@@ -183,7 +65,6 @@ allow lvm_t self:socket create_stream_socket_perms;
 allow lvm_t self:key { search write };
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
 
 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
@@ -350,10 +231,6 @@ optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
 
-optional_policy(`
-	ccs_stream_connect(lvm_t)
-')
-
 optional_policy(`
 	dpkg_script_rw_pipes(lvm_t)
 ')