move rhgb_domain into TODO so modules can compile as binary modules

2005-09-01 13:52:59 +00:00 · 2005-09-01 13:52:59 +00:00 · c0d1566a13
parent 631ee4d3cf
commit c0d1566a13
16 changed files with 74 additions and 76 deletions
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@ -85,10 +85,6 @@ optional_policy(`cron.te',`
 	cron_system_entry(acct_t,acct_exec_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(acct_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(acct_t)
 ')
@ -96,3 +92,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(acct_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(acct_t)
+')
+')
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@ -67,10 +67,6 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(quota_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(quota_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(quota_t)
 ')
@ -86,4 +82,7 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
 allow quota_t file_t:file quotaon;

 allow quota_t proc_t:file getattr;
+optional_policy(`rhgb.te',`
+	rhgb_domain(quota_t)
+')
 ') dnl end TODO
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@ -104,10 +104,6 @@ optional_policy(`modutils.te',`
 	modutils_read_mods_deps(updfstab_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(updfstab_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(updfstab_t)
 ')
@ -115,3 +111,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te',`
 	udev_read_db(updfstab_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(updfstab_t)
+')
+')
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@ -146,10 +146,6 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(named_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(named_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(named_t)
 ')
@ -158,6 +154,15 @@ optional_policy(`udev.te',`
 	udev_read_db(named_t)
 ')

+ifdef(`TODO',`
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+optional_policy(`rhgb.te',`
+	rhgb_domain(named_t)
+')
+')
+
 ########################################
 #
 # NDC local policy
@ -241,9 +246,3 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 	nscd_use_socket(ndc_t)
 ')
-
-ifdef(`TODO',`
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-')
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@ -125,10 +125,12 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_dbusd_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(system_dbusd_t)
-')
-
 optional_policy(`udev.te', `
 	udev_read_db(system_dbusd_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(system_dbusd_t)
+')
+')
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@ -83,10 +83,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(gpm_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(gpm_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(gpm_t)
 ')
@ -99,4 +95,7 @@ ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
 allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+optional_policy(`rhgb.te',`
+	rhgb_domain(gpm_t)
+')
 ')
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@ -79,10 +79,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(howl_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(howl_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(howl_t)
 ')
@ -90,3 +86,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(howl_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(howl_t)
+')
+')
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@ -147,13 +147,6 @@ optional_policy(`rhgb.te',`
 	rhgb_domain(inetd_t)
 ')

-# Bind to the telnet, ftp, rlogin and rsh ports.
-# cjp: these ports currently dont exist in the NSA example
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 ') dnl TODO
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@ -110,10 +110,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(slapd_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(slapd_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(slapd_t)
 ')
@ -123,6 +119,9 @@ optional_policy(`udev.te', `
 ')

 ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(slapd_t)
+')
 # allow any domain to connect to the LDAP server
 # cjp: how does this relate to the old can_ldap() macro?
 can_tcp_connect(domain, slapd_t)
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@ -111,10 +111,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(mysqld_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(mysqld_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(mysqld_t)
 ')
@ -123,7 +119,10 @@ optional_policy(`udev.te', `
 	udev_read_db(mysqld_t)
 ')

-ifdef(`TODO',
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(mysqld_t)
+')
 optional_policy(`daemontools.te',`
 	domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 	mysqld_signal(svc_start_t)
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@ -95,10 +95,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(nscd_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(nscd_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(nscd_t)
 ')
@ -119,7 +115,9 @@ optional_policy(`winbind.te', `
 	allow nscd_t samba_var_t:dir search;
 	allow nscd_t winbind_var_run_t:dir { getattr search };
 ')
-
+optional_policy(`rhgb.te',`
+	rhgb_domain(nscd_t)
+')
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@ -83,10 +83,6 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(privoxy_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(privoxy_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(privoxy_t)
 ')
@ -94,3 +90,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(privoxy_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(privoxy_t)
+')
+')
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@ -24,7 +24,7 @@ role system_r types ssh_keygen_t;
 ssh_server_template(sshd)

 optional_policy(`inetd.te',`
-# CJP: commenting this out until typeattribute works in a conditional
+# cjp: commenting this out until typeattribute works in a conditional
 #	tunable_policy(`run_ssh_inetd',`
 		inetd_tcp_service_domain(sshd_t,sshd_exec_t)
 #	',`
@ -221,10 +221,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(ssh_keygen_t)
 ')

-optional_policy(`rhgb.te', `
-	rhgb_domain(ssh_keygen_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
@ -232,3 +228,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te', `
+	rhgb_domain(ssh_keygen_t)
+')
+')
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@ -128,10 +128,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(ipsec_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(ipsec_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(ipsec_t)
 ')
@ -140,6 +136,12 @@ optional_policy(`udev.te', `
 	udev_read_db(ipsec_t)
 ')

+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(ipsec_t)
+')
+')
+
 ########################################
 #
 # ipsec_mgmt Local policy
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@ -116,10 +116,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(cardmgr_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(cardmgr_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(cardmgr_t)
 ')
@ -157,4 +153,7 @@ optional_policy(`pcmcia.te',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
 ')
+optional_policy(`rhgb.te',`
+	rhgb_domain(cardmgr_t)
+')
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@ -73,10 +73,6 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(mdadm_t)
 ')

-optional_policy(`rhgb.te',`
-	rhgb_domain(mdadm_t)
-')
-
 optional_policy(`selinux.te',`
 	seutil_sigchld_newrole(mdadm_t)
 ')
@ -90,4 +86,7 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };

 allow mdadm_t var_t:dir getattr;
+optional_policy(`rhgb.te',`
+	rhgb_domain(mdadm_t)
+')
 ') dnl TODO