From c0d1566a13a6d7876a753afbe2553a0751ddcfb7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 1 Sep 2005 13:52:59 +0000 Subject: [PATCH] move rhgb_domain into TODO so modules can compile as binary modules --- refpolicy/policy/modules/admin/acct.te | 10 ++++++---- refpolicy/policy/modules/admin/quota.te | 7 +++---- refpolicy/policy/modules/admin/updfstab.te | 10 ++++++---- refpolicy/policy/modules/services/bind.te | 19 +++++++++---------- refpolicy/policy/modules/services/dbus.te | 10 ++++++---- refpolicy/policy/modules/services/gpm.te | 7 +++---- refpolicy/policy/modules/services/howl.te | 10 ++++++---- refpolicy/policy/modules/services/inetd.te | 7 ------- refpolicy/policy/modules/services/ldap.te | 7 +++---- refpolicy/policy/modules/services/mysql.te | 9 ++++----- refpolicy/policy/modules/services/nscd.te | 8 +++----- refpolicy/policy/modules/services/privoxy.te | 10 ++++++---- refpolicy/policy/modules/services/ssh.te | 12 +++++++----- refpolicy/policy/modules/system/ipsec.te | 10 ++++++---- refpolicy/policy/modules/system/pcmcia.te | 7 +++---- refpolicy/policy/modules/system/raid.te | 7 +++---- 16 files changed, 74 insertions(+), 76 deletions(-) diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index c8098d733..88b7c599f 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -85,10 +85,6 @@ optional_policy(`cron.te',` cron_system_entry(acct_t,acct_exec_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(acct_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(acct_t) ') @@ -96,3 +92,9 @@ optional_policy(`selinuxutil.te',` optional_policy(`udev.te', ` udev_read_db(acct_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(acct_t) +') +') diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te index 4005a807b..f4b52460a 100644 --- a/refpolicy/policy/modules/admin/quota.te 
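Review bot: The new TODO guard appended at the end of acct.te carries no comment saying why rhgb_domain(acct_t) is disabled, and the same bare guard is added in updfstab.te, dbus.te, howl.te, privoxy.te, ssh.te and ipsec.te. Assuming TODO is not defined in normal builds, the call drops out of the compiled policy and these domains lose whatever rhgb_domain granted. That would presumably show up as AVC denials during a graphical boot, which is worth confirming on a test system. A one-line comment inside each guard would record the intent, e.g. `# rhgb_domain() is not available as an interface yet; kept under TODO so this module builds standalone` (wording inferred from the commit subject).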
+++ b/refpolicy/policy/modules/admin/quota.te @@ -67,10 +67,6 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(quota_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(quota_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(quota_t) ') @@ -86,4 +82,7 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t allow quota_t file_t:file quotaon; allow quota_t proc_t:file getattr; +optional_policy(`rhgb.te',` + rhgb_domain(quota_t) +') ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index 4c15864cf..ad6ffc923 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -104,10 +104,6 @@ optional_policy(`modutils.te',` modutils_read_mods_deps(updfstab_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(updfstab_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(updfstab_t) ') @@ -115,3 +111,9 @@ optional_policy(`selinuxutil.te',` optional_policy(`udev.te',` udev_read_db(updfstab_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(updfstab_t) +') +') diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index 49c4a5848..cf278f83c 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -146,10 +146,6 @@ optional_policy(`nscd.te',` nscd_use_socket(named_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(named_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(named_t) ') @@ -158,6 +154,15 @@ optional_policy(`udev.te',` udev_read_db(named_t) ') +ifdef(`TODO',` +can_udp_send(domain, named_t) +can_udp_send(named_t, domain) +can_tcp_connect(domain, named_t) +optional_policy(`rhgb.te',` + rhgb_domain(named_t) +') +') + ######################################## # # NDC local policy 
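Review bot: The TODO block relocated into the named_t section of bind.te keeps `can_udp_send(domain, named_t)`, `can_udp_send(named_t, domain)` and `can_tcp_connect(domain, named_t)` without any comment, while the comparable TODO block in ldap.te explains its intent. These rules name the whole `domain` attribute, so whoever later lifts them out of TODO should decide deliberately whether every domain needs to reach named. Suggest adding a line above them such as `# old-style macros: let any domain talk to named; review the scope when converting to interfaces`.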
@@ -241,9 +246,3 @@ optional_policy(`nis.te',` optional_policy(`nscd.te',` nscd_use_socket(ndc_t) ') - -ifdef(`TODO',` -can_udp_send(domain, named_t) -can_udp_send(named_t, domain) -can_tcp_connect(domain, named_t) -') diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index f2c468857..0ceff77ec 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -125,10 +125,12 @@ optional_policy(`nscd.te',` nscd_use_socket(system_dbusd_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(system_dbusd_t) -') - optional_policy(`udev.te', ` udev_read_db(system_dbusd_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(system_dbusd_t) +') +') diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te index 44c5c0366..151087d44 100644 --- a/refpolicy/policy/modules/services/gpm.te +++ b/refpolicy/policy/modules/services/gpm.te @@ -83,10 +83,6 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(gpm_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(gpm_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(gpm_t) ') @@ -99,4 +95,7 @@ ifdef(`TODO',` # Access the mouse. # cjp: why write? allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms; +optional_policy(`rhgb.te',` + rhgb_domain(gpm_t) +') ') diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te index 8e6ed7dd5..ae49234f8 100644 --- a/refpolicy/policy/modules/services/howl.te +++ b/refpolicy/policy/modules/services/howl.te @@ -79,10 +79,6 @@ optional_policy(`nis.te',` nis_use_ypbind(howl_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(howl_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(howl_t) ') @@ -90,3 +86,9 @@ optional_policy(`selinuxutil.te',` optional_policy(`udev.te', ` udev_read_db(howl_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(howl_t) +') +') 
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 9919d1d33..924a4805c 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -147,13 +147,6 @@ optional_policy(`rhgb.te',` rhgb_domain(inetd_t) ') -# Bind to the telnet, ftp, rlogin and rsh ports. -# cjp: these ports currently dont exist in the NSA example -ifdef(`talk.te', ` -allow inetd_t talk_port_t:tcp_socket name_bind; -allow inetd_t ntalk_port_t:tcp_socket name_bind; -') - # Communicate with the portmapper. ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') ') dnl TODO diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index a7ffb9cf2..91f5b8ebc 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -110,10 +110,6 @@ optional_policy(`nis.te',` nis_use_ypbind(slapd_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(slapd_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(slapd_t) ') @@ -123,6 +119,9 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(slapd_t) +') # allow any domain to connect to the LDAP server # cjp: how does this relate to the old can_ldap() macro? can_tcp_connect(domain, slapd_t) diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 2f4898531..d8b8374c2 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -111,10 +111,6 @@ optional_policy(`nis.te',` nis_use_ypbind(mysqld_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(mysqld_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(mysqld_t) ') 
@@ -123,7 +119,10 @@ optional_policy(`udev.te', ` udev_read_db(mysqld_t) ') -ifdef(`TODO', +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(mysqld_t) +') optional_policy(`daemontools.te',` domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) mysqld_signal(svc_start_t) diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 792d14a82..4c54c2c4d 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -95,10 +95,6 @@ optional_policy(`nis.te',` nis_use_ypbind(nscd_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(nscd_t) -') - optional_policy(`selinuxutils.te',` seutil_sigchld_newrole(nscd_t) ') @@ -119,7 +115,9 @@ optional_policy(`winbind.te', ` allow nscd_t samba_var_t:dir search; allow nscd_t winbind_var_run_t:dir { getattr search }; ') - +optional_policy(`rhgb.te',` + rhgb_domain(nscd_t) +') allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; ') dnl end TODO diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index d1c5f3e1f..36ee8a50b 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -83,10 +83,6 @@ optional_policy(`mount.te',` mount_send_nfs_client_request(privoxy_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(privoxy_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(privoxy_t) ') @@ -94,3 +90,9 @@ optional_policy(`selinuxutil.te',` optional_policy(`udev.te', ` udev_read_db(privoxy_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(privoxy_t) +') +') diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 139c5248a..85491677e 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te 
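Review bot: The context of the first nscd.te hunk guards seutil_sigchld_newrole(nscd_t) with the module name `selinuxutils.te`, whereas acct.te, bind.te, ssh.te and most other files in this patch use `selinuxutil.te`; ipsec.te and pcmcia.te carry the same spelling and raid.te uses `selinux.te`. If optional_policy keys on the module file name, as the usage here suggests, a name that matches no module would silently leave the block out. These lines are untouched context, so a follow-up that checks the names against the actual module files is the right place to fix them. Separately, the second nscd.te hunk replaces the blank separator line with the rhgb block, which now runs straight into the `allow nscd_t tmp_t:dir` rules; keeping the blank line would match the other files.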
@@ -24,7 +24,7 @@ role system_r types ssh_keygen_t; ssh_server_template(sshd) optional_policy(`inetd.te',` -# CJP: commenting this out until typeattribute works in a conditional +# cjp: commenting this out until typeattribute works in a conditional # tunable_policy(`run_ssh_inetd',` inetd_tcp_service_domain(sshd_t,sshd_exec_t) # ',` @@ -221,10 +221,6 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(ssh_keygen_t) ') -optional_policy(`rhgb.te', ` - rhgb_domain(ssh_keygen_t) -') - optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(ssh_keygen_t) ') @@ -232,3 +228,9 @@ optional_policy(`selinuxutil.te',` optional_policy(`udev.te', ` udev_read_db(ssh_keygen_t) ') + +ifdef(`TODO',` +optional_policy(`rhgb.te', ` + rhgb_domain(ssh_keygen_t) +') +') diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index cc06b3e60..a30a31465 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -128,10 +128,6 @@ optional_policy(`nis.te',` nis_use_ypbind(ipsec_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(ipsec_t) -') - optional_policy(`selinuxutils.te',` seutil_sigchld_newrole(ipsec_t) ') @@ -140,6 +136,12 @@ optional_policy(`udev.te', ` udev_read_db(ipsec_t) ') +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(ipsec_t) +') +') + ######################################## # # ipsec_mgmt Local policy diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 133694ade..025c886bd 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -116,10 +116,6 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(cardmgr_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(cardmgr_t) -') - optional_policy(`selinuxutils.te',` seutil_sigchld_newrole(cardmgr_t) ') 
@@ -157,4 +153,7 @@ optional_policy(`pcmcia.te',` pcmcia_manage_pid(hald_t) pcmcia_manage_runtime_chr(hald_t) ') +optional_policy(`rhgb.te',` + rhgb_domain(cardmgr_t) +') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index a8a2f469d..c58e7af45 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -73,10 +73,6 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(mdadm_t) ') -optional_policy(`rhgb.te',` - rhgb_domain(mdadm_t) -') - optional_policy(`selinux.te',` seutil_sigchld_newrole(mdadm_t) ') @@ -90,4 +86,7 @@ ifdef(`TODO',` dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr }; allow mdadm_t var_t:dir getattr; +optional_policy(`rhgb.te',` + rhgb_domain(mdadm_t) +') ') dnl TODO