Drop RHEL4 and RHEL5 support.

Makefile

@@ -186,11 +186,6 @@ ifneq ($(DISTRO),)
 	M4PARAM += -D distro_$(DISTRO)
 endif
 
-# rhel4 also implies redhat
-ifeq "$(DISTRO)" "rhel4"
-	M4PARAM += -D distro_redhat
-endif
-
 ifeq "$(DISTRO)" "ubuntu"
 	M4PARAM += -D distro_debian
 endif

README

@@ -95,10 +95,9 @@ NAME			String (optional).  Sets the name of the policy; the
 			set, the policy type (TYPE) is used.
 
 DISTRO			String (optional).  Enable distribution-specific policy.
-			Available options are redhat, rhel4, gentoo, debian,
-			and suse.  This option controls distro_redhat,
-			distro_rhel4, distro_gentoo, distro_debian, and
-			distro_suse policy blocks.
+			Available options are redhat, gentoo, and debian.
+			This option controls distro_redhat, distro_gentoo, and
+			distro_debian build option policy blocks.
 
 MONOLITHIC		Boolean.  If set, a monolithic policy is built,
 			otherwise a modular policy is built.

Rules.monolithic

@@ -195,13 +195,6 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
 	$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
 	$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
 	$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
-ifeq "$(DISTRO)" "rhel4"
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
-	$(verbose) cat $@.homedirs >> $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
-	$(verbose) rm -f $@.homedirs
-endif
 
 ########################################
 #

policy/modules/admin/su.if

@@ -100,25 +100,6 @@ template(`su_restricted_domain_template', `
 		')
 	')
 
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_access_vector($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
-
-		seutil_read_config($1_su_t)
-		seutil_read_default_contexts($1_su_t)
-
-		# Only allow transitions to unprivileged user domains.
-		userdom_spec_domtrans_unpriv_users($1_su_t)
-	')
-
 	ifdef(`hide_broken_symptoms',`
 		# dontaudit leaked sockets from parent
 		dontaudit $1_su_t $2:socket_class_set { read write };
@@ -242,41 +223,6 @@ template(`su_role_template',`
 		')
 	')
 
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
-
-		# Relabel ttys and ptys.
-		term_relabel_all_ttys($1_su_t)
-		term_relabel_all_ptys($1_su_t)
-		# Close and re-open ttys and ptys to get the fd into the correct domain.
-		term_use_all_ttys($1_su_t)
-		term_use_all_ptys($1_su_t)
-
-		seutil_read_config($1_su_t)
-		seutil_read_default_contexts($1_su_t)
-
-		if(secure_mode) {
-			# Only allow transitions to unprivileged user domains.
-			userdom_spec_domtrans_unpriv_users($1_su_t)
-		} else {
-			# Allow transitions to all user domains
-			userdom_spec_domtrans_all_users($1_su_t)
-		}
-
-		optional_policy(`
-			unconfined_domtrans($1_su_t)
-			unconfined_signal($1_su_t)
-		')
-	')
-
 	ifdef(`hide_broken_symptoms',`
 		# dontaudit leaked sockets from parent
 		dontaudit $1_su_t $3:socket_class_set { read write };

policy/modules/kernel/kernel.if

@@ -495,14 +495,6 @@ interface(`kernel_change_ring_buffer_level',`
 
 	allow $1 self:capability2 syslog;
 	allow $1 kernel_t:system syslog_console;
-
-	ifdef(`distro_rhel4',`
-		allow $1 self:capability sys_admin;
-	')
-
-	ifdef(`distro_rhel5',`
-		allow $1 self:capability sys_admin;
-	')
 ')
 
 ########################################
@@ -523,14 +515,6 @@ interface(`kernel_clear_ring_buffer',`
 
 	allow $1 self:capability2 syslog;
 	allow $1 kernel_t:system syslog_mod;
-
-	ifdef(`distro_rhel4',`
-		allow $1 self:capability sys_admin;
-	')
-
-	ifdef(`distro_rhel5',`
-		allow $1 self:capability sys_admin;
-	')
 ')
 
 ########################################

policy/modules/kernel/selinux.if

@@ -334,11 +334,6 @@ interface(`selinux_set_enforce_mode',`
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security setenforce;
-
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security setenforce;
-		')
 	}
 ')
 
@@ -366,11 +361,6 @@ interface(`selinux_load_policy',`
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security load_policy;
-
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security load_policy;
-		')
 	}
 ')
 
@@ -460,11 +450,6 @@ interface(`selinux_set_generic_booleans',`
 	allow $1 security_t:file rw_file_perms;
 
 	allow $1 security_t:security setbool;
-
-	ifdef(`distro_rhel4',`
-		# needed for systems without audit support
-		auditallow $1 security_t:security setbool;
-	')
 ')
 
 ########################################
@@ -504,11 +489,6 @@ interface(`selinux_set_all_booleans',`
 
 	allow $1 security_t:security setbool;
 
-	ifdef(`distro_rhel4',`
-		# needed for systems without audit support
-		auditallow $1 security_t:security setbool;
-	')
-
 	if(!secure_mode_policyload) {
 		allow $1 secure_mode_policyload_t:file write_file_perms;
 	}

policy/modules/kernel/selinux.te

@@ -54,17 +54,7 @@ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file wr
 # Access the security API.
 allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
 
-ifdef(`distro_rhel4',`
-	# needed for systems without audit support
-	auditallow selinux_unconfined_type security_t:security setbool;
-')
-
 if(!secure_mode_policyload) {
 	allow selinux_unconfined_type security_t:security { load_policy setenforce };
 	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
-
-	ifdef(`distro_rhel4',`
-		# needed for systems without audit support
-		auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
-	')
 }

policy/modules/services/xserver.te

@@ -573,10 +573,6 @@ optional_policy(`
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
 	')
-
-	ifdef(`distro_rhel4',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -749,10 +745,6 @@ userdom_rw_user_tmpfs_files(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-ifdef(`distro_rhel4',`
-	allow xserver_t self:process { execmem execheap execstack };
-')
-
 ifdef(`enable_mls',`
 	range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;

policy/modules/system/init.if

@@ -108,14 +108,6 @@ interface(`init_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(init_t, $2, $1)
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
 ')
 
 ########################################
@@ -220,14 +212,6 @@ interface(`init_daemon_domain',`
 		userdom_dontaudit_use_user_terminals($1)
 	')
 
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
-
 	optional_policy(`
 		nscd_use($1)
 	')
@@ -340,14 +324,6 @@ interface(`init_system_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t, $2, $1)
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
 ')
 
 ########################################