nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Drop RHEL4 and RHEL5 support.

Browse Source
This commit is contained in:
Chris PeBenito 2014-09-24 13:10:37 -04:00
parent 35860e6459
commit 6624f9cf7a
9 changed files with 3 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Makefile
View File

@ -186,11 +186,6 @@ ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO) M4PARAM += -D distro_$(DISTRO)
endif endif
# rhel4 also implies redhat
ifeq "$(DISTRO)" "rhel4"
M4PARAM += -D distro_redhat
endif
ifeq "$(DISTRO)" "ubuntu" ifeq "$(DISTRO)" "ubuntu"
M4PARAM += -D distro_debian M4PARAM += -D distro_debian
endif endif

7
README
View File

@ -95,10 +95,9 @@ NAME String (optional). Sets the name of the policy; the
set, the policy type (TYPE) is used. set, the policy type (TYPE) is used.
DISTRO String (optional). Enable distribution-specific policy. DISTRO String (optional). Enable distribution-specific policy.
Available options are redhat, rhel4, gentoo, debian, Available options are redhat, gentoo, and debian.
and suse. This option controls distro_redhat, This option controls distro_redhat, distro_gentoo, and
distro_rhel4, distro_gentoo, distro_debian, and distro_debian build option policy blocks.
distro_suse policy blocks.
MONOLITHIC Boolean. If set, a monolithic policy is built, MONOLITHIC Boolean. If set, a monolithic policy is built,
otherwise a modular policy is built. otherwise a modular policy is built.

7
Rules.monolithic
View File

@ -195,13 +195,6 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath) $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath) $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD) $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
ifeq "$(DISTRO)" "rhel4"
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
$(verbose) cat $@.homedirs >> $@
# Delete the file_contexts.homedirs in case the toolchain has
# been updated, to prevent duplicate match errors.
$(verbose) rm -f $@.homedirs
endif
######################################## ########################################
# #

54
policy/modules/admin/su.if
View File

@ -100,25 +100,6 @@ template(`su_restricted_domain_template', `
') ')
') ')
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
# dontaudit leaked sockets from parent # dontaudit leaked sockets from parent
dontaudit $1_su_t $2:socket_class_set { read write }; dontaudit $1_su_t $2:socket_class_set { read write };
@ -242,41 +223,6 @@ template(`su_role_template',`
') ')
') ')
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_ttys($1_su_t)
term_relabel_all_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_ttys($1_su_t)
term_use_all_ptys($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
optional_policy(`
unconfined_domtrans($1_su_t)
unconfined_signal($1_su_t)
')
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
# dontaudit leaked sockets from parent # dontaudit leaked sockets from parent
dontaudit $1_su_t $3:socket_class_set { read write }; dontaudit $1_su_t $3:socket_class_set { read write };

16
policy/modules/kernel/kernel.if
View File

@ -495,14 +495,6 @@ interface(`kernel_change_ring_buffer_level',`
allow $1 self:capability2 syslog; allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_console; allow $1 kernel_t:system syslog_console;
ifdef(`distro_rhel4',`
allow $1 self:capability sys_admin;
')
ifdef(`distro_rhel5',`
allow $1 self:capability sys_admin;
')
') ')
######################################## ########################################
@ -523,14 +515,6 @@ interface(`kernel_clear_ring_buffer',`
allow $1 self:capability2 syslog; allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_mod; allow $1 kernel_t:system syslog_mod;
ifdef(`distro_rhel4',`
allow $1 self:capability sys_admin;
')
ifdef(`distro_rhel5',`
allow $1 self:capability sys_admin;
')
') ')
######################################## ########################################

20
policy/modules/kernel/selinux.if
View File

@ -334,11 +334,6 @@ interface(`selinux_set_enforce_mode',`
if(!secure_mode_policyload) { if(!secure_mode_policyload) {
allow $1 security_t:security setenforce; allow $1 security_t:security setenforce;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security setenforce;
')
} }
') ')
@ -366,11 +361,6 @@ interface(`selinux_load_policy',`
if(!secure_mode_policyload) { if(!secure_mode_policyload) {
allow $1 security_t:security load_policy; allow $1 security_t:security load_policy;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security load_policy;
')
} }
') ')
@ -460,11 +450,6 @@ interface(`selinux_set_generic_booleans',`
allow $1 security_t:file rw_file_perms; allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setbool; allow $1 security_t:security setbool;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security setbool;
')
') ')
######################################## ########################################
@ -504,11 +489,6 @@ interface(`selinux_set_all_booleans',`
allow $1 security_t:security setbool; allow $1 security_t:security setbool;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security setbool;
')
if(!secure_mode_policyload) { if(!secure_mode_policyload) {
allow $1 secure_mode_policyload_t:file write_file_perms; allow $1 secure_mode_policyload_t:file write_file_perms;
} }

10
policy/modules/kernel/selinux.te
View File

@ -54,17 +54,7 @@ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file wr
# Access the security API. # Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow selinux_unconfined_type security_t:security setbool;
')
if(!secure_mode_policyload) { if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce }; allow selinux_unconfined_type security_t:security { load_policy setenforce };
allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
')
} }

8
policy/modules/services/xserver.te
View File

@ -573,10 +573,6 @@ optional_policy(`
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
') ')
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
') ')
optional_policy(` optional_policy(`
@ -749,10 +745,6 @@ userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t) xserver_use_user_fonts(xserver_t)
ifdef(`distro_rhel4',`
allow xserver_t self:process { execmem execheap execstack };
')
ifdef(`enable_mls',` ifdef(`enable_mls',`
range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;

24
policy/modules/system/init.if
View File

@ -108,14 +108,6 @@ interface(`init_domain',`
role system_r types $1; role system_r types $1;
domtrans_pattern(init_t, $2, $1) domtrans_pattern(init_t, $2, $1)
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
') ')
######################################## ########################################
@ -220,14 +212,6 @@ interface(`init_daemon_domain',`
userdom_dontaudit_use_user_terminals($1) userdom_dontaudit_use_user_terminals($1)
') ')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
optional_policy(` optional_policy(`
nscd_use($1) nscd_use($1)
') ')
@ -340,14 +324,6 @@ interface(`init_system_domain',`
role system_r types $1; role system_r types $1;
domtrans_pattern(initrc_t, $2, $1) domtrans_pattern(initrc_t, $2, $1)
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
') ')
######################################## ########################################