From 09516cb4bec24fb6bf6107a5b6471e7160225d14 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 23 Jul 2009 08:58:35 -0400
Subject: [PATCH] remove read_default_t tunable
---
 Changelog | 1 +
 policy/global_tunables | 7 -------
 policy/modules/apps/cdrecord.te | 12 +-----------
 policy/modules/apps/evolution.te | 11 +----------
 policy/modules/apps/mozilla.te | 11 +----------
 policy/modules/apps/mplayer.te | 20 +-------------------
 policy/modules/apps/screen.if | 8 --------
 policy/modules/apps/screen.te | 2 +-
 policy/modules/apps/thunderbird.te | 11 +----------
 policy/modules/kernel/kernel.te | 10 +---------
 policy/modules/services/dbus.if | 8 --------
 policy/modules/services/dbus.te | 10 +---------
 policy/modules/services/lpd.te | 8 +-------
 policy/modules/services/postfix.te | 10 +---------
 policy/modules/services/remotelogin.te | 10 +---------
 policy/modules/services/spamassassin.te | 20 +-------------------
 policy/modules/services/ssh.if | 8 --------
 policy/modules/services/ssh.te | 10 +---------
 policy/modules/system/fstools.te | 10 +---------
 policy/modules/system/locallogin.te | 10 +---------
 policy/modules/system/userdomain.if | 8 --------
 policy/modules/system/userdomain.te | 2 +-
 22 files changed, 17 insertions(+), 190 deletions(-)
diff --git a/Changelog b/Changelog
index ea6ab0b3..a48f9c93 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Remove read_default_t tunable.
 - Greylist milter from Paul Howarth.
 - Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
diff --git a/policy/global_tunables b/policy/global_tunables
index c08ca6ff..3316f6ef 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -82,13 +82,6 @@ gen_tunable(nfs_export_all_rw,false)
 ##
 gen_tunable(nfs_export_all_ro,false)
-##
-##

-## Allow reading of default_t files.
-##

-##
-gen_tunable(read_default_t,false)
-
 ##
 ##

 ## Support NFS home directories
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 74dd2448..96e50c36 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
-policy_module(cdrecord, 2.0.2)
+policy_module(cdrecord, 2.0.3)
 ########################################
 #
@@ -105,16 +105,6 @@ tunable_policy(`cdrecord_read_content',`
 userdom_dontaudit_read_user_home_content_files(cdrecord_t)
 ')
-# Handle default_t content
-tunable_policy(`cdrecord_read_content && read_default_t',`
- files_list_default(cdrecord_t)
- files_read_default_files(cdrecord_t)
- files_read_default_symlinks(cdrecord_t)
-',`
- files_dontaudit_read_default_files(cdrecord_t)
- files_dontaudit_list_default(cdrecord_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 files_search_mnt(cdrecord_t)
 fs_read_nfs_files(cdrecord_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 03611448..9b371bb3 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
-policy_module(evolution, 2.0.1)
+policy_module(evolution, 2.0.2)
 ########################################
 #
@@ -288,15 +288,6 @@ tunable_policy(`mail_read_content',`
 userdom_dontaudit_read_user_home_content_files(evolution_t)
 ')
-tunable_policy(`mail_read_content && read_default_t',`
- files_list_default(evolution_t)
- files_read_default_files(evolution_t)
- files_read_default_symlinks(evolution_t)
-',`
- files_dontaudit_read_default_files(evolution_t)
- files_dontaudit_list_default(evolution_t)
-')
-
 optional_policy(`
 automount_read_state(evolution_t)
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ec723410..db466cb7 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla, 2.0.1)
+policy_module(mozilla, 2.0.2)
 ########################################
 #
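Review bot: With `gen_tunable(read_default_t,false)` gone, any `tunable_policy(`read_default_t', ...)` block this patch does not touch — a module outside this tree or a distro overlay — would presumably no longer build, since the boolean is no longer declared; a tree-wide grep for read_default_t before merging would confirm nothing is left. Sites that had persisted the boolean as true lose that read access with no replacement, and the patch does not say what they should do instead, which is presumably relabeling so the files stop landing in default_t rather than granting access to it. The Changelog entry could carry that, e.g. `- Remove read_default_t tunable; relabel mislabeled files instead of enabling it.`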
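Review bot: Deleting the whole `tunable_policy(`cdrecord_read_content && read_default_t', ...)` block also deletes its else branch, `files_dontaudit_read_default_files(cdrecord_t)` and `files_dontaudit_list_default(cdrecord_t)`, which was in effect whenever either boolean was off (read_default_t defaults to false per the global_tunables hunk). cdrecord_t thus goes from silently denied to audited on default_t content, and the same applies to evolution_t, mozilla_t, mencoder_t, mplayer_t and thunderbird_t in the later hunks. Surfacing those denials is arguably right, since access to default_t usually signals a labeling problem an administrator should see, but it is an observable change the commit message does not mention; either keep the two dontaudit calls unconditionally or note in the Changelog that default_t denials from these domains are now audited.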
@@ -213,15 +213,6 @@ tunable_policy(`mozilla_read_content',`
 userdom_dontaudit_read_user_home_content_files(mozilla_t)
 ')
-tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default(mozilla_t)
- files_read_default_files(mozilla_t)
- files_read_default_symlinks(mozilla_t)
-',`
- files_dontaudit_read_default_files(mozilla_t)
- files_dontaudit_list_default(mozilla_t)
-')
-
 optional_policy(`
 apache_read_user_scripts(mozilla_t)
 apache_read_user_content(mozilla_t)
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index fe54f003..b363e452 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
-policy_module(mplayer, 2.0.1)
+policy_module(mplayer, 2.0.2)
 ########################################
 #
@@ -145,15 +145,6 @@ tunable_policy(`use_samba_home_dirs',`
 fs_dontaudit_list_cifs(mencoder_t)
 ')
-tunable_policy(`read_default_t',`
- files_list_default(mencoder_t)
- files_read_default_files(mencoder_t)
- files_read_default_symlinks(mencoder_t)
-',`
- files_dontaudit_read_default_files(mencoder_t)
- files_dontaudit_list_default(mencoder_t)
-')
-
 ########################################
 #
 # mplayer local policy
@@ -294,15 +285,6 @@ tunable_policy(`use_samba_home_dirs',`
 fs_dontaudit_list_cifs(mplayer_t)
 ')
-tunable_policy(`read_default_t',`
- files_list_default(mplayer_t)
- files_read_default_files(mplayer_t)
- files_read_default_symlinks(mplayer_t)
-',`
- files_dontaudit_read_default_files(mplayer_t)
- files_dontaudit_list_default(mplayer_t)
-')
-
 optional_policy(`
 alsa_read_rw_config(mplayer_t)
 ')
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 08020204..4b8fda0b 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -137,14 +137,6 @@ template(`screen_role_template',`
 userdom_user_home_domtrans($1_screen_t, $3)
 userdom_setattr_user_ptys($1_screen_t)
- tunable_policy(`read_default_t',`
- files_list_default($1_screen_t)
- files_read_default_files($1_screen_t)
- files_read_default_symlinks($1_screen_t)
- files_read_default_sockets($1_screen_t)
- files_read_default_pipes($1_screen_t)
- ')
-
 tunable_policy(`use_samba_home_dirs',`
 fs_cifs_domtrans($1_screen_t, $3)
 fs_read_cifs_symlinks($1_screen_t)
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 08e5d9da..d6166fa1 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
-policy_module(screen, 2.0.2)
+policy_module(screen, 2.0.3)
 ########################################
 #
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index b0aeff3f..f473afeb 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
-policy_module(thunderbird, 2.0.1)
+policy_module(thunderbird, 2.0.2)
 ########################################
 #
@@ -181,15 +181,6 @@ tunable_policy(`mail_read_content',`
 userdom_dontaudit_read_user_home_content_files(thunderbird_t)
 ')
-tunable_policy(`mail_read_content && read_default_t',`
- files_list_default(thunderbird_t)
- files_read_default_files(thunderbird_t)
- files_read_default_symlinks(thunderbird_t)
-',`
- files_dontaudit_read_default_files(thunderbird_t)
- files_dontaudit_list_default(thunderbird_t)
-')
-
 optional_policy(`
 dbus_system_bus_client(thunderbird_t)
 dbus_session_bus_client(thunderbird_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4fa91a39..7fde5408 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.10.4)
+policy_module(kernel, 1.10.5)
 ########################################
 #
@@ -282,14 +282,6 @@ ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(kernel_t)
 ')
-tunable_policy(`read_default_t',`
- files_list_default(kernel_t)
- files_read_default_files(kernel_t)
- files_read_default_symlinks(kernel_t)
- files_read_default_sockets(kernel_t)
- files_read_default_pipes(kernel_t)
-')
-
 optional_policy(`
 hotplug_search_config(kernel_t)
 ')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 729f32af..0f435c54 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -151,14 +151,6 @@ template(`dbus_role_template',`
 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 ')
- tunable_policy(`read_default_t',`
- files_list_default($1_dbusd_t)
- files_read_default_files($1_dbusd_t)
- files_read_default_symlinks($1_dbusd_t)
- files_read_default_sockets($1_dbusd_t)
- files_read_default_pipes($1_dbusd_t)
- ')
-
 optional_policy(`
 hal_dbus_chat($1_dbusd_t)
 ')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 3e06c735..bdd09674 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus, 1.10.2)
+policy_module(dbus, 1.10.3)
 gen_require(`
 class dbus all_dbus_perms;
@@ -115,14 +115,6 @@ seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
-tunable_policy(`read_default_t',`
- files_list_default(system_dbusd_t)
- files_read_default_files(system_dbusd_t)
- files_read_default_symlinks(system_dbusd_t)
- files_read_default_sockets(system_dbusd_t)
- files_read_default_pipes(system_dbusd_t)
-')
-
 optional_policy(`
 bind_domtrans(system_dbusd_t)
 ')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 39915eb7..12c9e733 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd, 1.11.3)
+policy_module(lpd, 1.11.4)
 ########################################
 #
@@ -282,12 +282,6 @@ userdom_use_user_terminals(lpr_t)
 userdom_read_user_home_content_files(lpr_t)
 userdom_read_user_tmp_files(lpr_t)
-tunable_policy(`read_default_t',`
- files_list_default(lpr_t)
- files_read_default_symlinks(lpr_t)
- files_read_default_files(lpr_t)
-')
-
 tunable_policy(`use_lpd_server',`
 # lpr can run in lightweight mode, without a local print spooler.
 allow lpr_t lpd_var_run_t:dir search;
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 12aed734..d067177c 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix, 1.10.2)
+policy_module(postfix, 1.10.3)
 ########################################
 #
@@ -344,14 +344,6 @@ seutil_read_config(postfix_map_t)
 userdom_use_user_terminals(postfix_map_t)
-tunable_policy(`read_default_t',`
- files_list_default(postfix_map_t)
- files_read_default_files(postfix_map_t)
- files_read_default_symlinks(postfix_map_t)
- files_read_default_sockets(postfix_map_t)
- files_read_default_pipes(postfix_map_t)
-')
-
 optional_policy(`
 locallogin_dontaudit_use_fds(postfix_map_t)
 ')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 49484628..e381aff0 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
-policy_module(remotelogin, 1.6.0)
+policy_module(remotelogin, 1.6.1)
 ########################################
 #
@@ -92,14 +92,6 @@ userdom_spec_domtrans_unpriv_users(remote_login_t)
 # Search for mail spool file.
 mta_getattr_spool(remote_login_t)
-tunable_policy(`read_default_t',`
- files_list_default(remote_login_t)
- files_read_default_files(remote_login_t)
- files_read_default_symlinks(remote_login_t)
- files_read_default_sockets(remote_login_t)
- files_read_default_pipes(remote_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(remote_login_t)
 fs_read_nfs_symlinks(remote_login_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 50b62dd4..ccfc6b66 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin, 2.1.3)
+policy_module(spamassassin, 2.1.4)
 ########################################
 #
@@ -135,15 +135,6 @@ seutil_read_config(spamassassin_t)
 sysnet_dns_name_resolve(spamassassin_t)
-# this should probably be removed:
-tunable_policy(`read_default_t',`
- files_list_default(spamassassin_t)
- files_read_default_files(spamassassin_t)
- files_read_default_symlinks(spamassassin_t)
- files_read_default_sockets(spamassassin_t)
- files_read_default_pipes(spamassassin_t)
-')
-
 # set tunable if you have spamassassin do DNS lookups
 tunable_policy(`spamassassin_can_network',`
 allow spamassassin_t self:tcp_socket create_stream_socket_perms;
@@ -265,15 +256,6 @@ seutil_read_config(spamc_t)
 sysnet_read_config(spamc_t)
-# cjp: this should probably be removed:
-tunable_policy(`read_default_t',`
- files_list_default(spamc_t)
- files_read_default_files(spamc_t)
- files_read_default_symlinks(spamc_t)
- files_read_default_sockets(spamc_t)
- files_read_default_pipes(spamc_t)
-')
-
 optional_policy(`
 # Allow connection to spamd socket above
 evolution_stream_connect(spamc_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index c057256e..12f23381 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -143,14 +143,6 @@ template(`ssh_basic_client_template',`
 sysnet_read_config($1_ssh_t)
 sysnet_dns_name_resolve($1_ssh_t)
- tunable_policy(`read_default_t',`
- files_list_default($1_ssh_t)
- files_read_default_files($1_ssh_t)
- files_read_default_symlinks($1_ssh_t)
- files_read_default_sockets($1_ssh_t)
- files_read_default_pipes($1_ssh_t)
- ')
-
 optional_policy(`
 kerberos_use($1_ssh_t)
 ')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5e62ab4b..cde906c3 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh, 2.0.2)
+policy_module(ssh, 2.0.3)
 ########################################
 #
@@ -181,14 +181,6 @@ tunable_policy(`allow_ssh_keysign',`
 allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
 ')
-tunable_policy(`read_default_t',`
- files_list_default(ssh_t)
- files_read_default_files(ssh_t)
- files_read_default_symlinks(ssh_t)
- files_read_default_sockets(ssh_t)
- files_read_default_pipes(ssh_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(ssh_t)
 fs_manage_nfs_files(ssh_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index e204c3ae..49083728 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools, 1.12.1)
+policy_module(fstools, 1.12.2)
 ########################################
 #
@@ -159,14 +159,6 @@ ifdef(`distro_redhat',`
 ')
 ')
-tunable_policy(`read_default_t',`
- files_list_default(fsadm_t)
- files_read_default_files(fsadm_t)
- files_read_default_symlinks(fsadm_t)
- files_read_default_sockets(fsadm_t)
- files_read_default_pipes(fsadm_t)
-')
-
 optional_policy(`
 amanda_rw_dumpdates_files(fsadm_t)
 amanda_append_log_files(fsadm_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 10889513..3cb6ca26 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin, 1.9.0)
+policy_module(locallogin, 1.9.1)
 ########################################
 #
@@ -142,14 +142,6 @@ ifdef(`distro_ubuntu',`
 ')
 ')
-tunable_policy(`read_default_t',`
- files_list_default(local_login_t)
- files_read_default_files(local_login_t)
- files_read_default_symlinks(local_login_t)
- files_read_default_sockets(local_login_t)
- files_read_default_pipes(local_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(local_login_t)
 fs_read_nfs_symlinks(local_login_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8634334b..b487fd42 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -574,14 +574,6 @@ template(`userdom_common_user_template',`
 # to this one.
 seutil_dontaudit_signal_newrole($1_t)
- tunable_policy(`read_default_t',`
- files_list_default($1_t)
- files_read_default_files($1_t)
- files_read_default_symlinks($1_t)
- files_read_default_sockets($1_t)
- files_read_default_pipes($1_t)
- ')
-
 tunable_policy(`user_direct_mouse',`
 dev_read_mouse($1_t)
 ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cb0d5124..19e8ef71 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain, 4.1.3)
+policy_module(userdomain, 4.1.4)
 ########################################
 #