remove read_default_t tunable

Changelog

@@ -1,3 +1,4 @@
+- Remove read_default_t tunable.
 - Greylist milter from Paul Howarth.
 - Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.

policy/global_tunables

@@ -82,13 +82,6 @@ gen_tunable(nfs_export_all_rw,false)
 ## </desc>
 gen_tunable(nfs_export_all_ro,false)
 
-## <desc>
-## <p>
-## Allow reading of default_t files.
-## </p>
-## </desc>
-gen_tunable(read_default_t,false)
-
 ## <desc>
 ## <p>
 ## Support NFS home directories

policy/modules/apps/cdrecord.te

@@ -1,5 +1,5 @@
 
-policy_module(cdrecord, 2.0.2)
+policy_module(cdrecord, 2.0.3)
 
 ########################################
 #
@@ -105,16 +105,6 @@ tunable_policy(`cdrecord_read_content',`
 	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
 ')
 
-# Handle default_t content
-tunable_policy(`cdrecord_read_content && read_default_t',`
-	files_list_default(cdrecord_t)
-	files_read_default_files(cdrecord_t)
-	files_read_default_symlinks(cdrecord_t)
-',`
-	files_dontaudit_read_default_files(cdrecord_t)
-	files_dontaudit_list_default(cdrecord_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	files_search_mnt(cdrecord_t)
 	fs_read_nfs_files(cdrecord_t)

policy/modules/apps/evolution.te

@@ -1,5 +1,5 @@
 
-policy_module(evolution, 2.0.1)
+policy_module(evolution, 2.0.2)
 
 ########################################
 #
@@ -288,15 +288,6 @@ tunable_policy(`mail_read_content',`
 	userdom_dontaudit_read_user_home_content_files(evolution_t)
 ')
 
-tunable_policy(`mail_read_content && read_default_t',`
-	files_list_default(evolution_t)
-	files_read_default_files(evolution_t)
-	files_read_default_symlinks(evolution_t)
-',`
-	files_dontaudit_read_default_files(evolution_t)
-	files_dontaudit_list_default(evolution_t)
-')
-
 optional_policy(`
 	automount_read_state(evolution_t)
 ')

policy/modules/apps/mozilla.te

@@ -1,5 +1,5 @@
 
-policy_module(mozilla, 2.0.1)
+policy_module(mozilla, 2.0.2)
 
 ########################################
 #
@@ -213,15 +213,6 @@ tunable_policy(`mozilla_read_content',`
 	userdom_dontaudit_read_user_home_content_files(mozilla_t)
 ')
 
-tunable_policy(`mozilla_read_content && read_default_t',`
-	files_list_default(mozilla_t)
-	files_read_default_files(mozilla_t)
-	files_read_default_symlinks(mozilla_t)
-',`
-	files_dontaudit_read_default_files(mozilla_t)
-	files_dontaudit_list_default(mozilla_t)
-')
-
 optional_policy(`
 	apache_read_user_scripts(mozilla_t)
 	apache_read_user_content(mozilla_t)

policy/modules/apps/mplayer.te

@@ -1,5 +1,5 @@
 
-policy_module(mplayer, 2.0.1)
+policy_module(mplayer, 2.0.2)
 
 ########################################
 #
@@ -145,15 +145,6 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_dontaudit_list_cifs(mencoder_t)
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(mencoder_t)
-	files_read_default_files(mencoder_t)
-	files_read_default_symlinks(mencoder_t)
-',`
-	files_dontaudit_read_default_files(mencoder_t)
-	files_dontaudit_list_default(mencoder_t)
-')
-
 ########################################
 #
 # mplayer local policy
@@ -294,15 +285,6 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_dontaudit_list_cifs(mplayer_t)
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(mplayer_t)
-	files_read_default_files(mplayer_t)
-	files_read_default_symlinks(mplayer_t)
-',`
-	files_dontaudit_read_default_files(mplayer_t)
-	files_dontaudit_list_default(mplayer_t)
-')
-
 optional_policy(`
 	alsa_read_rw_config(mplayer_t)
 ')

policy/modules/apps/screen.if

@@ -137,14 +137,6 @@ template(`screen_role_template',`
 	userdom_user_home_domtrans($1_screen_t, $3)
 	userdom_setattr_user_ptys($1_screen_t)
 
-	tunable_policy(`read_default_t',`
-		files_list_default($1_screen_t)
-		files_read_default_files($1_screen_t)
-		files_read_default_symlinks($1_screen_t)
-		files_read_default_sockets($1_screen_t)
-		files_read_default_pipes($1_screen_t)
-	')
-
 	tunable_policy(`use_samba_home_dirs',`
 		fs_cifs_domtrans($1_screen_t, $3)
 		fs_read_cifs_symlinks($1_screen_t)

policy/modules/apps/screen.te

@@ -1,5 +1,5 @@
 
-policy_module(screen, 2.0.2)
+policy_module(screen, 2.0.3)
 
 ########################################
 #

policy/modules/apps/thunderbird.te

@@ -1,5 +1,5 @@
 
-policy_module(thunderbird, 2.0.1)
+policy_module(thunderbird, 2.0.2)
 
 ########################################
 #
@@ -181,15 +181,6 @@ tunable_policy(`mail_read_content',`
 	userdom_dontaudit_read_user_home_content_files(thunderbird_t)
 ')
 
-tunable_policy(`mail_read_content && read_default_t',`
-	files_list_default(thunderbird_t)
-	files_read_default_files(thunderbird_t)
-	files_read_default_symlinks(thunderbird_t)
-',`
-	files_dontaudit_read_default_files(thunderbird_t)
-	files_dontaudit_list_default(thunderbird_t)
-')
-
 optional_policy(`
 	dbus_system_bus_client(thunderbird_t)
 	dbus_session_bus_client(thunderbird_t)

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.10.4)
+policy_module(kernel, 1.10.5)
 
 ########################################
 #
@@ -282,14 +282,6 @@ ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(kernel_t)
-	files_read_default_files(kernel_t)
-	files_read_default_symlinks(kernel_t)
-	files_read_default_sockets(kernel_t)
-	files_read_default_pipes(kernel_t)
-')
-
 optional_policy(`
 	hotplug_search_config(kernel_t)
 ')

policy/modules/services/dbus.if

@@ -151,14 +151,6 @@ template(`dbus_role_template',`
 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
 
-	tunable_policy(`read_default_t',`
-		files_list_default($1_dbusd_t)
-		files_read_default_files($1_dbusd_t)
-		files_read_default_symlinks($1_dbusd_t)
-		files_read_default_sockets($1_dbusd_t)
-		files_read_default_pipes($1_dbusd_t)
-	')
-
 	optional_policy(`
 		hal_dbus_chat($1_dbusd_t)
 	')

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus, 1.10.2)
+policy_module(dbus, 1.10.3)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -115,14 +115,6 @@ seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(system_dbusd_t)
-	files_read_default_files(system_dbusd_t)
-	files_read_default_symlinks(system_dbusd_t)
-	files_read_default_sockets(system_dbusd_t)
-	files_read_default_pipes(system_dbusd_t)
-')
-
 optional_policy(`
 	bind_domtrans(system_dbusd_t)
 ')

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd, 1.11.3)
+policy_module(lpd, 1.11.4)
 
 ########################################
 #
@@ -282,12 +282,6 @@ userdom_use_user_terminals(lpr_t)
 userdom_read_user_home_content_files(lpr_t)
 userdom_read_user_tmp_files(lpr_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(lpr_t)
-	files_read_default_symlinks(lpr_t)
-	files_read_default_files(lpr_t)
-')
-
 tunable_policy(`use_lpd_server',`
 	# lpr can run in lightweight mode, without a local print spooler.
 	allow lpr_t lpd_var_run_t:dir search;

policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix, 1.10.2)
+policy_module(postfix, 1.10.3)
 
 ########################################
 #
@@ -344,14 +344,6 @@ seutil_read_config(postfix_map_t)
 
 userdom_use_user_terminals(postfix_map_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(postfix_map_t)
-	files_read_default_files(postfix_map_t)
-	files_read_default_symlinks(postfix_map_t)
-	files_read_default_sockets(postfix_map_t)
-	files_read_default_pipes(postfix_map_t)
-')
-
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')

policy/modules/services/remotelogin.te

@@ -1,5 +1,5 @@
 
-policy_module(remotelogin, 1.6.0)
+policy_module(remotelogin, 1.6.1)
 
 ########################################
 #
@@ -92,14 +92,6 @@ userdom_spec_domtrans_unpriv_users(remote_login_t)
 # Search for mail spool file.
 mta_getattr_spool(remote_login_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(remote_login_t)
-	files_read_default_files(remote_login_t)
-	files_read_default_symlinks(remote_login_t)
-	files_read_default_sockets(remote_login_t)
-	files_read_default_pipes(remote_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(remote_login_t)
 	fs_read_nfs_symlinks(remote_login_t)

policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin, 2.1.3)
+policy_module(spamassassin, 2.1.4)
 
 ########################################
 #
@@ -135,15 +135,6 @@ seutil_read_config(spamassassin_t)
 
 sysnet_dns_name_resolve(spamassassin_t)
 
-# this should probably be removed:
-tunable_policy(`read_default_t',`
-	files_list_default(spamassassin_t)
-	files_read_default_files(spamassassin_t)
-	files_read_default_symlinks(spamassassin_t)
-	files_read_default_sockets(spamassassin_t)
-	files_read_default_pipes(spamassassin_t)
-')
-
 # set tunable if you have spamassassin do DNS lookups
 tunable_policy(`spamassassin_can_network',`
 	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
@@ -265,15 +256,6 @@ seutil_read_config(spamc_t)
 
 sysnet_read_config(spamc_t)
 
-# cjp: this should probably be removed:
-tunable_policy(`read_default_t',`
-	files_list_default(spamc_t)
-	files_read_default_files(spamc_t)
-	files_read_default_symlinks(spamc_t)
-	files_read_default_sockets(spamc_t)
-	files_read_default_pipes(spamc_t)
-')
-
 optional_policy(`
 	# Allow connection to spamd socket above
 	evolution_stream_connect(spamc_t)

policy/modules/services/ssh.if

@@ -143,14 +143,6 @@ template(`ssh_basic_client_template',`
 	sysnet_read_config($1_ssh_t)
 	sysnet_dns_name_resolve($1_ssh_t)
 
-	tunable_policy(`read_default_t',`
-		files_list_default($1_ssh_t)
-		files_read_default_files($1_ssh_t)
-		files_read_default_symlinks($1_ssh_t)
-		files_read_default_sockets($1_ssh_t)
-		files_read_default_pipes($1_ssh_t)
-	')
-
 	optional_policy(`
 		kerberos_use($1_ssh_t)
 	')

policy/modules/services/ssh.te

@@ -1,5 +1,5 @@
 
-policy_module(ssh, 2.0.2)
+policy_module(ssh, 2.0.3)
 
 ########################################
 #
@@ -181,14 +181,6 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(ssh_t)
-	files_read_default_files(ssh_t)
-	files_read_default_symlinks(ssh_t)
-	files_read_default_sockets(ssh_t)
-	files_read_default_pipes(ssh_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(ssh_t)
 	fs_manage_nfs_files(ssh_t)

policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools, 1.12.1)
+policy_module(fstools, 1.12.2)
 
 ########################################
 #
@@ -159,14 +159,6 @@ ifdef(`distro_redhat',`
 	')
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(fsadm_t)
-	files_read_default_files(fsadm_t)
-	files_read_default_symlinks(fsadm_t)
-	files_read_default_sockets(fsadm_t)
-	files_read_default_pipes(fsadm_t)
-')
-
 optional_policy(`
 	amanda_rw_dumpdates_files(fsadm_t)
 	amanda_append_log_files(fsadm_t)

policy/modules/system/locallogin.te

@@ -1,5 +1,5 @@
 
-policy_module(locallogin, 1.9.0)
+policy_module(locallogin, 1.9.1)
 
 ########################################
 #
@@ -142,14 +142,6 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
-tunable_policy(`read_default_t',`
-	files_list_default(local_login_t)
-	files_read_default_files(local_login_t)
-	files_read_default_symlinks(local_login_t)
-	files_read_default_sockets(local_login_t)
-	files_read_default_pipes(local_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(local_login_t)
 	fs_read_nfs_symlinks(local_login_t)

policy/modules/system/userdomain.if

@@ -574,14 +574,6 @@ template(`userdom_common_user_template',`
 	# to this one.
 	seutil_dontaudit_signal_newrole($1_t)
 
-	tunable_policy(`read_default_t',`
-		files_list_default($1_t)
-		files_read_default_files($1_t)
-		files_read_default_symlinks($1_t)
-		files_read_default_sockets($1_t)
-		files_read_default_pipes($1_t)
-	')
-
 	tunable_policy(`user_direct_mouse',`
 		dev_read_mouse($1_t)
 	')

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 4.1.3)
+policy_module(userdomain, 4.1.4)
 
 ########################################
 #