From 133000c2860d49d04941db20773e6bcbf4f3bd98 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 13 Jul 2006 14:22:21 +0000
Subject: [PATCH] remove setbool auditallow, except for distro_rhel4.
---
 Changelog | 1 +
 policy/modules/kernel/selinux.if | 6 +++++-
 policy/modules/kernel/selinux.te | 7 ++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index c79ac180..8c4b73f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Remove setbool auditallow, except for RHEL4.
 - Change eventpollfs to task SID labeling.
 - Add key support from Michael LeMay.
 - Add ftpdctl domain to ftp, from Paul Howarth.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 08c29074..f080e2a0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -214,7 +214,11 @@ interface(`selinux_set_boolean',`
 if(!secure_mode_policyload) {
 allow $1 security_t:security setbool;
- auditallow $1 security_t:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setbool;
+ ')
 }
 ')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5d609384..b62940e6 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -40,5 +40,10 @@ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setb
 if(!secure_mode_policyload) {
 allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
- auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+ auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow selinux_unconfined_type security_t:security setbool;
+ ')
 }
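Review bot: The comment `# needed for systems without audit support` in the selinux.if hunk (and the identical one in the selinux.te hunk) says why RHEL4 keeps the rule, but not why dropping it elsewhere is safe. Outside `distro_rhel4`, a granted `setbool` no longer produces an AVC record, so visibility of boolean changes presumably rests on the audit subsystem logging them itself; that is inferred, not shown in the patch. I would spell it out in both places, e.g. `# boolean changes are logged by the audit subsystem where available; RHEL4 lacks it, so keep the AVC granted record`, and mention that a host running with auditing disabled gets no record of a boolean flip. Both enclosing blocks begin outside their hunks, so the surrounding conditions are not fully visible here.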