From 21d173a460c206c6b69fe781b8e31cc3b1d6d497 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 May 2006 19:37:56 +0000
Subject: [PATCH] remove rules added to make sediff easier
---
 refpolicy/policy/modules/services/apache.if | 7 -------
 refpolicy/policy/modules/services/apache.te | 8 +-------
 refpolicy/policy/modules/services/inetd.if | 6 ------
 refpolicy/policy/modules/services/inetd.te | 2 +-
 refpolicy/policy/modules/system/init.if | 6 ------
 refpolicy/policy/modules/system/init.te | 2 +-
 refpolicy/policy/modules/system/selinuxutil.te | 11 ++---------
 7 files changed, 5 insertions(+), 37 deletions(-)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 87445c78..f4233764 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -185,13 +185,6 @@ template(`apache_content_template',`
 libs_read_lib_files(httpd_$1_script_t)
 miscfiles_read_localization(httpd_$1_script_t)
-
- # added back to make sediff nicer
- dev_rw_null(httpd_$1_script_t)
- term_use_controlling_term(httpd_$1_script_t)
- allow httpd_$1_script_t self:dir r_dir_perms;
- allow httpd_$1_script_t self:file r_file_perms;
- allow httpd_$1_script_t self:lnk_file read;
 ')
 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 5e7e5c1c..710c28b2 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.9)
+policy_module(apache,1.3.10)
 #
 # NOTES:
@@ -332,9 +332,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 allow httpd_t httpdcontent:dir create_dir_perms;
 allow httpd_t httpdcontent:file create_file_perms;
 allow httpd_t httpdcontent:lnk_file create_lnk_perms;
-
- # make sediff easier
- allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 tunable_policy(`httpd_enable_ftp_server',`
@@ -591,9 +588,6 @@ tunable_policy(`httpd_enable_cgi',`
 allow httpd_unconfined_script_t httpd_suexec_t:fd use;
 allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
 allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
-
- # make sediff happy
- allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
 ')
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 5974b1c8..eded4039 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -59,9 +59,6 @@ interface(`inetd_core_service_domain',`
 dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 allow inetd_t $1:process sigkill;
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
 }
 ',`
 domain_auto_trans(inetd_t,$2,$1)
@@ -72,9 +69,6 @@ interface(`inetd_core_service_domain',`
 dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 allow inetd_t $1:process sigkill;
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
 ')
 ')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index d92c91d4..7c035f5e 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.1.0)
+policy_module(inetd,1.1.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 3cf76fa4..3b837719 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -93,9 +93,6 @@ interface(`init_daemon_domain',`
 allow $1 initrc_t:fifo_file rw_file_perms;
 allow $1 initrc_t:process sigchld;
 allow initrc_t $1:process { noatsecure siginh rlimitinh };
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
 }
 ',`
 domain_auto_trans(initrc_t,$2,$1)
@@ -104,9 +101,6 @@ interface(`init_daemon_domain',`
 allow $1 initrc_t:fifo_file rw_file_perms;
 allow $1 initrc_t:process sigchld;
 dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-
- # make sediff happy
- allow $1 $2:file { rx_file_perms entrypoint };
 ')
 optional_policy(`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c4136d21..761985c6 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.11)
+policy_module(init,1.3.12)
 gen_require(`
 class passwd rootok;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 57d13e8f..84fe30e5 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.5)
+policy_module(selinuxutil,1.2.6)
 gen_require(`
 bool secure_mode;
@@ -306,14 +306,7 @@ userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
-ifdef(`targeted_policy',` # newrole does not make any sense in # the targeted policy. This is to # make sediff easier. if(!secure_mode) { unconfined_domtrans(newrole_t) } ',`
+ifdef(`strict_policy',`
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
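Review bot: Swapping the `targeted_policy` branch for a `strict_policy` ifdef leaves newrole_t with no transition rule at all in a targeted build, where the deleted lines previously granted `unconfined_domtrans(newrole_t)` whenever `secure_mode` was off. That is only safe if the targeted build maps newrole_t onto the unconfined domain somewhere outside this hunk, which the diff does not show; otherwise a targeted `newrole` lands in a domain that can transition nowhere, so this should be confirmed before merging. The old else-branch also applied the `secure_mode` rules to every non-targeted build type, whereas the new test fires only when `strict_policy` is defined, so a build TYPE that defines neither symbol silently loses them. A comment above the new ifdef such as `# newrole is only confined under the strict policy; targeted builds are expected to handle newrole_t elsewhere (confirm)` would keep the intent the removed comment carried. The ifdef body continues past the end of the hunk.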