remove rules added to make sediff easier

refpolicy/policy/modules/services/apache.if

@@ -185,13 +185,6 @@ template(`apache_content_template',`
 		libs_read_lib_files(httpd_$1_script_t)
 
 		miscfiles_read_localization(httpd_$1_script_t)
-
-		# added back to make sediff nicer
-		dev_rw_null(httpd_$1_script_t)
-		term_use_controlling_term(httpd_$1_script_t)
-		allow httpd_$1_script_t self:dir r_dir_perms;
-		allow httpd_$1_script_t self:file r_file_perms;
-		allow httpd_$1_script_t self:lnk_file read;
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`

refpolicy/policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.9)
+policy_module(apache,1.3.10)
 
 #
 # NOTES: 
@@ -332,9 +332,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir create_dir_perms;
 	allow httpd_t httpdcontent:file create_file_perms;
 	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
-
-	# make sediff easier
-	allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 
 tunable_policy(`httpd_enable_ftp_server',`
@@ -591,9 +588,6 @@ tunable_policy(`httpd_enable_cgi',`
 	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
 	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
 	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
-
-	# make sediff happy
-	allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`

refpolicy/policy/modules/services/inetd.if

@@ -59,9 +59,6 @@ interface(`inetd_core_service_domain',`
 			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
 			allow inetd_t $1:process sigkill;
-
-			# make sediff happy
-			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(inetd_t,$2,$1)
@@ -72,9 +69,6 @@ interface(`inetd_core_service_domain',`
 		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
 		allow inetd_t $1:process sigkill;
-
-		# make sediff happy
-		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 ')
 

refpolicy/policy/modules/services/inetd.te

@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.1.0)
+policy_module(inetd,1.1.1)
 
 ########################################
 #

refpolicy/policy/modules/system/init.if

@@ -93,9 +93,6 @@ interface(`init_daemon_domain',`
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
 			allow initrc_t $1:process { noatsecure siginh rlimitinh };
-
-			# make sediff happy
-			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
@@ -104,9 +101,6 @@ interface(`init_daemon_domain',`
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
 		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-
-		# make sediff happy
-		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 
 	optional_policy(`

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.11)
+policy_module(init,1.3.12)
 
 gen_require(`
 	class passwd rootok;

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.5)
+policy_module(selinuxutil,1.2.6)
 
 gen_require(`
 	bool secure_mode;
@@ -306,14 +306,7 @@ userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
 
-ifdef(`targeted_policy',`
-	# newrole does not make any sense in
-	# the targeted policy.  This is to
-	# make sediff easier.
-	if(!secure_mode) {
-		unconfined_domtrans(newrole_t)
-	}
-',`
+ifdef(`strict_policy',`
 	# if secure mode is enabled, then newrole
 	# can only transition to unprivileged users
 	if(secure_mode) {