From bca0cdb86e54b910ff3794acf394339251e7b3b6 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 7 Jul 2010 08:41:20 -0400
Subject: [PATCH] Remove duplicate/redundant rules, from Russell Coker.
---
 Changelog | 1 +
 policy/modules/apps/ethereal.te | 2 --
 policy/modules/apps/gift.te | 2 +-
 policy/modules/apps/java.te | 3 --
 policy/modules/apps/wireshark.te | 2 --
 policy/modules/services/clamav.te | 1 -
 policy/modules/services/courier.te | 1 -
 policy/modules/services/djbdns.te | 2 --
 policy/modules/services/lpd.te | 2 --
 policy/modules/services/prelude.te | 1 -
 policy/modules/services/ricci.te | 4 ---
 policy/modules/services/ssh.te | 52 +++--------------------------
 policy/modules/services/virt.te | 4 ---
 policy/modules/services/xserver.te | 3 --
 policy/modules/system/init.te | 4 ---
 policy/modules/system/logging.te | 3 --
 policy/modules/system/lvm.te | 1 -
 policy/modules/system/sysnetwork.te | 4 ---
 policy/modules/system/xen.te | 1 -
 19 files changed, 6 insertions(+), 87 deletions(-)
diff --git a/Changelog b/Changelog
index 749a17b8..6a7d362b 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Remove duplicate/redundant rules, from Russell Coker.
 - Increased default number of categories to 1024, from Russell Coker.
 - Added modules: cgroup (Dominick Grift)
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index 6c3b760f..c102195b 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -78,8 +78,6 @@ kernel_read_kernel_sysctls(ethereal_t)
 kernel_read_system_state(ethereal_t)
 kernel_read_sysctl(ethereal_t)
-corecmd_search_bin(ethereal_t)
-
 corenet_tcp_connect_generic_port(ethereal_t)
 corenet_tcp_sendrecv_generic_if(ethereal_t)
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 202d4b8b..4204eec5 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -53,7 +53,7 @@ userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
 domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
 # Read /proc/meminfo
-kernel_read_system_state(giftd_t)
+kernel_read_system_state(gift_t)
 # Connect to gift daemon
 corenet_all_recvfrom_unlabeled(gift_t)
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index aa8ace65..726e8537 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -82,7 +82,6 @@ dev_read_urand(java_t)
 dev_read_rand(java_t)
 dev_dontaudit_append_rand(java_t)
-files_read_etc_files(java_t)
 files_read_usr_files(java_t)
 files_search_home(java_t)
 files_search_var_lib(java_t)
@@ -144,8 +143,6 @@ optional_policy(`
 # execheap is needed for itanium/BEA jrocket
 allow unconfined_java_t self:process { execstack execmem execheap };
- init_dbus_chat_script(unconfined_java_t)
- files_execmod_all_files(unconfined_java_t)
 init_dbus_chat_script(unconfined_java_t)
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 9b732845..3c431060 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -71,8 +71,6 @@ kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
-corecmd_search_bin(wireshark_t)
-
 corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 85290433..33621bbd 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -89,7 +89,6 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
 # pid file
-manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
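Review bot: The gift.te hunk moves a permission rather than removing a duplicate: `-kernel_read_system_state(giftd_t)` / `+kernel_read_system_state(gift_t)` takes the rule away from the daemon domain and gives it to the client domain, and nothing in the hunk shows giftd_t keeping it. The `# Read /proc/meminfo` comment above the changed line was written for giftd_t, so if the daemon really reads /proc/meminfo this will show up as a denial once the policy is reloaded. Either confirm that giftd_t is granted `kernel_read_system_state` elsewhere in gift.te, or keep the giftd_t rule and add the gift_t one alongside it; the commit message should then say this is a fix, not a redundancy removal.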
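Review bot: In the java.te hunks, `files_read_etc_files(java_t)` and `files_execmod_all_files(unconfined_java_t)` are removed without any duplicate being visible in the context; only `init_dbus_chat_script(unconfined_java_t)` is actually repeated. The commit message presents all of these as duplicate/redundant, so presumably a broader rule or interface elsewhere in each file subsumes them, but that cannot be checked from the hunks. The same applies to `allow courier_authdaemon_t courier_tcpd_t:fd use;` in courier.te, `xserver_unconfined(xdm_t)` and `xserver_use_user_fonts(xserver_t)` in xserver.te, `corecmd_exec_all_executables(initrc_t)` in init.te, `netutils_domtrans(dhcpc_t)` in sysnetwork.te and `term_use_console(xenconsoled_t)` in xen.te, several of which are privilege-relevant for the domain involved. A short commit note naming the rule or interface that covers each removed line, or a before/after `sesearch` of the built policy showing no allow rule disappears, would make these removals reviewable.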
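Review bot: In the clamav.te hunk, the removed `manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)` sits under the `# pid file` comment among the clamd_var_run_t rules, which reads like a copy of the log rule with the wrong type rather than a plain duplicate. The surviving `files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })` names `dir` as a transition class, yet no rule in this hunk grants clamd_t manage permissions on clamd_var_run_t directories, so the directory transition has nothing visible to pair with. If no such rule exists elsewhere in the file, the intended line was probably `manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)`; if it does exist, fine, but it is worth a look before this is merged as a no-op cleanup.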
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 72901d88..b96c242a 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -48,7 +48,6 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index bd97d09c..22221adb 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -22,8 +22,6 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
-files_config_file(djbdns_axfrdns_conf_t)
-
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 230b0767..93c14ca4 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -308,14 +308,12 @@ tunable_policy(`use_lpd_server',`
 ')
 tunable_policy(`use_nfs_home_dirs',`
- files_list_home(lpr_t)
 fs_list_auto_mountpoints(lpr_t)
 fs_read_nfs_files(lpr_t)
 fs_read_nfs_symlinks(lpr_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
- files_list_home(lpr_t)
 fs_list_auto_mountpoints(lpr_t)
 fs_read_cifs_files(lpr_t)
 fs_read_cifs_symlinks(lpr_t)
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 1adbca27..4d66b765 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
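Review bot: The courier.te hunk leaves the real duplicates in place: `allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;` appears twice in the context, once before and once after the removed line, and `courier_tcpd_t:fifo_file` is granted twice with two different permission sets (`rw_fifo_file_perms` in the hunk header and `rw_file_perms` on the last context line). Since the commit's purpose is to drop redundant rules, the second tcp_socket line is the obvious candidate, and the two fifo_file rules should be collapsed into the one set that is actually intended. The courier_authdaemon_t block continues outside the hunk, so there may be further repeats beyond the visible lines.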
@@ -98,7 +98,6 @@ files_read_etc_files(prelude_t)
 files_read_etc_runtime_files(prelude_t)
 files_read_usr_files(prelude_t)
 files_search_tmp(prelude_t)
-files_search_tmp(prelude_t)
 fs_rw_anon_inodefs_files(prelude_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 29d86072..33e72e80 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -240,10 +240,6 @@ optional_policy(`
 oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
 ')
-optional_policy(`
- rgmanager_stream_connect(ricci_modclusterd_t)
-')
-
 optional_policy(`
 # XXX This has got to go.
 unconfined_domain(ricci_modcluster_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eca9400b..2dad3c8e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -200,54 +200,6 @@ optional_policy(`
 xserver_domtrans_xauth(ssh_t)
 ')
-######################################## - - # ssh_keygen local policy - - -# ssh_keygen_t is the type of the ssh-keygen program when run at install time - # and by sysadm_t
-
-dontaudit ssh_keygen_t self:capability sys_tty_config;
-allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
-kernel_read_kernel_sysctls(ssh_keygen_t)
-
-fs_search_auto_mountpoints(ssh_keygen_t)
-
-dev_read_sysfs(ssh_keygen_t)
-dev_read_urand(ssh_keygen_t)
-
-term_dontaudit_use_console(ssh_keygen_t)
-
-domain_use_interactive_fds(ssh_keygen_t)
-
-files_read_etc_files(ssh_keygen_t)
-
-init_use_fds(ssh_keygen_t)
-init_use_script_ptys(ssh_keygen_t)
-
-logging_send_syslog_msg(ssh_keygen_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
-')
-
-optional_policy(`
- udev_read_db(ssh_keygen_t)
-')
-
 ##############################
 #
 # ssh_keysign_t local policy
@@ -400,6 +352,10 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
+')
+
 optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3151f519..3cce663f 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -168,10 +168,6 @@ optional_policy(`
 xen_rw_image_files(svirt_t)
 ')
-optional_policy(`
- xen_rw_image_files(svirt_t)
-')
-
 ########################################
 #
 # virtd local policy
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d19c42ba..4566008f 100644
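Review bot: The first ssh.te hunk deletes the entire ssh_keygen local policy block, while the second hunk only adds the `nscd_socket_use(ssh_keygen_t)` optional block to what appears to be a second copy of that policy further down the file; the second hunk's context shows `logging_send_syslog_msg`, `userdom_dontaudit_use_unpriv_user_fds` and `seutil_sigchld_newrole`, but none of the other removed rules. The fact that nscd had to be re-added means the two copies were not identical, so the surviving block should be diffed line by line against the removed one before this is treated as a pure duplicate removal, in particular for `allow ssh_keygen_t sshd_key_t:file manage_file_perms;`, `files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)`, `dev_read_urand(ssh_keygen_t)` and the `udev_read_db` optional block, which presumably are what let ssh-keygen create host keys. The surviving ssh_keygen block begins outside the second hunk, so its earlier rules are not visible here.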
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -166,7 +166,6 @@ init_domain(xdm_t, xdm_exec_t)
 init_daemon_domain(xdm_t, xdm_exec_t)
 xserver_object_types_template(xdm)
 xserver_common_x_domain_template(xdm, xdm_t)
-xserver_unconfined(xdm_t)
 type xdm_lock_t;
 files_lock_file(xdm_lock_t)
@@ -832,8 +831,6 @@ init_use_fds(xserver_t)
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
-xserver_use_user_fonts(xserver_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xserver_t)
 fs_manage_nfs_files(xserver_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d9d27896..29f9757d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -126,7 +126,6 @@ domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
-domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
 files_read_etc_files(init_t)
@@ -299,13 +298,10 @@ dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-corecmd_exec_all_executables(initrc_t)
-
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
-domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 3da53c1d..828156a3 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,9 +372,6 @@ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
-allow syslogd_t syslogd_var_run_t:file manage_file_perms;
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0860841f..86ef2da2 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -211,7 +211,6 @@ files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 kernel_read_system_state(lvm_t)
-kernel_read_kernel_sysctls(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7d565ea8..dfbe7365 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -333,10 +333,6 @@ optional_policy(`
 ipsec_write_pid(ifconfig_t)
 ')
-optional_policy(`
- netutils_domtrans(dhcpc_t)
-')
-
 optional_policy(`
 nis_use_ypbind(ifconfig_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f0a4fdee..f661f5a5 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -353,7 +353,6 @@ storage_raw_write_fixed_disk(xenstored_t)
 storage_raw_read_removable_device(xenstored_t)
 term_use_generic_ptys(xenstored_t)
-term_use_console(xenconsoled_t)
 init_use_fds(xenstored_t)
 init_use_script_ptys(xenstored_t)