commit:     465454fc28242165142d26bacbca592ca0565849
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Sep 24 17:10:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:24:27 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=465454fc

Drop RHEL4 and RHEL5 support.

---
 Makefile                           |  5 ----
 README                             |  7 +++--
 Rules.monolithic                   |  7 -----
 policy/modules/admin/su.if         | 54 --------------------------------------
 policy/modules/kernel/kernel.if    | 16 -----------
 policy/modules/kernel/selinux.if   | 20 --------------
 policy/modules/kernel/selinux.te   | 10 -------
 policy/modules/services/xserver.te |  8 ------
 policy/modules/system/init.if      | 24 -----------------
 9 files changed, 3 insertions(+), 148 deletions(-)

diff --git a/Makefile b/Makefile
index 70b213a..09fae9d 100644
--- a/Makefile
+++ b/Makefile
@@ -188,11 +188,6 @@ ifneq ($(DISTRO),)
        M4PARAM += -D distro_$(DISTRO)
 endif
 
-# rhel4 also implies redhat
-ifeq "$(DISTRO)" "rhel4"
-       M4PARAM += -D distro_redhat
-endif
-
 ifeq "$(DISTRO)" "ubuntu"
        M4PARAM += -D distro_debian
 endif

diff --git a/README b/README
index a3e8082..9a97ecf 100644
--- a/README
+++ b/README
@@ -95,10 +95,9 @@ NAME                 String (optional).  Sets the name of 
the policy; the
                        set, the policy type (TYPE) is used.
 
 DISTRO                 String (optional).  Enable distribution-specific policy.
-                       Available options are redhat, rhel4, gentoo, debian,
-                       and suse.  This option controls distro_redhat,
-                       distro_rhel4, distro_gentoo, distro_debian, and
-                       distro_suse policy blocks.
+                       Available options are redhat, gentoo, and debian.
+                       This option controls distro_redhat, distro_gentoo, and
+                       distro_debian build option policy blocks.
 
 MONOLITHIC             Boolean.  If set, a monolithic policy is built,
                        otherwise a modular policy is built.

diff --git a/Rules.monolithic b/Rules.monolithic
index 6505550..d2de916 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -195,13 +195,6 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
        $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
        $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
        $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) 
$(USEPWD)
-ifeq "$(DISTRO)" "rhel4"
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
-       $(verbose) cat $@.homedirs >> $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
-       $(verbose) rm -f $@.homedirs
-endif
 
 ########################################
 #

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 5437f9c..aea8a4f 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -100,25 +100,6 @@ template(`su_restricted_domain_template', `
                ')
        ')
 
-       ifdef(`distro_rhel4',`
-               domain_role_change_exemption($1_su_t)
-               domain_subj_id_change_exemption($1_su_t)
-               domain_obj_id_change_exemption($1_su_t)
-
-               selinux_get_fs_mount($1_su_t)
-               selinux_validate_context($1_su_t)
-               selinux_compute_access_vector($1_su_t)
-               selinux_compute_create_context($1_su_t)
-               selinux_compute_relabel_context($1_su_t)
-               selinux_compute_user_contexts($1_su_t)
-
-               seutil_read_config($1_su_t)
-               seutil_read_default_contexts($1_su_t)
-
-               # Only allow transitions to unprivileged user domains.
-               userdom_spec_domtrans_unpriv_users($1_su_t)
-       ')
-
        ifdef(`hide_broken_symptoms',`
                # dontaudit leaked sockets from parent
                dontaudit $1_su_t $2:socket_class_set { read write };
@@ -246,41 +227,6 @@ template(`su_role_template',`
                ')
        ')
 
-       ifdef(`distro_rhel4',`
-               domain_role_change_exemption($1_su_t)
-               domain_subj_id_change_exemption($1_su_t)
-               domain_obj_id_change_exemption($1_su_t)
-
-               selinux_get_fs_mount($1_su_t)
-               selinux_validate_context($1_su_t)
-               selinux_compute_create_context($1_su_t)
-               selinux_compute_relabel_context($1_su_t)
-               selinux_compute_user_contexts($1_su_t)
-
-               # Relabel ttys and ptys.
-               term_relabel_all_ttys($1_su_t)
-               term_relabel_all_ptys($1_su_t)
-               # Close and re-open ttys and ptys to get the fd into the 
correct domain.
-               term_use_all_ttys($1_su_t)
-               term_use_all_ptys($1_su_t)
-
-               seutil_read_config($1_su_t)
-               seutil_read_default_contexts($1_su_t)
-
-               if(secure_mode) {
-                       # Only allow transitions to unprivileged user domains.
-                       userdom_spec_domtrans_unpriv_users($1_su_t)
-               } else {
-                       # Allow transitions to all user domains
-                       userdom_spec_domtrans_all_users($1_su_t)
-               }
-
-               optional_policy(`
-                       unconfined_domtrans($1_su_t)
-                       unconfined_signal($1_su_t)
-               ')
-       ')
-
        ifdef(`hide_broken_symptoms',`
                # dontaudit leaked sockets from parent
                dontaudit $1_su_t $3:socket_class_set { read write };

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index c100068..faa19d7 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -495,14 +495,6 @@ interface(`kernel_change_ring_buffer_level',`
 
        allow $1 self:capability2 syslog;
        allow $1 kernel_t:system syslog_console;
-
-       ifdef(`distro_rhel4',`
-               allow $1 self:capability sys_admin;
-       ')
-
-       ifdef(`distro_rhel5',`
-               allow $1 self:capability sys_admin;
-       ')
 ')
 
 ########################################
@@ -523,14 +515,6 @@ interface(`kernel_clear_ring_buffer',`
 
        allow $1 self:capability2 syslog;
        allow $1 kernel_t:system syslog_mod;
-
-       ifdef(`distro_rhel4',`
-               allow $1 self:capability sys_admin;
-       ')
-
-       ifdef(`distro_rhel5',`
-               allow $1 self:capability sys_admin;
-       ')
 ')
 
 ########################################

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 9192d23..8d5feca 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -334,11 +334,6 @@ interface(`selinux_set_enforce_mode',`
 
        if(!secure_mode_policyload) {
                allow $1 security_t:security setenforce;
-
-               ifdef(`distro_rhel4',`
-                       # needed for systems without audit support
-                       auditallow $1 security_t:security setenforce;
-               ')
        }
 ')
 
@@ -366,11 +361,6 @@ interface(`selinux_load_policy',`
 
        if(!secure_mode_policyload) {
                allow $1 security_t:security load_policy;
-
-               ifdef(`distro_rhel4',`
-                       # needed for systems without audit support
-                       auditallow $1 security_t:security load_policy;
-               ')
        }
 ')
 
@@ -460,11 +450,6 @@ interface(`selinux_set_generic_booleans',`
        allow $1 security_t:file rw_file_perms;
 
        allow $1 security_t:security setbool;
-
-       ifdef(`distro_rhel4',`
-               # needed for systems without audit support
-               auditallow $1 security_t:security setbool;
-       ')
 ')
 
 ########################################
@@ -504,11 +489,6 @@ interface(`selinux_set_all_booleans',`
 
        allow $1 security_t:security setbool;
 
-       ifdef(`distro_rhel4',`
-               # needed for systems without audit support
-               auditallow $1 security_t:security setbool;
-       ')
-
        if(!secure_mode_policyload) {
                allow $1 secure_mode_policyload_t:file write_file_perms;
        }

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 4f94796..1908c34 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -54,17 +54,7 @@ allow selinux_unconfined_type { boolean_type 
-secure_mode_policyload_t }:file wr
 # Access the security API.
 allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
 
-ifdef(`distro_rhel4',`
-       # needed for systems without audit support
-       auditallow selinux_unconfined_type security_t:security setbool;
-')
-
 if(!secure_mode_policyload) {
        allow selinux_unconfined_type security_t:security { load_policy 
setenforce };
        allow selinux_unconfined_type secure_mode_policyload_t:file 
write_file_perms;
-
-       ifdef(`distro_rhel4',`
-               # needed for systems without audit support
-               auditallow selinux_unconfined_type security_t:security { 
load_policy setenforce };
-       ')
 }

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 3eb114f..ee3773d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -573,10 +573,6 @@ optional_policy(`
        ifndef(`distro_redhat',`
                allow xdm_t self:process { execheap execmem };
        ')
-
-       ifdef(`distro_rhel4',`
-               allow xdm_t self:process { execheap execmem };
-       ')
 ')
 
 optional_policy(`
@@ -749,10 +745,6 @@ userdom_rw_user_tmpfs_files(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-ifdef(`distro_rhel4',`
-       allow xserver_t self:process { execmem execheap execstack };
-')
-
 ifdef(`enable_mls',`
        range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
        range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 76ef0dc..36eb078 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -108,14 +108,6 @@ interface(`init_domain',`
        role system_r types $1;
 
        domtrans_pattern(init_t, $2, $1)
-
-       ifdef(`hide_broken_symptoms',`
-               # RHEL4 systems seem to have a stray
-               # fds open from the initrd
-               ifdef(`distro_rhel4',`
-                       kernel_dontaudit_use_fds($1)
-               ')
-       ')
 ')
 
 ########################################
@@ -253,14 +245,6 @@ interface(`init_daemon_domain',`
                userdom_dontaudit_use_user_terminals($1)
        ')
 
-       ifdef(`hide_broken_symptoms',`
-               # RHEL4 systems seem to have a stray
-               # fds open from the initrd
-               ifdef(`distro_rhel4',`
-                       kernel_dontaudit_use_fds($1)
-               ')
-       ')
-
        optional_policy(`
                nscd_use($1)
        ')
@@ -373,14 +357,6 @@ interface(`init_system_domain',`
        role system_r types $1;
 
        domtrans_pattern(initrc_t, $2, $1)
-
-       ifdef(`hide_broken_symptoms',`
-               # RHEL4 systems seem to have a stray
-               # fds open from the initrd
-               ifdef(`distro_rhel4',`
-                       kernel_dontaudit_use_fds($1)
-               ')
-       ')
 ')
 
 ########################################
