From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/admin/, ...
Date: Sun, 21 Mar 2021 22:10:59 +0000 (UTC)	[thread overview]
Message-ID: <1616362703.9d92c27494dc086745e0d0dadf249f34f932559a.perfinion@gentoo> (raw)

commit:     9d92c27494dc086745e0d0dadf249f34f932559a
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar  6 18:40:58 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9d92c274

Remove additional unused modules

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/bcfg2.fc             |   9 -
 policy/modules/admin/bcfg2.if             | 151 ---------
 policy/modules/admin/bcfg2.te             |  59 ----
 policy/modules/admin/ddcprobe.fc          |   3 -
 policy/modules/admin/ddcprobe.if          |  47 ---
 policy/modules/admin/ddcprobe.te          |  51 ---
 policy/modules/admin/logrotate.te         |   9 -
 policy/modules/apps/lockdev.fc            |   5 -
 policy/modules/apps/lockdev.if            |  42 ---
 policy/modules/apps/lockdev.te            |  35 --
 policy/modules/roles/staff.te             |   4 -
 policy/modules/roles/sysadm.te            |  82 -----
 policy/modules/roles/unprivuser.te        |   4 -
 policy/modules/services/aiccu.fc          |   9 -
 policy/modules/services/aiccu.if          |  87 -----
 policy/modules/services/aiccu.te          |  74 -----
 policy/modules/services/aisexec.te        |  16 -
 policy/modules/services/amavis.te         |   5 -
 policy/modules/services/apache.te         |   4 -
 policy/modules/services/callweaver.fc     |  13 -
 policy/modules/services/callweaver.if     |  78 -----
 policy/modules/services/callweaver.te     |  85 -----
 policy/modules/services/ccs.fc            |  14 -
 policy/modules/services/ccs.if            | 124 -------
 policy/modules/services/ccs.te            | 126 -------
 policy/modules/services/cipe.fc           |   5 -
 policy/modules/services/cipe.if           |  29 --
 policy/modules/services/cipe.te           |  67 ----
 policy/modules/services/clockspeed.fc     |   7 -
 policy/modules/services/clockspeed.if     |  48 ---
 policy/modules/services/clockspeed.te     |  73 -----
 policy/modules/services/clogd.fc          |   5 -
 policy/modules/services/clogd.if          |  59 ----
 policy/modules/services/clogd.te          |  49 ---
 policy/modules/services/cmirrord.fc       |   7 -
 policy/modules/services/cmirrord.if       | 108 ------
 policy/modules/services/cmirrord.te       |  57 ----
 policy/modules/services/condor.te         |   4 -
 policy/modules/services/corosync.te       |  19 --
 policy/modules/services/dcc.fc            |  30 --
 policy/modules/services/dcc.if            | 178 ----------
 policy/modules/services/dcc.te            | 338 -------------------
 policy/modules/services/denyhosts.fc      |   9 -
 policy/modules/services/denyhosts.if      |  76 -----
 policy/modules/services/denyhosts.te      |  71 ----
 policy/modules/services/dspam.fc          |  12 -
 policy/modules/services/dspam.if          |  79 -----
 policy/modules/services/dspam.te          |  87 -----
 policy/modules/services/howl.fc           |   6 -
 policy/modules/services/howl.if           |  50 ---
 policy/modules/services/howl.te           |  73 -----
 policy/modules/services/imaze.fc          |   7 -
 policy/modules/services/imaze.if          |   1 -
 policy/modules/services/imaze.te          |  79 -----
 policy/modules/services/jockey.fc         |   6 -
 policy/modules/services/jockey.if         |   1 -
 policy/modules/services/jockey.te         |  59 ----
 policy/modules/services/ktalk.fc          |   9 -
 policy/modules/services/ktalk.if          |   1 -
 policy/modules/services/ktalk.te          |  59 ----
 policy/modules/services/mailscanner.fc    |  15 -
 policy/modules/services/mailscanner.if    |  60 ----
 policy/modules/services/mailscanner.te    |  98 ------
 policy/modules/services/networkmanager.te |   8 -
 policy/modules/services/oav.fc            |  12 -
 policy/modules/services/oav.if            |  47 ---
 policy/modules/services/oav.te            | 122 -------
 policy/modules/services/polipo.fc         |  15 -
 policy/modules/services/polipo.if         | 141 --------
 policy/modules/services/polipo.te         | 167 ----------
 policy/modules/services/postfix.te        |   8 -
 policy/modules/services/pyicqt.fc         |  11 -
 policy/modules/services/pyicqt.if         |  42 ---
 policy/modules/services/pyicqt.te         |  90 -----
 policy/modules/services/rgmanager.fc      |  15 -
 policy/modules/services/rgmanager.if      | 120 -------
 policy/modules/services/rgmanager.te      | 199 ------------
 policy/modules/services/rhcs.fc           |  40 ---
 policy/modules/services/rhcs.if           | 496 ----------------------------
 policy/modules/services/rhcs.te           | 319 ------------------
 policy/modules/services/ricci.fc          |  21 --
 policy/modules/services/ricci.if          | 219 -------------
 policy/modules/services/ricci.te          | 523 ------------------------------
 policy/modules/services/rpc.te            |   4 -
 policy/modules/services/samba.te          |   4 -
 policy/modules/services/snmp.te           |   4 -
 policy/modules/services/spamassassin.te   |   7 -
 policy/modules/system/lvm.fc              |   2 -
 policy/modules/system/lvm.if              |  30 +-
 policy/modules/system/lvm.te              | 123 -------
 90 files changed, 4 insertions(+), 5862 deletions(-)

diff --git a/policy/modules/admin/bcfg2.fc b/policy/modules/admin/bcfg2.fc
deleted file mode 100644
index cd2da279..00000000
--- a/policy/modules/admin/bcfg2.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-
-/usr/bin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
-/usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
-/var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-
-/run/bcfg2-server\.pid	--	gen_context(system_u:object_r:bcfg2_runtime_t,s0)

diff --git a/policy/modules/admin/bcfg2.if b/policy/modules/admin/bcfg2.if
deleted file mode 100644
index 9ab71d21..00000000
--- a/policy/modules/admin/bcfg2.if
+++ /dev/null
@@ -1,151 +0,0 @@
-## <summary>configuration management suite.</summary>
-
-########################################
-## <summary>
-##	Execute bcfg2 in the bcfg2 domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`bcfg2_domtrans',`
-	gen_require(`
-		type bcfg2_t, bcfg2_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
-')
-
-########################################
-## <summary>
-##	Execute bcfg2 server in the bcfg2 domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_initrc_domtrans',`
-	gen_require(`
-		type bcfg2_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Search bcfg2 lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_search_lib',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Read bcfg2 lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_read_lib_files',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	bcfg2 lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_manage_lib_files',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	bcfg2 lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bcfg2_manage_lib_dirs',`
-	gen_require(`
-		type bcfg2_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an bcfg2 environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`bcfg2_admin',`
-	gen_require(`
-		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
-		type bcfg2_runtime_t;
-	')
-
-	allow $1 bcfg2_t:process { ptrace signal_perms };
-	ps_process_pattern($1, bcfg2_t)
-
-	init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, bcfg2_runtime_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, bcfg2_var_lib_t)
-')

diff --git a/policy/modules/admin/bcfg2.te b/policy/modules/admin/bcfg2.te
deleted file mode 100644
index 4bad05be..00000000
--- a/policy/modules/admin/bcfg2.te
+++ /dev/null
@@ -1,59 +0,0 @@
-policy_module(bcfg2, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type bcfg2_t;
-type bcfg2_exec_t;
-init_daemon_domain(bcfg2_t, bcfg2_exec_t)
-
-type bcfg2_initrc_exec_t;
-init_script_file(bcfg2_initrc_exec_t)
-
-type bcfg2_runtime_t alias bcfg2_var_run_t;
-files_runtime_file(bcfg2_runtime_t)
-
-type bcfg2_var_lib_t;
-files_type(bcfg2_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow bcfg2_t self:fifo_file rw_fifo_file_perms;
-allow bcfg2_t self:tcp_socket { accept listen };
-allow bcfg2_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir)
-
-manage_files_pattern(bcfg2_t, bcfg2_runtime_t, bcfg2_runtime_t)
-files_runtime_filetrans(bcfg2_t, bcfg2_runtime_t, file)
-
-kernel_read_system_state(bcfg2_t)
-
-corenet_all_recvfrom_netlabel(bcfg2_t)
-corenet_tcp_sendrecv_generic_if(bcfg2_t)
-corenet_tcp_sendrecv_generic_node(bcfg2_t)
-corenet_tcp_bind_generic_node(bcfg2_t)
-
-corenet_sendrecv_cyphesis_server_packets(bcfg2_t)
-corenet_tcp_bind_cyphesis_port(bcfg2_t)
-
-corecmd_exec_bin(bcfg2_t)
-
-dev_read_urand(bcfg2_t)
-
-domain_use_interactive_fds(bcfg2_t)
-
-files_read_usr_files(bcfg2_t)
-
-auth_use_nsswitch(bcfg2_t)
-
-logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)

diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc
deleted file mode 100644
index 747c416e..00000000
--- a/policy/modules/admin/ddcprobe.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/ddcprobe	--	gen_context(system_u:object_r:ddcprobe_exec_t,s0)
-
-/usr/sbin/ddcprobe	--	gen_context(system_u:object_r:ddcprobe_exec_t,s0)

diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
deleted file mode 100644
index aeddb697..00000000
--- a/policy/modules/admin/ddcprobe.if
+++ /dev/null
@@ -1,47 +0,0 @@
-## <summary>ddcprobe retrieves monitor and graphics card information.</summary>
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ddcprobe_domtrans',`
-	gen_require(`
-		type ddcprobe_t, ddcprobe_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
-')
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe
-##	domain, and allow the specified
-##	role the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ddcprobe_run',`
-	gen_require(`
-		attribute_role ddcprobe_roles;
-	')
-
-	ddcprobe_domtrans($1)
-	roleattribute $2 ddcprobe_roles;
-')

diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
deleted file mode 100644
index df8ae72c..00000000
--- a/policy/modules/admin/ddcprobe.te
+++ /dev/null
@@ -1,51 +0,0 @@
-policy_module(ddcprobe, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role ddcprobe_roles;
-roleattribute system_r ddcprobe_roles;
-
-type ddcprobe_t;
-type ddcprobe_exec_t;
-application_domain(ddcprobe_t, ddcprobe_exec_t)
-role ddcprobe_roles types ddcprobe_t;
-
-########################################
-#
-# Local policy
-#
-
-allow ddcprobe_t self:capability { sys_admin sys_rawio };
-allow ddcprobe_t self:process execmem;
-
-kernel_read_system_state(ddcprobe_t)
-kernel_read_kernel_sysctls(ddcprobe_t)
-kernel_change_ring_buffer_level(ddcprobe_t)
-
-files_search_kernel_modules(ddcprobe_t)
-
-corecmd_list_bin(ddcprobe_t)
-corecmd_exec_bin(ddcprobe_t)
-
-dev_read_urand(ddcprobe_t)
-dev_read_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
-dev_wx_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
-
-files_read_etc_files(ddcprobe_t)
-files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
-
-term_use_all_ttys(ddcprobe_t)
-term_use_all_ptys(ddcprobe_t)
-
-libs_read_lib_files(ddcprobe_t)
-
-miscfiles_read_localization(ddcprobe_t)
-
-modutils_read_module_deps(ddcprobe_t)
-
-userdom_use_user_terminals(ddcprobe_t)
-userdom_use_all_users_fds(ddcprobe_t)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 3d79620c..7538100a 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -166,11 +166,6 @@ optional_policy(`
 	bind_manage_cache(logrotate_t)
 ')
 
-optional_policy(`
-	callweaver_exec(logrotate_t)
-	callweaver_stream_connect(logrotate_t)
-')
-
 optional_policy(`
 	consoletype_exec(logrotate_t)
 ')
@@ -234,10 +229,6 @@ optional_policy(`
 	openvswitch_domtrans(logrotate_t)
 ')
 
-optional_policy(`
-	polipo_log_filetrans_log(logrotate_t, file, "polipo")
-')
-
 optional_policy(`
 	psad_domtrans(logrotate_t)
 ')

diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc
deleted file mode 100644
index 65ed30df..00000000
--- a/policy/modules/apps/lockdev.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/bin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
-
-/usr/sbin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
-
-/var/lock/lockdev(/.*)?	gen_context(system_u:object_r:lockdev_lock_t,s0)

diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
deleted file mode 100644
index 4313b8bc..00000000
--- a/policy/modules/apps/lockdev.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Library for locking devices.</summary>
-
-########################################
-## <summary>
-##	Role access for lockdev.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`lockdev_role',`
-	gen_require(`
-		attribute_role lockdev_roles;
-		type lockdev_t, lockdev_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	roleattribute $1 lockdev_roles;
-
-	########################################
-	#
-	# Policy
-	#
-
-	domtrans_pattern($2, lockdev_exec_t, lockdev_t)
-
-	allow $2 lockdev_t:process { ptrace signal_perms };
-	ps_process_pattern($2, lockdev_t)
-
-	allow lockdev_t $2:process signull;
-')

diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
deleted file mode 100644
index 056663ab..00000000
--- a/policy/modules/apps/lockdev.te
+++ /dev/null
@@ -1,35 +0,0 @@
-policy_module(lockdev, 1.7.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role lockdev_roles;
-
-type lockdev_t;
-type lockdev_exec_t;
-userdom_user_application_domain(lockdev_t, lockdev_exec_t)
-role lockdev_roles types lockdev_t;
-
-type lockdev_lock_t;
-files_lock_file(lockdev_lock_t)
-ubac_constrained(lockdev_lock_t)
-
-########################################
-#
-# Local policy
-#
-
-allow lockdev_t self:capability setgid;
-
-manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
-files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
-
-files_read_all_locks(lockdev_t)
-
-fs_getattr_xattr_fs(lockdev_t)
-
-logging_send_syslog_msg(lockdev_t)
-
-userdom_use_user_terminals(lockdev_t)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 75087aa6..437f578b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -137,10 +137,6 @@ ifndef(`distro_redhat',`
 		libmtp_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		lockdev_role(staff_r, staff_t)
-	')
-
 	optional_policy(`
 		lpd_role(staff_r, staff_t)
 	')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e24fa660..af41c83f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -108,10 +108,6 @@ optional_policy(`
 	afs_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	aiccu_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	aide_admin(sysadm_t, sysadm_r)
 ')
@@ -182,10 +178,6 @@ optional_policy(`
 	bacula_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	bcfg2_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	bind_admin(sysadm_t, sysadm_r)
 	bind_run_ndc(sysadm_t, sysadm_r)
@@ -219,18 +211,10 @@ optional_policy(`
 	calamaris_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	callweaver_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	canna_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ccs_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	certbot_run(sysadm_t, sysadm_r)
 ')
@@ -263,10 +247,6 @@ optional_policy(`
 	chronyd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	cipe_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	clamav_admin(sysadm_t, sysadm_r)
 ')
@@ -275,14 +255,6 @@ optional_policy(`
 	clock_run(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	clockspeed_run_cli(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	cmirrord_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	cobbler_admin(sysadm_t, sysadm_r)
 ')
@@ -336,24 +308,10 @@ optional_policy(`
 	dante_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	dcc_run_cdcc(sysadm_t, sysadm_r)
-	dcc_run_client(sysadm_t, sysadm_r)
-	dcc_run_dbclean(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	ddclient_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ddcprobe_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	denyhosts_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	devicekit_admin(sysadm_t, sysadm_r)
 ')
@@ -406,10 +364,6 @@ optional_policy(`
 	drbd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	dspam_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	entropyd_admin(sysadm_t, sysadm_r)
 ')
@@ -491,10 +445,6 @@ optional_policy(`
 	hwloc_run_dhwd(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	howl_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	hypervkvp_admin(sysadm_t, sysadm_r)
 ')
@@ -605,10 +555,6 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	lockdev_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
 	logrotate_run(sysadm_t, sysadm_r)
 ')
@@ -683,10 +629,6 @@ optional_policy(`
 	mrtg_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	mscan_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	mta_role(sysadm_r, sysadm_t)
 ')
@@ -751,10 +693,6 @@ optional_policy(`
 	nut_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	oav_run_update(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	oident_admin(sysadm_t, sysadm_r)
 ')
@@ -811,10 +749,6 @@ optional_policy(`
 	plymouthd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	polipo_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
@@ -866,10 +800,6 @@ optional_policy(`
 	pxe_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	pyicqt_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	pyzor_admin(sysadm_t, sysadm_r)
 	pyzor_role(sysadm_r, sysadm_t)
@@ -917,22 +847,10 @@ optional_policy(`
 	resmgr_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	rgmanager_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	rhcs_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	rhsmcertd_admin(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	ricci_admin(sysadm_t, sysadm_r)
-')
-
 optional_policy(`
 	rkhunter_run(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 64586765..41f6b8ec 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -109,10 +109,6 @@ ifndef(`distro_redhat',`
 		libmtp_role(user_r, user_t)
 	')
 
-	optional_policy(`
-		lockdev_role(user_r, user_t)
-	')
-
 	optional_policy(`
 		lpd_role(user_r, user_t)
 	')

diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
deleted file mode 100644
index 573b04fd..00000000
--- a/policy/modules/services/aiccu.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/aiccu\.conf	--	gen_context(system_u:object_r:aiccu_etc_t,s0)
-
-/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
-
-/usr/bin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
-
-/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
-
-/run/aiccu\.pid	--	gen_context(system_u:object_r:aiccu_runtime_t,s0)

diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
deleted file mode 100644
index b3e39e0f..00000000
--- a/policy/modules/services/aiccu.if
+++ /dev/null
@@ -1,87 +0,0 @@
-## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run aiccu.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`aiccu_domtrans',`
-	gen_require(`
-		type aiccu_t, aiccu_exec_t;
-	')
-
-	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
-	corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
-##	Execute aiccu server in the aiccu domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`aiccu_initrc_domtrans',`
-	gen_require(`
-		type aiccu_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Read aiccu PID files.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`aiccu_read_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an aiccu environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`aiccu_admin',`
-	gen_require(`
-		type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
-		type aiccu_runtime_t;
-	')
-
-	allow $1 aiccu_t:process { ptrace signal_perms };
-	ps_process_pattern($1, aiccu_t)
-
-	init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
-
-	admin_pattern($1, aiccu_etc_t)
-	files_list_etc($1)
-
-	admin_pattern($1, aiccu_runtime_t)
-	files_list_runtime($1)
-')

diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
deleted file mode 100644
index adb4ae5d..00000000
--- a/policy/modules/services/aiccu.te
+++ /dev/null
@@ -1,74 +0,0 @@
-policy_module(aiccu, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type aiccu_t;
-type aiccu_exec_t;
-init_daemon_domain(aiccu_t, aiccu_exec_t)
-
-type aiccu_initrc_exec_t;
-init_script_file(aiccu_initrc_exec_t)
-
-type aiccu_etc_t;
-files_config_file(aiccu_etc_t)
-
-type aiccu_runtime_t alias aiccu_var_run_t;
-files_runtime_file(aiccu_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-allow aiccu_t self:capability { kill net_admin net_raw };
-dontaudit aiccu_t self:capability sys_tty_config;
-allow aiccu_t self:process signal;
-allow aiccu_t self:fifo_file rw_fifo_file_perms;
-allow aiccu_t self:netlink_route_socket nlmsg_write;
-allow aiccu_t self:tcp_socket { accept listen };
-allow aiccu_t self:tun_socket create_socket_perms;
-allow aiccu_t self:udp_socket { accept listen };
-allow aiccu_t self:unix_stream_socket { accept listen };
-
-allow aiccu_t aiccu_etc_t:file read_file_perms;
-
-manage_dirs_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t)
-manage_files_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t)
-files_runtime_filetrans(aiccu_t, aiccu_runtime_t, { file dir })
-
-kernel_read_system_state(aiccu_t)
-
-corecmd_exec_shell(aiccu_t)
-
-corenet_all_recvfrom_netlabel(aiccu_t)
-corenet_tcp_bind_generic_node(aiccu_t)
-corenet_tcp_sendrecv_generic_if(aiccu_t)
-corenet_tcp_sendrecv_generic_node(aiccu_t)
-
-corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
-corenet_tcp_connect_sixxsconfig_port(aiccu_t)
-
-corenet_rw_tun_tap_dev(aiccu_t)
-
-domain_use_interactive_fds(aiccu_t)
-
-dev_read_rand(aiccu_t)
-dev_read_urand(aiccu_t)
-
-files_read_etc_files(aiccu_t)
-
-logging_send_syslog_msg(aiccu_t)
-
-miscfiles_read_localization(aiccu_t)
-
-optional_policy(`
-	modutils_domtrans(aiccu_t)
-')
-
-optional_policy(`
-	sysnet_dns_name_resolve(aiccu_t)
-	sysnet_domtrans_ifconfig(aiccu_t)
-')

diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index d9af2b65..e03912e3 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -95,19 +95,3 @@ miscfiles_read_localization(aisexec_t)
 
 userdom_rw_unpriv_user_semaphores(aisexec_t)
 userdom_rw_unpriv_user_shared_mem(aisexec_t)
-
-optional_policy(`
-	ccs_stream_connect(aisexec_t)
-')
-
-optional_policy(`
-	rhcs_rw_dlm_controld_semaphores(aisexec_t)
-
-	rhcs_rw_fenced_semaphores(aisexec_t)
-
-	rhcs_rw_gfs_controld_semaphores(aisexec_t)
-	rhcs_rw_gfs_controld_shm(aisexec_t)
-
-	rhcs_rw_groupd_semaphores(aisexec_t)
-	rhcs_rw_groupd_shm(aisexec_t)
-')

diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index bd188224..325e489d 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -161,11 +161,6 @@ optional_policy(`
 	cron_rw_pipes(amavis_t)
 ')
 
-optional_policy(`
-	dcc_domtrans_client(amavis_t)
-	dcc_stream_connect_dccifd(amavis_t)
-')
-
 optional_policy(`
 	mta_read_config(amavis_t)
 ')

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index b6216a33..2348f6c6 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -757,10 +757,6 @@ optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')
 
-optional_policy(`
-	ccs_read_config(httpd_t)
-')
-
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_t)
 ')

diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc
deleted file mode 100644
index 130b409b..00000000
--- a/policy/modules/services/callweaver.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-/etc/rc\.d/init\.d/callweaver	--	gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
-
-/usr/bin/callweaver	--	gen_context(system_u:object_r:callweaver_exec_t,s0)
-
-/usr/sbin/callweaver	--	gen_context(system_u:object_r:callweaver_exec_t,s0)
-
-/var/lib/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_var_lib_t,s0)
-
-/var/log/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_log_t,s0)
-
-/run/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_runtime_t,s0)
-
-/var/spool/callweaver(/.*)?	gen_context(system_u:object_r:callweaver_spool_t,s0)

diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
deleted file mode 100644
index 0da1411f..00000000
--- a/policy/modules/services/callweaver.if
+++ /dev/null
@@ -1,78 +0,0 @@
-## <summary>PBX software.</summary>
-
-########################################
-## <summary>
-##	Execute callweaver in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`callweaver_exec',`
-	gen_require(`
-		type callweaver_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, callweaver_exec_t)
-')
-
-########################################
-## <summary>
-##	Connect to callweaver over a
-##	unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`callweaver_stream_connect',`
-	gen_require(`
-		type callweaver_t, callweaver_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, callweaver_runtime_t, callweaver_runtime_t, callweaver_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an callweaver environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`callweaver_admin',`
-	gen_require(`
-		type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
-		type callweaver_var_lib_t, callweaver_runtime_t, callweaver_spool_t;
-	')
-
-	allow $1 callweaver_t:process { ptrace signal_perms };
-	ps_process_pattern($1, callweaver_t)
-
-	init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, callweaver_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, callweaver_runtime_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
-')

diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
deleted file mode 100644
index b14fe861..00000000
--- a/policy/modules/services/callweaver.te
+++ /dev/null
@@ -1,85 +0,0 @@
-policy_module(callweaver, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type callweaver_t;
-type callweaver_exec_t;
-init_daemon_domain(callweaver_t, callweaver_exec_t)
-
-type callweaver_initrc_exec_t;
-init_script_file(callweaver_initrc_exec_t)
-
-type callweaver_log_t;
-logging_log_file(callweaver_log_t)
-
-type callweaver_runtime_t alias callweaver_var_run_t;
-files_runtime_file(callweaver_runtime_t)
-
-type callweaver_var_lib_t;
-files_type(callweaver_var_lib_t)
-
-type callweaver_spool_t;
-files_type(callweaver_spool_t)
-
-########################################
-#
-# Local policy
-#
-
-allow callweaver_t self:capability { setgid setuid sys_nice };
-allow callweaver_t self:process { setsched signal };
-allow callweaver_t self:fifo_file rw_fifo_file_perms;
-allow callweaver_t self:tcp_socket { accept listen };
-allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-append_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-create_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-setattr_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-manage_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-manage_sock_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t)
-files_runtime_filetrans(callweaver_t, callweaver_runtime_t, { dir file sock_file })
-
-manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
-
-kernel_read_kernel_sysctls(callweaver_t)
-kernel_read_sysctl(callweaver_t)
-
-corenet_all_recvfrom_netlabel(callweaver_t)
-corenet_udp_sendrecv_generic_if(callweaver_t)
-corenet_udp_sendrecv_generic_node(callweaver_t)
-corenet_udp_bind_generic_node(callweaver_t)
-
-corenet_sendrecv_asterisk_server_packets(callweaver_t)
-corenet_udp_bind_asterisk_port(callweaver_t)
-
-corenet_sendrecv_generic_server_packets(callweaver_t)
-corenet_udp_bind_generic_port(callweaver_t)
-
-corenet_sendrecv_sip_server_packets(callweaver_t)
-corenet_udp_bind_sip_port(callweaver_t)
-
-dev_manage_generic_symlinks(callweaver_t)
-
-domain_use_interactive_fds(callweaver_t)
-
-term_getattr_pty_fs(callweaver_t)
-term_use_generic_ptys(callweaver_t)
-term_use_ptmx(callweaver_t)
-
-auth_use_nsswitch(callweaver_t)
-
-miscfiles_read_localization(callweaver_t)

diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc
deleted file mode 100644
index fb224aaa..00000000
--- a/policy/modules/services/ccs.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-/etc/cluster(/.*)?	gen_context(system_u:object_r:cluster_conf_t,s0)
-
-/etc/rc\.d/init\.d/((ccs)|(ccsd))	--	gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
-
-/usr/bin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/usr/sbin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/var/lib/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
-/var/log/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_log_t,s0)
-
-/run/cluster/((ccs)|(ccsd))\.pid	--	gen_context(system_u:object_r:ccs_runtime_t,s0)
-/run/cluster/((ccs)|(ccsd))\.sock	-s	gen_context(system_u:object_r:ccs_runtime_t,s0)

diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
deleted file mode 100644
index 05c1adc8..00000000
--- a/policy/modules/services/ccs.if
+++ /dev/null
@@ -1,124 +0,0 @@
-## <summary>Cluster Configuration System.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run ccs.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ccs_domtrans',`
-	gen_require(`
-		type ccs_t, ccs_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ccs_exec_t, ccs_t)
-')
-
-########################################
-## <summary>
-##	Connect to ccs over an unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_stream_connect',`
-	gen_require(`
-		type ccs_t, ccs_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ccs_runtime_t, ccs_runtime_t, ccs_t)
-')
-
-########################################
-## <summary>
-##	Read cluster configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_read_config',`
-	gen_require(`
-		type cluster_conf_t;
-	')
-
-	files_search_etc($1)
-	read_files_pattern($1, cluster_conf_t, cluster_conf_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	cluster configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ccs_manage_config',`
-	gen_require(`
-		type cluster_conf_t;
-	')
-
-	files_search_etc($1)
-	manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
-	manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an ccs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ccs_admin',`
-	gen_require(`
-		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t, ccs_var_log_t;
-		type ccs_runtime_t, ccs_tmp_t;
-	')
-
-	allow $1 ccs_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ccs_t)
-
-	init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, cluster_conf_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, ccs_var_lib_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, ccs_var_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, ccs_runtime_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, ccs_tmp_t)
-')

diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
deleted file mode 100644
index 66ac1d76..00000000
--- a/policy/modules/services/ccs.te
+++ /dev/null
@@ -1,126 +0,0 @@
-policy_module(ccs, 1.14.0)
-
-########################################
-#
-# Declarations
-#
-
-type ccs_t;
-type ccs_exec_t;
-init_daemon_domain(ccs_t, ccs_exec_t)
-
-type ccs_initrc_exec_t;
-init_script_file(ccs_initrc_exec_t)
-
-type cluster_conf_t;
-files_config_file(cluster_conf_t)
-
-type ccs_runtime_t alias ccs_var_run_t;
-files_runtime_file(ccs_runtime_t)
-
-type ccs_tmp_t;
-files_tmp_file(ccs_tmp_t)
-
-type ccs_tmpfs_t;
-files_tmpfs_file(ccs_tmpfs_t)
-
-type ccs_var_lib_t;
-logging_log_file(ccs_var_lib_t)
-
-type ccs_var_log_t;
-logging_log_file(ccs_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
-allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
-allow ccs_t self:fifo_file rw_fifo_file_perms;
-allow ccs_t self:unix_stream_socket { accept connectto listen };
-allow ccs_t self:tcp_socket { accept listen };
-allow ccs_t self:udp_socket { accept listen };
-allow ccs_t self:socket create_socket_perms;
-
-manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
-
-allow ccs_t ccs_tmp_t:dir manage_dir_perms;
-manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
-manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
-files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file })
-
-manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
-
-manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
-manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
-files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file })
-
-allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file })
-
-manage_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t)
-manage_sock_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t)
-files_runtime_filetrans(ccs_t, ccs_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ccs_t)
-
-corecmd_list_bin(ccs_t)
-corecmd_exec_bin(ccs_t)
-
-corenet_all_recvfrom_netlabel(ccs_t)
-corenet_tcp_sendrecv_generic_if(ccs_t)
-corenet_udp_sendrecv_generic_if(ccs_t)
-corenet_tcp_sendrecv_generic_node(ccs_t)
-corenet_udp_sendrecv_generic_node(ccs_t)
-corenet_tcp_bind_generic_node(ccs_t)
-corenet_udp_bind_generic_node(ccs_t)
-
-corenet_sendrecv_cluster_server_packets(ccs_t)
-corenet_tcp_bind_cluster_port(ccs_t)
-corenet_udp_bind_cluster_port(ccs_t)
-
-corenet_sendrecv_netsupport_server_packets(ccs_t)
-corenet_udp_bind_netsupport_port(ccs_t)
-
-dev_read_urand(ccs_t)
-
-files_read_etc_files(ccs_t)
-files_read_etc_runtime_files(ccs_t)
-
-init_rw_script_tmp_files(ccs_t)
-
-logging_send_syslog_msg(ccs_t)
-
-miscfiles_read_localization(ccs_t)
-
-sysnet_dns_name_resolve(ccs_t)
-
-userdom_manage_unpriv_user_shared_mem(ccs_t)
-userdom_manage_unpriv_user_semaphores(ccs_t)
-
-ifdef(`hide_broken_symptoms',`
-	kernel_manage_unlabeled_files(ccs_t)
-	corecmd_dontaudit_write_bin_dirs(ccs_t)
-')
-
-optional_policy(`
-	aisexec_stream_connect(ccs_t)
-	corosync_stream_connect(ccs_t)
-')
-
-optional_policy(`
-	qpidd_rw_semaphores(ccs_t)
-	qpidd_rw_shm(ccs_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ccs_t)
-')

diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc
deleted file mode 100644
index 2cfb0ae9..00000000
--- a/policy/modules/services/cipe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/etc/rc\.d/init\.d/ciped.*	--	gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
-
-/usr/bin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)
-
-/usr/sbin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)

diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if
deleted file mode 100644
index 11ec9dc5..00000000
--- a/policy/modules/services/cipe.if
+++ /dev/null
@@ -1,29 +0,0 @@
-## <summary>Encrypted tunnel daemon.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an cipe environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`cipe_admin',`
-	gen_require(`
-		type ciped_t, ciped_initrc_exec_t;
-	')
-
-	allow $1 ciped_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ciped_t)
-
-	init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t)
-')

diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
deleted file mode 100644
index 65b80c76..00000000
--- a/policy/modules/services/cipe.te
+++ /dev/null
@@ -1,67 +0,0 @@
-policy_module(cipe, 1.11.0)
-
-########################################
-#
-# Declarations
-#
-
-type ciped_t;
-type ciped_exec_t;
-init_daemon_domain(ciped_t, ciped_exec_t)
-
-type ciped_initrc_exec_t;
-init_script_file(ciped_initrc_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
-dontaudit ciped_t self:capability sys_tty_config;
-allow ciped_t self:process signal_perms;
-allow ciped_t self:fifo_file rw_fifo_file_perms;
-allow ciped_t self:udp_socket create_socket_perms;
-
-kernel_read_kernel_sysctls(ciped_t)
-kernel_read_system_state(ciped_t)
-
-corecmd_exec_shell(ciped_t)
-corecmd_exec_bin(ciped_t)
-
-corenet_all_recvfrom_netlabel(ciped_t)
-corenet_udp_sendrecv_generic_if(ciped_t)
-corenet_udp_sendrecv_generic_node(ciped_t)
-corenet_udp_bind_generic_node(ciped_t)
-
-corenet_sendrecv_afs_bos_server_packets(ciped_t)
-corenet_udp_bind_afs_bos_port(ciped_t)
-
-dev_read_rand(ciped_t)
-dev_read_sysfs(ciped_t)
-dev_read_urand(ciped_t)
-
-domain_use_interactive_fds(ciped_t)
-
-files_read_etc_files(ciped_t)
-files_read_etc_runtime_files(ciped_t)
-files_dontaudit_search_var(ciped_t)
-
-fs_search_auto_mountpoints(ciped_t)
-
-logging_send_syslog_msg(ciped_t)
-
-miscfiles_read_localization(ciped_t)
-
-sysnet_read_config(ciped_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-
-optional_policy(`
-	nis_use_ypbind(ciped_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ciped_t)
-')
-

diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc
deleted file mode 100644
index 093366f1..00000000
--- a/policy/modules/services/clockspeed.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/usr/bin/clockadd	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/clockspeed	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-/usr/bin/sntpclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclockd	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-
-/var/lib/clockspeed(/.*)?	gen_context(system_u:object_r:clockspeed_var_lib_t,s0)

diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
deleted file mode 100644
index 2cb7bf7c..00000000
--- a/policy/modules/services/clockspeed.if
+++ /dev/null
@@ -1,48 +0,0 @@
-## <summary>Clock speed measurement and manipulation.</summary>
-
-########################################
-## <summary>
-##	Execute clockspeed utilities in
-##	the clockspeed_cli domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`clockspeed_domtrans_cli',`
-	gen_require(`
-		type clockspeed_cli_t, clockspeed_cli_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
-')
-
-########################################
-## <summary>
-##	Execute clockspeed utilities in the
-##	clockspeed cli domain, and allow the
-##	specified role the clockspeed cli domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`clockspeed_run_cli',`
-	gen_require(`
-		attribute_role clockspeed_cli_roles;
-	')
-
-	clockspeed_domtrans_cli($1)
-	roleattribute $2 clockspeed_cli_roles;
-')

diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
deleted file mode 100644
index eb2c7324..00000000
--- a/policy/modules/services/clockspeed.te
+++ /dev/null
@@ -1,73 +0,0 @@
-policy_module(clockspeed, 1.8.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role clockspeed_cli_roles;
-
-type clockspeed_cli_t;
-type clockspeed_cli_exec_t;
-application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
-role clockspeed_cli_roles types clockspeed_cli_t;
-
-type clockspeed_srv_t;
-type clockspeed_srv_exec_t;
-init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-
-type clockspeed_var_lib_t;
-files_type(clockspeed_var_lib_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow clockspeed_cli_t self:capability sys_time;
-allow clockspeed_cli_t self:udp_socket create_socket_perms;
-
-read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
-corenet_all_recvfrom_netlabel(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-
-corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
-
-files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-
-miscfiles_read_localization(clockspeed_cli_t)
-
-userdom_use_user_terminals(clockspeed_cli_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow clockspeed_srv_t self:capability { net_bind_service sys_time };
-allow clockspeed_srv_t self:udp_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
-
-manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
-corenet_all_recvfrom_netlabel(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-corenet_udp_bind_generic_node(clockspeed_srv_t)
-
-corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
-corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
-
-files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-
-miscfiles_read_localization(clockspeed_srv_t)
-
-optional_policy(`
-	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-')

diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc
deleted file mode 100644
index 38a26207..00000000
--- a/policy/modules/services/clogd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/bin/clogd	--	gen_context(system_u:object_r:clogd_exec_t,s0)
-
-/usr/sbin/clogd	--	gen_context(system_u:object_r:clogd_exec_t,s0)
-
-/run/clogd\.pid	--	gen_context(system_u:object_r:clogd_runtime_t,s0)

diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
deleted file mode 100644
index dce4cb19..00000000
--- a/policy/modules/services/clogd.if
+++ /dev/null
@@ -1,59 +0,0 @@
-## <summary>Clustered Mirror Log Server.</summary>
-
-######################################
-## <summary>
-##	Execute a domain transition to run clogd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`clogd_domtrans',`
-	gen_require(`
-		type clogd_t, clogd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clogd_exec_t, clogd_t)
-')
-
-#####################################
-## <summary>
-##	Read and write clogd semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clogd_rw_semaphores',`
-	gen_require(`
-		type clogd_t;
-	')
-
-	allow $1 clogd_t:sem rw_sem_perms;
-')
-
-########################################
-## <summary>
-##	Read and write clogd shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clogd_rw_shm',`
-	gen_require(`
-		type clogd_t, clogd_tmpfs_t;
-	')
-
-	allow $1 clogd_t:shm rw_shm_perms;
-	allow $1 clogd_tmpfs_t:dir list_dir_perms;
-	rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-	fs_search_tmpfs($1)
-')

diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
deleted file mode 100644
index 4146b82f..00000000
--- a/policy/modules/services/clogd.te
+++ /dev/null
@@ -1,49 +0,0 @@
-policy_module(clogd, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-type clogd_t;
-type clogd_exec_t;
-init_daemon_domain(clogd_t, clogd_exec_t)
-
-type clogd_runtime_t alias clogd_var_run_t;
-files_runtime_file(clogd_runtime_t)
-
-type clogd_tmpfs_t;
-files_tmpfs_file(clogd_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow clogd_t self:capability { mknod net_admin };
-allow clogd_t self:process signal;
-allow clogd_t self:sem create_sem_perms;
-allow clogd_t self:shm create_shm_perms;
-allow clogd_t self:netlink_socket create_socket_perms;
-
-manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
-manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
-fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
-
-manage_files_pattern(clogd_t, clogd_runtime_t, clogd_runtime_t)
-files_runtime_filetrans(clogd_t, clogd_runtime_t, file)
-
-dev_manage_generic_blk_files(clogd_t)
-dev_read_lvm_control(clogd_t)
-
-storage_raw_read_fixed_disk(clogd_t)
-storage_raw_write_fixed_disk(clogd_t)
-
-logging_send_syslog_msg(clogd_t)
-
-miscfiles_read_localization(clogd_t)
-
-optional_policy(`
-	aisexec_stream_connect(clogd_t)
-	corosync_stream_connect(clogd_t)
-')

diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
deleted file mode 100644
index d511f3e3..00000000
--- a/policy/modules/services/cmirrord.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/rc\.d/init\.d/cmirrord	--	gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
-
-/usr/bin/cmirrord	--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
-
-/usr/sbin/cmirrord	--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
-
-/run/cmirrord\.pid	--	gen_context(system_u:object_r:cmirrord_runtime_t,s0)

diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
deleted file mode 100644
index f4fed673..00000000
--- a/policy/modules/services/cmirrord.if
+++ /dev/null
@@ -1,108 +0,0 @@
-## <summary>Cluster mirror log daemon.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run cmirrord.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_domtrans',`
-	gen_require(`
-		type cmirrord_t, cmirrord_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
-')
-
-########################################
-## <summary>
-##	Execute cmirrord server in the
-##	cmirrord domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_initrc_domtrans',`
-	gen_require(`
-		type cmirrord_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Read cmirrord PID files.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_read_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-## <summary>
-##	Read and write cmirrord shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cmirrord_rw_shm',`
-	gen_require(`
-		type cmirrord_t, cmirrord_tmpfs_t;
-	')
-
-	allow $1 cmirrord_t:shm rw_shm_perms;
-
-	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
-	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-	fs_search_tmpfs($1)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an cmirrord environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`cmirrord_admin',`
-	gen_require(`
-		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_runtime_t;
-	')
-
-	allow $1 cmirrord_t:process { ptrace signal_perms };
-	ps_process_pattern($1, cmirrord_t)
-
-	init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, cmirrord_runtime_t)
-')

diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
deleted file mode 100644
index 47aea030..00000000
--- a/policy/modules/services/cmirrord.te
+++ /dev/null
@@ -1,57 +0,0 @@
-policy_module(cmirrord, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type cmirrord_t;
-type cmirrord_exec_t;
-init_daemon_domain(cmirrord_t, cmirrord_exec_t)
-
-type cmirrord_initrc_exec_t;
-init_script_file(cmirrord_initrc_exec_t)
-
-type cmirrord_runtime_t alias cmirrord_var_run_t;
-files_runtime_file(cmirrord_runtime_t)
-
-type cmirrord_tmpfs_t;
-files_tmpfs_file(cmirrord_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow cmirrord_t self:capability { kill net_admin };
-dontaudit cmirrord_t self:capability sys_tty_config;
-allow cmirrord_t self:process { setfscreate signal };
-allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-allow cmirrord_t self:sem create_sem_perms;
-allow cmirrord_t self:shm create_shm_perms;
-allow cmirrord_t self:netlink_socket create_socket_perms;
-allow cmirrord_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
-
-manage_files_pattern(cmirrord_t, cmirrord_runtime_t, cmirrord_runtime_t)
-files_runtime_filetrans(cmirrord_t, cmirrord_runtime_t, file)
-
-domain_use_interactive_fds(cmirrord_t)
-domain_obj_id_change_exemption(cmirrord_t)
-
-files_read_etc_files(cmirrord_t)
-
-storage_create_fixed_disk_dev(cmirrord_t)
-
-seutil_read_file_contexts(cmirrord_t)
-
-logging_send_syslog_msg(cmirrord_t)
-
-miscfiles_read_localization(cmirrord_t)
-
-optional_policy(`
-	corosync_stream_connect(cmirrord_t)
-')

diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
index 43044e2c..ddc7738a 100644
--- a/policy/modules/services/condor.te
+++ b/policy/modules/services/condor.te
@@ -118,10 +118,6 @@ tunable_policy(`condor_tcp_network_connect',`
 	corenet_tcp_connect_all_ports(condor_domain)
 ')
 
-optional_policy(`
-	rhcs_stream_connect_cluster(condor_domain)
-')
-
 #####################################
 #
 # Master local policy

diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index c012d088..66063be5 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -113,14 +113,6 @@ miscfiles_read_localization(corosync_t)
 userdom_read_user_tmp_files(corosync_t)
 userdom_manage_user_tmpfs_files(corosync_t)
 
-optional_policy(`
-	ccs_read_config(corosync_t)
-')
-
-optional_policy(`
-	cmirrord_rw_shm(corosync_t)
-')
-
 optional_policy(`
 	consoletype_exec(corosync_t)
 ')
@@ -137,17 +129,6 @@ optional_policy(`
 	qpidd_rw_shm(corosync_t)
 ')
 
-optional_policy(`
-	rhcs_getattr_fenced_exec_files(corosync_t)
-	rhcs_rw_cluster_shm(corosync_t)
-	rhcs_rw_cluster_semaphores(corosync_t)
-	rhcs_stream_connect_cluster(corosync_t)
-')
-
-optional_policy(`
-	rgmanager_manage_tmpfs_files(corosync_t)
-')
-
 optional_policy(`
 	rpc_search_nfs_state_data(corosync_t)
 ')

diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc
deleted file mode 100644
index 204b444d..00000000
--- a/policy/modules/services/dcc.fc
+++ /dev/null
@@ -1,30 +0,0 @@
-/etc/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/etc/dcc/dccifd	-s	gen_context(system_u:object_r:dccifd_runtime_t,s0)
-/etc/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/usr/bin/cdcc		--	gen_context(system_u:object_r:cdcc_exec_t,s0)
-/usr/bin/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/bin/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/bin/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
-/usr/bin/dccproc	--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
-/usr/bin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-
-/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/libexec/dcc/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
-
-/usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/sbin/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
-
-/var/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/var/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/var/lib/dcc(/.*)?	gen_context(system_u:object_r:dcc_var_t,s0)
-/var/lib/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/run/dcc(/.*)?	gen_context(system_u:object_r:dcc_runtime_t,s0)
-/run/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-/run/dcc/dccifd	-s	gen_context(system_u:object_r:dccifd_runtime_t,s0)

diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
deleted file mode 100644
index 31d97127..00000000
--- a/policy/modules/services/dcc.if
+++ /dev/null
@@ -1,178 +0,0 @@
-## <summary>Distributed checksum clearinghouse spam filtering.</summary>
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_cdcc',`
-	gen_require(`
-		type cdcc_t, cdcc_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, cdcc_exec_t, cdcc_t)
-')
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain, and
-##	allow the specified role the
-##	cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_cdcc',`
-	gen_require(`
-		attribute_role cdcc_roles;
-	')
-
-	dcc_domtrans_cdcc($1)
-	roleattribute $2 cdcc_roles;
-')
-
-########################################
-## <summary>
-##	Execute dcc client in the dcc
-##	client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_client',`
-	gen_require(`
-		type dcc_client_t, dcc_client_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
-')
-
-########################################
-## <summary>
-##	Send generic signals to dcc client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_signal_client',`
-	gen_require(`
-		type dcc_client_t;
-	')
-
-	allow $1 dcc_client_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute dcc client in the dcc
-##	client domain, and allow the
-##	specified role the dcc client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_client',`
-	gen_require(`
-		attribute_role dcc_client_roles;
-	')
-
-	dcc_domtrans_client($1)
-	roleattribute $2 dcc_client_roles;
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_dbclean',`
-	gen_require(`
-		type dcc_dbclean_t, dcc_dbclean_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc dbclean
-##	domain, and allow the specified
-##	role the dcc dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dcc_run_dbclean',`
-	gen_require(`
-		attribute_role dcc_dbclean_roles;
-	')
-
-	dcc_domtrans_dbclean($1)
-	roleattribute $2 dcc_dbclean_roles;
-')
-
-########################################
-## <summary>
-##	Connect to dccifd over a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_stream_connect_dccifd',`
-	gen_require(`
-		type dcc_var_t, dccifd_runtime_t, dccifd_t;
-	')
-
-	files_search_var($1)
-	stream_connect_pattern($1, dcc_var_t, dccifd_runtime_t, dccifd_t)
-')

diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
deleted file mode 100644
index 4f713f54..00000000
--- a/policy/modules/services/dcc.te
+++ /dev/null
@@ -1,338 +0,0 @@
-policy_module(dcc, 1.17.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role cdcc_roles;
-roleattribute system_r cdcc_roles;
-
-attribute_role dcc_client_roles;
-roleattribute system_r dcc_client_roles;
-
-attribute_role dcc_dbclean_roles;
-roleattribute system_r dcc_dbclean_roles;
-
-type cdcc_t;
-type cdcc_exec_t;
-application_domain(cdcc_t, cdcc_exec_t)
-role cdcc_roles types cdcc_t;
-
-type cdcc_tmp_t;
-files_tmp_file(cdcc_tmp_t)
-
-type dcc_client_t;
-type dcc_client_exec_t;
-application_domain(dcc_client_t, dcc_client_exec_t)
-role dcc_client_roles types dcc_client_t;
-
-type dcc_client_map_t;
-files_type(dcc_client_map_t)
-
-type dcc_client_tmp_t;
-files_tmp_file(dcc_client_tmp_t)
-
-type dcc_dbclean_t;
-type dcc_dbclean_exec_t;
-application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
-role dcc_dbclean_roles types dcc_dbclean_t;
-
-type dcc_dbclean_tmp_t;
-files_tmp_file(dcc_dbclean_tmp_t)
-
-type dcc_var_t;
-files_type(dcc_var_t)
-
-type dcc_runtime_t;
-files_type(dcc_runtime_t)
-
-type dccd_t;
-type dccd_exec_t;
-init_daemon_domain(dccd_t, dccd_exec_t)
-
-type dccd_tmp_t;
-files_tmp_file(dccd_tmp_t)
-
-type dccd_runtime_t;
-files_runtime_file(dccd_runtime_t)
-
-type dccifd_t;
-type dccifd_exec_t;
-init_daemon_domain(dccifd_t, dccifd_exec_t)
-
-type dccifd_runtime_t alias dccifd_var_run_t;
-files_runtime_file(dccifd_runtime_t)
-
-type dccifd_tmp_t;
-files_tmp_file(dccifd_tmp_t)
-
-type dccm_t;
-type dccm_exec_t;
-init_daemon_domain(dccm_t, dccm_exec_t)
-
-type dccm_runtime_t alias dccm_var_run_t;
-files_runtime_file(dccm_runtime_t)
-
-type dccm_tmp_t;
-files_tmp_file(dccm_tmp_t)
-
-########################################
-#
-# Daemon controller local policy
-#
-
-allow cdcc_t self:capability { setgid setuid };
-
-manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
-manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
-files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
-
-allow cdcc_t dcc_client_map_t:file rw_file_perms;
-
-allow cdcc_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
-
-files_read_etc_runtime_files(cdcc_t)
-
-auth_use_nsswitch(cdcc_t)
-
-logging_send_syslog_msg(cdcc_t)
-
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
-
-########################################
-#
-# Procmail interface local policy
-#
-
-allow dcc_client_t self:capability { setgid setuid };
-
-allow dcc_client_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
-manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
-files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
-
-allow dcc_client_t dcc_var_t:dir list_dir_perms;
-manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
-
-kernel_read_system_state(dcc_client_t)
-
-files_read_etc_runtime_files(dcc_client_t)
-
-fs_getattr_all_fs(dcc_client_t)
-
-auth_use_nsswitch(dcc_client_t)
-
-logging_send_syslog_msg(dcc_client_t)
-
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
-
-optional_policy(`
-	amavis_read_spool_files(dcc_client_t)
-')
-
-optional_policy(`
-	spamassassin_read_spamd_tmp_files(dcc_client_t)
-')
-
-########################################
-#
-# Database cleanup local policy
-#
-
-allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
-manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
-files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
-
-manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-
-kernel_read_system_state(dcc_dbclean_t)
-
-files_read_etc_runtime_files(dcc_dbclean_t)
-
-auth_use_nsswitch(dcc_dbclean_t)
-
-logging_send_syslog_msg(dcc_dbclean_t)
-
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow dccd_t self:capability net_admin;
-dontaudit dccd_t self:capability sys_tty_config;
-allow dccd_t self:process signal_perms;
-
-allow dccd_t dcc_client_map_t:file rw_file_perms;
-
-allow dccd_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-
-domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-
-manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
-manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
-files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-
-manage_dirs_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t)
-manage_files_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t)
-files_runtime_filetrans(dccd_t, dccd_runtime_t, { dir file })
-
-kernel_read_system_state(dccd_t)
-kernel_read_kernel_sysctls(dccd_t)
-
-corenet_all_recvfrom_netlabel(dccd_t)
-corenet_udp_sendrecv_generic_if(dccd_t)
-corenet_udp_sendrecv_generic_node(dccd_t)
-corenet_udp_bind_generic_node(dccd_t)
-
-corenet_udp_bind_dcc_port(dccd_t)
-corenet_sendrecv_dcc_server_packets(dccd_t)
-
-corecmd_search_bin(dccd_t)
-
-dev_read_sysfs(dccd_t)
-
-domain_use_interactive_fds(dccd_t)
-
-files_read_etc_runtime_files(dccd_t)
-
-fs_getattr_all_fs(dccd_t)
-fs_search_auto_mountpoints(dccd_t)
-
-auth_use_nsswitch(dccd_t)
-
-logging_send_syslog_msg(dccd_t)
-
-miscfiles_read_localization(dccd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_user_home_dirs(dccd_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccd_t)
-')
-
-########################################
-#
-# Spamassassin and general MTA persistent client local policy
-#
-
-dontaudit dccifd_t self:capability sys_tty_config;
-allow dccifd_t self:process signal_perms;
-allow dccifd_t self:unix_stream_socket { accept listen };
-
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
-manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
-files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-
-manage_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
-manage_sock_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
-filetrans_pattern(dccifd_t, dcc_var_t, dccifd_runtime_t, { file sock_file })
-files_runtime_filetrans(dccifd_t, dccifd_runtime_t, file)
-
-kernel_read_system_state(dccifd_t)
-kernel_read_kernel_sysctls(dccifd_t)
-
-dev_read_sysfs(dccifd_t)
-
-domain_use_interactive_fds(dccifd_t)
-
-files_read_etc_runtime_files(dccifd_t)
-
-fs_getattr_all_fs(dccifd_t)
-fs_search_auto_mountpoints(dccifd_t)
-
-auth_use_nsswitch(dccifd_t)
-
-logging_send_syslog_msg(dccifd_t)
-
-miscfiles_read_localization(dccifd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_user_home_dirs(dccifd_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccifd_t)
-')
-
-########################################
-#
-# Sendmail milter client local policy
-#
-
-dontaudit dccm_t self:capability sys_tty_config;
-allow dccm_t self:process signal_perms;
-allow dccm_t self:unix_stream_socket { accept listen };
-
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
-
-manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
-manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
-files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-
-manage_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
-manage_sock_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
-filetrans_pattern(dccm_t, dcc_runtime_t, dccm_runtime_t, { file sock_file })
-files_runtime_filetrans(dccm_t, dccm_runtime_t, file)
-
-kernel_read_system_state(dccm_t)
-kernel_read_kernel_sysctls(dccm_t)
-
-dev_read_sysfs(dccm_t)
-
-domain_use_interactive_fds(dccm_t)
-
-files_read_etc_runtime_files(dccm_t)
-
-fs_getattr_all_fs(dccm_t)
-fs_search_auto_mountpoints(dccm_t)
-
-auth_use_nsswitch(dccm_t)
-
-logging_send_syslog_msg(dccm_t)
-
-miscfiles_read_localization(dccm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_user_home_dirs(dccm_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(dccm_t)
-')
-

diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc
deleted file mode 100644
index 89b0b77d..00000000
--- a/policy/modules/services/denyhosts.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/denyhosts	--	gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
-
-/usr/bin/denyhosts\.py	--	gen_context(system_u:object_r:denyhosts_exec_t,s0)
-
-/var/lib/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
-
-/var/lock/subsys/denyhosts	--	gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
-
-/var/log/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_log_t,s0)

diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
deleted file mode 100644
index 0fb8ec7c..00000000
--- a/policy/modules/services/denyhosts.if
+++ /dev/null
@@ -1,76 +0,0 @@
-## <summary>SSH dictionary attack mitigation.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run denyhosts.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`denyhosts_domtrans',`
-	gen_require(`
-		type denyhosts_t, denyhosts_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
-')
-
-########################################
-## <summary>
-##	Execute denyhost server in the
-##	denyhost domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`denyhosts_initrc_domtrans',`
-	gen_require(`
-		type denyhosts_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an denyhosts environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-#
-interface(`denyhosts_admin',`
-	gen_require(`
-		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
-		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
-	')
-
-	allow $1 denyhosts_t:process { ptrace signal_perms };
-	ps_process_pattern($1, denyhosts_t)
-
-	init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, denyhosts_var_lib_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, denyhosts_var_log_t)
-
-	files_search_locks($1)
-	admin_pattern($1, denyhosts_var_lock_t)
-')

diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
deleted file mode 100644
index 5beff9d9..00000000
--- a/policy/modules/services/denyhosts.te
+++ /dev/null
@@ -1,71 +0,0 @@
-policy_module(denyhosts, 1.4.0)
-
-########################################
-#
-# Declarations
-#
-
-type denyhosts_t;
-type denyhosts_exec_t;
-init_daemon_domain(denyhosts_t, denyhosts_exec_t)
-
-type denyhosts_initrc_exec_t;
-init_script_file(denyhosts_initrc_exec_t)
-
-type denyhosts_var_lib_t;
-files_type(denyhosts_var_lib_t)
-
-type denyhosts_var_lock_t;
-files_lock_file(denyhosts_var_lock_t)
-
-type denyhosts_var_log_t;
-logging_log_file(denyhosts_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow denyhosts_t self:capability sys_tty_config;
-allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-allow denyhosts_t self:netlink_route_socket nlmsg_write;
-
-manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
-
-manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
-manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
-files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
-
-append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
-logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
-
-kernel_read_network_state(denyhosts_t)
-kernel_read_system_state(denyhosts_t)
-
-corecmd_exec_bin(denyhosts_t)
-corecmd_exec_shell(denyhosts_t)
-
-corenet_all_recvfrom_netlabel(denyhosts_t)
-corenet_tcp_sendrecv_generic_if(denyhosts_t)
-corenet_tcp_sendrecv_generic_node(denyhosts_t)
-
-corenet_sendrecv_smtp_client_packets(denyhosts_t)
-corenet_tcp_connect_smtp_port(denyhosts_t)
-
-dev_read_urand(denyhosts_t)
-
-logging_read_generic_logs(denyhosts_t)
-logging_send_syslog_msg(denyhosts_t)
-
-miscfiles_read_localization(denyhosts_t)
-
-sysnet_dns_name_resolve(denyhosts_t)
-sysnet_manage_config(denyhosts_t)
-sysnet_etc_filetrans_config(denyhosts_t)
-
-optional_policy(`
-	cron_system_entry(denyhosts_t, denyhosts_exec_t)
-')

diff --git a/policy/modules/services/dspam.fc b/policy/modules/services/dspam.fc
deleted file mode 100644
index be76b9db..00000000
--- a/policy/modules/services/dspam.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/etc/rc\.d/init\.d/dspam	--	gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
-
-/usr/bin/dspam	--	gen_context(system_u:object_r:dspam_exec_t,s0)
-
-/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-
-/var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)?	gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
-
-/var/log/dspam(/.*)?	gen_context(system_u:object_r:dspam_log_t,s0)
-
-/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_runtime_t,s0)

diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if
deleted file mode 100644
index c2ec6be7..00000000
--- a/policy/modules/services/dspam.if
+++ /dev/null
@@ -1,79 +0,0 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run dspam.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dspam_domtrans',`
-	gen_require(`
-		type dspam_t, dspam_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dspam_exec_t, dspam_t)
-')
-
-#######################################
-## <summary>
-##	Connect to dspam using a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dspam_stream_connect',`
-	gen_require(`
-		type dspam_t, dspam_runtime_t;
-	')
-
-	files_search_runtime($1)
-	files_search_tmp($1)
-	stream_connect_pattern($1, dspam_runtime_t, dspam_runtime_t, dspam_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an dspam environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`dspam_admin',`
-	gen_require(`
-		type dspam_t, dspam_initrc_exec_t, dspam_log_t;
-		type dspam_var_lib_t, dspam_runtime_t;
-	')
-
-	allow $1 dspam_t:process { ptrace signal_perms };
-	ps_process_pattern($1, dspam_t)
-
-	init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, dspam_log_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, dspam_var_lib_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, dspam_runtime_t)
-')

diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te
deleted file mode 100644
index 5a6b0a92..00000000
--- a/policy/modules/services/dspam.te
+++ /dev/null
@@ -1,87 +0,0 @@
-policy_module(dspam, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type dspam_t;
-type dspam_exec_t;
-init_daemon_domain(dspam_t, dspam_exec_t)
-
-type dspam_initrc_exec_t;
-init_script_file(dspam_initrc_exec_t)
-
-type dspam_log_t;
-logging_log_file(dspam_log_t)
-
-type dspam_runtime_t alias dspam_var_run_t;
-files_runtime_file(dspam_runtime_t)
-
-type dspam_var_lib_t;
-files_type(dspam_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dspam_t self:capability net_admin;
-allow dspam_t self:process signal;
-allow dspam_t self:fifo_file rw_fifo_file_perms;
-allow dspam_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
-append_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-create_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-setattr_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-logging_log_filetrans(dspam_t, dspam_log_t, dir)
-
-manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-files_var_lib_filetrans(dspam_t, dspam_var_lib_t, dir)
-
-manage_dirs_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-manage_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-manage_sock_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
-files_runtime_filetrans(dspam_t, dspam_runtime_t, dir)
-
-corenet_all_recvfrom_netlabel(dspam_t)
-corenet_tcp_sendrecv_generic_if(dspam_t)
-corenet_tcp_sendrecv_generic_node(dspam_t)
-corenet_tcp_bind_generic_node(dspam_t)
-
-corenet_sendrecv_spamd_client_packets(dspam_t)
-corenet_sendrecv_spamd_server_packets(dspam_t)
-corenet_tcp_bind_spamd_port(dspam_t)
-corenet_tcp_connect_spamd_port(dspam_t)
-
-files_search_spool(dspam_t)
-
-auth_use_nsswitch(dspam_t)
-
-logging_send_syslog_msg(dspam_t)
-
-miscfiles_read_localization(dspam_t)
-
-optional_policy(`
-	apache_content_template(dspam)
-
-	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(dspam_t)
-	mysql_read_config(dspam_t)
-
-	mysql_tcp_connect(dspam_t)
-')
-
-optional_policy(`
-	postgresql_stream_connect(dspam_t)
-	postgresql_unpriv_client(dspam_t)
-
-	postgresql_tcp_connect(dspam_t)
-')

diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc
deleted file mode 100644
index a7a9bf07..00000000
--- a/policy/modules/services/howl.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/rc\.d/init\.d/((nifd)|(mDNSResponder))	--	gen_context(system_u:object_r:howl_initrc_exec_t,s0)
-
-/usr/bin/mDNSResponder	--	gen_context(system_u:object_r:howl_exec_t,s0)
-/usr/bin/nifd	--	gen_context(system_u:object_r:howl_exec_t,s0)
-
-/run/nifd\.pid	--	gen_context(system_u:object_r:howl_runtime_t,s0)

diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if
deleted file mode 100644
index 67617c75..00000000
--- a/policy/modules/services/howl.if
+++ /dev/null
@@ -1,50 +0,0 @@
-## <summary>Port of Apple Rendezvous multicast DNS.</summary>
-
-########################################
-## <summary>
-##	Send generic signals to howl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`howl_signal',`
-	gen_require(`
-		type howl_t;
-	')
-
-	allow $1 howl_t:process signal;
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an howl environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`howl_admin',`
-	gen_require(`
-		type howl_t, howl_initrc_exec_t, howl_runtime_t;
-	')
-
-	allow $1 howl_t:process { ptrace signal_perms };
-	ps_process_pattern($1, howl_t)
-
-	init_startstop_service($1, $2, howl_t, howl_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, howl_runtime_t)
-')

diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
deleted file mode 100644
index fb276e69..00000000
--- a/policy/modules/services/howl.te
+++ /dev/null
@@ -1,73 +0,0 @@
-policy_module(howl, 1.15.0)
-
-########################################
-#
-# Declarations
-#
-
-type howl_t;
-type howl_exec_t;
-application_executable_file(howl_exec_t)
-init_daemon_domain(howl_t, howl_exec_t)
-
-type howl_initrc_exec_t;
-init_script_file(howl_initrc_exec_t)
-
-type howl_runtime_t alias howl_var_run_t;
-files_runtime_file(howl_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-allow howl_t self:capability { kill net_admin };
-dontaudit howl_t self:capability sys_tty_config;
-allow howl_t self:process signal_perms;
-allow howl_t self:fifo_file rw_fifo_file_perms;
-allow howl_t self:tcp_socket { accept listen };
-
-manage_files_pattern(howl_t, howl_runtime_t, howl_runtime_t)
-files_runtime_filetrans(howl_t, howl_runtime_t, file)
-
-kernel_read_network_state(howl_t)
-kernel_read_kernel_sysctls(howl_t)
-kernel_request_load_module(howl_t)
-kernel_list_proc(howl_t)
-kernel_read_proc_symlinks(howl_t)
-
-corenet_all_recvfrom_netlabel(howl_t)
-corenet_tcp_sendrecv_generic_if(howl_t)
-corenet_udp_sendrecv_generic_if(howl_t)
-corenet_tcp_sendrecv_generic_node(howl_t)
-corenet_udp_sendrecv_generic_node(howl_t)
-corenet_tcp_bind_generic_node(howl_t)
-corenet_udp_bind_generic_node(howl_t)
-
-corenet_sendrecv_howl_server_packets(howl_t)
-corenet_tcp_bind_howl_port(howl_t)
-corenet_udp_bind_howl_port(howl_t)
-
-dev_read_sysfs(howl_t)
-
-fs_getattr_all_fs(howl_t)
-fs_search_auto_mountpoints(howl_t)
-
-domain_use_interactive_fds(howl_t)
-
-auth_use_nsswitch(howl_t)
-
-init_read_utmp(howl_t)
-init_dontaudit_write_utmp(howl_t)
-
-logging_send_syslog_msg(howl_t)
-
-miscfiles_read_localization(howl_t)
-
-userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_user_home_dirs(howl_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(howl_t)
-')
-

diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc
deleted file mode 100644
index c189a195..00000000
--- a/policy/modules/services/imaze.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/usr/games/imazesrv	--	gen_context(system_u:object_r:imazesrv_exec_t,s0)
-
-/usr/share/games/imaze(/.*)?	gen_context(system_u:object_r:imazesrv_data_t,s0)
-
-/var/log/imaze\.log.*	--	gen_context(system_u:object_r:imazesrv_log_t,s0)
-
-/run/imaze\.pid	--	gen_context(system_u:object_r:imazesrv_runtime_t,s0)

diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if
deleted file mode 100644
index db53881d..00000000
--- a/policy/modules/services/imaze.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>iMaze game server.</summary>

diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
deleted file mode 100644
index 13181d6f..00000000
--- a/policy/modules/services/imaze.te
+++ /dev/null
@@ -1,79 +0,0 @@
-policy_module(imaze, 1.12.0)
-
-########################################
-#
-# Declarations
-#
-
-type imazesrv_t;
-type imazesrv_exec_t;
-application_executable_file(imazesrv_exec_t)
-init_daemon_domain(imazesrv_t, imazesrv_exec_t)
-
-type imazesrv_data_t;
-files_type(imazesrv_data_t)
-
-type imazesrv_log_t;
-logging_log_file(imazesrv_log_t)
-
-type imazesrv_runtime_t alias imazesrv_var_run_t;
-files_runtime_file(imazesrv_runtime_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
-allow imazesrv_t self:fifo_file rw_fifo_file_perms;
-allow imazesrv_t self:tcp_socket { accept listen };
-allow imazesrv_t self:unix_dgram_socket sendto;
-allow imazesrv_t self:unix_stream_socket { accept connectto listen };
-
-allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
-read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
-read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
-
-allow imazesrv_t imazesrv_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
-
-manage_files_pattern(imazesrv_t, imazesrv_runtime_t, imazesrv_runtime_t)
-files_runtime_filetrans(imazesrv_t, imazesrv_runtime_t, file)
-
-kernel_list_proc(imazesrv_t)
-kernel_read_kernel_sysctls(imazesrv_t)
-kernel_read_proc_symlinks(imazesrv_t)
-
-corenet_all_recvfrom_netlabel(imazesrv_t)
-corenet_tcp_sendrecv_generic_if(imazesrv_t)
-corenet_udp_sendrecv_generic_if(imazesrv_t)
-corenet_tcp_sendrecv_generic_node(imazesrv_t)
-corenet_udp_sendrecv_generic_node(imazesrv_t)
-corenet_tcp_bind_generic_node(imazesrv_t)
-corenet_udp_bind_generic_node(imazesrv_t)
-
-corenet_sendrecv_imaze_server_packets(imazesrv_t)
-corenet_tcp_bind_imaze_port(imazesrv_t)
-corenet_udp_bind_imaze_port(imazesrv_t)
-
-dev_read_sysfs(imazesrv_t)
-
-domain_use_interactive_fds(imazesrv_t)
-
-fs_getattr_all_fs(imazesrv_t)
-fs_search_auto_mountpoints(imazesrv_t)
-
-auth_use_nsswitch(imazesrv_t)
-
-logging_send_syslog_msg(imazesrv_t)
-
-miscfiles_read_localization(imazesrv_t)
-
-userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_user_home_dirs(imazesrv_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(imazesrv_t)
-')
-

diff --git a/policy/modules/services/jockey.fc b/policy/modules/services/jockey.fc
deleted file mode 100644
index d57dad40..00000000
--- a/policy/modules/services/jockey.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/usr/share/jockey/jockey-backend	--	gen_context(system_u:object_r:jockey_exec_t,s0)
-
-/var/cache/jockey(/.*)?	gen_context(system_u:object_r:jockey_cache_t,s0)
-
-/var/log/jockey(/.*)?	gen_context(system_u:object_r:jockey_var_log_t,s0)
-/var/log/jockey\.log.*	--	gen_context(system_u:object_r:jockey_var_log_t,s0)

diff --git a/policy/modules/services/jockey.if b/policy/modules/services/jockey.if
deleted file mode 100644
index 2fb7a20f..00000000
--- a/policy/modules/services/jockey.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Jockey driver manager.</summary>

diff --git a/policy/modules/services/jockey.te b/policy/modules/services/jockey.te
deleted file mode 100644
index 520543c0..00000000
--- a/policy/modules/services/jockey.te
+++ /dev/null
@@ -1,59 +0,0 @@
-policy_module(jockey, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type jockey_t;
-type jockey_exec_t;
-init_daemon_domain(jockey_t, jockey_exec_t)
-
-type jockey_cache_t;
-files_type(jockey_cache_t)
-
-type jockey_var_log_t;
-logging_log_file(jockey_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow jockey_t self:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
-
-manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-append_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
-
-kernel_read_system_state(jockey_t)
-
-corecmd_exec_bin(jockey_t)
-corecmd_exec_shell(jockey_t)
-
-dev_read_rand(jockey_t)
-dev_read_sysfs(jockey_t)
-dev_read_urand(jockey_t)
-
-domain_use_interactive_fds(jockey_t)
-
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
-
-miscfiles_read_localization(jockey_t)
-
-optional_policy(`
-	dbus_system_domain(jockey_t, jockey_exec_t)
-')
-
-optional_policy(`
-	modutils_domtrans(jockey_t)
-	modutils_read_module_config(jockey_t)
-')

diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc
deleted file mode 100644
index fae3b8c4..00000000
--- a/policy/modules/services/ktalk.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/usr/bin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/bin/in\.ntalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-
-/usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/sbin/in\.ntalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/sbin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-
-/var/log/talkd.*	--	gen_context(system_u:object_r:ktalkd_log_t,s0)

diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if
deleted file mode 100644
index 19777b80..00000000
--- a/policy/modules/services/ktalk.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>KDE Talk daemon.</summary>

diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
deleted file mode 100644
index 8b56ae6d..00000000
--- a/policy/modules/services/ktalk.te
+++ /dev/null
@@ -1,59 +0,0 @@
-policy_module(ktalk, 1.13.0)
-
-########################################
-#
-# Declarations
-#
-
-type ktalkd_t;
-type ktalkd_exec_t;
-init_daemon_domain(ktalkd_t, ktalkd_exec_t)
-inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
-
-type ktalkd_log_t;
-logging_log_file(ktalkd_log_t)
-
-type ktalkd_tmp_t;
-files_tmp_file(ktalkd_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ktalkd_t self:process signal_perms;
-allow ktalkd_t self:fifo_file rw_fifo_file_perms;
-allow ktalkd_t self:tcp_socket { accept listen };
-
-allow ktalkd_t ktalkd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
-
-manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
-manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
-files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(ktalkd_t)
-kernel_read_system_state(ktalkd_t)
-kernel_read_network_state(ktalkd_t)
-
-corenet_all_recvfrom_netlabel(ktalkd_t)
-corenet_udp_sendrecv_generic_if(ktalkd_t)
-corenet_udp_sendrecv_generic_node(ktalkd_t)
-corenet_udp_bind_generic_node(ktalkd_t)
-
-corenet_sendrecv_ktalkd_server_packets(ktalkd_t)
-corenet_udp_bind_ktalkd_port(ktalkd_t)
-
-dev_read_urand(ktalkd_t)
-
-fs_getattr_xattr_fs(ktalkd_t)
-
-term_use_all_terms(ktalkd_t)
-
-auth_use_nsswitch(ktalkd_t)
-
-init_read_utmp(ktalkd_t)
-
-logging_send_syslog_msg(ktalkd_t)
-
-miscfiles_read_localization(ktalkd_t)

diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc
deleted file mode 100644
index 9e33585c..00000000
--- a/policy/modules/services/mailscanner.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-/etc/MailScanner(/.*)?	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/etc/rc\.d/init\.d/MailScanner	--	gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
-
-/etc/sysconfig/MailScanner	--	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/etc/sysconfig/update_spamassassin	--	gen_context(system_u:object_r:mscan_etc_t,s0)
-
-/usr/bin/MailScanner	--	gen_context(system_u:object_r:mscan_exec_t,s0)
-
-/usr/sbin/MailScanner	--	gen_context(system_u:object_r:mscan_exec_t,s0)
-
-/run/MailScanner\.pid	--	gen_context(system_u:object_r:mscan_runtime_t,s0)
-
-/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mscan_spool_t,s0)

diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
deleted file mode 100644
index 732fdbcf..00000000
--- a/policy/modules/services/mailscanner.if
+++ /dev/null
@@ -1,60 +0,0 @@
-## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	mscan spool content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mscan_manage_spool_content',`
-	gen_require(`
-		type mscan_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
-	manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an mscan environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`mscan_admin',`
-	gen_require(`
-		type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
-		type mscan_runtime_t, mscan_spool_t;
-	')
-
-	allow $1 mscan_t:process { ptrace signal_perms };
-	ps_process_pattern($1, mscan_t)
-
-	init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, mscan_etc_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, mscan_runtime_t)
-
-	files_search_spool($1)
-	admin_pattern($1, mscan_spool_t)
-')

diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
deleted file mode 100644
index bcd7f2f0..00000000
--- a/policy/modules/services/mailscanner.te
+++ /dev/null
@@ -1,98 +0,0 @@
-policy_module(mailscanner, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type mscan_t;
-type mscan_exec_t;
-init_daemon_domain(mscan_t, mscan_exec_t)
-
-type mscan_initrc_exec_t;
-init_script_file(mscan_initrc_exec_t)
-
-type mscan_etc_t;
-files_config_file(mscan_etc_t)
-
-type mscan_runtime_t alias mscan_var_run_t;
-files_runtime_file(mscan_runtime_t)
-
-type mscan_spool_t;
-files_type(mscan_spool_t)
-
-type mscan_tmp_t;
-files_tmp_file(mscan_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mscan_t self:capability { chown dac_override setgid setuid };
-allow mscan_t self:process signal;
-allow mscan_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
-
-manage_files_pattern(mscan_t, mscan_runtime_t, mscan_runtime_t)
-files_runtime_filetrans(mscan_t, mscan_runtime_t, file)
-
-manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
-manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
-files_spool_filetrans(mscan_t, mscan_spool_t, dir)
-
-manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
-
-can_exec(mscan_t, mscan_exec_t)
-
-kernel_read_system_state(mscan_t)
-
-corecmd_exec_bin(mscan_t)
-corecmd_exec_shell(mscan_t)
-
-corenet_all_recvfrom_netlabel(mscan_t)
-corenet_tcp_bind_generic_node(mscan_t)
-corenet_udp_bind_generic_node(mscan_t)
-corenet_tcp_sendrecv_generic_if(mscan_t)
-corenet_udp_sendrecv_generic_if(mscan_t)
-corenet_tcp_sendrecv_generic_node(mscan_t)
-corenet_udp_sendrecv_generic_node(mscan_t)
-
-corenet_sendrecv_trisoap_client_packets(mscan_t)
-corenet_tcp_connect_trisoap_port(mscan_t)
-
-corenet_sendrecv_generic_server_packets(mscan_t)
-corenet_udp_bind_generic_port(mscan_t)
-
-dev_read_urand(mscan_t)
-
-files_read_usr_files(mscan_t)
-
-fs_getattr_xattr_fs(mscan_t)
-
-auth_dontaudit_read_shadow(mscan_t)
-auth_use_nsswitch(mscan_t)
-
-logging_send_syslog_msg(mscan_t)
-
-miscfiles_read_localization(mscan_t)
-
-optional_policy(`
-	clamav_domtrans_clamscan(mscan_t)
-')
-
-optional_policy(`
-	mta_send_mail(mscan_t)
-	mta_manage_queue(mscan_t)
-')
-
-optional_policy(`
-	procmail_domtrans(mscan_t)
-')
-
-optional_policy(`
-	spamassassin_read_lib_files(mscan_t)
-')

diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index ba45dbe0..756b52b5 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -263,10 +263,6 @@ optional_policy(`
 	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
 ')
 
-optional_policy(`
-	howl_signal(NetworkManager_t)
-')
-
 optional_policy(`
 	ipsec_domtrans_mgmt(NetworkManager_t)
 	ipsec_kill_mgmt(NetworkManager_t)
@@ -318,10 +314,6 @@ optional_policy(`
 	userdom_read_all_users_state(NetworkManager_t)
 ')
 
-optional_policy(`
-	polipo_initrc_domtrans(NetworkManager_t)
-')
-
 optional_policy(`
 	ppp_initrc_domtrans(NetworkManager_t)
 	ppp_domtrans(NetworkManager_t)

diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc
deleted file mode 100644
index dabf41ee..00000000
--- a/policy/modules/services/oav.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/etc/oav-update(/.*)?	gen_context(system_u:object_r:oav_update_etc_t,s0)
-/etc/scannerdaemon/scannerdaemon\.conf	--	gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
-
-/usr/bin/oav-update	--	gen_context(system_u:object_r:oav_update_exec_t,s0)
-/usr/bin/scannerdaemon	--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
-
-/usr/sbin/oav-update	--	gen_context(system_u:object_r:oav_update_exec_t,s0)
-/usr/sbin/scannerdaemon	--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
-
-/var/lib/oav-virussignatures	--	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/lib/oav-update(/.*)?	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/log/scannerdaemon\.log.*	--	gen_context(system_u:object_r:scannerdaemon_log_t,s0)

diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
deleted file mode 100644
index b096e3fb..00000000
--- a/policy/modules/services/oav.if
+++ /dev/null
@@ -1,47 +0,0 @@
-## <summary>Open AntiVirus scannerdaemon and signature update.</summary>
-
-########################################
-## <summary>
-##	Execute oav_update in the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`oav_domtrans_update',`
-	gen_require(`
-		type oav_update_t, oav_update_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, oav_update_exec_t, oav_update_t)
-')
-
-########################################
-## <summary>
-##	Execute oav_update in the oav update
-##	domain, and allow the specified role
-##	the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`oav_run_update',`
-	gen_require(`
-		attribute_role oav_update_roles;
-	')
-
-	oav_domtrans_update($1)
-	roleattribute $2 oav_update_roles;
-')

diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
deleted file mode 100644
index c8559678..00000000
--- a/policy/modules/services/oav.te
+++ /dev/null
@@ -1,122 +0,0 @@
-policy_module(oav, 1.14.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role oav_update_roles;
-
-type oav_update_t;
-type oav_update_exec_t;
-application_domain(oav_update_t, oav_update_exec_t)
-role oav_update_roles types oav_update_t;
-
-type oav_update_etc_t;
-files_config_file(oav_update_etc_t)
-
-type oav_update_var_lib_t;
-files_type(oav_update_var_lib_t)
-
-type scannerdaemon_t;
-type scannerdaemon_exec_t;
-init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
-
-type scannerdaemon_etc_t;
-files_config_file(scannerdaemon_etc_t)
-
-type scannerdaemon_log_t;
-logging_log_file(scannerdaemon_log_t)
-
-type scannerdaemon_runtime_t alias scannerdaemon_var_run_t;
-files_runtime_file(scannerdaemon_runtime_t)
-
-########################################
-#
-# Update local policy
-#
-
-allow oav_update_t self:tcp_socket create_stream_socket_perms;
-allow oav_update_t self:udp_socket create_socket_perms;
-
-allow oav_update_t oav_update_etc_t:dir list_dir_perms;
-allow oav_update_t oav_update_etc_t:file read_file_perms;
-
-manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-
-corecmd_exec_all_executables(oav_update_t)
-
-files_exec_etc_files(oav_update_t)
-
-libs_exec_ld_so(oav_update_t)
-libs_exec_lib_files(oav_update_t)
-
-logging_send_syslog_msg(oav_update_t)
-
-sysnet_read_config(oav_update_t)
-
-userdom_use_user_terminals(oav_update_t)
-
-optional_policy(`
-	cron_system_entry(oav_update_t, oav_update_exec_t)
-')
-
-########################################
-#
-# Scannerdaemon local policy
-#
-
-dontaudit scannerdaemon_t self:capability sys_tty_config;
-allow scannerdaemon_t self:process signal_perms;
-allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
-allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
-allow scannerdaemon_t self:udp_socket create_socket_perms;
-
-allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
-
-allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
-
-allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
-logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
-
-manage_files_pattern(scannerdaemon_t, scannerdaemon_runtime_t, scannerdaemon_runtime_t)
-files_runtime_filetrans(scannerdaemon_t, scannerdaemon_runtime_t, file)
-
-kernel_read_system_state(scannerdaemon_t)
-kernel_read_kernel_sysctls(scannerdaemon_t)
-
-corecmd_exec_all_executables(scannerdaemon_t)
-
-dev_read_sysfs(scannerdaemon_t)
-
-domain_use_interactive_fds(scannerdaemon_t)
-
-files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
-files_read_etc_runtime_files(scannerdaemon_t)
-files_search_var_lib(scannerdaemon_t)
-
-fs_getattr_all_fs(scannerdaemon_t)
-fs_search_auto_mountpoints(scannerdaemon_t)
-
-auth_dontaudit_read_shadow(scannerdaemon_t)
-
-libs_exec_ld_so(scannerdaemon_t)
-libs_exec_lib_files(scannerdaemon_t)
-
-logging_send_syslog_msg(scannerdaemon_t)
-
-miscfiles_read_localization(scannerdaemon_t)
-
-sysnet_read_config(scannerdaemon_t)
-
-userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(scannerdaemon_t)
-')
-

diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
deleted file mode 100644
index 6e1b4703..00000000
--- a/policy/modules/services/polipo.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-HOME_DIR/\.forbidden	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
-HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
-HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
-
-/etc/polipo(/.*)?	gen_context(system_u:object_r:polipo_conf_t,s0)
-
-/etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
-
-/usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
-
-/var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
-
-/var/log/polipo.*	--	gen_context(system_u:object_r:polipo_log_t,s0)
-
-/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_runtime_t,s0)

diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
deleted file mode 100644
index 5ec68a93..00000000
--- a/policy/modules/services/polipo.if
+++ /dev/null
@@ -1,141 +0,0 @@
-## <summary>Lightweight forwarding and caching proxy server.</summary>
-
-########################################
-## <summary>
-##	Role access for Polipo session.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-template(`polipo_role',`
-	gen_require(`
-		type polipo_session_t, polipo_exec_t, polipo_config_home_t;
-		type polipo_cache_home_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	role $1 types polipo_session_t;
-
-	########################################
-	#
-	# Policy
-	#
-
-	allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
-	userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
-	allow $2 polipo_session_t:process { ptrace signal_perms };
-	ps_process_pattern($2, polipo_session_t)
-
-	tunable_policy(`polipo_session_users',`
-		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-	',`
-		can_exec($2, polipo_exec_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute Polipo in the Polipo
-##	system domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`polipo_initrc_domtrans',`
-	gen_require(`
-		type polipo_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Create specified objects in generic
-##	log directories with the polipo
-##	log file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`polipo_log_filetrans_log',`
-	gen_require(`
-		type polipo_log_t;
-	')
-
-	logging_log_filetrans($1, polipo_log_t, $2, $3)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an polipo environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`polipo_admin',`
-	gen_require(`
-		type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
-		type polipo_conf_t, polipo_log_t, polipo_runtime_t;
-	')
-
-	allow $1 polipo_system_t:process { ptrace signal_perms };
-	ps_process_pattern($1, polipo_system_t)
-
-	init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)
-
-	files_search_var($1)
-	admin_pattern($1, polipo_cache_t)
-
-	files_search_etc($1)
-	admin_pattern($1, polipo_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, polipo_log_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, polipo_runtime_t)
-')

diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
deleted file mode 100644
index 44e37bc5..00000000
--- a/policy/modules/services/polipo.te
+++ /dev/null
@@ -1,167 +0,0 @@
-policy_module(polipo, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether Polipo system
-##	daemon can access CIFS file systems.
-##	</p>
-## </desc>
-gen_tunable(polipo_system_use_cifs, false)
-
-## <desc>
-##	<p>
-##	Determine whether Polipo system
-##	daemon can access NFS file systems.
-##	</p>
-## </desc>
-gen_tunable(polipo_system_use_nfs, false)
-
-## <desc>
-##	<p>
-##	Determine whether calling user domains
-##	can execute Polipo daemon in the
-##	polipo_session_t domain.
-##	</p>
-## </desc>
-gen_tunable(polipo_session_users, false)
-
-## <desc>
-##	<p>
-##	Determine whether Polipo session daemon
-##	can send syslog messages.
-##	</p>
-## </desc>
-gen_tunable(polipo_session_send_syslog_msg, false)
-
-attribute polipo_daemon;
-
-type polipo_system_t, polipo_daemon;
-type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
-
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
-
-type polipo_cache_t;
-files_type(polipo_cache_t)
-
-type polipo_cache_home_t;
-userdom_user_home_content(polipo_cache_home_t)
-
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
-
-type polipo_initrc_exec_t;
-init_script_file(polipo_initrc_exec_t)
-
-type polipo_log_t;
-logging_log_file(polipo_log_t)
-
-type polipo_runtime_t alias polipo_var_run_t;
-files_runtime_file(polipo_runtime_t)
-
-type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
-
-########################################
-#
-# Session local policy
-#
-
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
-
-tunable_policy(`polipo_session_send_syslog_msg',`
-	logging_send_syslog_msg(polipo_session_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_session_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_session_t)
-')
-
-########################################
-#
-# System local policy
-#
-
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
-
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
-
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
-
-manage_files_pattern(polipo_system_t, polipo_runtime_t, polipo_runtime_t)
-files_runtime_filetrans(polipo_system_t, polipo_runtime_t, file)
-
-auth_use_nsswitch(polipo_system_t)
-
-logging_send_syslog_msg(polipo_system_t)
-
-optional_policy(`
-	cron_system_entry(polipo_system_t, polipo_exec_t)
-')
-
-tunable_policy(`polipo_system_use_cifs',`
-	fs_manage_cifs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_system_t)
-')
-
-tunable_policy(`polipo_system_use_nfs',`
-	fs_manage_nfs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_system_t)
-')
-
-########################################
-#
-# Polipo global local policy
-#
-
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
-
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
-
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
-
-corenet_sendrecv_tor_client_packets(polipo_daemon)
-corenet_tcp_connect_tor_port(polipo_daemon)
-
-files_read_usr_files(polipo_daemon)
-
-fs_search_auto_mountpoints(polipo_daemon)
-
-miscfiles_read_localization(polipo_daemon)

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 690b06ce..6c6bdde0 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -472,10 +472,6 @@ optional_policy(`
 	dovecot_domtrans_deliver(postfix_local_t)
 ')
 
-optional_policy(`
-	dspam_domtrans(postfix_local_t)
-')
-
 optional_policy(`
 	mailman_manage_data_files(postfix_local_t)
 	mailman_append_log(postfix_local_t)
@@ -775,10 +771,6 @@ optional_policy(`
 	dovecot_stream_connect(postfix_smtp_t)
 ')
 
-optional_policy(`
-	dspam_stream_connect(postfix_smtp_t)
-')
-
 optional_policy(`
 	milter_stream_connect_all(postfix_smtp_t)
 ')

diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc
deleted file mode 100644
index 756de346..00000000
--- a/policy/modules/services/pyicqt.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t	--	gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.*	--	gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/run/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_runtime_t,s0)
-
-/var/spool/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_spool_t,s0)

diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if
deleted file mode 100644
index 1372d96f..00000000
--- a/policy/modules/services/pyicqt.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>ICQ transport for XMPP server.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an pyicqt environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`pyicqt_admin',`
-	gen_require(`
-		type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
-		type pyicqt_runtime_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
-	')
-
-	allow $1 pyicqt_t:process { ptrace signal_perms };
-	ps_process_pattern($1, pyicqt_t)
-
-	init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
-
-	files_search_etc($1)
-	admin_pattern($1, pyicqt_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, pyicqt_log_t)
-
-	files_search_spool($1)
-	admin_pattern($1, pyicqt_spool_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, pyicqt_runtime_t)
-')

diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
deleted file mode 100644
index 70f6fd2e..00000000
--- a/policy/modules/services/pyicqt.te
+++ /dev/null
@@ -1,90 +0,0 @@
-policy_module(pyicqt, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_runtime_t alias pyicqt_var_run_t;
-files_runtime_file(pyicqt_runtime_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_runtime_t, pyicqt_runtime_t)
-files_runtime_filetrans(pyicqt_t, pyicqt_runtime_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
-	jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(pyicqt_t)
-	mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pyicqt_t)
-')

diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
deleted file mode 100644
index b43ee046..00000000
--- a/policy/modules/services/rgmanager.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-/etc/rc\.d/init\.d/rgmanager	--	gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-
-/usr/bin/ccs_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/bin/cman_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/bin/rgmanager	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-
-/usr/sbin/ccs_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/rgmanager	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-
-/var/log/cluster/rgmanager\.log.*	--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-
-/run/cluster/rgmanager\.sk	-s	gen_context(system_u:object_r:rgmanager_runtime_t,s0)
-
-/run/rgmanager\.pid	--	gen_context(system_u:object_r:rgmanager_runtime_t,s0)

diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
deleted file mode 100644
index 9cac56cb..00000000
--- a/policy/modules/services/rgmanager.if
+++ /dev/null
@@ -1,120 +0,0 @@
-## <summary>Resource Group Manager.</summary>
-
-#######################################
-## <summary>
-##	Execute a domain transition to run rgmanager.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rgmanager_domtrans',`
-	gen_require(`
-		type rgmanager_t, rgmanager_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
-')
-
-########################################
-## <summary>
-##	Connect to rgmanager with a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_stream_connect',`
-	gen_require(`
-		type rgmanager_t, rgmanager_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, rgmanager_runtime_t, rgmanager_runtime_t, rgmanager_t)
-')
-
-######################################
-## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmp files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_manage_tmp_files',`
-	gen_require(`
-		type rgmanager_tmp_t;
-	')
-
-	files_search_tmp($1)
-	manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
-')
-
-######################################
-## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_manage_tmpfs_files',`
-	gen_require(`
-		type rgmanager_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	All of the rules required to
-##	administrate an rgmanager environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`rgmanager_admin',`
-	gen_require(`
-		type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
-		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_runtime_t;
-	')
-
-	allow $1 rgmanager_t:process { ptrace signal_perms };
-	ps_process_pattern($1, rgmanager_t)
-
-	init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, rgmanager_tmp_t)
-
-	admin_pattern($1, rgmanager_tmpfs_t)
-
-	logging_list_logs($1)
-	admin_pattern($1, rgmanager_var_log_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, rgmanager_runtime_t)
-')

diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
deleted file mode 100644
index 089721b3..00000000
--- a/policy/modules/services/rgmanager.te
+++ /dev/null
@@ -1,199 +0,0 @@
-policy_module(rgmanager, 1.10.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether rgmanager can
-##	connect to the network using TCP.
-##	</p>
-## </desc>
-gen_tunable(rgmanager_can_network_connect, false)
-
-type rgmanager_t;
-type rgmanager_exec_t;
-init_daemon_domain(rgmanager_t, rgmanager_exec_t)
-
-type rgmanager_initrc_exec_t;
-init_script_file(rgmanager_initrc_exec_t)
-
-type rgmanager_runtime_t alias rgmanager_var_run_t;
-files_runtime_file(rgmanager_runtime_t)
-
-type rgmanager_tmp_t;
-files_tmp_file(rgmanager_tmp_t)
-
-type rgmanager_tmpfs_t;
-files_tmpfs_file(rgmanager_tmpfs_t)
-
-type rgmanager_var_log_t;
-logging_log_file(rgmanager_var_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
-allow rgmanager_t self:process { setsched signal };
-allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
-manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
-files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
-
-manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
-fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
-
-manage_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t)
-manage_sock_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t)
-files_runtime_filetrans(rgmanager_t, rgmanager_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(rgmanager_t)
-kernel_read_system_state(rgmanager_t)
-kernel_rw_rpc_sysctls(rgmanager_t)
-kernel_search_debugfs(rgmanager_t)
-kernel_search_network_state(rgmanager_t)
-kernel_manage_unlabeled_dirs(rgmanager_t)
-
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
-corecmd_exec_bin(rgmanager_t)
-corecmd_exec_shell(rgmanager_t)
-
-dev_rw_dlm_control(rgmanager_t)
-dev_setattr_dlm_control(rgmanager_t)
-dev_search_sysfs(rgmanager_t)
-
-domain_read_all_domains_state(rgmanager_t)
-domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
-
-files_list_all(rgmanager_t)
-files_getattr_all_symlinks(rgmanager_t)
-files_manage_mnt_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
-
-fs_getattr_all_fs(rgmanager_t)
-
-storage_raw_read_fixed_disk(rgmanager_t)
-
-term_getattr_pty_fs(rgmanager_t)
-
-auth_dontaudit_getattr_shadow(rgmanager_t)
-auth_use_nsswitch(rgmanager_t)
-
-init_domtrans_script(rgmanager_t)
-
-logging_send_syslog_msg(rgmanager_t)
-
-miscfiles_read_localization(rgmanager_t)
-
-tunable_policy(`rgmanager_can_network_connect',`
-	corenet_sendrecv_all_client_packets(rgmanager_t)
-	corenet_tcp_connect_all_ports(rgmanager_t)
-')
-
-optional_policy(`
-	aisexec_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	consoletype_exec(rgmanager_t)
-')
-
-optional_policy(`
-	corosync_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	apache_domtrans(rgmanager_t)
-	apache_signal(rgmanager_t)
-')
-
-optional_policy(`
-	fstools_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	rhcs_stream_connect_groupd(rgmanager_t)
-	rhcs_stream_connect_gfs_controld(rgmanager_t)
-')
-
-optional_policy(`
-	hostname_exec(rgmanager_t)
-')
-
-optional_policy(`
-	ccs_manage_config(rgmanager_t)
-	ccs_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	lvm_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	mount_domtrans(rgmanager_t)
-')
-
-optional_policy(`
-	mysql_domtrans_mysql_safe(rgmanager_t)
-	mysql_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	netutils_domtrans(rgmanager_t)
-	netutils_domtrans_ping(rgmanager_t)
-')
-
-optional_policy(`
-	postgresql_domtrans(rgmanager_t)
-	postgresql_signal(rgmanager_t)
-')
-
-optional_policy(`
-	rdisc_exec(rgmanager_t)
-')
-
-optional_policy(`
-	ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
-')
-
-optional_policy(`
-	rpc_domtrans_nfsd(rgmanager_t)
-	rpc_domtrans_rpcd(rgmanager_t)
-	rpc_manage_nfs_state_data(rgmanager_t)
-')
-
-optional_policy(`
-	samba_domtrans_smbd(rgmanager_t)
-	samba_domtrans_nmbd(rgmanager_t)
-	samba_manage_var_files(rgmanager_t)
-	samba_rw_config(rgmanager_t)
-	samba_signal_smbd(rgmanager_t)
-	samba_signal_nmbd(rgmanager_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_ifconfig(rgmanager_t)
-')
-
-optional_policy(`
-	virt_stream_connect(rgmanager_t)
-')
-
-optional_policy(`
-	xen_domtrans_xm(rgmanager_t)
-')

diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
deleted file mode 100644
index d03725ab..00000000
--- a/policy/modules/services/rhcs.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
-
-/usr/bin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/bin/fenced		--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/fence_node	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/fence_tool	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/bin/foghorn	--	gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/bin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/bin/groupd		--	gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/bin/qdiskd		--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
-/usr/sbin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn	--	gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd	--	gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd	--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
-/var/lock/fence_manual\.lock	--	gen_context(system_u:object_r:fenced_lock_t,s0)
-
-/var/lib/qdiskd(/.*)?	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-
-/var/log/cluster/.*\.log	<<none>>
-/var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.*	--	gen_context(system_u:object_r:fenced_var_log_t,s0)
-/var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.*	--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-
-/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/cluster/fence_scsi.*	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/dlm_controld\.pid	--	gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
-/run/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
-/run/fenced\.pid	--	gen_context(system_u:object_r:fenced_runtime_t,s0)
-/run/gfs_controld\.pid	--	gen_context(system_u:object_r:gfs_controld_runtime_t,s0)
-/run/groupd\.pid	--	gen_context(system_u:object_r:groupd_runtime_t,s0)
-/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_runtime_t,s0)

diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
deleted file mode 100644
index ffc99b4d..00000000
--- a/policy/modules/services/rhcs.if
+++ /dev/null
@@ -1,496 +0,0 @@
-## <summary>Red Hat Cluster Suite.</summary>
-
-#######################################
-## <summary>
-##	The template to define a rhcs domain.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Domain prefix to be used.
-##	</summary>
-## </param>
-#
-template(`rhcs_domain_template',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_t, cluster_domain;
-	type $1_exec_t;
-	init_daemon_domain($1_t, $1_exec_t)
-
-	type $1_runtime_t alias $1_var_run_t, cluster_pid;
-	files_runtime_file($1_runtime_t)
-
-	type $1_tmpfs_t, cluster_tmpfs;
-	files_tmpfs_file($1_tmpfs_t)
-
-	type $1_var_log_t, cluster_log;
-	logging_log_file($1_var_log_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
-
-	manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
-
-	manage_dirs_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_fifo_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	manage_sock_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
-	files_runtime_filetrans($1_t, $1_runtime_t, { dir file sock_file fifo_file })
-
-	optional_policy(`
-		dbus_system_bus_client($1_t)
-	')
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to
-##	run dlm_controld.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rhcs_domtrans_dlm_controld',`
-	gen_require(`
-	type dlm_controld_t, dlm_controld_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
-')
-
-#####################################
-## <summary>
-##	Get attributes of fenced
-##	executable files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_getattr_fenced_exec_files',`
-	gen_require(`
-		type fenced_exec_t;
-	')
-
-	allow $1 fenced_exec_t:file getattr_file_perms;
-')
-
-#####################################
-## <summary>
-##	Connect to dlm_controld with a
-##	unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_dlm_controld',`
-	gen_require(`
-		type dlm_controld_t, dlm_controld_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t)
-')
-
-#####################################
-## <summary>
-##	Read and write dlm_controld semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_dlm_controld_semaphores',`
-	gen_require(`
-		type dlm_controld_t, dlm_controld_tmpfs_t;
-	')
-
-	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run fenced.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_fenced',`
-	gen_require(`
-		type fenced_t, fenced_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fenced_exec_t, fenced_t)
-')
-
-######################################
-## <summary>
-##	Read and write fenced semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_fenced_semaphores',`
-	gen_require(`
-		type fenced_t, fenced_tmpfs_t;
-	')
-
-	allow $1 fenced_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-')
-
-####################################
-## <summary>
-##	Connect to all cluster domains
-##	with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_cluster',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
-')
-
-######################################
-## <summary>
-##	Connect to fenced with an unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_fenced',`
-	gen_require(`
-		type fenced_runtime_t, fenced_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, fenced_runtime_t, fenced_runtime_t, fenced_t)
-')
-
-#####################################
-## <summary>
-##	Execute a domain transition
-##	to run gfs_controld.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_gfs_controld',`
-	gen_require(`
-	type gfs_controld_t, gfs_controld_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
-')
-
-####################################
-## <summary>
-##	Read and write gfs_controld semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_gfs_controld_semaphores',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_tmpfs_t;
-	')
-
-	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	Read and write gfs_controld_t shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_gfs_controld_shm',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_tmpfs_t;
-	')
-
-	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
-#####################################
-## <summary>
-##	Connect to gfs_controld_t with
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_gfs_controld',`
-	gen_require(`
-		type gfs_controld_t, gfs_controld_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, gfs_controld_runtime_t, gfs_controld_runtime_t, gfs_controld_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run groupd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rhcs_domtrans_groupd',`
-	gen_require(`
-		type groupd_t, groupd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, groupd_exec_t, groupd_t)
-')
-
-#####################################
-## <summary>
-##	Connect to groupd with a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_stream_connect_groupd',`
-	gen_require(`
-		type groupd_t, groupd_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, groupd_runtime_t, groupd_runtime_t, groupd_t)
-')
-
-########################################
-## <summary>
-##	Read and write all cluster domains
-##	shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_cluster_shm',`
-	gen_require(`
-		attribute cluster_domain, cluster_tmpfs;
-	')
-
-	allow $1 cluster_domain:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
-')
-
-####################################
-## <summary>
-##	Read and write all cluster
-##	domains semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_cluster_semaphores',`
-	gen_require(`
-		attribute cluster_domain;
-	')
-
-	allow $1 cluster_domain:sem { rw_sem_perms destroy };
-')
-
-#####################################
-## <summary>
-##	Read and write groupd semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_groupd_semaphores',`
-	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
-	')
-
-	allow $1 groupd_t:sem { rw_sem_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	Read and write groupd shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rhcs_rw_groupd_shm',`
-	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
-	')
-
-	allow $1 groupd_t:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-')
-
-######################################
-## <summary>
-##	Execute a domain transition to run qdiskd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`rhcs_domtrans_qdiskd',`
-	gen_require(`
-		type qdiskd_t, qdiskd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an rhcs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`rhcs_admin',`
-	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
-		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
-		type fenced_tmp_t, qdiskd_var_lib_t;
-		type dlm_controld_t, foghorn_t;
-	')
-
-	allow $1 cluster_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, cluster_domain)
-
-	init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
-	init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t)
-
-	files_search_runtime($1)
-	admin_pattern($1, cluster_pid)
-
-	files_search_locks($1)
-	admin_pattern($1, fenced_lock_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, fenced_tmp_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, qdiskd_var_lib_t)
-
-	fs_search_tmpfs($1)
-	admin_pattern($1, cluster_tmpfs)
-
-	logging_search_logs($1)
-	admin_pattern($1, cluster_log)
-')

diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
deleted file mode 100644
index 16b08f61..00000000
--- a/policy/modules/services/rhcs.te
+++ /dev/null
@@ -1,319 +0,0 @@
-policy_module(rhcs, 1.10.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##	<p>
-##	Determine whether fenced can
-##	connect to the TCP network.
-##	</p>
-## </desc>
-gen_tunable(fenced_can_network_connect, false)
-
-## <desc>
-##	<p>
-##	Determine whether fenced can use ssh.
-##	</p>
-## </desc>
-gen_tunable(fenced_can_ssh, false)
-
-attribute cluster_domain;
-attribute cluster_log;
-attribute cluster_pid;
-attribute cluster_tmpfs;
-
-rhcs_domain_template(dlm_controld)
-
-type dlm_controld_initrc_exec_t;
-init_script_file(dlm_controld_initrc_exec_t)
-
-rhcs_domain_template(fenced)
-
-type fenced_lock_t;
-files_lock_file(fenced_lock_t)
-
-type fenced_tmp_t;
-files_tmp_file(fenced_tmp_t)
-
-rhcs_domain_template(foghorn)
-
-type foghorn_initrc_exec_t;
-init_script_file(foghorn_initrc_exec_t)
-
-rhcs_domain_template(gfs_controld)
-rhcs_domain_template(groupd)
-rhcs_domain_template(qdiskd)
-
-type qdiskd_var_lib_t;
-files_type(qdiskd_var_lib_t)
-
-#####################################
-#
-# Common cluster domains local policy
-#
-
-allow cluster_domain self:capability sys_nice;
-allow cluster_domain self:process setsched;
-allow cluster_domain self:sem create_sem_perms;
-allow cluster_domain self:fifo_file rw_fifo_file_perms;
-allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
-allow cluster_domain self:unix_dgram_socket create_socket_perms;
-
-logging_send_syslog_msg(cluster_domain)
-
-miscfiles_read_localization(cluster_domain)
-
-optional_policy(`
-	ccs_stream_connect(cluster_domain)
-')
-
-optional_policy(`
-	corosync_stream_connect(cluster_domain)
-')
-
-#####################################
-#
-# dlm_controld local policy
-#
-
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-stream_connect_pattern(dlm_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
-stream_connect_pattern(dlm_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-kernel_read_system_state(dlm_controld_t)
-kernel_rw_net_sysctls(dlm_controld_t)
-
-corecmd_exec_bin(dlm_controld_t)
-
-dev_rw_dlm_control(dlm_controld_t)
-dev_rw_sysfs(dlm_controld_t)
-
-fs_manage_configfs_files(dlm_controld_t)
-fs_manage_configfs_dirs(dlm_controld_t)
-
-init_rw_script_tmp_files(dlm_controld_t)
-
-#######################################
-#
-# fenced local policy
-#
-
-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
-allow fenced_t self:unix_stream_socket connectto;
-
-manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
-files_lock_filetrans(fenced_t, fenced_lock_t, file)
-
-manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
-
-stream_connect_pattern(fenced_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-can_exec(fenced_t, fenced_exec_t)
-
-kernel_read_system_state(fenced_t)
-
-corecmd_exec_bin(fenced_t)
-corecmd_exec_shell(fenced_t)
-
-corenet_all_recvfrom_netlabel(fenced_t)
-corenet_tcp_sendrecv_generic_if(fenced_t)
-corenet_udp_sendrecv_generic_if(fenced_t)
-corenet_tcp_sendrecv_generic_node(fenced_t)
-corenet_udp_sendrecv_generic_node(fenced_t)
-corenet_tcp_bind_generic_node(fenced_t)
-corenet_udp_bind_generic_node(fenced_t)
-
-corenet_sendrecv_ionixnetmon_server_packets(fenced_t)
-corenet_udp_bind_ionixnetmon_port(fenced_t)
-
-corenet_sendrecv_zented_server_packets(fenced_t)
-corenet_tcp_bind_zented_port(fenced_t)
-
-corenet_sendrecv_http_client_packets(fenced_t)
-corenet_tcp_connect_http_port(fenced_t)
-
-dev_read_sysfs(fenced_t)
-dev_read_urand(fenced_t)
-
-files_read_usr_files(fenced_t)
-files_read_usr_symlinks(fenced_t)
-
-storage_raw_read_fixed_disk(fenced_t)
-storage_raw_write_fixed_disk(fenced_t)
-storage_raw_read_removable_device(fenced_t)
-
-term_getattr_pty_fs(fenced_t)
-term_use_generic_ptys(fenced_t)
-term_use_ptmx(fenced_t)
-
-auth_use_nsswitch(fenced_t)
-
-tunable_policy(`fenced_can_network_connect',`
-	corenet_sendrecv_all_client_packets(fenced_t)
-	corenet_tcp_connect_all_ports(fenced_t)
-')
-
-optional_policy(`
-	tunable_policy(`fenced_can_ssh',`
-		allow fenced_t self:capability { setgid setuid };
-
-		corenet_sendrecv_ssh_client_packets(fenced_t)
-		corenet_tcp_connect_ssh_port(fenced_t)
-
-		ssh_exec(fenced_t)
-		ssh_read_user_home_files(fenced_t)
-	')
-')
-
-optional_policy(`
-	corosync_exec(fenced_t)
-')
-
-optional_policy(`
-	ccs_read_config(fenced_t)
-')
-
-optional_policy(`
-	gnome_read_generic_home_content(fenced_t)
-')
-
-optional_policy(`
-	lvm_domtrans(fenced_t)
-	lvm_read_config(fenced_t)
-')
-
-optional_policy(`
-	snmp_manage_var_lib_files(fenced_t)
-	snmp_manage_var_lib_dirs(fenced_t)
-')
-
-#######################################
-#
-# foghorn local policy
-#
-
-allow foghorn_t self:process signal;
-allow foghorn_t self:tcp_socket create_stream_socket_perms;
-allow foghorn_t self:udp_socket create_socket_perms;
-
-corenet_all_recvfrom_netlabel(foghorn_t)
-corenet_tcp_sendrecv_generic_if(foghorn_t)
-corenet_tcp_sendrecv_generic_node(foghorn_t)
-
-corenet_sendrecv_agentx_client_packets(foghorn_t)
-corenet_tcp_connect_agentx_port(foghorn_t)
-
-dev_read_urand(foghorn_t)
-
-files_read_usr_files(foghorn_t)
-
-optional_policy(`
-	dbus_connect_system_bus(foghorn_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(foghorn_t)
-	snmp_stream_connect(foghorn_t)
-')
-
-######################################
-#
-# gfs_controld local policy
-#
-
-allow gfs_controld_t self:capability { net_admin sys_resource };
-allow gfs_controld_t self:shm create_shm_perms;
-allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-stream_connect_pattern(gfs_controld_t, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t)
-stream_connect_pattern(gfs_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
-stream_connect_pattern(gfs_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)
-
-kernel_read_system_state(gfs_controld_t)
-
-dev_rw_dlm_control(gfs_controld_t)
-dev_setattr_dlm_control(gfs_controld_t)
-dev_rw_sysfs(gfs_controld_t)
-
-storage_getattr_removable_dev(gfs_controld_t)
-
-init_rw_script_tmp_files(gfs_controld_t)
-
-optional_policy(`
-	lvm_exec(gfs_controld_t)
-	dev_rw_lvm_control(gfs_controld_t)
-')
-
-#######################################
-#
-# groupd local policy
-#
-
-allow groupd_t self:capability { sys_nice sys_resource };
-allow groupd_t self:process setsched;
-allow groupd_t self:shm create_shm_perms;
-
-domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
-
-dev_list_sysfs(groupd_t)
-
-files_read_etc_files(groupd_t)
-
-init_rw_script_tmp_files(groupd_t)
-
-######################################
-#
-# qdiskd local policy
-#
-
-allow qdiskd_t self:capability { ipc_lock sys_boot };
-allow qdiskd_t self:tcp_socket { accept listen };
-
-manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
-files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
-
-kernel_read_system_state(qdiskd_t)
-kernel_read_software_raid_state(qdiskd_t)
-kernel_getattr_core_if(qdiskd_t)
-
-corecmd_exec_bin(qdiskd_t)
-corecmd_exec_shell(qdiskd_t)
-
-dev_read_sysfs(qdiskd_t)
-dev_list_all_dev_nodes(qdiskd_t)
-dev_getattr_all_blk_files(qdiskd_t)
-dev_getattr_all_chr_files(qdiskd_t)
-dev_manage_generic_blk_files(qdiskd_t)
-dev_manage_generic_chr_files(qdiskd_t)
-
-domain_dontaudit_getattr_all_pipes(qdiskd_t)
-domain_dontaudit_getattr_all_sockets(qdiskd_t)
-
-files_dontaudit_getattr_all_sockets(qdiskd_t)
-files_dontaudit_getattr_all_pipes(qdiskd_t)
-
-fs_list_hugetlbfs(qdiskd_t)
-
-storage_raw_read_removable_device(qdiskd_t)
-storage_raw_write_removable_device(qdiskd_t)
-storage_raw_read_fixed_disk(qdiskd_t)
-storage_raw_write_fixed_disk(qdiskd_t)
-
-auth_use_nsswitch(qdiskd_t)
-
-optional_policy(`
-	netutils_domtrans_ping(qdiskd_t)
-')
-

diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
deleted file mode 100644
index 1cdd4bdc..00000000
--- a/policy/modules/services/ricci.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/ricci	--	gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
-
-/usr/bin/modclusterd	--	gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
-/usr/bin/ricci	--	gen_context(system_u:object_r:ricci_exec_t,s0)
-
-/usr/libexec/modcluster	--	gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
-/usr/libexec/ricci-modlog	--	gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
-/usr/libexec/ricci-modrpm	--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
-/usr/libexec/ricci-modservice	--	gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
-/usr/libexec/ricci-modstorage	--	gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
-
-/usr/sbin/modclusterd	--	gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
-/usr/sbin/ricci	--	gen_context(system_u:object_r:ricci_exec_t,s0)
-
-/var/lib/ricci(/.*)?	gen_context(system_u:object_r:ricci_var_lib_t,s0)
-
-/var/log/clumond\.log.*	--	gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-
-/run/clumond\.sock	-s	gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
-/run/modclusterd\.pid	--	gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
-/run/ricci\.pid	--	gen_context(system_u:object_r:ricci_runtime_t,s0)

diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
deleted file mode 100644
index 3e828adc..00000000
--- a/policy/modules/services/ricci.if
+++ /dev/null
@@ -1,219 +0,0 @@
-## <summary>Ricci cluster management agent.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run ricci.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ricci_domtrans',`
-	gen_require(`
-		type ricci_t, ricci_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_exec_t, ricci_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modcluster.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ricci_domtrans_modcluster',`
-	gen_require(`
-		type ricci_modcluster_t, ricci_modcluster_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use
-##	ricci modcluster file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ricci_dontaudit_use_modcluster_fds',`
-	gen_require(`
-		type ricci_modcluster_t;
-	')
-
-	dontaudit $1 ricci_modcluster_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read write
-##	ricci modcluster unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ricci_dontaudit_rw_modcluster_pipes',`
-	gen_require(`
-		type ricci_modcluster_t;
-	')
-
-	dontaudit $1 ricci_modcluster_t:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Connect to ricci_modclusterd with
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ricci_stream_connect_modclusterd',`
-	gen_require(`
-		type ricci_modclusterd_t, ricci_modcluster_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t, ricci_modclusterd_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modlog.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modlog',`
-	gen_require(`
-		type ricci_modlog_t, ricci_modlog_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modrpm.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modrpm',`
-	gen_require(`
-		type ricci_modrpm_t, ricci_modrpm_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modservice.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modservice',`
-	gen_require(`
-		type ricci_modservice_t, ricci_modservice_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run ricci modstorage.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`ricci_domtrans_modstorage',`
-	gen_require(`
-		type ricci_modstorage_t, ricci_modstorage_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an ricci environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`ricci_admin',`
-	gen_require(`
-		type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
-		type ricci_var_lib_t, ricci_var_log_t, ricci_runtime_t;
-	')
-
-	allow $1 ricci_t:process { ptrace signal_perms };
-	ps_process_pattern($1, ricci_t)
-
-	init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, ricci_tmp_t)
-
-	files_list_var_lib($1)
-	admin_pattern($1, ricci_var_lib_t)
-
-	logging_list_logs($1)
-	admin_pattern($1, ricci_var_log_t)
-
-	files_list_runtime($1)
-	admin_pattern($1, ricci_runtime_t)
-')

diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
deleted file mode 100644
index 6e04afb0..00000000
--- a/policy/modules/services/ricci.te
+++ /dev/null
@@ -1,523 +0,0 @@
-policy_module(ricci, 1.13.0)
-
-########################################
-#
-# Declarations
-#
-
-type ricci_t;
-type ricci_exec_t;
-init_daemon_domain(ricci_t, ricci_exec_t)
-
-type ricci_initrc_exec_t;
-init_script_file(ricci_initrc_exec_t)
-
-type ricci_runtime_t alias ricci_var_run_t;
-files_runtime_file(ricci_runtime_t)
-
-type ricci_tmp_t;
-files_tmp_file(ricci_tmp_t)
-
-type ricci_var_lib_t;
-files_type(ricci_var_lib_t)
-
-type ricci_var_log_t;
-logging_log_file(ricci_var_log_t)
-
-type ricci_modcluster_t;
-type ricci_modcluster_exec_t;
-domain_type(ricci_modcluster_t)
-domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
-role system_r types ricci_modcluster_t;
-
-type ricci_modcluster_runtime_t alias ricci_modcluster_var_run_t;
-files_runtime_file(ricci_modcluster_runtime_t)
-
-type ricci_modcluster_var_lib_t;
-files_type(ricci_modcluster_var_lib_t)
-
-type ricci_modcluster_var_log_t;
-logging_log_file(ricci_modcluster_var_log_t)
-
-type ricci_modclusterd_t;
-type ricci_modclusterd_exec_t;
-init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
-
-type ricci_modclusterd_tmpfs_t;
-files_tmpfs_file(ricci_modclusterd_tmpfs_t)
-
-type ricci_modlog_t;
-type ricci_modlog_exec_t;
-domain_type(ricci_modlog_t)
-domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
-role system_r types ricci_modlog_t;
-
-type ricci_modrpm_t;
-type ricci_modrpm_exec_t;
-domain_type(ricci_modrpm_t)
-domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
-role system_r types ricci_modrpm_t;
-
-type ricci_modservice_t;
-type ricci_modservice_exec_t;
-domain_type(ricci_modservice_t)
-domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
-role system_r types ricci_modservice_t;
-
-type ricci_modstorage_t;
-type ricci_modstorage_exec_t;
-domain_type(ricci_modstorage_t)
-domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
-role system_r types ricci_modstorage_t;
-
-type ricci_modstorage_lock_t;
-files_lock_file(ricci_modstorage_lock_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ricci_t self:capability { setuid sys_boot sys_nice };
-allow ricci_t self:process setsched;
-allow ricci_t self:fifo_file rw_fifo_file_perms;
-allow ricci_t self:unix_stream_socket { accept connectto listen };
-allow ricci_t self:tcp_socket { accept listen };
-
-domtrans_pattern(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
-domtrans_pattern(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
-domtrans_pattern(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
-domtrans_pattern(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
-domtrans_pattern(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
-
-manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
-manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
-files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
-
-manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
-files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-
-allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-create_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-setattr_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
-logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
-
-manage_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
-manage_sock_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
-files_runtime_filetrans(ricci_t, ricci_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ricci_t)
-kernel_read_system_state(ricci_t)
-
-corecmd_exec_bin(ricci_t)
-
-corenet_all_recvfrom_netlabel(ricci_t)
-corenet_tcp_sendrecv_generic_if(ricci_t)
-corenet_tcp_sendrecv_generic_node(ricci_t)
-corenet_tcp_bind_generic_node(ricci_t)
-corenet_udp_bind_generic_node(ricci_t)
-
-corenet_sendrecv_ricci_server_packets(ricci_t)
-corenet_tcp_bind_ricci_port(ricci_t)
-corenet_udp_bind_ricci_port(ricci_t)
-
-corenet_sendrecv_http_client_packets(ricci_t)
-corenet_tcp_connect_http_port(ricci_t)
-
-dev_read_urand(ricci_t)
-
-domain_read_all_domains_state(ricci_t)
-
-files_read_etc_files(ricci_t)
-files_read_etc_runtime_files(ricci_t)
-files_create_boot_flag(ricci_t)
-
-auth_domtrans_chk_passwd(ricci_t)
-auth_append_login_records(ricci_t)
-
-init_stream_connect_script(ricci_t)
-
-locallogin_dontaudit_use_fds(ricci_t)
-
-logging_send_syslog_msg(ricci_t)
-
-miscfiles_read_localization(ricci_t)
-
-sysnet_dns_name_resolve(ricci_t)
-
-optional_policy(`
-	ccs_read_config(ricci_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client(ricci_t)
-
-	optional_policy(`
-		oddjob_dbus_chat(ricci_t)
-	')
-')
-
-optional_policy(`
-	corecmd_bin_entry_type(ricci_t)
-	term_dontaudit_search_ptys(ricci_t)
-	init_exec(ricci_t)
-
-	oddjob_system_entry(ricci_t, ricci_exec_t)
-')
-
-optional_policy(`
-	rpm_use_script_fds(ricci_t)
-')
-
-optional_policy(`
-	sasl_connect(ricci_t)
-')
-
-optional_policy(`
-	shutdown_domtrans(ricci_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ricci_t)
-')
-
-optional_policy(`
-	xen_domtrans_xm(ricci_t)
-')
-
-########################################
-#
-# Modcluster local policy
-#
-
-allow ricci_modcluster_t self:capability sys_nice;
-allow ricci_modcluster_t self:process setsched;
-allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modcluster_t)
-kernel_read_system_state(ricci_modcluster_t)
-
-corecmd_exec_bin(ricci_modcluster_t)
-corecmd_exec_shell(ricci_modcluster_t)
-
-corenet_all_recvfrom_netlabel(ricci_modcluster_t)
-corenet_tcp_sendrecv_generic_if(ricci_modcluster_t)
-corenet_tcp_sendrecv_generic_node(ricci_modcluster_t)
-corenet_tcp_bind_generic_node(ricci_modcluster_t)
-
-corenet_sendrecv_all_server_packets(ricci_modcluster_t)
-corenet_tcp_bind_all_rpc_ports(ricci_modcluster_t)
-
-corenet_tcp_bind_cluster_port(ricci_modcluster_t)
-corenet_sendrecv_cluster_client_packets(ricci_modcluster_t)
-corenet_tcp_connect_cluster_port(ricci_modcluster_t)
-
-domain_read_all_domains_state(ricci_modcluster_t)
-
-files_search_locks(ricci_modcluster_t)
-files_read_etc_runtime_files(ricci_modcluster_t)
-files_search_usr(ricci_modcluster_t)
-
-auth_use_nsswitch(ricci_modcluster_t)
-
-init_exec(ricci_modcluster_t)
-init_domtrans_script(ricci_modcluster_t)
-
-logging_send_syslog_msg(ricci_modcluster_t)
-
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modcluster_t)
-	corosync_stream_connect(ricci_modcluster_t)
-')
-
-optional_policy(`
-	ccs_stream_connect(ricci_modcluster_t)
-	ccs_domtrans(ricci_modcluster_t)
-	ccs_manage_config(ricci_modcluster_t)
-')
-
-optional_policy(`
-	lvm_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	modutils_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	mount_domtrans(ricci_modcluster_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modcluster_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
-')
-
-optional_policy(`
-	rgmanager_stream_connect(ricci_modcluster_t)
-')
-
-########################################
-#
-# Modclusterd local policy
-#
-
-allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
-allow ricci_modclusterd_t self:process { signal sigkill setsched };
-allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
-allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:socket create_socket_perms;
-
-allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
-allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
-
-allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr_dir_perms;
-append_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-create_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-setattr_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
-
-manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
-manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
-files_runtime_filetrans(ricci_modclusterd_t, ricci_modcluster_runtime_t, { file sock_file })
-
-kernel_read_kernel_sysctls(ricci_modclusterd_t)
-kernel_read_system_state(ricci_modclusterd_t)
-kernel_request_load_module(ricci_modclusterd_t)
-
-corecmd_exec_bin(ricci_modclusterd_t)
-
-corenet_all_recvfrom_netlabel(ricci_modclusterd_t)
-corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
-corenet_tcp_sendrecv_generic_node(ricci_modclusterd_t)
-corenet_tcp_bind_generic_node(ricci_modclusterd_t)
-
-corenet_sendrecv_ricci_modcluster_server_packets(ricci_modclusterd_t)
-corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
-corenet_sendrecv_ricci_modcluster_client_packets(ricci_modclusterd_t)
-corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-
-domain_read_all_domains_state(ricci_modclusterd_t)
-
-files_read_etc_runtime_files(ricci_modclusterd_t)
-
-fs_getattr_xattr_fs(ricci_modclusterd_t)
-
-auth_use_nsswitch(ricci_modclusterd_t)
-
-init_stream_connect_script(ricci_modclusterd_t)
-
-locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
-logging_send_syslog_msg(ricci_modclusterd_t)
-
-miscfiles_read_localization(ricci_modclusterd_t)
-
-sysnet_domtrans_ifconfig(ricci_modclusterd_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modclusterd_t)
-	corosync_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	ccs_domtrans(ricci_modclusterd_t)
-	ccs_stream_connect(ricci_modclusterd_t)
-	ccs_read_config(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	rgmanager_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
-	unconfined_use_fds(ricci_modclusterd_t)
-')
-
-########################################
-#
-# Modlog local policy
-#
-
-allow ricci_modlog_t self:capability sys_nice;
-allow ricci_modlog_t self:process setsched;
-
-kernel_read_kernel_sysctls(ricci_modlog_t)
-kernel_read_system_state(ricci_modlog_t)
-
-corecmd_exec_bin(ricci_modlog_t)
-
-domain_read_all_domains_state(ricci_modlog_t)
-
-files_read_etc_files(ricci_modlog_t)
-files_search_usr(ricci_modlog_t)
-
-logging_read_generic_logs(ricci_modlog_t)
-
-miscfiles_read_localization(ricci_modlog_t)
-
-optional_policy(`
-	nscd_dontaudit_search_runtime(ricci_modlog_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
-')
-
-########################################
-#
-# Modrpm local policy
-#
-
-allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modrpm_t)
-
-corecmd_exec_bin(ricci_modrpm_t)
-
-files_search_usr(ricci_modrpm_t)
-files_read_etc_files(ricci_modrpm_t)
-
-miscfiles_read_localization(ricci_modrpm_t)
-
-optional_policy(`
-	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-')
-
-optional_policy(`
-	rpm_domtrans(ricci_modrpm_t)
-')
-
-########################################
-#
-# Modservice local policy
-#
-
-allow ricci_modservice_t self:capability { dac_override sys_nice };
-allow ricci_modservice_t self:process setsched;
-allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modservice_t)
-kernel_read_system_state(ricci_modservice_t)
-
-corecmd_exec_bin(ricci_modservice_t)
-corecmd_exec_shell(ricci_modservice_t)
-
-files_read_etc_files(ricci_modservice_t)
-files_read_etc_runtime_files(ricci_modservice_t)
-files_search_usr(ricci_modservice_t)
-files_manage_etc_symlinks(ricci_modservice_t)
-
-init_domtrans_script(ricci_modservice_t)
-
-miscfiles_read_localization(ricci_modservice_t)
-
-optional_policy(`
-	ccs_read_config(ricci_modservice_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modservice_t)
-')
-
-optional_policy(`
-	nscd_dontaudit_search_runtime(ricci_modservice_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
-')
-
-########################################
-#
-# Modstorage local policy
-#
-
-allow ricci_modstorage_t self:capability { mknod sys_nice };
-allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
-allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_kernel_sysctls(ricci_modstorage_t)
-kernel_read_system_state(ricci_modstorage_t)
-
-create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
-files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
-
-corecmd_exec_bin(ricci_modstorage_t)
-corecmd_exec_shell(ricci_modstorage_t)
-
-dev_read_sysfs(ricci_modstorage_t)
-dev_read_urand(ricci_modstorage_t)
-dev_manage_generic_blk_files(ricci_modstorage_t)
-
-domain_read_all_domains_state(ricci_modstorage_t)
-
-files_manage_etc_files(ricci_modstorage_t)
-files_read_etc_runtime_files(ricci_modstorage_t)
-files_read_usr_files(ricci_modstorage_t)
-files_read_kernel_modules(ricci_modstorage_t)
-
-storage_raw_read_fixed_disk(ricci_modstorage_t)
-
-term_dontaudit_use_console(ricci_modstorage_t)
-
-logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
-
-optional_policy(`
-	aisexec_stream_connect(ricci_modstorage_t)
-	corosync_stream_connect(ricci_modstorage_t)
-')
-
-optional_policy(`
-	ccs_stream_connect(ricci_modstorage_t)
-	ccs_read_config(ricci_modstorage_t)
-')
-
-optional_policy(`
-	consoletype_exec(ricci_modstorage_t)
-')
-
-optional_policy(`
-	fstools_domtrans(ricci_modstorage_t)
-')
-
-optional_policy(`
-	lvm_domtrans(ricci_modstorage_t)
-	lvm_manage_config(ricci_modstorage_t)
-')
-
-optional_policy(`
-	modutils_read_module_deps(ricci_modstorage_t)
-')
-
-optional_policy(`
-	mount_domtrans(ricci_modstorage_t)
-')
-
-optional_policy(`
-	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
-')
-
-optional_policy(`
-	raid_domtrans_mdadm(ricci_modstorage_t)
-')

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 89dfbef5..acb5c27e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -292,10 +292,6 @@ optional_policy(`
 	quota_manage_db_files(rpcd_t)
 ')
 
-optional_policy(`
-	rgmanager_manage_tmp_files(rpcd_t)
-')
-
 optional_policy(`
 	unconfined_signal(rpcd_t)
 ')

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index cd494d84..7a92a32a 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -469,10 +469,6 @@ tunable_policy(`samba_export_all_rw',`
 	files_manage_non_auth_files(smbd_t)
 ')
 
-optional_policy(`
-	ccs_read_config(smbd_t)
-')
-
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 621c627f..083ecd2b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -137,10 +137,6 @@ optional_policy(`
 	mta_search_queue(snmpd_t)
 ')
 
-optional_policy(`
-	ricci_stream_connect_modclusterd(snmpd_t)
-')
-
 optional_policy(`
 	rpc_search_nfs_state_data(snmpd_t)
 ')

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 61537239..18335811 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -447,13 +447,6 @@ optional_policy(`
 	daemontools_service_domain(spamd_t, spamd_exec_t)
 ')
 
-optional_policy(`
-	dcc_domtrans_cdcc(spamd_t)
-	dcc_domtrans_client(spamd_t)
-	dcc_signal_client(spamd_t)
-	dcc_stream_connect_dccifd(spamd_t)
-')
-
 optional_policy(`
 	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
 ')

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 8d50e1f2..6dcfd9fd 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -18,7 +18,6 @@
 #
 # /usr
 #
-/usr/bin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/bin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/dmraid			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -82,7 +81,6 @@
 /usr/lib/systemd/system/lvm2-lvmetad.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/udev/udisks-lvm-pv-export		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 
-/usr/sbin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 766233b0..9d79acba 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -186,25 +186,6 @@ interface(`lvm_rw_inherited_pid_pipes',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
-######################################
-## <summary>
-##	Execute a domain transition to run clvmd.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lvm_domtrans_clvmd',`
-	gen_require(`
-		type clvmd_t, clvmd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
-')
-
 ######################################
 ## <summary>
 ##	All of the rules required to
@@ -223,14 +204,11 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 	gen_require(`
-		type clvmd_t, clvmd_initrc_exec_t, lvm_t, lvm_unit_t;
-		type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
-		type lvm_var_lib_t, lvm_runtime_t, clvmd_runtime_t, lvm_tmp_t;
+		type lvm_t, lvm_etc_t, lvm_lock_t, lvm_metadata_t;
+		type lvm_var_lib_t, lvm_runtime_t, lvm_tmp_t;
 	')
 
-	admin_process_pattern($1, { clvmd_t lvm_t })
-
-	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
+	admin_process_pattern($1, lvm_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { lvm_etc_t lvm_metadata_t })
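Review bot: In `lvm_admin`, deleting the `init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)` line removes more than the clvmd access: it was the only visible use of the `role` argument (`$2`) and of `lvm_unit_t`, which is also dropped from the `gen_require`. The lvm.fc hunk in this same commit still labels `/usr/lib/systemd/system/lvm2-lvmetad.*` as `lvm_unit_t`, so domains that call `lvm_admin` appear to lose start/stop access to those units as a side effect of removing clvmd. If that narrowing is intended, it should be recorded in the interface's doc comment, for example `##	Role allowed access. (Currently unused.)`, so callers know the role is no longer consulted. If it is not intended, the unit access has to be granted separately, because `clvmd_t` is gone and can no longer be passed to `init_startstop_service`. Part of the interface body lies between this hunk and the next, so the claim that `$2` is unused is inferred from the visible lines only.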
@@ -242,7 +220,7 @@ interface(`lvm_admin',`
 	admin_pattern($1, lvm_var_lib_t)
 
 	files_search_runtime($1)
-	admin_pattern($1, { lvm_runtime_t clvmd_runtime_t })
+	admin_pattern($1, lvm_runtime_t)
 
 	files_search_tmp($1)
 	admin_pattern($1, lvm_tmp_t)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 91d88067..68b8614f 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -5,16 +5,6 @@ policy_module(lvm, 1.26.1)
 # Declarations
 #
 
-type clvmd_t;
-type clvmd_exec_t;
-init_daemon_domain(clvmd_t, clvmd_exec_t)
-
-type clvmd_initrc_exec_t;
-init_script_file(clvmd_initrc_exec_t)
-
-type clvmd_runtime_t alias clvmd_var_run_t;
-files_runtime_file(clvmd_runtime_t)
-
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
@@ -51,114 +41,6 @@ files_tmpfs_file(lvm_tmpfs_t)
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 
-########################################
-#
-# Cluster LVM daemon local policy
-#
-
-allow clvmd_t self:capability { chown ipc_lock mknod sys_admin sys_nice };
-dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process { signal_perms setsched };
-dontaudit clvmd_t self:process ptrace;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file rw_fifo_file_perms;
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t self:tcp_socket create_stream_socket_perms;
-allow clvmd_t self:udp_socket create_socket_perms;
-
-manage_files_pattern(clvmd_t, clvmd_runtime_t, clvmd_runtime_t)
-files_runtime_filetrans(clvmd_t, clvmd_runtime_t, file)
-
-read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
-
-kernel_read_kernel_sysctls(clvmd_t)
-kernel_read_system_state(clvmd_t)
-kernel_list_proc(clvmd_t)
-kernel_read_proc_symlinks(clvmd_t)
-kernel_search_debugfs(clvmd_t)
-kernel_dontaudit_getattr_core_if(clvmd_t)
-
-corecmd_exec_shell(clvmd_t)
-corecmd_getattr_bin_files(clvmd_t)
-
-corenet_all_recvfrom_netlabel(clvmd_t)
-corenet_tcp_sendrecv_generic_if(clvmd_t)
-corenet_udp_sendrecv_generic_if(clvmd_t)
-corenet_raw_sendrecv_generic_if(clvmd_t)
-corenet_tcp_sendrecv_generic_node(clvmd_t)
-corenet_udp_sendrecv_generic_node(clvmd_t)
-corenet_raw_sendrecv_generic_node(clvmd_t)
-corenet_tcp_bind_generic_node(clvmd_t)
-corenet_tcp_bind_reserved_port(clvmd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
-corenet_sendrecv_generic_server_packets(clvmd_t)
-
-dev_read_sysfs(clvmd_t)
-dev_manage_generic_symlinks(clvmd_t)
-dev_relabel_generic_dev_dirs(clvmd_t)
-dev_manage_generic_blk_files(clvmd_t)
-dev_manage_generic_chr_files(clvmd_t)
-dev_rw_lvm_control(clvmd_t)
-dev_dontaudit_getattr_all_blk_files(clvmd_t)
-dev_dontaudit_getattr_all_chr_files(clvmd_t)
-dev_create_generic_dirs(clvmd_t)
-dev_delete_generic_dirs(clvmd_t)
-
-files_read_etc_files(clvmd_t)
-files_list_usr(clvmd_t)
-
-fs_getattr_all_fs(clvmd_t)
-fs_search_auto_mountpoints(clvmd_t)
-fs_dontaudit_list_tmpfs(clvmd_t)
-fs_dontaudit_read_removable_files(clvmd_t)
-fs_rw_anon_inodefs_files(clvmd_t)
-
-storage_dontaudit_getattr_removable_dev(clvmd_t)
-storage_manage_fixed_disk(clvmd_t)
-storage_dev_filetrans_fixed_disk(clvmd_t)
-storage_relabel_fixed_disk(clvmd_t)
-storage_raw_read_fixed_disk(clvmd_t)
-
-domain_use_interactive_fds(clvmd_t)
-
-auth_use_nsswitch(clvmd_t)
-
-init_dontaudit_getattr_initctl(clvmd_t)
-
-logging_send_syslog_msg(clvmd_t)
-
-miscfiles_read_localization(clvmd_t)
-
-seutil_sigchld_newrole(clvmd_t)
-seutil_read_config(clvmd_t)
-seutil_read_file_contexts(clvmd_t)
-seutil_search_default_contexts(clvmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_user_home_dirs(clvmd_t)
-
-lvm_domtrans(clvmd_t)
-lvm_read_config(clvmd_t)
-
-ifdef(`distro_redhat',`
-	optional_policy(`
-		unconfined_domain(clvmd_t)
-	')
-')
-
-optional_policy(`
-	ccs_stream_connect(clvmd_t)
-')
-
-optional_policy(`
-	gpm_dontaudit_getattr_gpmctl(clvmd_t)
-')
-
-optional_policy(`
-	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
-	ricci_dontaudit_use_modcluster_fds(clvmd_t)
-')
-
 ########################################
 #
 # LVM Local policy
@@ -183,7 +65,6 @@ allow lvm_t self:socket create_stream_socket_perms;
 allow lvm_t self:key { search write };
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
 
 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
@@ -350,10 +231,6 @@ optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
 
-optional_policy(`
-	ccs_stream_connect(lvm_t)
-')
-
 optional_policy(`
 	dpkg_script_rw_pipes(lvm_t)
 ')

