[node-patches] Change in ovirt-node[master]: selinux: Drop auditd_log_t related rules

fabiand at redhat.com fabiand at redhat.com
Fri Oct 10 14:45:37 UTC 2014


Fabian Deutsch has uploaded a new change for review.

Change subject: selinux: Drop auditd_log_t related rules
......................................................................

selinux: Drop auditd_log_t related rules

Due to some mislabeling, some rules were added allowing several
applications to access auditd_log_t labeled objects.
Now that the labeling has been fixed, these rules can be removed again.

Change-Id: I3f5c501a15f31d8e8836465df5c833ac1318adf7
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1128065
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M semodule/ovirt.te.in
1 file changed, 0 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/07/34007/1

diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index d279129..c735914 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -11,7 +11,6 @@
 @SEMODULE_WITH_SYSTEMD@    type systemd_localed_t;
 @SEMODULE_WITH_SYSTEMD@    type systemd_unit_file_t;
 @SEMODULE_WITH_SYSTEMD@    type systemd_hostnamed_t;
-    type auditd_log_t;
     type etc_t;
     type device_t;
     type dmesg_t;
@@ -76,7 +75,6 @@
     require {
         type ldconfig_t;
     }
-    allow ldconfig_t auditd_log_t:file append;
     allow ldconfig_t tmpfs_t:dir search;
 ')
 
@@ -115,8 +113,6 @@
 
 #============= sanlock_t ==============
 allow sanlock_t tmpfs_t:dir search;
-allow sanlock_t auditd_log_t:dir search;
-allow sanlock_t auditd_log_t:file { read getattr open append };
 allow sanlock_t nfs_t:dir search;
 allow sanlock_t nfs_t:file open;
 
@@ -172,8 +168,6 @@
     }
     allow local_login_t passwd_file_t:file write;
 ')
-allow local_login_t auditd_log_t:dir { search write add_name };
-allow local_login_t auditd_log_t:file { write lock create open read };
 allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
 allow local_login_t shadow_t:file { write rename create unlink setattr };
 allow local_login_t tmpfs_t:dir { write remove_name add_name };
@@ -223,7 +217,6 @@
 allow sshd_t var_log_t:file { read open write };
 allow sshd_t device_t:sock_file write;
 allow sshd_t ovirt_t:unix_dgram_socket sendto;
-allow sshd_t auditd_log_t:file { read lock open };
 
 #============= svirt_t ==============
 allow svirt_t initrc_t:unix_stream_socket connectto;
@@ -233,8 +226,6 @@
 
 #============= syslogd_t ==============
 allow syslogd_t var_lib_t:file { write getattr open };
-allow syslogd_t auditd_log_t:dir { search write add_name };
-allow syslogd_t auditd_log_t:file { ioctl open create append getattr };
 
 
 #============= sysstat_t ==============
@@ -243,8 +234,6 @@
     type admin_home_t;
 }
 allow sysstat_t admin_home_t:dir { search getattr };
-allow sysstat_t auditd_log_t:file { read lock open append getattr };
-allow sysstat_t auditd_log_t:dir { write search getattr add_name };
 allow sysstat_t tmpfs_t:dir search;
 allow sysstat_t var_lib_t:file { read append };
 allow sysstat_t var_log_t:file { open read };
@@ -351,8 +340,6 @@
     }
     allow rhsmcertd_t tmpfs_t:dir search;
     allow rhsmcertd_t var_log_t:file open;
-    allow rhsmcertd_t auditd_log_t:dir { write getattr add_name search };
-    allow rhsmcertd_t auditd_log_t:file { create open getattr append };
 ')
 
 
@@ -483,8 +470,6 @@
 allow getty_t local_login_t:process { siginh rlimitinh noatsecure };
 allow getty_t var_log_t:file { open write };
 allow getty_t tmpfs_t:dir search;
-allow getty_t auditd_log_t:file { write lock open };
-allow getty_t auditd_log_t:dir search;
 
 
 #============= ifconfig_t ==============
@@ -535,8 +520,6 @@
 
 
 #============= logrotate_t ==============
-allow logrotate_t auditd_log_t:dir read;
-allow logrotate_t auditd_log_t:file getattr;
 allow logrotate_t var_lib_t:file write;
 allow logrotate_t virt_cache_t:dir { read getattr write remove_name add_name };
 allow logrotate_t virt_cache_t:file { rename setattr read create getattr write ioctl unlink open };
@@ -549,8 +532,6 @@
         type iptables_t;
     }
     allow firewalld_t ovirt_t:dbus send_msg;
-    allow firewalld_t auditd_log_t:dir { write add_name search };
-    allow firewalld_t auditd_log_t:file { create open getattr append };
     allow firewalld_t init_t:dbus send_msg;
     allow firewalld_t iptables_t:process { siginh noatsecure rlimitinh };
 ')



Gerrit-MessageType: newchange
Gerrit-Change-Id: I3f5c501a15f31d8e8836465df5c833ac1318adf7
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>
Gerrit-Reviewer: Fabian Deutsch <fabiand at redhat.com>


