From 6ba07b7f1c54ea0f5f2c2cf44511099b19b077e3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 05 2011 20:25:08 +0000 Subject: Remove allow_sysadm_manage_security boolean --- diff --git a/booleans-mls.conf b/booleans-mls.conf index 4367df5..1dabe0b 100644 --- a/booleans-mls.conf +++ b/booleans-mls.conf @@ -232,7 +232,3 @@ xserver_object_manager = true # init_upstart = true -# -# Allow sysadm to become security admin. -# -allow_sysadm_manage_security = false diff --git a/policy-F13.patch b/policy-F13.patch index 1c933f8..ad1a2c6 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -13700,22 +13700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-04-05 19:09:49.889000002 +0000 -@@ -13,6 +13,13 @@ - ## - gen_tunable(allow_ptrace, false) - -+## -+##

-+## Allow sysadm to become security admin. -+##

-+## -+gen_tunable(allow_sysadm_manage_security, false) -+ - role sysadm_r; - - userdom_admin_user_template(sysadm) -@@ -28,17 +35,31 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-04-05 20:22:37.666000001 +0000 +@@ -28,17 +28,31 @@ corecmd_exec_shell(sysadm_t) @@ -13747,7 +13733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -56,12 +77,25 @@ +@@ -56,6 +70,7 @@ logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -13755,25 +13741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') tunable_policy(`allow_ptrace',` - domain_ptrace_all_domains(sysadm_t) - ') - -+ifdef(`enable_mls',` -+ tunable_policy(`allow_sysadm_manage_security',` -+ userdom_security_admin_template(sysadm_t, sysadm_r) -+ -+ logging_manage_audit_log(sysadm_t) -+ logging_manage_audit_config(sysadm_t) -+ logging_run_auditctl(sysadm_t, sysadm_r) -+ logging_run_auditd(sysadm_t, sysadm_r) -+ logging_stream_connect_syslog(sysadm_t) -+ ') -+') -+ - optional_policy(` - amanda_run_recover(sysadm_t, sysadm_r) - ') -@@ -70,7 +104,9 @@ +@@ -70,7 +85,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -13784,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -98,17 +134,25 @@ +@@ -98,17 +115,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') @@ -13810,7 +13778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -126,16 +170,18 @@ +@@ -126,16 +151,18 @@ consoletype_run(sysadm_t, sysadm_r) ') @@ -13831,7 +13799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -165,9 +211,11 @@ +@@ -165,9 +192,11 @@ ethereal_run_tethereal(sysadm_t, sysadm_r) ') @@ -13843,7 +13811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` firstboot_run(sysadm_t, sysadm_r) -@@ -177,6 +225,7 @@ +@@ -177,6 +206,7 @@ fstools_run(sysadm_t, sysadm_r) ') @@ -13851,7 +13819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` games_role(sysadm_r, sysadm_t) ') -@@ -192,6 +241,7 @@ +@@ -192,6 +222,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') @@ -13859,7 +13827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` hostname_run(sysadm_t, sysadm_r) -@@ -205,6 +255,13 @@ +@@ -205,6 +236,13 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -13873,7 +13841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +269,18 @@ +@@ -212,12 +250,18 @@ ') optional_policy(` @@ -13892,7 +13860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +290,11 @@ +@@ -227,9 +271,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -13904,7 +13872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -252,8 +317,10 @@ +@@ -252,8 +298,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -13915,7 +13883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +328,7 @@ +@@ -261,6 +309,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -13923,7 +13891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -275,6 +343,10 @@ +@@ -275,6 +324,10 @@ ') optional_policy(` @@ -13934,7 +13902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -308,8 +380,14 @@ +@@ -308,8 +361,14 @@ ') optional_policy(` @@ -13949,7 +13917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +397,11 @@ +@@ -319,9 +378,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -13961,7 +13929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +411,11 @@ +@@ -331,9 +392,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -13973,7 +13941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -346,6 +428,7 @@ +@@ -346,6 +409,7 @@ optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -13981,7 +13949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -358,8 +441,14 @@ +@@ -358,8 +422,14 @@ ') optional_policy(` @@ -13996,7 +13964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -382,9 +471,11 @@ +@@ -382,9 +452,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -14008,7 +13976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,23 +484,31 @@ +@@ -393,23 +465,31 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -14040,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. unprivuser_role_change(sysadm_r) ') -@@ -417,9 +516,11 @@ +@@ -417,9 +497,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -14052,7 +14020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +528,15 @@ +@@ -427,9 +509,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -14068,7 +14036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +547,30 @@ +@@ -440,13 +528,30 @@ ') optional_policy(`