2018-11-17 04:37:33

by Sugar, David

Subject: [PATCH] Move 'locallogin_*' interface uses into 'optioal_policy'

Allow the locallogin module to be turned off. This required every use
of a locallogin interface to be moved into an optional_policy block.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/dmidecode.te | 7 +++++--
policy/modules/admin/firstboot.te | 6 ++++--
policy/modules/admin/mcelog.te | 6 ++++--
policy/modules/admin/tzdata.te | 6 ++++--
policy/modules/admin/vpn.te | 6 ++++--
policy/modules/apps/java.te | 6 ++++--
policy/modules/apps/loadkeys.te | 6 ++++--
policy/modules/apps/wm.te | 6 ++++--
policy/modules/services/bluetooth.te | 5 ++++-
policy/modules/services/chronyd.te | 5 +++--
policy/modules/services/oddjob.te | 6 ++++--
policy/modules/services/pcscd.te | 6 ++++--
policy/modules/services/pyzor.te | 6 ++++--
policy/modules/services/ricci.te | 12 ++++++++----
policy/modules/services/samba.te | 6 ++++--
policy/modules/services/setroubleshoot.te | 6 ++++--
policy/modules/services/sysstat.te | 6 ++++--
policy/modules/services/xserver.te | 6 ++++--
policy/modules/system/getty.te | 6 ++++--
policy/modules/system/ipsec.te | 12 ++++++++----
policy/modules/system/setrans.te | 6 ++++--
policy/modules/system/systemd.te | 6 ++++--
policy/modules/system/xen.te | 6 ++++--
23 files changed, 100 insertions(+), 49 deletions(-)

diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index bda30744..e5a481fa 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -29,6 +29,9 @@ files_list_usr(dmidecode_t)

mls_file_read_all_levels(dmidecode_t)

-locallogin_use_fds(dmidecode_t)
-
userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ locallogin_use_fds(dmidecode_t)
+')
+
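Review bot: The last added line of this hunk is an empty `+` line after the closing `')`, and because the hunk carries no trailing context it appears to reach the end of dmidecode.te, so the new file ends with a blank line the original did not have. The other files in this patch whose new optional_policy block lands at the end of the file (mcelog.te, chronyd.te, pyzor.te, sysstat.te) finish on the `')` line. Drop the trailing blank `+` line so the file ends at `')` like the others; the diffstat entry `7 +++++--` for this file, one insertion more than its siblings, is that extra line.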
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 2ac82a13..140933f4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t)
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)

-locallogin_use_fds(firstboot_t)
-
logging_send_syslog_msg(firstboot_t)

miscfiles_read_localization(firstboot_t)
@@ -96,6 +94,10 @@ optional_policy(`
')
')

+optional_policy(`
+ locallogin_use_fds(firstboot_t)
+')
+
optional_policy(`
modutils_domtrans(firstboot_t)
modutils_read_module_config(firstboot_t)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 1c342132..1728052e 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t)

mls_file_read_all_levels(mcelog_t)

-locallogin_use_fds(mcelog_t)
-
miscfiles_read_localization(mcelog_t)

tunable_policy(`mcelog_client',`
@@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',`
optional_policy(`
cron_system_entry(mcelog_t, mcelog_exec_t)
')
+
+optional_policy(`
+ locallogin_use_fds(mcelog_t)
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index cbfb2299..35cd0fcc 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t)

term_dontaudit_list_ptys(tzdata_t)

-locallogin_dontaudit_use_fds(tzdata_t)
-
miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)

userdom_use_user_terminals(tzdata_t)

+optional_policy(`
+ locallogin_dontaudit_use_fds(tzdata_t)
+')
+
optional_policy(`
postfix_search_spool(tzdata_t)
')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 65de9063..99a9310b 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t)
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)

-locallogin_use_fds(vpnc_t)
-
logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)

@@ -122,6 +120,10 @@ optional_policy(`
')
')

+optional_policy(`
+ locallogin_use_fds(vpnc_t)
+')
+
optional_policy(`
networkmanager_attach_tun_iface(vpnc_t)
')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 6502efeb..5cb8588d 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -139,11 +139,13 @@ corecmd_search_bin(java_t)

dev_read_sysfs(java_t)

-locallogin_use_fds(java_t)
-
userdom_read_user_tmp_files(java_t)
userdom_use_user_terminals(java_t)

+optional_policy(`
+ locallogin_use_fds(java_t)
+')
+
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 1976e2cb..71725fde 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t)

init_read_script_tmp_files(loadkeys_t)

-locallogin_use_fds(loadkeys_t)
-
miscfiles_read_localization(loadkeys_t)

userdom_use_user_ttys(loadkeys_t)
@@ -52,6 +50,10 @@ optional_policy(`
keyboardd_read_pipes(loadkeys_t)
')

+optional_policy(`
+ locallogin_use_fds(loadkeys_t)
+')
+
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
index df481cc7..99bf1299 100644
--- a/policy/modules/apps/wm.te
+++ b/policy/modules/apps/wm.te
@@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)

-locallogin_dontaudit_use_fds(wm_domain)
-
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
@@ -120,6 +118,10 @@ optional_policy(`
games_dbus_chat(wm_domain)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(wm_domain)
+')
+
optional_policy(`
# gnome-shell
mount_exec(wm_domain)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 45e5a361..1498e243 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t)

auth_use_nsswitch(bluetooth_helper_t)

-locallogin_dontaudit_use_fds(bluetooth_helper_t)

logging_send_syslog_msg(bluetooth_helper_t)

@@ -223,6 +222,10 @@ optional_policy(`
dbus_connect_system_bus(bluetooth_helper_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(bluetooth_helper_t)
+')
+
optional_policy(`
xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 77716407..54985b68 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
files_read_etc_files(chronyc_t)
files_read_usr_files(chronyc_t)

-locallogin_use_fds(chronyc_t)
-
logging_send_syslog_msg(chronyc_t)

sysnet_read_config(chronyc_t)
@@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t)
chronyd_dgram_send(chronyc_t)
chronyd_read_config(chronyc_t)

+optional_policy(`
+ locallogin_use_fds(chronyc_t)
+')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 39e2dcf5..e656bea6 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t)

miscfiles_read_localization(oddjob_t)

-locallogin_dontaudit_use_fds(oddjob_t)
-
optional_policy(`
dbus_system_bus_client(oddjob_t)
dbus_connect_system_bus(oddjob_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(oddjob_t)
+')
+
optional_policy(`
unconfined_domtrans(oddjob_t)
')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 247fe5c8..bca54f9d 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t)
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)

-locallogin_use_fds(pcscd_t)
-
logging_send_syslog_msg(pcscd_t)

miscfiles_read_localization(pcscd_t)
@@ -79,6 +77,10 @@ optional_policy(`
')
')

+optional_policy(`
+ locallogin_use_fds(pcscd_t)
+')
+
optional_policy(`
openct_stream_connect(pcscd_t)
openct_read_pid_files(pcscd_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 3119df00..cdea0bfd 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t)

logging_send_syslog_msg(pyzord_t)

-locallogin_dontaudit_use_fds(pyzord_t)
-
miscfiles_read_localization(pyzord_t)

userdom_dontaudit_search_user_home_dirs(pyzord_t)

mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(pyzord_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index d808ab66..048ae41e 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -145,8 +145,6 @@ auth_append_login_records(ricci_t)

init_stream_connect_script(ricci_t)

-locallogin_dontaudit_use_fds(ricci_t)
-
logging_send_syslog_msg(ricci_t)

miscfiles_read_localization(ricci_t)
@@ -173,6 +171,10 @@ optional_policy(`
oddjob_system_entry(ricci_t, ricci_exec_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(ricci_t)
+')
+
optional_policy(`
rpm_use_script_fds(ricci_t)
')
@@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t)

init_stream_connect_script(ricci_modclusterd_t)

-locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
logging_send_syslog_msg(ricci_modclusterd_t)

miscfiles_read_localization(ricci_modclusterd_t)
@@ -351,6 +351,10 @@ optional_policy(`
ccs_read_config(ricci_modclusterd_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+')
+
optional_policy(`
rgmanager_stream_connect(ricci_modclusterd_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 6d8c0cbe..eb497b8d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t)

mount_use_fds(smbmount_t)

-locallogin_use_fds(smbmount_t)
-
logging_search_logs(smbmount_t)

userdom_use_user_terminals(smbmount_t)
@@ -731,6 +729,10 @@ optional_policy(`
cups_read_rw_config(smbmount_t)
')

+optional_policy(`
+ locallogin_use_fds(smbmount_t)
+')
+
########################################
#
# Swat Local policy
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 3ee1e0d5..56dc8c2c 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t)

libs_exec_ld_so(setroubleshootd_t)

-locallogin_dontaudit_use_fds(setroubleshootd_t)
-
logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -132,6 +130,10 @@ optional_policy(`
')
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+')
+
optional_policy(`
locate_read_lib_files(setroubleshootd_t)
')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index ffa56160..2ef803d0 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t)

init_use_fds(sysstat_t)

-locallogin_use_fds(sysstat_t)
-
logging_send_syslog_msg(sysstat_t)

miscfiles_read_localization(sysstat_t)
@@ -70,3 +68,7 @@ optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
cron_rw_tmp_files(sysstat_t)
')
+
+optional_policy(`
+ locallogin_use_fds(sysstat_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..06022f2c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t)

getty_use_fds(xserver_t)

-locallogin_use_fds(xserver_t)
-
logging_send_syslog_msg(xserver_t)
logging_send_audit_msgs(xserver_t)

@@ -841,6 +839,10 @@ optional_policy(`
auth_search_pam_console_data(xserver_t)
')

+optional_policy(`
+ locallogin_use_fds(xserver_t)
+')
+
optional_policy(`
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..88b408a9 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -85,8 +85,6 @@ auth_rw_login_records(getty_t)

init_rw_utmp(getty_t)

-locallogin_domtrans(getty_t)
-
logging_send_syslog_msg(getty_t)

miscfiles_read_localization(getty_t)
@@ -114,6 +112,10 @@ optional_policy(`
mta_send_mail(getty_t)
')

+optional_policy(`
+ locallogin_domtrans(getty_t)
+')
+
optional_policy(`
nscd_use(getty_t)
')
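Review bot: The `locallogin_domtrans(getty_t)` call made optional in the second hunk is a domain transition, not a dontaudit or use_fds rule like the rest of this patch, so building without the locallogin module changes how getty_t runs the login program rather than merely dropping a descriptor permission; the commit message should state that this consequence is intended, and the same applies to `locallogin_read_state(systemd_logind_t)` in systemd.te. Whether getty_t has any other rule covering that exec when the module is absent cannot be seen from this hunk. The new block is also inserted after the `mta_send_mail(getty_t)` block and before `nscd_use(getty_t)`; if this file keeps its optional_policy blocks in alphabetical order, as the refpolicy convention and the neighbouring blocks suggest, it belongs before the mta block, and the ricci.te hunk has the same issue where the block is placed after `oddjob_system_entry(ricci_t, ricci_exec_t)`. The blocks preceding each of those hunks are outside the diff, so the ordering point is inferred rather than certain.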
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 7dc80136..2855174d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t)

ipsec_setcontext_default_spd(racoon_t)

-locallogin_use_fds(racoon_t)
-
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)

@@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
')

+optional_policy(`
+ locallogin_use_fds(racoon_t)
+')
+
########################################
#
# Setkey local policy
@@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
corenet_setcontext_all_spds(setkey_t)

-locallogin_use_fds(setkey_t)
-
miscfiles_read_localization(setkey_t)

seutil_read_config(setkey_t)

userdom_use_user_terminals(setkey_t)

+optional_policy(`
+ locallogin_use_fds(setkey_t)
+')
+
########################################
#
# ipsec_supervisor policy
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 24c3577e..3182f83e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t)

init_dontaudit_use_script_ptys(setrans_t)

-locallogin_dontaudit_use_fds(setrans_t)
-
logging_send_syslog_msg(setrans_t)

miscfiles_read_localization(setrans_t)

seutil_libselinux_linked(setrans_t)

+optional_policy(`
+ locallogin_dontaudit_use_fds(setrans_t)
+')
+
optional_policy(`
rpm_use_script_fds(setrans_t)
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e9b74257..251094b9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)

-locallogin_read_state(systemd_logind_t)
-
seutil_libselinux_linked(systemd_logind_t)
seutil_read_default_contexts(systemd_logind_t)
seutil_read_file_contexts(systemd_logind_t)
@@ -514,6 +512,10 @@ optional_policy(`
devicekit_dbus_chat_power(systemd_logind_t)
')

+optional_policy(`
+ locallogin_read_state(systemd_logind_t)
+')
+
optional_policy(`
modemmanager_dbus_chat(systemd_logind_t)
')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 04dd1ea7..67552cca 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t)

init_stream_connect_script(xend_t)

-locallogin_dontaudit_use_fds(xend_t)
-
logging_send_syslog_msg(xend_t)

miscfiles_read_localization(xend_t)
@@ -340,6 +338,10 @@ optional_policy(`
consoletype_exec(xend_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(xend_t)
+')
+
optional_policy(`
lvm_domtrans(xend_t)
')
--
2.19.1



2018-11-18 00:03:13

by Chris PeBenito

Subject: Re: [PATCH] Move 'locallogin_*' interface uses into 'optioal_policy'

On 11/16/18 11:37 PM, David Sugar wrote:
> Allow the locallogin module to be turned off. This required any
> interface use to be moved into an optional_policy block.

Why? Even embedded systems have serial consoles.


> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/dmidecode.te | 7 +++++--
> policy/modules/admin/firstboot.te | 6 ++++--
> policy/modules/admin/mcelog.te | 6 ++++--
> policy/modules/admin/tzdata.te | 6 ++++--
> policy/modules/admin/vpn.te | 6 ++++--
> policy/modules/apps/java.te | 6 ++++--
> policy/modules/apps/loadkeys.te | 6 ++++--
> policy/modules/apps/wm.te | 6 ++++--
> policy/modules/services/bluetooth.te | 5 ++++-
> policy/modules/services/chronyd.te | 5 +++--
> policy/modules/services/oddjob.te | 6 ++++--
> policy/modules/services/pcscd.te | 6 ++++--
> policy/modules/services/pyzor.te | 6 ++++--
> policy/modules/services/ricci.te | 12 ++++++++----
> policy/modules/services/samba.te | 6 ++++--
> policy/modules/services/setroubleshoot.te | 6 ++++--
> policy/modules/services/sysstat.te | 6 ++++--
> policy/modules/services/xserver.te | 6 ++++--
> policy/modules/system/getty.te | 6 ++++--
> policy/modules/system/ipsec.te | 12 ++++++++----
> policy/modules/system/setrans.te | 6 ++++--
> policy/modules/system/systemd.te | 6 ++++--
> policy/modules/system/xen.te | 6 ++++--
> 23 files changed, 100 insertions(+), 49 deletions(-)
>
> diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
> index bda30744..e5a481fa 100644
> --- a/policy/modules/admin/dmidecode.te
> +++ b/policy/modules/admin/dmidecode.te
> @@ -29,6 +29,9 @@ files_list_usr(dmidecode_t)
>
> mls_file_read_all_levels(dmidecode_t)
>
> -locallogin_use_fds(dmidecode_t)
> -
> userdom_use_inherited_user_terminals(dmidecode_t)
> +
> +optional_policy(`
> + locallogin_use_fds(dmidecode_t)
> +')
> +
> diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
> index 2ac82a13..140933f4 100644
> --- a/policy/modules/admin/firstboot.te
> +++ b/policy/modules/admin/firstboot.te
> @@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t)
> libs_exec_ld_so(firstboot_t)
> libs_exec_lib_files(firstboot_t)
>
> -locallogin_use_fds(firstboot_t)
> -
> logging_send_syslog_msg(firstboot_t)
>
> miscfiles_read_localization(firstboot_t)
> @@ -96,6 +94,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + locallogin_use_fds(firstboot_t)
> +')
> +
> optional_policy(`
> modutils_domtrans(firstboot_t)
> modutils_read_module_config(firstboot_t)
> diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
> index 1c342132..1728052e 100644
> --- a/policy/modules/admin/mcelog.te
> +++ b/policy/modules/admin/mcelog.te
> @@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t)
>
> mls_file_read_all_levels(mcelog_t)
>
> -locallogin_use_fds(mcelog_t)
> -
> miscfiles_read_localization(mcelog_t)
>
> tunable_policy(`mcelog_client',`
> @@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',`
> optional_policy(`
> cron_system_entry(mcelog_t, mcelog_exec_t)
> ')
> +
> +optional_policy(`
> + locallogin_use_fds(mcelog_t)
> +')
> diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
> index cbfb2299..35cd0fcc 100644
> --- a/policy/modules/admin/tzdata.te
> +++ b/policy/modules/admin/tzdata.te
> @@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t)
>
> term_dontaudit_list_ptys(tzdata_t)
>
> -locallogin_dontaudit_use_fds(tzdata_t)
> -
> miscfiles_read_localization(tzdata_t)
> miscfiles_manage_localization(tzdata_t)
> miscfiles_etc_filetrans_localization(tzdata_t)
>
> userdom_use_user_terminals(tzdata_t)
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(tzdata_t)
> +')
> +
> optional_policy(`
> postfix_search_spool(tzdata_t)
> ')
> diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
> index 65de9063..99a9310b 100644
> --- a/policy/modules/admin/vpn.te
> +++ b/policy/modules/admin/vpn.te
> @@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t)
> libs_exec_ld_so(vpnc_t)
> libs_exec_lib_files(vpnc_t)
>
> -locallogin_use_fds(vpnc_t)
> -
> logging_send_syslog_msg(vpnc_t)
> logging_dontaudit_search_logs(vpnc_t)
>
> @@ -122,6 +120,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + locallogin_use_fds(vpnc_t)
> +')
> +
> optional_policy(`
> networkmanager_attach_tun_iface(vpnc_t)
> ')
> diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
> index 6502efeb..5cb8588d 100644
> --- a/policy/modules/apps/java.te
> +++ b/policy/modules/apps/java.te
> @@ -139,11 +139,13 @@ corecmd_search_bin(java_t)
>
> dev_read_sysfs(java_t)
>
> -locallogin_use_fds(java_t)
> -
> userdom_read_user_tmp_files(java_t)
> userdom_use_user_terminals(java_t)
>
> +optional_policy(`
> + locallogin_use_fds(java_t)
> +')
> +
> optional_policy(`
> xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
> ')
> diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
> index 1976e2cb..71725fde 100644
> --- a/policy/modules/apps/loadkeys.te
> +++ b/policy/modules/apps/loadkeys.te
> @@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t)
>
> init_read_script_tmp_files(loadkeys_t)
>
> -locallogin_use_fds(loadkeys_t)
> -
> miscfiles_read_localization(loadkeys_t)
>
> userdom_use_user_ttys(loadkeys_t)
> @@ -52,6 +50,10 @@ optional_policy(`
> keyboardd_read_pipes(loadkeys_t)
> ')
>
> +optional_policy(`
> + locallogin_use_fds(loadkeys_t)
> +')
> +
> optional_policy(`
> nscd_dontaudit_search_pid(loadkeys_t)
> ')
> diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
> index df481cc7..99bf1299 100644
> --- a/policy/modules/apps/wm.te
> +++ b/policy/modules/apps/wm.te
> @@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain)
> kernel_read_proc_symlinks(wm_domain)
> kernel_read_sysctl(wm_domain)
>
> -locallogin_dontaudit_use_fds(wm_domain)
> -
> miscfiles_read_fonts(wm_domain)
> miscfiles_read_generic_certs(wm_domain)
> miscfiles_read_localization(wm_domain)
> @@ -120,6 +118,10 @@ optional_policy(`
> games_dbus_chat(wm_domain)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(wm_domain)
> +')
> +
> optional_policy(`
> # gnome-shell
> mount_exec(wm_domain)
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index 45e5a361..1498e243 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t)
>
> auth_use_nsswitch(bluetooth_helper_t)
>
> -locallogin_dontaudit_use_fds(bluetooth_helper_t)
>
> logging_send_syslog_msg(bluetooth_helper_t)
>
> @@ -223,6 +222,10 @@ optional_policy(`
> dbus_connect_system_bus(bluetooth_helper_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(bluetooth_helper_t)
> +')
> +
> optional_policy(`
> xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
> ')
> diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
> index 77716407..54985b68 100644
> --- a/policy/modules/services/chronyd.te
> +++ b/policy/modules/services/chronyd.te
> @@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
> files_read_etc_files(chronyc_t)
> files_read_usr_files(chronyc_t)
>
> -locallogin_use_fds(chronyc_t)
> -
> logging_send_syslog_msg(chronyc_t)
>
> sysnet_read_config(chronyc_t)
> @@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t)
> chronyd_dgram_send(chronyc_t)
> chronyd_read_config(chronyc_t)
>
> +optional_policy(`
> + locallogin_use_fds(chronyc_t)
> +')
> diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
> index 39e2dcf5..e656bea6 100644
> --- a/policy/modules/services/oddjob.te
> +++ b/policy/modules/services/oddjob.te
> @@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t)
>
> miscfiles_read_localization(oddjob_t)
>
> -locallogin_dontaudit_use_fds(oddjob_t)
> -
> optional_policy(`
> dbus_system_bus_client(oddjob_t)
> dbus_connect_system_bus(oddjob_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(oddjob_t)
> +')
> +
> optional_policy(`
> unconfined_domtrans(oddjob_t)
> ')
> diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
> index 247fe5c8..bca54f9d 100644
> --- a/policy/modules/services/pcscd.te
> +++ b/policy/modules/services/pcscd.te
> @@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t)
> term_use_unallocated_ttys(pcscd_t)
> term_dontaudit_getattr_pty_dirs(pcscd_t)
>
> -locallogin_use_fds(pcscd_t)
> -
> logging_send_syslog_msg(pcscd_t)
>
> miscfiles_read_localization(pcscd_t)
> @@ -79,6 +77,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + locallogin_use_fds(pcscd_t)
> +')
> +
> optional_policy(`
> openct_stream_connect(pcscd_t)
> openct_read_pid_files(pcscd_t)
> diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
> index 3119df00..cdea0bfd 100644
> --- a/policy/modules/services/pyzor.te
> +++ b/policy/modules/services/pyzor.te
> @@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t)
>
> logging_send_syslog_msg(pyzord_t)
>
> -locallogin_dontaudit_use_fds(pyzord_t)
> -
> miscfiles_read_localization(pyzord_t)
>
> userdom_dontaudit_search_user_home_dirs(pyzord_t)
>
> mta_manage_spool(pyzord_t)
> +
> +optional_policy(`
> + locallogin_dontaudit_use_fds(pyzord_t)
> +')
> diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
> index d808ab66..048ae41e 100644
> --- a/policy/modules/services/ricci.te
> +++ b/policy/modules/services/ricci.te
> @@ -145,8 +145,6 @@ auth_append_login_records(ricci_t)
>
> init_stream_connect_script(ricci_t)
>
> -locallogin_dontaudit_use_fds(ricci_t)
> -
> logging_send_syslog_msg(ricci_t)
>
> miscfiles_read_localization(ricci_t)
> @@ -173,6 +171,10 @@ optional_policy(`
> oddjob_system_entry(ricci_t, ricci_exec_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(ricci_t)
> +')
> +
> optional_policy(`
> rpm_use_script_fds(ricci_t)
> ')
> @@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t)
>
> init_stream_connect_script(ricci_modclusterd_t)
>
> -locallogin_dontaudit_use_fds(ricci_modclusterd_t)
> -
> logging_send_syslog_msg(ricci_modclusterd_t)
>
> miscfiles_read_localization(ricci_modclusterd_t)
> @@ -351,6 +351,10 @@ optional_policy(`
> ccs_read_config(ricci_modclusterd_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(ricci_modclusterd_t)
> +')
> +
> optional_policy(`
> rgmanager_stream_connect(ricci_modclusterd_t)
> ')
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index 6d8c0cbe..eb497b8d 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t)
>
> mount_use_fds(smbmount_t)
>
> -locallogin_use_fds(smbmount_t)
> -
> logging_search_logs(smbmount_t)
>
> userdom_use_user_terminals(smbmount_t)
> @@ -731,6 +729,10 @@ optional_policy(`
> cups_read_rw_config(smbmount_t)
> ')
>
> +optional_policy(`
> + locallogin_use_fds(smbmount_t)
> +')
> +
> ########################################
> #
> # Swat Local policy
> diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
> index 3ee1e0d5..56dc8c2c 100644
> --- a/policy/modules/services/setroubleshoot.te
> +++ b/policy/modules/services/setroubleshoot.te
> @@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t)
>
> libs_exec_ld_so(setroubleshootd_t)
>
> -locallogin_dontaudit_use_fds(setroubleshootd_t)
> -
> logging_send_audit_msgs(setroubleshootd_t)
> logging_send_syslog_msg(setroubleshootd_t)
> logging_stream_connect_dispatcher(setroubleshootd_t)
> @@ -132,6 +130,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(setroubleshootd_t)
> +')
> +
> optional_policy(`
> locate_read_lib_files(setroubleshootd_t)
> ')
> diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
> index ffa56160..2ef803d0 100644
> --- a/policy/modules/services/sysstat.te
> +++ b/policy/modules/services/sysstat.te
> @@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t)
>
> init_use_fds(sysstat_t)
>
> -locallogin_use_fds(sysstat_t)
> -
> logging_send_syslog_msg(sysstat_t)
>
> miscfiles_read_localization(sysstat_t)
> @@ -70,3 +68,7 @@ optional_policy(`
> cron_system_entry(sysstat_t, sysstat_exec_t)
> cron_rw_tmp_files(sysstat_t)
> ')
> +
> +optional_policy(`
> + locallogin_use_fds(sysstat_t)
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..06022f2c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t)
>
> getty_use_fds(xserver_t)
>
> -locallogin_use_fds(xserver_t)
> -
> logging_send_syslog_msg(xserver_t)
> logging_send_audit_msgs(xserver_t)
>
> @@ -841,6 +839,10 @@ optional_policy(`
> auth_search_pam_console_data(xserver_t)
> ')
>
> +optional_policy(`
> + locallogin_use_fds(xserver_t)
> +')
> +
> optional_policy(`
> rhgb_getpgid(xserver_t)
> rhgb_signal(xserver_t)
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 6d3c4284..88b408a9 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -85,8 +85,6 @@ auth_rw_login_records(getty_t)
>
> init_rw_utmp(getty_t)
>
> -locallogin_domtrans(getty_t)
> -
> logging_send_syslog_msg(getty_t)
>
> miscfiles_read_localization(getty_t)
> @@ -114,6 +112,10 @@ optional_policy(`
> mta_send_mail(getty_t)
> ')
>
> +optional_policy(`
> + locallogin_domtrans(getty_t)
> +')
> +
> optional_policy(`
> nscd_use(getty_t)
> ')
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 7dc80136..2855174d 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t)
>
> ipsec_setcontext_default_spd(racoon_t)
>
> -locallogin_use_fds(racoon_t)
> -
> logging_send_syslog_msg(racoon_t)
> logging_send_audit_msgs(racoon_t)
>
> @@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',`
> auth_tunable_read_shadow(racoon_t)
> ')
>
> +optional_policy(`
> + locallogin_use_fds(racoon_t)
> +')
> +
> ########################################
> #
> # Setkey local policy
> @@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t)
> # allow setkey to set the context for ipsec SAs and policy.
> corenet_setcontext_all_spds(setkey_t)
>
> -locallogin_use_fds(setkey_t)
> -
> miscfiles_read_localization(setkey_t)
>
> seutil_read_config(setkey_t)
>
> userdom_use_user_terminals(setkey_t)
>
> +optional_policy(`
> + locallogin_use_fds(setkey_t)
> +')
> +
> ########################################
> #
> # ipsec_supervisor policy
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 24c3577e..3182f83e 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t)
>
> init_dontaudit_use_script_ptys(setrans_t)
>
> -locallogin_dontaudit_use_fds(setrans_t)
> -
> logging_send_syslog_msg(setrans_t)
>
> miscfiles_read_localization(setrans_t)
>
> seutil_libselinux_linked(setrans_t)
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(setrans_t)
> +')
> +
> optional_policy(`
> rpm_use_script_fds(setrans_t)
> ')
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index e9b74257..251094b9 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t)
> init_start_system(systemd_logind_t)
> init_stop_system(systemd_logind_t)
>
> -locallogin_read_state(systemd_logind_t)
> -
> seutil_libselinux_linked(systemd_logind_t)
> seutil_read_default_contexts(systemd_logind_t)
> seutil_read_file_contexts(systemd_logind_t)
> @@ -514,6 +512,10 @@ optional_policy(`
> devicekit_dbus_chat_power(systemd_logind_t)
> ')
>
> +optional_policy(`
> + locallogin_read_state(systemd_logind_t)
> +')
> +
> optional_policy(`
> modemmanager_dbus_chat(systemd_logind_t)
> ')
> diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
> index 04dd1ea7..67552cca 100644
> --- a/policy/modules/system/xen.te
> +++ b/policy/modules/system/xen.te
> @@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t)
>
> init_stream_connect_script(xend_t)
>
> -locallogin_dontaudit_use_fds(xend_t)
> -
> logging_send_syslog_msg(xend_t)
>
> miscfiles_read_localization(xend_t)
> @@ -340,6 +338,10 @@ optional_policy(`
> consoletype_exec(xend_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(xend_t)
> +')
> +
> optional_policy(`
> lvm_domtrans(xend_t)
> ')
>


--
Chris PeBenito