Remove unrestricted_admin

[Daniel J Walsh <dwalsh@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 119 bytes --]

Remove unrestricted_admin tunable.  This was a bad idea :^(

Add modutil for targteted to get relabel to work better.


[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 5298 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.17.20/domains/admin.te
--- nsapolicy/domains/admin.te	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.20/domains/admin.te	2004-09-23 09:29:42.799096131 -0400
@@ -4,7 +4,6 @@
 
 # sysadm_t is the system administrator domain.
 type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
-ifdef(`unrestricted_admin', `, fs_domain, privmem, sysctl_kernel_writer, auth, auth_write, unrestricted')
 ifdef(`direct_sysadm_daemon', `, priv_system_role')
 ; dnl end of sysadm_t type declaration
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.17.20/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2004-09-10 10:17:48.000000000 -0400
+++ policy-1.17.20/domains/program/fsadm.te	2004-09-23 09:29:14.470353752 -0400
@@ -49,12 +49,7 @@
 
 type fsadm_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`unrestricted_admin', `
-allow sysadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow sysadm_t removable_device_t:devfile_class_set rw_file_perms;
-', `
 domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
 
 tmp_domain(fsadm)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.17.20/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.20/macros/admin_macros.te	2004-09-23 09:28:52.371898273 -0400
@@ -106,14 +106,10 @@
 # allow setting up tunnels
 allow $1_t tun_tap_device_t:chr_file rw_file_perms;
 
-ifdef(`unrestricted_admin', `
-unconfined_domain($1_t) 
-', `
 # run ls -l /dev
 allow $1_t device_t:dir r_dir_perms;
 allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
 allow $1_t ptyfile:chr_file getattr;
-')
 
 # Run programs from staff home directories.
 # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.17.20/targeted/domains/program/modutil.te
--- nsapolicy/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/targeted/domains/program/modutil.te	2004-09-23 09:26:44.919632619 -0400
@@ -0,0 +1,17 @@
+#DESC Modutil - Dynamic module utilities
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: modutils
+#
+
+#################################
+#
+# Rules for the module utility domains.
+#
+type modules_dep_t, file_type, sysadmfile;
+type modules_conf_t, file_type, sysadmfile;
+type modules_object_t, file_type, sysadmfile;
+type depmod_exec_t, file_type, exec_type, sysadmfile;
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+type update_modules_exec_t, file_type, exec_type, sysadmfile;
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.20/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.20/tunables/distro.tun	2004-09-23 09:26:44.920632503 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.20/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-23 09:26:36.631594339 -0400
+++ policy-1.17.20/tunables/tunable.tun	2004-09-23 09:27:08.175936391 -0400
@@ -1,51 +1,48 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow sysadm_t to do almost everything
-dnl define(`unrestricted_admin')
+define(`hide_broken_symptoms')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.