Remove all patches to execmem, java, openoffice and mono
authorDan Walsh <dwalsh@redhat.com>
Fri, 11 Nov 2011 19:14:31 +0000 (14:14 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 11 Nov 2011 19:14:31 +0000 (14:14 -0500)
22 files changed:
policy/modules/admin/rpm.te
policy/modules/apps/chrome.te
policy/modules/apps/execmem.fc [deleted file]
policy/modules/apps/execmem.if [deleted file]
policy/modules/apps/execmem.te [deleted file]
policy/modules/apps/java.fc
policy/modules/apps/java.if
policy/modules/apps/java.te
policy/modules/apps/mono.if
policy/modules/apps/mono.te
policy/modules/apps/nsplugin.te
policy/modules/apps/openoffice.fc [deleted file]
policy/modules/apps/openoffice.if [deleted file]
policy/modules/apps/openoffice.te [deleted file]
policy/modules/roles/unconfineduser.if
policy/modules/roles/unconfineduser.te
policy/modules/roles/xguest.te
policy/modules/services/cron.te
policy/modules/services/virt.te
policy/modules/services/xserver.te
policy/modules/system/init.te
policy/modules/system/userdomain.if

index 17b542633403e87f5b6019db377b7be2acf9f1d6..a485d760c466010c51c929009bbc09b8d70f49f4 100644 (file)
@@ -419,7 +419,6 @@ optional_policy(`
 optional_policy(`
        unconfined_domain_noaudit(rpm_script_t)
        unconfined_domtrans(rpm_script_t)
-       unconfined_execmem_domtrans(rpm_script_t)
 
        optional_policy(`
                java_domtrans_unconfined(rpm_script_t)
index 6c642a2ce17c129a0e4b760bff8e1eefdea688e9..acb325cb05feb5c3a0753af5414e6a16937cf68d 100644 (file)
@@ -91,11 +91,6 @@ miscfiles_read_fonts(chrome_sandbox_t)
 
 sysnet_dns_name_resolve(chrome_sandbox_t)
 
-optional_policy(`
-       execmem_exec(chrome_sandbox_t)
-       execmem_execmod(chrome_sandbox_t)
-')
-
 optional_policy(`
        gnome_rw_inherited_config(chrome_sandbox_t)
        gnome_read_home_config(chrome_sandbox_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
deleted file mode 100644 (file)
index 5e09952..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-
-/usr/bin/aticonfig     --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/darcs                 --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/dosbox                --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/haddock.*     --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/hasktags      --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/plasma-desktop        --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/runghc                --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/runhaskell    --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/sbcl          --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/skype         --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/valgrind      --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/sbin/vboxadd-service      --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/sbin/VBox.*       --      gen_context(system_u:object_r:execmem_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-')
-/usr/lib/chromium-browser/chromium-browser  gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/erlang/erts-[^/]+/bin/beam.smp --     gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/R/bin/exec/R          --      gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/libexec/ghc-[^/]+/.*bin  --       gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/libexec/ghc-[^/]+/ghc.*  --       gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/ghc-[^/]+/ghc.*  --   gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/virtualbox/VirtualBox  --     gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/real/(.*/)?realplay\.bin      --  gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/secondlife-install/bin/SLPlugin --        gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/real/RealPlayer/realplay\.bin --  gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/local/Wolfram/Mathematica(/.*)?MathKernel   -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
deleted file mode 100644 (file)
index e23f640..0000000
+++ /dev/null
@@ -1,132 +0,0 @@
-## <summary>execmem domain</summary>
-
-########################################
-## <summary>
-##     Execute the execmem program
-##     in the caller domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`execmem_exec',`
-       gen_require(`
-               type execmem_exec_t;
-       ')
-
-       can_exec($1, execmem_exec_t)
-')
-
-#######################################
-## <summary>
-##     The role template for the execmem module.
-## </summary>
-## <desc>
-##     <p>
-##     This template creates a derived domains which are used
-##     for execmem applications.
-##     </p>
-## </desc>
-## <param name="role_prefix">
-##     <summary>
-##     The prefix of the user domain (e.g., user
-##     is the prefix for user_t).
-##     </summary>
-## </param>
-## <param name="user_role">
-##     <summary>
-##     The role associated with the user domain.
-##     </summary>
-## </param>
-## <param name="user_domain">
-##     <summary>
-##     The type of the user domain.
-##     </summary>
-## </param>
-#
-template(`execmem_role_template',`
-       gen_require(`
-               type execmem_exec_t;
-       ')
-
-       type $1_execmem_t;
-       domain_type($1_execmem_t)
-       domain_entry_file($1_execmem_t, execmem_exec_t)
-       role $2 types $1_execmem_t;
-
-       userdom_unpriv_usertype($1, $1_execmem_t)
-       userdom_manage_tmp_role($2, $1_execmem_t)
-       userdom_manage_tmpfs_role($2, $1_execmem_t)
-
-       allow $1_execmem_t self:process { execmem execstack };
-       allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-       domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-
-       files_execmod_tmp($1_execmem_t)
-
-       allow $3 execmem_exec_t:file execmod;
-       allow $1_execmem_t execmem_exec_t:file execmod;
-
-       # needed by plasma-desktop
-       optional_policy(`
-               gnome_read_usr_config($1_execmem_t)
-       ')
-       
-       optional_policy(`
-               mozilla_execmod_user_home_files($1_execmem_t)
-       ')
-
-       optional_policy(`
-               nsplugin_rw_shm($1_execmem_t)
-               nsplugin_rw_semaphores($1_execmem_t)
-       ')
-
-       optional_policy(`
-               xserver_role($2, $1_execmem_t)
-       ')
-')
-
-########################################
-## <summary>
-##     Execute a execmem_exec file
-##     in the specified domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="target_domain">
-##     <summary>
-##     The type of the new process.
-##     </summary>
-## </param>
-#
-interface(`execmem_domtrans',`
-       gen_require(`
-               type execmem_exec_t;
-       ')
-
-       domtrans_pattern($1, execmem_exec_t, $2)
-')
-
-########################################
-## <summary>
-##     Execmod the execmem_exec applications
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`execmem_execmod',`
-       gen_require(`
-               type execmem_exec_t;
-       ')
-
-       allow $1 execmem_exec_t:file execmod;
-')
-
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
deleted file mode 100644 (file)
index a7d37e2..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-policy_module(execmem, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type execmem_exec_t alias unconfined_execmem_exec_t;
-application_executable_file(execmem_exec_t)
-
index 5d2130cf5ffd3c5242fac48df6e3d167789318a2..86c176876c9d1d1511f12c617b9237ffb31f2898 100644 (file)
@@ -5,13 +5,10 @@
 /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 /opt/matlab.*/bin.*/MATLAB.* --        gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/MATLAB.*/bin.*/MATLAB.* --        gen_context(system_u:object_r:java_exec_t,s0)
 
 #
 # /usr
 #
-/usr/Aptana[^/]*/AptanaStudio  --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/(.*/)?bin/java.*  --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/fastjar       --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk         --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/opera(/.*)?/opera --  gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/opera(/.*)?/works --  gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 
 /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 
 /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 
-/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?    --      gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm(/.*)?/eclipse/plugins(/.*)?   --      gen_context(system_u:object_r:java_exec_t,s0)
-
 ifdef(`distro_redhat',`
 /usr/java/eclipse[^/]*/eclipse --      gen_context(system_u:object_r:java_exec_t,s0)
 ')
index 7c398c0c3881428c536a0023d878d11183d05844..e6d84e86fd6a738ebf42c0794020f0bb63e99d7f 100644 (file)
@@ -72,8 +72,7 @@ template(`java_role_template',`
 
        domain_interactive_fd($1_java_t)
 
-       userdom_unpriv_usertype($1, $1_java_t)
-       userdom_manage_tmpfs_role($2, $1_java_t)
+       userdom_manage_user_tmpfs_files($1_java_t)
 
        allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 
@@ -83,7 +82,7 @@ template(`java_role_template',`
 
        domtrans_pattern($3, java_exec_t, $1_java_t)
 
-       corecmd_bin_domtrans($1_java_t, $1_t)
+       corecmd_bin_domtrans($1_java_t, $3)
 
        dev_dontaudit_append_rand($1_java_t)
 
@@ -106,7 +105,7 @@ template(`java_role_template',`
 ##     </summary>
 ## </param>
 #
-interface(`java_domtrans',`
+template(`java_domtrans',`
        gen_require(`
                type java_t, java_exec_t;
        ')
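Review bot: `java_domtrans` is switched from `interface` to `template`, yet the lines visible here only `gen_require` the existing types `java_t` and `java_exec_t` and declare nothing new. In refpolicy, `template` is conventionally reserved for macros that declare types or derive names from a prefix argument, and access-granting macros are written as `interface`. The body continues past this hunk; if the rest only grants a transition, keeping the `interface` keyword would match the neighbouring `java_run_unconfined` and let the policy's documentation and lint tooling classify it correctly.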
@@ -180,10 +179,6 @@ interface(`java_run_unconfined',`
 
        java_domtrans_unconfined($1)
        role $2 types unconfined_java_t;
-
-       optional_policy(`
-               nsplugin_role_notrans($2, unconfined_java_t)
-       ')
 ')
 
 ########################################
index 27d37b0061958f765fb315099a3fce40de9a32fa..167950d772655de09626b35243c850eb434cc982 100644 (file)
@@ -82,20 +82,18 @@ dev_read_urand(java_t)
 dev_read_rand(java_t)
 dev_dontaudit_append_rand(java_t)
 
-files_read_etc_files(java_t)
 files_read_usr_files(java_t)
 files_search_home(java_t)
 files_search_var_lib(java_t)
 files_read_etc_runtime_files(java_t)
 # Read global fonts and font config
+files_read_etc_files(java_t)
 
 fs_getattr_xattr_fs(java_t)
 fs_dontaudit_rw_tmpfs_files(java_t)
 
 logging_send_syslog_msg(java_t)
 
-auth_use_nsswitch(java_t)
-
 miscfiles_read_localization(java_t)
 # Read global fonts and font config
 miscfiles_read_fonts(java_t)
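Review bot: After the move, the comment `# Read global fonts and font config` sits directly above `files_read_etc_files(java_t)`, which it does not describe, and the same comment appears again above `miscfiles_read_fonts(java_t)` at the end of the hunk. Either leave the call at the top of the `files_*` group where it was, or drop the first copy of the comment so that only the fonts rule carries it. A stale comment on an access rule makes later audits of why `java_t` can read /etc harder.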
@@ -124,6 +122,14 @@ tunable_policy(`allow_java_execstack',`
        miscfiles_legacy_read_localization(java_t)
 ')
 
+optional_policy(`
+       nis_use_ypbind(java_t)
+')
+
+optional_policy(`
+       nscd_socket_use(java_t)
+')
+
 optional_policy(`
        xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
 ')
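Review bot: The two added blocks, `nis_use_ypbind(java_t)` and `nscd_socket_use(java_t)`, stand in for the `auth_use_nsswitch(java_t)` call removed in the previous hunk, but they cover only NIS and nscd. If `auth_use_nsswitch` also grants access for other name-service backends in this tree (its definition is not shown here), `java_t` would start hitting denials on hosts configured for those backends. It is worth checking the interface definition and recording the intent above the blocks, for example `# name service lookups: NIS and nscd only`.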
@@ -137,21 +143,14 @@ optional_policy(`
        # execheap is needed for itanium/BEA jrocket
        allow unconfined_java_t self:process { execstack execmem execheap };
 
-       init_dbus_chat_script(unconfined_java_t)
-
        files_execmod_all_files(unconfined_java_t)
 
        init_dbus_chat_script(unconfined_java_t)
 
        unconfined_domain_noaudit(unconfined_java_t)
        unconfined_dbus_chat(unconfined_java_t)
-       userdom_unpriv_usertype(unconfined, unconfined_java_t)
 
        optional_policy(`
                rpm_domtrans(unconfined_java_t)
        ')
-
-       optional_policy(`
-        wine_domtrans(unconfined_java_t)
-    ')
 ')
index b2b83ad9467ca1835e5dcae78e5b58d086e3b9f9..7b08e138e521643fcc74c720fd27e120f3f1b27e 100644 (file)
@@ -40,16 +40,16 @@ template(`mono_role_template',`
        domain_interactive_fd($1_mono_t)
        application_type($1_mono_t)
 
-       allow $1_mono_t self:process { signal getsched execheap execmem execstack };
-       allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
+       allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+       allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
 
        domtrans_pattern($3, mono_exec_t, $1_mono_t)
 
        fs_dontaudit_rw_tmpfs_files($1_mono_t)
        corecmd_bin_domtrans($1_mono_t, $1_t)
 
-       userdom_unpriv_usertype($1, $1_mono_t)
-       userdom_manage_tmpfs_role($2, $1_mono_t)
+       userdom_manage_user_tmpfs_files($1_mono_t)
 
        optional_policy(`
                xserver_role($1_r, $1_mono_t)
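Review bot: Both rewritten `allow` lines in `mono_role_template` add `ptrace`, to `$1_mono_t self:process` and to `$3 $1_mono_t:process`, on a domain that already holds `execheap execmem execstack`, and nothing in the hunk says why it is needed; the mono.te hunk does the same for `mono_t`. If this is wanted only for debugging, a comment such as `# ptrace: needed for <reason>` or a conditional around the grant would keep the default policy tighter. Separately, `corecmd_bin_domtrans($1_mono_t, $1_t)` still hard-codes `$1_t`, while this commit changes the matching java.if line to pass `$3`; using `$3` here as well would keep the two templates consistent. The template starts before and continues past this hunk.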
index ecab36dc9c9d21f478e907a5dca1ca810b2fff67..dff0f12790f902946655a185f20d8e0c1bdf56b0 100644 (file)
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
 # Local policy
 #
 
-allow mono_t self:process { signal getsched execheap execmem execstack };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
 
 init_dbus_chat_script(mono_t)
 
index 3b6b4cb3f710712e4b8470595faa6ae5ac1a4386..cc6b555234a049433d48121923db39f3f5a74217 100644 (file)
@@ -207,10 +207,6 @@ optional_policy(`
        mplayer_read_user_home_files(nsplugin_t)
 ')
 
-optional_policy(`
-       unconfined_execmem_signull(nsplugin_t)
-')
-
 optional_policy(`
        sandbox_read_tmpfs_files(nsplugin_t)
 ')
@@ -329,7 +325,3 @@ optional_policy(`
        pulseaudio_manage_home_files(nsplugin_t)
        pulseaudio_setattr_home_dir(nsplugin_t)
 ')
-
-optional_policy(`
-       unconfined_execmem_exec(nsplugin_t)
-')
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
deleted file mode 100644 (file)
index 4428be4..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
deleted file mode 100644 (file)
index 792bf9c..0000000
+++ /dev/null
@@ -1,124 +0,0 @@
-## <summary>Openoffice</summary>
-
-#######################################
-## <summary>
-##     The per role template for the openoffice module.
-## </summary>
-## <param name="user_domain">
-##     <summary>
-##     The type of the user domain.
-##     </summary>
-## </param>
-#
-interface(`openoffice_plugin_role',`
-       gen_require(`
-               type openoffice_exec_t;
-               type openoffice_t;
-       ')
-       
-       ########################################
-       #
-       # Local policy
-       #
-
-       domtrans_pattern($1, openoffice_exec_t, openoffice_t)
-       allow $1 openoffice_t:process { signal sigkill };
-')
-
-#######################################
-## <summary>
-##     role for openoffice
-## </summary>
-## <desc>
-##     <p>
-##     This template creates a derived domains which are used
-##     for java applications.
-##     </p>
-## </desc>
-## <param name="role_prefix">
-##     <summary>
-##     The prefix of the user domain (e.g., user
-##     is the prefix for user_t).
-##     </summary>
-## </param>
-## <param name="user_role">
-##     <summary>
-##     The role associated with the user domain.
-##     </summary>
-## </param>
-## <param name="user_domain">
-##     <summary>
-##     The type of the user domain.
-##     </summary>
-## </param>
-#
-interface(`openoffice_role_template',`
-       gen_require(`
-               type openoffice_exec_t;
-       ')
-
-       role $2 types $1_openoffice_t;
-
-       type $1_openoffice_t;
-       domain_type($1_openoffice_t)
-       domain_entry_file($1_openoffice_t, openoffice_exec_t)
-       domain_interactive_fd($1_openoffice_t)
-
-       userdom_unpriv_usertype($1, $1_openoffice_t)
-       userdom_exec_user_home_content_files($1_openoffice_t)
-
-       allow $1_openoffice_t self:process { getsched sigkill execmem execstack };
-
-       allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
-       allow $1_openoffice_t $3:tcp_socket { read write };
-
-       domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
-
-       dev_read_urand($1_openoffice_t)
-       dev_read_rand($1_openoffice_t)
-
-       fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
-
-       allow $3 $1_openoffice_t:process { signal sigkill };
-       allow $1_openoffice_t $3:unix_stream_socket connectto;
-
-       optional_policy(`
-               xserver_role($2, $1_openoffice_t)
-       ')
-')
-
-########################################
-## <summary>
-##     Execute openoffice_exec_t 
-##     in the specified domain.
-## </summary>
-## <desc>
-##     <p>
-##     Execute a openoffice_exec_t
-##     in the specified domain.  
-##     </p>
-##     <p>
-##     No interprocess communication (signals, pipes,
-##     etc.) is provided by this interface since
-##     the domains are not owned by this module.
-##     </p>
-## </desc>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="target_domain">
-##     <summary>
-##     The type of the new process.
-##     </summary>
-## </param>
-#
-interface(`openoffice_exec_domtrans',`
-       gen_require(`
-               type openoffice_exec_t;
-       ')
-
-       allow $2 openoffice_exec_t:file entrypoint;
-       domtrans_pattern($1, openoffice_exec_t, $2)
-')
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
deleted file mode 100644 (file)
index a842371..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-policy_module(openoffice, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type openoffice_t;
-type openoffice_exec_t;
-application_domain(openoffice_t, openoffice_exec_t)
-
-########################################
-#
-# Unconfined java local policy
-#
-
index 8b2cdf33be88216952aafc90559bb865d5668ae0..bac0dc0257be43360bd83f4c452cf9981637ee03 100644 (file)
@@ -218,42 +218,6 @@ interface(`unconfined_signull',`
        allow $1 unconfined_t:process signull;
 ')
 
-########################################
-## <summary>
-##     Send a SIGNULL signal to the unconfined execmem domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_execmem_signull',`
-       gen_require(`
-               type unconfined_execmem_t;
-       ')
-
-       allow $1 unconfined_execmem_t:process signull;
-')
-
-########################################
-## <summary>
-##     Send a signal to the unconfined execmem domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_execmem_signal',`
-       gen_require(`
-               type unconfined_execmem_t;
-       ')
-
-       allow $1 unconfined_execmem_t:process signal;
-')
-
 ########################################
 ## <summary>
 ##     Send generic signals to the unconfined domain.
@@ -555,62 +519,6 @@ interface(`unconfined_rw_shm',`
        allow $1 unconfined_t:shm rw_shm_perms;
 ')
 
-########################################
-## <summary>
-##     Read and write to unconfined execmem shared memory.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     The type of the process performing this action.
-##     </summary>
-## </param>
-#
-interface(`unconfined_execmem_rw_shm',`
-       gen_require(`
-               type unconfined_execmem_t;
-       ')
-
-       allow $1 unconfined_execmem_t:shm rw_shm_perms;
-')
-
-########################################
-## <summary>
-##     Transition to the unconfined_execmem domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_execmem_domtrans',`
-
-       gen_require(`
-               type unconfined_execmem_t;
-       ')
-
-       execmem_domtrans($1, unconfined_execmem_t)
-')
-
-########################################
-## <summary>
-##     execute the execmem applications
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_execmem_exec',`
-
-       gen_require(`
-               type execmem_exec_t;
-       ')
-
-       can_exec($1, execmem_exec_t)
-')
-
 ########################################
 ## <summary>
 ##     Allow apps to set rlimits on userdomain
index 4ce26858d8042e452497d80d81bce053946c14b8..11ad8fb17350cb2a3d9f0e944f42a820970685b3 100644 (file)
@@ -319,13 +319,6 @@ optional_policy(`
        modutils_run_update_mods(unconfined_t, unconfined_r)
 ')
 
-optional_policy(`
-       mono_role_template(unconfined, unconfined_r, unconfined_t)
-       unconfined_domain_noaudit(unconfined_mono_t)
-       role system_r types unconfined_mono_t;
-')
-
-
 optional_policy(`
        mozilla_role_plugin(unconfined_r)
 
index b1ea76e577ffac680a0848038e0d48c3d54defe7..070814d91af7d4e5d4c31ab37e332f1081387bfd 100644 (file)
@@ -105,10 +105,6 @@ optional_policy(`
        gnomeclock_dontaudit_dbus_chat(xguest_t)
 ')
 
-optional_policy(`
-       mono_role_template(xguest, xguest_r, xguest_t)
-')
-
 optional_policy(`
        mozilla_run_plugin(xguest_usertype, xguest_r)
 ')
index 258a3d7ffb07bd6fcc66b3b19b06e1c4d7e1d7e3..a2e960c6beff66b621d86a40741ab4ffefb24f01 100644 (file)
@@ -299,10 +299,6 @@ optional_policy(`
        init_dbus_chat(crond_t)
 ')
 
-optional_policy(`
-       mono_domtrans(crond_t)
-')
-
 optional_policy(`
        amanda_search_var_lib(crond_t)
 ')
@@ -552,10 +548,6 @@ optional_policy(`
        lpd_list_spool(system_cronjob_t)
 ')
 
-optional_policy(`
-       mono_domtrans(system_cronjob_t)
-')
-
 optional_policy(`
        mrtg_append_create_logs(system_cronjob_t)
 ')
index 3619ec3c97c599c97e446a5d69c1d910fb9ae75b..629863fb951339fbf8426730cad232759888925c 100644 (file)
@@ -842,10 +842,6 @@ miscfiles_read_localization(virtd_lxc_t)
 
 sysnet_domtrans_ifconfig(virtd_lxc_t)
 
-optional_policy(`
-       execmem_exec(virtd_lxc_t)
-')
-
 #optional_policy(`
 #      unconfined_shell_domtrans(virtd_lxc_t)
 #      unconfined_signal(virtd_t)
index 611ee4c9ecd277cb89b478fc272fdd0599fa9636..918721c4db64802cc536965d20e00852f52fe561 100644 (file)
@@ -1435,7 +1435,6 @@ tunable_policy(`use_nfs_home_dirs',`
 
 optional_policy(`
        unconfined_rw_shm(xserver_t)
-       unconfined_execmem_rw_shm(xserver_t)
 
        # xserver signals unconfined user on startx
        unconfined_signal(xserver_t)
index 75f6d6b3b4f2426bc634aa49b9440bf039e04939..f44bdae867d101105a2ec767a83683bf66614f7f 100644 (file)
@@ -1205,13 +1205,6 @@ optional_policy(`
        # Allow SELinux aware applications to request rpm_script_t execution
        rpm_transition_script(initrc_t)
        
-       optional_policy(`
-               gen_require(`
-                       type unconfined_execmem_t, execmem_exec_t;              
-               ')
-               init_system_domain(unconfined_execmem_t, execmem_exec_t)
-       ')
-
        optional_policy(`
                rtkit_scheduled(initrc_t)
        ')
index 31047e820ec21b755af3de43dce2957cc64afa78..3fc47c58795cb8e1ab137c5dd0896bed97695f74 100644 (file)
@@ -1143,10 +1143,6 @@ template(`userdom_restricted_xwindows_user_template',`
                ')
        ')
 
-       optional_policy(`
-               openoffice_role_template($1, $1_r, $1_usertype)
-       ')
-
        optional_policy(`
                policykit_role($1_r, $1_usertype)
        ')
@@ -1281,10 +1277,6 @@ template(`userdom_unpriv_user_template', `
                gpm_stream_connect($1_usertype)
        ')
 
-       optional_policy(`
-               mono_role_template($1, $1_r, $1_t)
-       ')
-
        optional_policy(`
                mount_run_fusermount($1_t, $1_r)
                mount_read_pid_files($1_t)