
Ticket 49151 - Remove defunct selinux policy

Bug Description:  Remove defunct and unused selinux policy from
the source tree.

Fix Description:  rm -r selinux :)

https://pagure.io/389-ds-base/issue/49151

Author: wibrown

Review by: mreynolds (Thanks!)
William Brown 8 years ago
parent
commit
be93d90a5d
7 changed files with 4 additions and 460 deletions
  1. 0 12
      Makefile.am
  2. 0 1
      configure.ac
  3. 4 1
      m4/selinux.m4
  4. 0 17
      selinux/Makefile
  5. 0 24
      selinux/dirsrv.fc.in
  6. 0 193
      selinux/dirsrv.if
  7. 0 212
      selinux/dirsrv.te

+ 0 - 12
Makefile.am

@@ -240,19 +240,12 @@ CLEANFILES =  dberrstrs.h ns-slapd.properties \
 
 clean-local:
 	-rm -rf dist
-	-rm -rf selinux-built
 	-rm -rf $(abs_top_builddir)/html
 	-rm -rf $(abs_top_builddir)/man
 
 dberrstrs.h: Makefile
 	perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
 
-selinux-built:
-	cp -r $(srcdir)/selinux $@
-
-selinux-built/dirsrv.fc: selinux-built
-	$(fixupcmd) selinux-built/dirsrv.fc.in > $@
-
 
 #------------------------
 # Install Paths
@@ -316,10 +309,6 @@ else
 enable_presence = off
 endif
 
-if SELINUX
-POLICY_FC = selinux-built/dirsrv.fc
-endif
-
 if enable_acctpolicy
 LIBACCTPOLICY_PLUGIN = libacctpolicy-plugin.la
 LIBACCTPOLICY_SCHEMA = $(srcdir)/ldap/schema/60acctpolicy.ldif
@@ -591,7 +580,6 @@ dist_noinst_DATA = \
 	$(srcdir)/rpm/389-ds-base.spec.in \
 	$(srcdir)/rpm/389-ds-base-devel.README \
 	$(srcdir)/rpm/389-ds-base-git.sh \
-	$(srcdir)/selinux \
 	$(srcdir)/README \
 	$(srcdir)/LICENSE \
 	$(srcdir)/LICENSE.* \

+ 0 - 1
configure.ac

@@ -765,7 +765,6 @@ else
   sasl_path="$sasl_libdir/sasl2"
 fi
 
-AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
 AM_CONDITIONAL(OPENLDAP,test "$with_openldap" = "yes")
 AM_CONDITIONAL(SOLARIS,test "$platform" = "solaris")
 AM_CONDITIONAL(SPARC,test "x$TARGET" = xSPARC)

+ 4 - 1
m4/selinux.m4

@@ -10,7 +10,7 @@ AC_CHECKING(for SELinux)
 
 # check for --with-selinux
 AC_MSG_CHECKING(for --with-selinux)
-AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux policy]),
+AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux features]),
 [
   if test "$withval" = "no"; then
     AC_MSG_RESULT(no)
@@ -21,3 +21,6 @@ AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux],[Support SELinux policy]),
   fi
 ],
 AC_MSG_RESULT(no))
+
+AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
+
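Review bot: The `AM_CONDITIONAL(SELINUX, ...)` line added at the end of this hunk now lives in an m4 fragment rather than in configure.ac, so whether it is defined depends on where the fragment is expanded, which is not visible here; automake requires every conditional referenced from Makefile.am to be defined on every configure run, so if this macro is ever skipped on some platform the build would fail with an undefined-conditional error. If the macro is unconditionally invoked once from configure.ac this is fine, but a comment above the new line would record that contract, e.g. `# Must be reached on every configure run: Makefile.am references the SELINUX conditional.` The test compares `$with_selinux` with the literal `yes`, so `--with-selinux=<value>` leaves the conditional false unless the AC_ARG_WITH body outside this hunk normalizes it; that matches the removed configure.ac line, but with the help text now reading "Support SELinux features" it is worth stating what the option still controls now that no policy is built. The two added `+` lines leave a trailing blank line at end of file; one blank line after `AC_MSG_RESULT(no))` is enough.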

+ 0 - 17
selinux/Makefile

@@ -1,17 +0,0 @@
-POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
-POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
-
-all:
-	if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux policy development tools (selinux-policy)" && exit 1; fi
-
-	$(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
-
-clean:
-	$(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
-
-install: all
-	install -d $(POLICY_DIR)
-	install -m 644 dirsrv.pp $(POLICY_DIR)
-
-load:
-	/usr/sbin/semodule -i dirsrv.pp

+ 0 - 24
selinux/dirsrv.fc.in

@@ -1,24 +0,0 @@
-# dirsrv executable will have:
-# label: system_u:object_r:dirsrv_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-@sbindir@/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
-@sbindir@/ldap-agent			--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@sbindir@/ldap-agent-bin		--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
-@sbindir@/start-dirsrv			--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@sbindir@/restart-dirsrv		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@localstatedir@/run/@package_name@		gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-@localstatedir@/run/@package_name@(/.*)		gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-@localstatedir@/run/ldap-agent.pid		gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
-@localstatedir@/log/@package_name@		gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-@localstatedir@/log/@package_name@(/.*)		gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-@localstatedir@/log/@package_name@/ldap-agent.log	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-@localstatedir@/lock/@package_name@		gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-@localstatedir@/lock/@package_name@(/.*)	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-@localstatedir@/lib/@package_name@		gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-@localstatedir@/lib/@package_name@(/.*)		gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-@sysconfdir@/@package_name@			gen_context(system_u:object_r:dirsrv_config_t,s0)
-@sysconfdir@/@package_name@(/.*)		gen_context(system_u:object_r:dirsrv_config_t,s0)
-@datadir@/@package_name@			gen_context(system_u:object_r:dirsrv_share_t,s0)
-@datadir@/@package_name@(/.*)			gen_context(system_u:object_r:dirsrv_share_t,s0)

+ 0 - 193
selinux/dirsrv.if

@@ -1,193 +0,0 @@
-## <summary>policy for dirsrv</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run dirsrv.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`dirsrv_domtrans',`
-	gen_require(`
-		type dirsrv_t, dirsrv_exec_t;
-	')
-
-	domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
-
-	allow dirsrv_t $1:fd use;
-	allow dirsrv_t $1:fifo_file rw_file_perms;
-	allow dirsrv_t $1:process sigchld;
-')
-
-
-########################################
-## <summary>
-##  Allow caller to signal dirsrv.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_signal',`
-	gen_require(`
-		type dirsrv_t;
-	')
-
-	allow $1 dirsrv_t:process signal;
-')
-
-
-########################################
-## <summary>
-##      Send a null signal to dirsrv.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_signull',`
-	gen_require(`
-		type dirsrv_t;
-	')
-
-	allow $1 dirsrv_t:process signull;
-')
-
-#######################################
-## <summary>
-##      Allow a domain to manage dirsrv logs.
-## </summary>
-## <param name="domain">
-## <summary>
-##      Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_log',`
-	gen_require(`
-		type dirsrv_var_log_t;
-	')
-
-	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
-	allow $1 dirsrv_var_log_t:file manage_file_perms;
-	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
-')
-
-#######################################
-## <summary>
-##      Allow a domain to manage dirsrv /var/lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-##      Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_var_lib',`
-        gen_require(`
-                type dirsrv_var_lib_t;
-        ')
-        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
-        allow $1 dirsrv_var_lib_t:file manage_file_perms;
-')
-
-#######################################
-## <summary>
-##      Allow a domain to manage dirsrv /var/run files.
-## </summary>
-## <param name="domain">
-## <summary>
-##      Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_manage_var_run',`
-	gen_require(`
-		type dirsrv_var_run_t;
-	')
-	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
-	allow $1 dirsrv_var_run_t:file manage_file_perms;
-	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
-')
-
-#####################################
-# <summary>
-#      Allow a domain to create dirsrv pid directories.
-# </summary>
-# <param name="domain">
-# <summary>
-#      Domain allowed access.
-# </summary>
-# </param>
-#
-interface(`dirsrv_pid_filetrans',`
-        gen_require(`
-                type dirsrv_var_run_t;
-        ')
-        # Allow creating a dir in /var/run with this type
-        files_pid_filetrans($1, dirsrv_var_run_t, dir)
-')
-
-#######################################
-## <summary>
-##      Allow a domain to read dirsrv /var/run files.
-## </summary>
-## <param name="domain">
-## <summary>
-##      Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_read_var_run',`
-        gen_require(`
-                type dirsrv_var_run_t;
-        ')
-        allow $1 dirsrv_var_run_t:dir list_dir_perms;
-        allow $1 dirsrv_var_run_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##      Manage dirsrv configuration files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_manage_config',`
-	gen_require(`
-		type dirsrv_config_t;
-	')
-
-	allow $1 dirsrv_config_t:dir manage_dir_perms;
-	allow $1 dirsrv_config_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##      Read dirsrv share files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_read_share',`
-	gen_require(`
-		type dirsrv_share_t;
-	')
-
-	allow $1 dirsrv_share_t:dir list_dir_perms;
-	allow $1 dirsrv_share_t:file read_file_perms;
-	allow $1 dirsrv_share_t:lnk_file read;
-')

+ 0 - 212
selinux/dirsrv.te

@@ -1,212 +0,0 @@
-policy_module(dirsrv,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-# NGK - this can go away when bz 478629, bz 523548,
-# and bz 523771 are addressed.  See the notes below
-# where we work around those issues.
-require {
-    type snmpd_var_lib_t;
-    type snmpd_t;
-}
-
-# main daemon
-type dirsrv_t;
-type dirsrv_exec_t;
-domain_type(dirsrv_t)
-init_daemon_domain(dirsrv_t, dirsrv_exec_t)
-
-# snmp subagent daemon
-type dirsrv_snmp_t;
-type dirsrv_snmp_exec_t;
-domain_type(dirsrv_snmp_t)
-init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
-
-# var/lib files
-type dirsrv_var_lib_t;
-files_type(dirsrv_var_lib_t)
-
-# log files
-type dirsrv_var_log_t;
-logging_log_file(dirsrv_var_log_t)
-
-# snmp log file
-type dirsrv_snmp_var_log_t;
-logging_log_file(dirsrv_snmp_var_log_t)
-
-# pid files
-type dirsrv_var_run_t;
-files_pid_file(dirsrv_var_run_t)
-
-# snmp pid file
-type dirsrv_snmp_var_run_t;
-files_pid_file(dirsrv_snmp_var_run_t)
-
-# lock files
-type dirsrv_var_lock_t;
-files_lock_file(dirsrv_var_lock_t)
-
-# config files
-type dirsrv_config_t;
-files_type(dirsrv_config_t)
-
-# tmp files
-type dirsrv_tmp_t;
-files_tmp_file(dirsrv_tmp_t)
-
-# semaphores
-type dirsrv_tmpfs_t;
-files_tmpfs_file(dirsrv_tmpfs_t)
-
-# shared files
-type dirsrv_share_t;
-files_type(dirsrv_share_t);
-
-########################################
-#
-# dirsrv local policy
-#
-
-# Some common macros
-files_read_etc_files(dirsrv_t)
-corecmd_search_sbin(dirsrv_t)
-files_read_usr_symlinks(dirsrv_t)
-miscfiles_read_localization(dirsrv_t)
-dev_read_urand(dirsrv_t)
-libs_use_ld_so(dirsrv_t)
-libs_use_shared_libs(dirsrv_t)
-allow dirsrv_t self:fifo_file { read write };
-
-# process stuff
-allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
-allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
-
-# semaphores
-allow dirsrv_t self:sem all_sem_perms;
-manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
-
-# var/lib files for dirsrv
-manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
-
-# log files
-manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-allow dirsrv_t dirsrv_var_log_t:dir { setattr };
-logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
-
-# pid files
-manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })
-
-# ldapi socket
-manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# lock files
-manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
-
-# config files
-manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-
-# tmp files
-manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
-
-# system state
-fs_getattr_all_fs(dirsrv_t)
-kernel_read_system_state(dirsrv_t)
-
-# kerberos config for SASL GSSAPI
-kerberos_read_config(dirsrv_t)
-kerberos_dontaudit_write_config(dirsrv_t)
-
-# Networking basics
-sysnet_dns_name_resolve(dirsrv_t)
-corenet_all_recvfrom_unlabeled(dirsrv_t)
-corenet_all_recvfrom_netlabel(dirsrv_t)
-corenet_tcp_sendrecv_generic_if(dirsrv_t)
-corenet_tcp_sendrecv_generic_node(dirsrv_t)
-corenet_tcp_sendrecv_all_ports(dirsrv_t)
-corenet_tcp_bind_all_nodes(dirsrv_t)
-corenet_tcp_bind_ldap_port(dirsrv_t)
-corenet_tcp_bind_all_rpc_ports(dirsrv_t)
-corenet_udp_bind_all_rpc_ports(dirsrv_t)
-corenet_tcp_connect_all_ports(dirsrv_t)
-corenet_sendrecv_ldap_server_packets(dirsrv_t)
-corenet_sendrecv_all_client_packets(dirsrv_t)
-allow dirsrv_t self:tcp_socket { create_stream_socket_perms };
-
-# Init script handling
-init_use_fds(dirsrv_t)
-init_use_script_ptys(dirsrv_t)
-domain_use_interactive_fds(dirsrv_t)
-
-
-########################################
-#
-# dirsrv-snmp local policy
-#
-
-# Some common macros
-files_read_etc_files(dirsrv_snmp_t)
-miscfiles_read_localization(dirsrv_snmp_t)
-libs_use_ld_so(dirsrv_snmp_t)
-libs_use_shared_libs(dirsrv_snmp_t)
-dev_read_rand(dirsrv_snmp_t)
-dev_read_urand(dirsrv_snmp_t)
-files_read_usr_files(dirsrv_snmp_t)
-fs_getattr_tmpfs(dirsrv_snmp_t)
-fs_search_tmpfs(dirsrv_snmp_t)
-allow dirsrv_snmp_t self:fifo_file { read write };
-sysnet_read_config(dirsrv_snmp_t)
-sysnet_dns_name_resolve(dirsrv_snmp_t)
-
-# Net-SNMP /var/lib files (includes agentx unix domain socket)
-snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
-snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
-# NGK - there really should be a macro for this. (see bz 523771)
-allow dirsrv_snmp_t snmpd_var_lib_t:file append;
-# NGK - use snmp_stream_connect(dirsrv_snmp_t) when it is made
-# available on all platforms we build on (see bz 478629 and bz 523548)
-stream_connect_pattern(dirsrv_snmp_t, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
-
-# Net-SNMP agentx tcp socket
-corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
-
-# Net-SNMP persistent data file
-files_manage_var_files(dirsrv_snmp_t)
-
-# stats file semaphore
-rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-
-# stats file
-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# process stuff
-allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
-
-# config file
-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
-
-# pid file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
-files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
-search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-
-# log file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
-filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
-
-# Init script handling
-init_use_fds(dirsrv_snmp_t)
-init_use_script_ptys(dirsrv_snmp_t)
-domain_use_interactive_fds(dirsrv_snmp_t)