I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users).

Some aspects to note:

1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins

The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.

Signed-off-by: Dominick Grift <dac.override@xxxxxxxxx>
--- policy/modules/services/remotelogin.te | 4 ---- policy/modules/services/ssh.te | 4 ---- policy/modules/system/locallogin.te | 4 ---- 3 files changed, 12 deletions(-) diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index bc2292e3..c7c9c564 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -91,10 +91,6 @@ optional_policy(` telnet_use_ptys(remote_login_t) ') -optional_policy(` - unconfined_shell_domtrans(remote_login_t) -') - optional_policy(` usermanage_read_crack_db(remote_login_t) ') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 4e75b6e1..a99ad912 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -328,10 +328,6 @@ optional_policy(` systemd_dbus_chat_logind(sshd_t) ') -optional_policy(` - unconfined_shell_domtrans(sshd_t) -') - optional_policy(` xserver_domtrans_xauth(sshd_t) xserver_link_xdm_keys(sshd_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a56f3d1f..632d2542 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -200,10 +200,6 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(local_login_t) ') -optional_policy(` - unconfined_shell_domtrans(local_login_t) -') - optional_policy(` usermanage_read_crack_db(local_login_t) ') -- 2.23.0
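
Review bot: In the remotelogin.te hunk at -91,10, dropping the optional_policy block with unconfined_shell_domtrans(remote_login_t) changes login behaviour, and the only record of that is the commit message line "remotelogin only allows unpriv logins". Suggest saying in the commit message that this outcome is intended rather than a side effect, and noting that rshd keeps its unconfined_shell_domtrans() call, so the remote login services are treated differently until that module is handled.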
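
Review bot: In the ssh.te hunk at -328,10, removing unconfined_shell_domtrans(sshd_t) makes unconfined logins over ssh subject to the ssh_sysadm_login boolean according to the commit message, but nothing in this diff updates that boolean's description. Suggest updating the tunable's documentation in the same patch so that an administrator who has the boolean off can see that it now also gates unconfined_t.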
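
Review bot: In the locallogin.te hunk at -200,10, the removal of unconfined_shell_domtrans(local_login_t) has no corresponding entry in the commit message, which lists effects only for ssh and remotelogin. Suggest adding a line that says how local_login_t reaches the unconfined user's shell domain once this block is gone, and whether a console login as an unconfined user was tested with the patch applied, since the rationale is given as "I think these may have been adopted" rather than as a confirmed redundancy.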