trunk: massive whitespace cleanup from dominick grift.

Chris PeBenito 2008-07-23 21:38:39 +00:00
parent 2b592aa495
commit 0bfccda4e8
357 changed files with 3462 additions and 3475 deletions


@ -1,3 +1,4 @@
- Large whitespace fix from Dominick Grift.
- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
- Issuing commands to upstart is over a datagram socket, not the initctl
named pipe. Updated init_telinit() to match.


@ -16,7 +16,7 @@ interface(`acct_domtrans',`
')
corecmd_search_bin($1)
domtrans_pattern($1,acct_exec_t,acct_t)
domtrans_pattern($1, acct_exec_t, acct_t)
')
########################################
@ -35,7 +35,7 @@ interface(`acct_exec',`
')
corecmd_search_bin($1)
can_exec($1,acct_exec_t)
can_exec($1, acct_exec_t)
')
########################################
@ -56,7 +56,7 @@ interface(`acct_exec_data',`
')
files_search_var($1)
can_exec($1,acct_data_t)
can_exec($1, acct_data_t)
')
########################################
@ -75,6 +75,6 @@ interface(`acct_manage_data',`
')
files_search_var($1)
manage_files_pattern($1,acct_data_t,acct_data_t)
manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
')


@ -8,7 +8,7 @@ policy_module(acct, 1.2.0)
type acct_t;
type acct_exec_t;
init_system_domain(acct_t,acct_exec_t)
init_system_domain(acct_t, acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
@ -26,10 +26,10 @@ dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;
manage_files_pattern(acct_t,acct_data_t,acct_data_t)
manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)
manage_files_pattern(acct_t, acct_data_t, acct_data_t)
manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
can_exec(acct_t,acct_exec_t)
can_exec(acct_t, acct_exec_t)
kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
@ -77,7 +77,7 @@ optional_policy(`
auth_manage_login_records(acct_t)
')
cron_system_entry(acct_t,acct_exec_t)
cron_system_entry(acct_t, acct_exec_t)
')
optional_policy(`


@ -12,8 +12,7 @@
#
interface(`alsa_domtrans',`
gen_require(`
type alsa_t;
type alsa_exec_t;
type alsa_t, alsa_exec_t;
')
domtrans_pattern($1, alsa_exec_t, alsa_t)
@ -71,8 +70,8 @@ interface(`alsa_read_rw_config',`
')
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
')
########################################
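Review bot: The first hunk of this section is not a whitespace-only change: inside the `gen_require` of `alsa_domtrans`, the declarations `type alsa_t;` and `type alsa_exec_t;` are merged into `type alsa_t, alsa_exec_t;`. Both forms should require the same two types, but a commit described as whitespace cleanup is normally verified with a whitespace-insensitive diff, and this hunk will not drop out of that check. I would either move the merge to its own commit or mention it in the description, e.g. `also merges adjacent type requires in gen_require blocks`.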


@ -15,7 +15,7 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')
domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')
########################################


@ -8,11 +8,11 @@ policy_module(amanda, 1.9.0)
type amanda_t;
type amanda_inetd_exec_t;
inetd_service_domain(amanda_t,amanda_inetd_exec_t)
inetd_service_domain(amanda_t, amanda_inetd_exec_t)
role system_r types amanda_t;
type amanda_exec_t;
domain_entry_file(amanda_t,amanda_exec_t)
domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
@ -51,7 +51,7 @@ files_type(amanda_data_t)
# type for amrecover
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t,amanda_recover_exec_t)
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;
# type for recover files ( restored data )
@ -88,8 +88,8 @@ allow amanda_t amanda_data_t:file manage_file_perms;
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
can_exec(amanda_t,amanda_exec_t)
can_exec(amanda_t,amanda_inetd_exec_t)
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
@ -99,12 +99,12 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
@ -172,23 +172,23 @@ allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
# access to amanda_recover_dir_t
manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
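Review bot: The cleanup is incomplete in the `-99,12 +99,12` hunk: `manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)` and `manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)` appear only once, so they seem to be unchanged context and keep the old comma style next to the reformatted `amanda_log_t` and `amanda_tmp_t` lines. The same applies to `files_lock_filetrans(logwatch_t,logwatch_lock_t,file)` in the logwatch section and `files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)` in the mrtg section. They should read `manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)` and so on, so that a later search for the spaced form does not miss these rules during a policy audit.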


@ -16,7 +16,7 @@ interface(`amtu_domtrans',`
')
corecmd_search_bin($1)
domtrans_pattern($1,amtu_exec_t,amtu_t)
domtrans_pattern($1, amtu_exec_t, amtu_t)
')
########################################


@ -19,7 +19,7 @@ role system_r types anaconda_t;
allow anaconda_t self:process execmem;
kernel_domtrans_to(anaconda_t,anaconda_exec_t)
kernel_domtrans_to(anaconda_t, anaconda_exec_t)
# Run other rc scripts in the anaconda_t domain.
init_domtrans_script(anaconda_t)
@ -34,7 +34,7 @@ seutil_domtrans_semanage(anaconda_t)
unconfined_domain(anaconda_t)
unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
dmesg_domtrans(anaconda_t)


@ -17,7 +17,7 @@ interface(`apt_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,apt_exec_t,apt_t)
domtrans_pattern($1, apt_exec_t, apt_t)
')
########################################
@ -144,8 +144,8 @@ interface(`apt_read_db',`
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir list_dir_perms;
read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################
@ -164,10 +164,10 @@ interface(`apt_manage_db',`
')
files_search_var_lib($1)
manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
# cjp: shouldnt this be manage_lnk_files?
rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(apt,1.4.0)
policy_module(apt, 1.4.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(apt,1.4.0)
type apt_t;
type apt_exec_t;
init_system_domain(apt_t,apt_exec_t)
init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
@ -54,23 +54,23 @@ allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Access /var/cache/apt files
manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
files_var_filetrans(apt_t,apt_var_cache_t,dir)
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/lib/apt files
manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
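Review bot: `files_var_filetrans(apt_t, apt_var_cache_t, dir)` requests that directories created in /var be labelled `apt_var_cache_t`, but the only rule on that type visible in this hunk is `manage_files_pattern`, which, going by the usual macro definition, does not grant directory create. Unless a `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` or an equivalent `allow` sits outside the hunk, creating that directory would be denied and the transition is dead policy. The same pairing appears for `apt_var_lib_t` a few lines below, for `dpkg_var_lib_t` in the dpkg section and for `mrtg_log_t` (`{ file dir }`) in the mrtg section. This is worth a follow-up outside the whitespace commit: either add the directory rule or drop `dir` from the transition.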


@ -15,7 +15,7 @@ interface(`backup_domtrans',`
type backup_t, backup_exec_t;
')
domtrans_pattern($1,backup_exec_t,backup_t)
domtrans_pattern($1, backup_exec_t, backup_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(backup,1.3.0)
policy_module(backup, 1.3.0)
########################################
#
@ -9,7 +9,7 @@ policy_module(backup,1.3.0)
type backup_t;
type backup_exec_t;
domain_type(backup_t)
domain_entry_file(backup_t,backup_exec_t)
domain_entry_file(backup_t, backup_exec_t)
role system_r types backup_t;
type backup_store_t;
@ -27,9 +27,9 @@ allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
allow backup_t backup_store_t:file setattr;
manage_files_pattern(backup_t,backup_store_t,backup_store_t)
rw_files_pattern(backup_t,backup_store_t,backup_store_t)
read_lnk_files_pattern(backup_t,backup_store_t,backup_store_t)
manage_files_pattern(backup_t, backup_store_t, backup_store_t)
rw_files_pattern(backup_t, backup_store_t, backup_store_t)
read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)
@ -75,7 +75,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
optional_policy(`
cron_system_entry(backup_t,backup_exec_t)
cron_system_entry(backup_t, backup_exec_t)
')
optional_policy(`
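Review bot: In the `-27,9 +27,9` hunk, `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` follows `manage_files_pattern` with the same three arguments. With the standard macro definitions, manage already covers read/write, and probably also the explicit `allow backup_t backup_store_t:file setattr;` above it. The duplication does not change enforcement but makes it harder to see what access the domain really has when auditing the policy. If it is intentional, a comment such as `# rw kept for clarity; manage_files_pattern already grants it` would help; otherwise the line can be dropped in a follow-up.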


@ -126,5 +126,5 @@ interface(`bootloader_create_runtime_file',`
')
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1,boot_runtime_t,file)
files_boot_filetrans($1, boot_runtime_t, file)
')


@ -16,7 +16,7 @@ files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t,bootloader_exec_t)
application_domain(bootloader_t, bootloader_exec_t)
role system_r types bootloader_t;
#
@ -55,14 +55,14 @@ allow bootloader_t bootloader_etc_t:file read_file_perms;
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
manage_dirs_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_lnk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_blk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
@ -114,7 +114,7 @@ files_read_kernel_modules(bootloader_t)
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t,file)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
init_getattr_initctl(bootloader_t)


@ -15,5 +15,5 @@ interface(`brctl_domtrans',`
type brctl_t, brctl_exec_t;
')
domtrans_pattern($1,brctl_exec_t,brctl_t)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')


@ -1,4 +1,4 @@
policy_module(brctl,1.2.0)
policy_module(brctl, 1.2.0)
########################################
#


@ -17,7 +17,7 @@ interface(`certwatch_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,certwatch_exec_t,certwatch_t)
domtrans_pattern($1, certwatch_exec_t, certwatch_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(certwatch,1.0)
policy_module(certwatch, 1.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(certwatch,1.0)
type certwatch_t;
type certwatch_exec_t;
application_domain(certwatch_t,certwatch_exec_t)
application_domain(certwatch_t, certwatch_exec_t)
role system_r types certwatch_t;
########################################
@ -29,5 +29,5 @@ miscfiles_read_localization(certwatch_t)
apache_exec_modules(certwatch_t)
optional_policy(`
cron_system_entry(certwatch_t,certwatch_exec_t)
cron_system_entry(certwatch_t, certwatch_exec_t)
')


@ -18,7 +18,7 @@ interface(`consoletype_domtrans',`
')
corecmd_search_bin($1)
domtrans_pattern($1,consoletype_exec_t,consoletype_t)
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
')
########################################
@ -69,5 +69,5 @@ interface(`consoletype_exec',`
')
corecmd_search_bin($1)
can_exec($1,consoletype_exec_t)
can_exec($1, consoletype_exec_t)
')


@ -1,5 +1,5 @@
policy_module(consoletype,1.6.0)
policy_module(consoletype, 1.6.0)
########################################
#
@ -9,8 +9,8 @@ policy_module(consoletype,1.6.0)
type consoletype_t;
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
init_domain(consoletype_t,consoletype_exec_t)
init_system_domain(consoletype_t,consoletype_exec_t)
init_domain(consoletype_t, consoletype_exec_t)
init_system_domain(consoletype_t, consoletype_exec_t)
role system_r types consoletype_t;
########################################


@ -15,7 +15,7 @@ interface(`ddcprobe_domtrans',`
type ddcprobe_t, ddcprobe_exec_t;
')
domtrans_pattern($1,ddcprobe_exec_t,ddcprobe_t)
domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(ddcprobe,1.1.0)
policy_module(ddcprobe, 1.1.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(ddcprobe,1.1.0)
type ddcprobe_t;
type ddcprobe_exec_t;
application_domain(ddcprobe_t,ddcprobe_exec_t)
application_domain(ddcprobe_t, ddcprobe_exec_t)
role system_r types ddcprobe_t;
########################################


@ -36,5 +36,5 @@ interface(`dmesg_exec',`
')
corecmd_search_bin($1)
can_exec($1,dmesg_exec_t)
can_exec($1, dmesg_exec_t)
')


@ -8,7 +8,7 @@ policy_module(dmesg, 1.2.0)
type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t,dmesg_exec_t)
init_system_domain(dmesg_t, dmesg_exec_t)
########################################
#


@ -15,7 +15,7 @@ interface(`dmidecode_domtrans',`
type dmidecode_t, dmidecode_exec_t;
')
domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
allow $1 dmidecode_t:fd use;
allow dmidecode_t $1:fd use;
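Review bot: `dmidecode_domtrans` is the only `*_domtrans` interface on this page that still spells the transition out by hand, with `domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)` followed by separate `fd use` rules, where the others call `domtrans_pattern`. The interface body continues past the end of the hunk, so the full rule set is not visible here. Hand-written transitions drift out of step with the shared macro over time. If the difference is deliberate, I would add a comment such as `# not domtrans_pattern: caller also needs fd use on dmidecode_t`; otherwise convert it in a separate change.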


@ -1,5 +1,5 @@
policy_module(dmidecode,1.3.0)
policy_module(dmidecode, 1.3.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(dmidecode,1.3.0)
type dmidecode_t;
type dmidecode_exec_t;
application_domain(dmidecode_t,dmidecode_exec_t)
application_domain(dmidecode_t, dmidecode_exec_t)
role system_r types dmidecode_t;
########################################


@ -19,7 +19,7 @@ interface(`dpkg_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,dpkg_exec_t,dpkg_t)
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
########################################
@ -73,7 +73,7 @@ interface(`dpkg_run',`
dpkg_domtrans($1)
role $2 types dpkg_t;
role $2 types dpkg_script_t;
seutil_run_loadpolicy(dpkg_script_t,$2,$3)
seutil_run_loadpolicy(dpkg_script_t, $2, $3)
allow dpkg_t $3:chr_file rw_term_perms;
')
@ -166,8 +166,8 @@ interface(`dpkg_read_db',`
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
read_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
@ -186,8 +186,8 @@ interface(`dpkg_manage_db',`
')
files_search_var_lib($1)
manage_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
manage_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(dpkg,1.5.0)
policy_module(dpkg, 1.5.0)
########################################
#
@ -9,7 +9,7 @@ policy_module(dpkg,1.5.0)
type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t,dpkg_exec_t)
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
@ -69,20 +69,20 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
manage_files_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
manage_dirs_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t,dpkg_var_lib_t,dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
@ -240,7 +240,7 @@ allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)


@ -18,7 +18,7 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
domtrans_pattern($1,firstboot_exec_t,firstboot_t)
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################


@ -12,7 +12,7 @@ gen_require(`
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t,firstboot_exec_t)
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
role system_r types firstboot_t;


@ -15,7 +15,7 @@ interface(`kudzu_domtrans',`
type kudzu_t, kudzu_exec_t;
')
domtrans_pattern($1,kudzu_exec_t,kudzu_t)
domtrans_pattern($1, kudzu_exec_t, kudzu_t)
')
########################################


@ -8,7 +8,7 @@ policy_module(kudzu, 1.6.0)
type kudzu_t;
type kudzu_exec_t;
init_system_domain(kudzu_t,kudzu_exec_t)
init_system_domain(kudzu_t, kudzu_exec_t)
type kudzu_tmp_t;
files_tmp_file(kudzu_tmp_t)
@ -29,14 +29,14 @@ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
allow kudzu_t self:udp_socket { create ioctl };
manage_dirs_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
manage_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
manage_chr_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
manage_dirs_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
manage_files_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
kernel_change_ring_buffer_level(kudzu_t)
kernel_list_proc(kudzu_t)


@ -15,7 +15,7 @@ interface(`logrotate_domtrans',`
type logrotate_t, logrotate_exec_t;
')
domtrans_pattern($1,logrotate_exec_t,logrotate_t)
domtrans_pattern($1, logrotate_exec_t, logrotate_t)
')
########################################
@ -65,7 +65,7 @@ interface(`logrotate_exec',`
type logrotate_exec_t;
')
can_exec($1,logrotate_exec_t)
can_exec($1, logrotate_exec_t)
')
########################################


@ -13,7 +13,7 @@ domain_system_change_exemption(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
domain_entry_file(logrotate_t,logrotate_exec_t)
domain_entry_file(logrotate_t, logrotate_exec_t)
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
@ -51,17 +51,17 @@ allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
can_exec(logrotate_t, logrotate_tmp_t)
manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)


@ -8,7 +8,7 @@ policy_module(logwatch, 1.8.0)
type logwatch_t;
type logwatch_exec_t;
application_domain(logwatch_t,logwatch_exec_t)
application_domain(logwatch_t, logwatch_exec_t)
role system_r types logwatch_t;
type logwatch_cache_t;
@ -30,14 +30,14 @@ allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
manage_dirs_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
kernel_read_fs_sysctls(logwatch_t)


@ -15,6 +15,6 @@ interface(`mrtg_append_create_logs',`
type mrtg_log_t;
')
append_files_pattern($1,mrtg_log_t,mrtg_log_t)
create_files_pattern($1,mrtg_log_t,mrtg_log_t)
append_files_pattern($1, mrtg_log_t, mrtg_log_t)
create_files_pattern($1, mrtg_log_t, mrtg_log_t)
')


@ -8,7 +8,7 @@ policy_module(mrtg, 1.4.0)
type mrtg_t;
type mrtg_exec_t;
init_system_domain(mrtg_t,mrtg_exec_t)
init_system_domain(mrtg_t, mrtg_exec_t)
type mrtg_etc_t;
files_config_file(mrtg_etc_t)
@ -39,19 +39,19 @@ allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;
allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
read_lnk_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
manage_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_files_pattern(mrtg_t,mrtg_log_t,mrtg_log_t)
logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
manage_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
@ -124,7 +124,7 @@ ifdef(`enable_mls',`
ifdef(`distro_redhat',`
allow mrtg_t mrtg_lock_t:file manage_file_perms;
filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
')
optional_policy(`
@ -132,7 +132,7 @@ optional_policy(`
')
optional_policy(`
cron_system_entry(mrtg_t,mrtg_exec_t)
cron_system_entry(mrtg_t, mrtg_exec_t)
')
optional_policy(`


@ -15,7 +15,7 @@ interface(`netutils_domtrans',`
type netutils_t, netutils_exec_t;
')
domtrans_pattern($1,netutils_exec_t,netutils_t)
domtrans_pattern($1, netutils_exec_t, netutils_t)
')
########################################
@ -65,7 +65,7 @@ interface(`netutils_exec',`
type netutils_exec_t;
')
can_exec($1,netutils_exec_t)
can_exec($1, netutils_exec_t)
')
########################################
@ -83,7 +83,7 @@ interface(`netutils_domtrans_ping',`
type ping_t, ping_exec_t;
')
domtrans_pattern($1,ping_exec_t,ping_t)
domtrans_pattern($1, ping_exec_t, ping_t)
')
########################################
@ -205,7 +205,7 @@ interface(`netutils_exec_ping',`
type ping_exec_t;
')
can_exec($1,ping_exec_t)
can_exec($1, ping_exec_t)
')
########################################
@ -223,7 +223,7 @@ interface(`netutils_domtrans_traceroute',`
type traceroute_t, traceroute_exec_t;
')
domtrans_pattern($1,traceroute_exec_t,traceroute_t)
domtrans_pattern($1, traceroute_exec_t, traceroute_t)
')
########################################
@ -309,5 +309,5 @@ interface(`netutils_exec_traceroute',`
type traceroute_exec_t;
')
can_exec($1,traceroute_exec_t)
can_exec($1, traceroute_exec_t)
')


@ -1,5 +1,5 @@
policy_module(netutils,1.6.0)
policy_module(netutils, 1.6.0)
########################################
#
@ -11,11 +11,11 @@ policy_module(netutils,1.6.0)
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping,false)
gen_tunable(user_ping, false)
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
init_system_domain(netutils_t, netutils_exec_t)
role system_r types netutils_t;
type netutils_tmp_t;
@ -23,12 +23,12 @@ files_tmp_file(netutils_tmp_t)
type ping_t;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
init_system_domain(ping_t, ping_exec_t)
role system_r types ping_t;
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
init_system_domain(traceroute_t, traceroute_exec_t)
role system_r types traceroute_t;
########################################
@ -45,8 +45,8 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)


@ -28,7 +28,7 @@ interface(`portage_domtrans',`
allow portage_t $1:process sigchld;
# transition to portage
domtrans_pattern($1,portage_exec_t,portage_t.merge)
domtrans_pattern($1, portage_exec_t, portage_t.merge)
')
########################################
@ -127,20 +127,20 @@ interface(`portage_compile_domain',`
allow $1 portage_log_t:file { append write setattr };
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)
can_exec(portage_sandbox_t, portage_tmp_t)
manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)
manage_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t)
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
kernel_read_network_state($1)
@ -232,13 +232,13 @@ interface(`portage_fetch_domain',`
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
read_files_pattern($1,portage_conf_t,portage_conf_t)
read_files_pattern($1, portage_conf_t, portage_conf_t)
manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t)
manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t)
manage_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
manage_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
manage_dirs_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t)
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
@ -309,10 +309,10 @@ interface(`portage_main_domain',`
portage_compile_domain($1)
allow $1 portage_log_t:file manage_file_perms;
logging_log_filetrans($1,portage_log_t,file)
logging_log_filetrans($1, portage_log_t, file)
# run scripts out of the build directory
can_exec($1,portage_tmp_t)
can_exec($1, portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files($1)
@ -378,7 +378,7 @@ interface(`portage_domtrans_gcc_config',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,gcc_config_exec_t,gcc_config_t)
domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
')
########################################


@ -8,18 +8,18 @@ policy_module(portage, 1.6.0)
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t,gcc_config_exec_t)
application_domain(gcc_config_t, gcc_config_exec_t)
# constraining type
type portage_t;
type portage_exec_t;
application_domain(portage_t,portage_exec_t)
application_domain(portage_t, portage_exec_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
# portage domain for merging packages to the live fs
type portage_t.merge;
application_domain(portage_t.merge,portage_exec_t)
application_domain(portage_t.merge, portage_exec_t)
domain_obj_id_change_exemption(portage_t.merge)
# portage compile sandbox domain
@ -70,12 +70,12 @@ files_tmpfs_file(portage_tmpfs_t)
allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;
manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
allow gcc_config_t portage_exec_t:file { execute getattr };
@ -127,8 +127,8 @@ portage_compile_domain(portage_t)
portage_fetch_domain(portage_t)
# transition between child domains on shells and rsync
corecmd_shell_spec_domtrans(portage_t,portage_t)
rsync_entry_spec_domtrans(portage_t,portage_t)
corecmd_shell_spec_domtrans(portage_t, portage_t)
rsync_entry_spec_domtrans(portage_t, portage_t)
########################################
#
@ -144,14 +144,14 @@ allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
rsync_entry_domtrans(portage_t.merge, portage_t.fetch)
allow portage_t.fetch portage_t.merge:fd use;
allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
allow portage_t.fetch portage_t.merge:process sigchld;
# transition to sandbox for compiling
domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
domain_trans(portage_t.merge, portage_exec_t, portage_t.sandbox)
corecmd_shell_spec_domtrans(portage_t.merge, portage_t.sandbox)
allow portage_t.sandbox portage_t.merge:fd use;
allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
allow portage_t.sandbox portage_t.merge:process sigchld;
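Review bot: The comma normalisation is incomplete in this section: `corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)` under "# transition for rsync and wget" is printed only once, so it appears to be an untouched context line that still lacks the space, while the `rsync_entry_domtrans` line directly below it was fixed. The same applies to `logging_log_filetrans(sxid_t,sxid_log_t,file)` in the sxid section, and in the tripwire section the rewritten `files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })` still has no space before the brace. I would change them to `corecmd_shell_spec_domtrans(portage_t.merge, portage_t.fetch)`, `logging_log_filetrans(sxid_t, sxid_log_t, file)` and `files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { dir file lnk_file sock_file fifo_file })`. Uniform spacing matters here because these calls define domain and file-type transitions, and reviewers usually audit them by pattern search.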


@ -124,5 +124,5 @@ interface(`prelink_manage_log',`
')
logging_search_logs($1)
manage_files_pattern($1,prelink_log_t,prelink_log_t)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
')


@ -1,5 +1,5 @@
policy_module(prelink,1.5.0)
policy_module(prelink, 1.5.0)
########################################
#
@ -9,7 +9,7 @@ attribute prelink_object;
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t,prelink_exec_t)
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
type prelink_cache_t;
@ -35,9 +35,9 @@ files_etc_filetrans(prelink_t, prelink_cache_t, file)
files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };


@ -15,7 +15,7 @@ interface(`quota_domtrans',`
type quota_t, quota_exec_t;
')
domtrans_pattern($1,quota_exec_t,quota_t)
domtrans_pattern($1, quota_exec_t, quota_t)
')
########################################
@ -86,5 +86,5 @@ interface(`quota_manage_flags',`
')
files_search_var_lib($1)
manage_files_pattern($1,quota_flag_t,quota_flag_t)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
')


@ -1,5 +1,5 @@
policy_module(quota,1.3.0)
policy_module(quota, 1.3.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(quota,1.3.0)
type quota_t;
type quota_exec_t;
init_system_domain(quota_t,quota_exec_t)
init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)


@ -8,8 +8,8 @@ policy_module(readahead, 1.6.0)
type readahead_t;
type readahead_exec_t;
init_daemon_domain(readahead_t,readahead_exec_t)
application_domain(readahead_t,readahead_exec_t)
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
type readahead_etc_rw_t;
files_pid_file(readahead_etc_rw_t)
@ -26,10 +26,10 @@ allow readahead_t self:capability { dac_override dac_read_search };
dontaudit readahead_t self:capability sys_tty_config;
allow readahead_t self:process signal_perms;
manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)
manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
kernel_read_kernel_sysctls(readahead_t)
kernel_read_system_state(readahead_t)


@ -17,7 +17,7 @@ interface(`rpm_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,rpm_exec_t,rpm_t)
domtrans_pattern($1, rpm_exec_t, rpm_t)
')
########################################
@ -71,9 +71,9 @@ interface(`rpm_run',`
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
seutil_run_loadpolicy(rpm_script_t,$2,$3)
seutil_run_semanage(rpm_script_t,$2,$3)
seutil_run_setfiles(rpm_script_t,$2,$3)
seutil_run_loadpolicy(rpm_script_t, $2, $3)
seutil_run_semanage(rpm_script_t, $2, $3)
seutil_run_setfiles(rpm_script_t, $2, $3)
allow rpm_t $3:chr_file rw_term_perms;
')
@ -93,7 +93,7 @@ interface(`rpm_exec',`
')
corecmd_search_bin($1)
can_exec($1,rpm_exec_t)
can_exec($1, rpm_exec_t)
')
########################################
@ -225,7 +225,7 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
@ -245,8 +245,8 @@ interface(`rpm_read_db',`
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
read_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
@ -265,8 +265,8 @@ interface(`rpm_manage_db',`
')
files_search_var_lib($1)
manage_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
manage_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(rpm,1.8.0)
policy_module(rpm, 1.8.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(rpm,1.8.0)
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t,rpm_exec_t)
init_system_domain(rpm_t, rpm_exec_t)
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
@ -37,7 +37,7 @@ domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t,rpm_script_exec_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
role system_r types rpm_script_t;
@ -72,22 +72,22 @@ allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t,rpm_log_t,file)
logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
manage_dirs_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
@ -175,7 +175,7 @@ seutil_manage_bin_policy(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
cron_system_entry(rpm_t,rpm_exec_t)
cron_system_entry(rpm_t, rpm_exec_t)
')
optional_policy(`
@ -231,16 +231,16 @@ allow rpm_script_t self:msg { send receive };
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
manage_files_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
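Review bot: `domain_entry_file(rpm_t, rpm_script_exec_t)` sits among the declarations for `rpm_script_t` (`domain_type(rpm_script_t)`, `domain_interactive_fd(rpm_script_t)`), yet it makes `rpm_script_exec_t` an entry point for `rpm_t` rather than `rpm_script_t`. This commit only re-spaces the line and the type declarations lie outside the visible hunk, so the pairing may be intentional. If it is, a one-line comment saying why `rpm_t` is entered through `rpm_script_exec_t` would stop readers from taking it for a typo; if it is not, the first argument should presumably be `rpm_script_t`. It is worth confirming because both domains receive `domain_obj_id_change_exemption` and `domain_system_change_exemption` in this file, and the entry-file declaration decides which labelled files may start them. Separately, the context line `allow rpm_t self:file rw_file_perms;;` carries a stray second semicolon that a cleanup pass could drop.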


@ -34,7 +34,7 @@ template(`su_restricted_domain_template', `
')
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_entry_file($1_su_t, su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
@ -185,7 +185,7 @@ template(`su_per_role_template',`
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
corecmd_shell_domtrans($1_su_t, $2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
@ -203,7 +203,7 @@ template(`su_per_role_template',`
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
auth_domtrans_user_chk_passwd($1,$1_su_t)
auth_domtrans_user_chk_passwd($1, $1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
@ -230,8 +230,8 @@ template(`su_per_role_template',`
miscfiles_read_localization($1_su_t)
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
userdom_use_user_terminals($1, $1_su_t)
userdom_search_user_home_dirs($1, $1_su_t)
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
@ -319,5 +319,5 @@ interface(`su_exec',`
type su_exec_t;
')
can_exec($1,su_exec_t)
can_exec($1, su_exec_t)
')


@ -1,5 +1,5 @@
policy_module(su,1.8.0)
policy_module(su, 1.8.0)
########################################
#


@ -45,7 +45,7 @@ template(`sudo_per_role_template',`
#
type $1_sudo_t;
application_domain($1_sudo_t,sudo_exec_t)
application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
role $3 types $1_sudo_t;
@ -74,7 +74,7 @@ template(`sudo_per_role_template',`
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t,$2)
corecmd_shell_domtrans($1_sudo_t, $2)
allow $2 $1_sudo_t:fd use;
allow $2 $1_sudo_t:fifo_file rw_file_perms;
allow $2 $1_sudo_t:process sigchld;
@ -116,11 +116,11 @@ template(`sudo_per_role_template',`
miscfiles_read_localization($1_sudo_t)
userdom_manage_user_home_content_files($1,$1_sudo_t)
userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
userdom_manage_user_tmp_files($1,$1_sudo_t)
userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
userdom_use_user_terminals($1,$1_sudo_t)
userdom_manage_user_home_content_files($1, $1_sudo_t)
userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
userdom_manage_user_tmp_files($1, $1_sudo_t)
userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
userdom_use_user_terminals($1, $1_sudo_t)
userdom_use_unpriv_users_fds($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)


@ -1,5 +1,5 @@
policy_module(sudo,1.3.0)
policy_module(sudo, 1.3.0)
########################################
#


@ -1,5 +1,5 @@
policy_module(sxid,1.4.0)
policy_module(sxid, 1.4.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(sxid,1.4.0)
type sxid_t;
type sxid_exec_t;
application_domain(sxid_t,sxid_exec_t)
application_domain(sxid_t, sxid_exec_t)
type sxid_log_t;
logging_log_file(sxid_log_t)
@ -31,8 +31,8 @@ allow sxid_t self:udp_socket create_socket_perms;
allow sxid_t sxid_log_t:file manage_file_perms;
logging_log_filetrans(sxid_t,sxid_log_t,file)
manage_dirs_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
manage_files_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
kernel_read_system_state(sxid_t)
@ -86,7 +86,7 @@ sysnet_read_config(sxid_t)
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
cron_system_entry(sxid_t,sxid_exec_t)
cron_system_entry(sxid_t, sxid_exec_t)
optional_policy(`
mta_send_mail(sxid_t)


@ -17,5 +17,5 @@ interface(`tmpreaper_exec',`
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,tmpreaper_exec_t)
can_exec($1, tmpreaper_exec_t)
')


@ -1,5 +1,5 @@
policy_module(tmpreaper,1.3.0)
policy_module(tmpreaper, 1.3.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(tmpreaper,1.3.0)
type tmpreaper_t;
type tmpreaper_exec_t;
application_domain(tmpreaper_t,tmpreaper_exec_t)
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
########################################
@ -40,7 +40,7 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
optional_policy(`
lpd_manage_spool(tmpreaper_t)


@ -28,7 +28,7 @@ interface(`tripwire_domtrans_tripwire',`
type tripwire_t, tripwire_exec_t;
')
domtrans_pattern($1,tripwire_exec_t,tripwire_t)
domtrans_pattern($1, tripwire_exec_t, tripwire_t)
')
########################################
@ -78,7 +78,7 @@ interface(`tripwire_domtrans_twadmin',`
type twadmin_t, twadmin_exec_t;
')
domtrans_pattern($1,twadmin_exec_t,twadmin_t)
domtrans_pattern($1, twadmin_exec_t, twadmin_t)
')
########################################
@ -128,7 +128,7 @@ interface(`tripwire_domtrans_twprint',`
type twprint_t, twprint_exec_t;
')
domtrans_pattern($1,twprint_exec_t,twprint_t)
domtrans_pattern($1, twprint_exec_t, twprint_t)
')
########################################
@ -178,7 +178,7 @@ interface(`tripwire_domtrans_siggen',`
type siggen_t, siggen_exec_t;
')
domtrans_pattern($1,siggen_exec_t,siggen_t)
domtrans_pattern($1, siggen_exec_t, siggen_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(tripwire,1.1.0)
policy_module(tripwire, 1.1.0)
########################################
#
@ -8,11 +8,11 @@ policy_module(tripwire,1.1.0)
type siggen_t;
type siggen_exec_t;
application_domain(siggen_t,siggen_exec_t)
application_domain(siggen_t, siggen_exec_t)
type tripwire_t;
type tripwire_exec_t;
application_domain(tripwire_t,tripwire_exec_t)
application_domain(tripwire_t, tripwire_exec_t)
role system_r types tripwire_t;
type tripwire_etc_t;
@ -29,11 +29,11 @@ files_type(tripwire_var_lib_t)
type twadmin_t;
type twadmin_exec_t;
application_domain(twadmin_t,twadmin_exec_t)
application_domain(twadmin_t, twadmin_exec_t)
type twprint_t;
type twprint_exec_t;
application_domain(twprint_t,twprint_exec_t)
application_domain(twprint_t, twprint_exec_t)
########################################
#
@ -43,24 +43,24 @@ application_domain(twprint_t,twprint_exec_t)
allow tripwire_t self:capability { setgid setuid dac_override };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
read_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
read_lnk_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
files_search_etc(tripwire_t)
# Tripwire report files
manage_dirs_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
manage_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
manage_lnk_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
manage_dirs_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_lnk_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_fifo_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_sock_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern(tripwire_t,tripwire_var_lib_t,tripwire_var_lib_t)
files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t)
files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file)
kernel_read_system_state(tripwire_t)
kernel_read_network_state(tripwire_t)
@ -85,7 +85,7 @@ libs_use_shared_libs(tripwire_t)
logging_send_syslog_msg(tripwire_t)
optional_policy(`
cron_system_entry(tripwire_t,tripwire_exec_t)
cron_system_entry(tripwire_t, tripwire_exec_t)
')
########################################
@ -93,9 +93,9 @@ optional_policy(`
# Twadmin local policy
#
manage_dirs_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
manage_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
manage_lnk_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
domain_use_interactive_fds(twadmin_t)
@ -112,16 +112,16 @@ miscfiles_read_localization(twadmin_t)
#
allow twprint_t tripwire_etc_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
read_lnk_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
allow twprint_t tripwire_report_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
read_lnk_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
read_lnk_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
files_search_var_lib(twprint_t)
domain_use_interactive_fds(twprint_t)


@ -15,7 +15,7 @@ interface(`tzdata_domtrans',`
type tzdata_t, tzdata_exec_t;
')
domtrans_pattern($1,tzdata_exec_t,tzdata_t)
domtrans_pattern($1, tzdata_exec_t, tzdata_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(tzdata,1.2.0)
policy_module(tzdata, 1.2.0)
########################################
#


@ -17,5 +17,5 @@ interface(`updfstab_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,updfstab_exec_t,updfstab_t)
domtrans_pattern($1, updfstab_exec_t, updfstab_t)
')


@ -1,5 +1,5 @@
policy_module(updfstab,1.4.0)
policy_module(updfstab, 1.4.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(updfstab,1.4.0)
type updfstab_t;
type updfstab_exec_t;
init_system_domain(updfstab_t,updfstab_exec_t)
init_system_domain(updfstab_t, updfstab_exec_t)
########################################
#
@ -89,7 +89,7 @@ optional_policy(`
optional_policy(`
init_dbus_chat_script(updfstab_t)
dbus_system_bus_client_template(updfstab,updfstab_t)
dbus_system_bus_client_template(updfstab, updfstab_t)
')
optional_policy(`


@ -1,5 +1,5 @@
policy_module(usbmodules,1.1.0)
policy_module(usbmodules, 1.1.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(usbmodules,1.1.0)
type usbmodules_t;
type usbmodules_exec_t;
init_system_domain(usbmodules_t,usbmodules_exec_t)
init_system_domain(usbmodules_t, usbmodules_exec_t)
role system_r types usbmodules_t;
########################################


@ -17,7 +17,7 @@ interface(`usermanage_domtrans_chfn',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,chfn_exec_t,chfn_t)
domtrans_pattern($1, chfn_exec_t, chfn_t)
')
########################################
@ -68,7 +68,7 @@ interface(`usermanage_domtrans_groupadd',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
')
########################################
@ -124,7 +124,7 @@ interface(`usermanage_domtrans_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,passwd_exec_t,passwd_t)
domtrans_pattern($1, passwd_exec_t, passwd_t)
')
########################################
@ -176,7 +176,7 @@ interface(`usermanage_domtrans_admin_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,admin_passwd_exec_t,sysadm_passwd_t)
domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
')
########################################
@ -251,7 +251,7 @@ interface(`usermanage_domtrans_useradd',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1,useradd_exec_t,useradd_t)
domtrans_pattern($1, useradd_exec_t, useradd_t)
')
########################################
@ -305,5 +305,5 @@ interface(`usermanage_read_crack_db',`
type crack_db_t;
')
read_files_pattern($1,crack_db_t,crack_db_t)
read_files_pattern($1, crack_db_t, crack_db_t)
')


@ -12,12 +12,12 @@ files_type(admin_passwd_exec_t)
type chfn_t;
type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t,chfn_exec_t)
application_domain(chfn_t, chfn_exec_t)
role system_r types chfn_t;
type crack_t;
type crack_exec_t;
application_domain(crack_t,crack_exec_t)
application_domain(crack_t, crack_exec_t)
role system_r types crack_t;
type crack_db_t;
@ -29,18 +29,18 @@ files_tmp_file(crack_tmp_t)
type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t,groupadd_exec_t)
init_system_domain(groupadd_t, groupadd_exec_t)
role system_r types groupadd_t;
type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
application_domain(passwd_t,passwd_exec_t)
application_domain(passwd_t, passwd_exec_t)
role system_r types passwd_t;
type sysadm_passwd_t;
domain_obj_id_change_exemption(sysadm_passwd_t)
application_domain(sysadm_passwd_t,admin_passwd_exec_t)
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
role system_r types sysadm_passwd_t;
type sysadm_passwd_tmp_t;
@ -132,12 +132,12 @@ userdom_dontaudit_search_all_users_home_content(chfn_t)
allow crack_t self:process { sigkill sigstop signull signal };
allow crack_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(crack_t,crack_db_t,crack_db_t)
manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
manage_files_pattern(crack_t, crack_db_t, crack_db_t)
manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
files_search_var(crack_t)
manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
@ -169,7 +169,7 @@ ifdef(`distro_debian',`
')
optional_policy(`
cron_system_entry(crack_t,crack_exec_t)
cron_system_entry(crack_t, crack_exec_t)
')
########################################
@ -275,7 +275,7 @@ allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t,crack_db_t,crack_db_t)
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
kernel_read_kernel_sysctls(passwd_t)
@ -361,8 +361,8 @@ allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
files_dontaudit_search_home(sysadm_passwd_t)
@ -506,7 +506,7 @@ userdom_use_unpriv_users_fds(useradd_t)
userdom_manage_all_users_home_content_dirs(useradd_t)
userdom_manage_all_users_home_content_files(useradd_t)
unprivuser_home_filetrans_home_dir(useradd_t)
unprivuser_home_dir_filetrans_home_content(useradd_t,notdevfile_class_set)
unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set)
mta_manage_spool(useradd_t)


@ -16,5 +16,5 @@ interface(`vbetool_domtrans',`
')
corecmd_search_bin($1)
domtrans_pattern($1,vbetool_exec_t,vbetool_t)
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
')


@ -1,5 +1,5 @@
policy_module(vbetool,1.3.0)
policy_module(vbetool, 1.3.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(vbetool,1.3.0)
type vbetool_t;
type vbetool_exec_t;
init_system_domain(vbetool_t,vbetool_exec_t)
init_system_domain(vbetool_t, vbetool_exec_t)
########################################
#


@ -15,7 +15,7 @@ interface(`vpn_domtrans',`
type vpnc_t, vpnc_exec_t;
')
domtrans_pattern($1, vpnc_exec_t,vpnc_t)
domtrans_pattern($1, vpnc_exec_t, vpnc_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(vpn,1.8.0)
policy_module(vpn, 1.8.0)
########################################
#


@ -1,5 +1,5 @@
policy_module(ada,1.2.0)
policy_module(ada, 1.2.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(ada,1.2.0)
type ada_t;
type ada_exec_t;
application_domain(ada_t,ada_exec_t)
application_domain(ada_t, ada_exec_t)
role system_r types ada_t;
########################################


@ -15,6 +15,6 @@ interface(`authbind_domtrans',`
type authbind_t, authbind_exec_t;
')
domtrans_pattern($1,authbind_exec_t,authbind_t)
domtrans_pattern($1, authbind_exec_t, authbind_t)
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')


@ -1,5 +1,5 @@
policy_module(authbind,1.1.0)
policy_module(authbind, 1.1.0)
########################################
#
@ -8,7 +8,7 @@ policy_module(authbind,1.1.0)
type authbind_t;
type authbind_exec_t;
application_domain(authbind_t,authbind_exec_t)
application_domain(authbind_t, authbind_exec_t)
role system_r types authbind_t;
type authbind_etc_t;
@ -22,8 +22,8 @@ files_config_file(authbind_etc_t)
allow authbind_t self:capability net_bind_service;
allow authbind_t authbind_etc_t:dir list_dir_perms;
exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
read_lnk_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
files_list_etc(authbind_t)


@ -33,11 +33,10 @@ interface(`awstats_rw_pipes',`
#
interface(`awstats_cgi_exec',`
gen_require(`
type httpd_awstats_script_exec_t;
type httpd_awstats_content_t;
type httpd_awstats_script_exec_t, httpd_awstats_content_t;
')
allow $1 httpd_awstats_content_t:dir search_dir_perms;
allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
can_exec($1,httpd_awstats_script_exec_t)
can_exec($1, httpd_awstats_script_exec_t)
')


@ -1,5 +1,5 @@
policy_module(awstats,1.0.0)
policy_module(awstats, 1.0.0)
########################################
#


@ -16,6 +16,6 @@ interface(`calamaris_read_www_files',`
')
allow $1 calamaris_www_t:dir list_dir_perms;
read_files_pattern($1,calamaris_www_t,calamaris_www_t)
read_lnk_files_pattern($1,calamaris_www_t,calamaris_www_t)
read_files_pattern($1, calamaris_www_t, calamaris_www_t)
read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
')


@ -8,7 +8,7 @@ policy_module(calamaris, 1.3.0)
type calamaris_t;
type calamaris_exec_t;
init_system_domain(calamaris_t,calamaris_exec_t)
init_system_domain(calamaris_t, calamaris_exec_t)
type calamaris_www_t;
files_type(calamaris_www_t)
@ -29,11 +29,11 @@ allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
allow calamaris_t self:tcp_socket create_stream_socket_perms;
allow calamaris_t self:udp_socket create_socket_perms;
manage_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
manage_lnk_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)
logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })
kernel_read_all_sysctls(calamaris_t)
kernel_read_system_state(calamaris_t)
@ -76,7 +76,7 @@ optional_policy(`
')
optional_policy(`
cron_system_entry(calamaris_t,calamaris_exec_t)
cron_system_entry(calamaris_t, calamaris_exec_t)
')
optional_policy(`


@ -44,7 +44,7 @@ template(`cdrecord_per_role_template', `
#
type $1_cdrecord_t;
application_domain($1_cdrecord_t,cdrecord_exec_t)
application_domain($1_cdrecord_t, cdrecord_exec_t)
role $3 types $1_cdrecord_t;
########################################
@ -64,7 +64,7 @@ template(`cdrecord_per_role_template', `
allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain.
domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)
domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t)
# allow searching for cdrom-drive
dev_list_all_dev_nodes($1_cdrecord_t)
@ -89,10 +89,10 @@ template(`cdrecord_per_role_template', `
miscfiles_read_localization($1_cdrecord_t)
# write to the user domain tty.
userdom_use_user_terminals($1,$1_cdrecord_t)
userdom_use_user_terminals($1,$2)
userdom_use_user_terminals($1, $1_cdrecord_t)
userdom_use_user_terminals($1, $2)
userdom_read_user_home_content_files($1,$1_cdrecord_t)
userdom_read_user_home_content_files($1, $1_cdrecord_t)
# Handle nfs home dirs
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
@ -122,12 +122,12 @@ template(`cdrecord_per_role_template', `
# Handle removable media, /tmp, and /home
tunable_policy(`cdrecord_read_content',`
userdom_list_user_tmp($1,$1_cdrecord_t)
userdom_read_user_tmp_files($1,$1_cdrecord_t)
userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
userdom_search_user_home_dirs($1,$1_cdrecord_t)
userdom_read_user_home_content_files($1,$1_cdrecord_t)
userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
userdom_list_user_tmp($1, $1_cdrecord_t)
userdom_read_user_tmp_files($1, $1_cdrecord_t)
userdom_read_user_tmp_symlinks($1, $1_cdrecord_t)
userdom_search_user_home_dirs($1, $1_cdrecord_t)
userdom_read_user_home_content_files($1, $1_cdrecord_t)
userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
ifdef(`enable_mls',`
',`
@ -140,10 +140,10 @@ template(`cdrecord_per_role_template', `
files_dontaudit_list_home($1_cdrecord_t)
fs_dontaudit_list_removable($1_cdrecord_t)
fs_dontaudit_read_removable_files($1_cdrecord_t)
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t)
userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
')
# Handle default_t content
@ -160,22 +160,22 @@ template(`cdrecord_per_role_template', `
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
files_list_tmp($1_cdrecord_t)
files_list_home($1_cdrecord_t)
userdom_search_user_home_dirs($1,$1_cdrecord_t)
userdom_search_user_home_dirs($1, $1_cdrecord_t)
userdom_list_user_untrusted_content($1,$1_cdrecord_t)
userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
userdom_list_user_untrusted_content($1, $1_cdrecord_t)
userdom_read_user_untrusted_content_files($1, $1_cdrecord_t)
userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t)
userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t)
',`
files_dontaudit_list_tmp($1_cdrecord_t)
files_dontaudit_list_home($1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t)
userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
')
tunable_policy(`use_nfs_home_dirs',`
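Review bot: `userdom_read_user_home_content_files($1, $1_cdrecord_t)` in the -89 hunk sits before the first `tunable_policy` block, and the same call appears again inside the `cdrecord_read_content` block in the -122 hunk, so as far as these hunks show the boolean does not gate reads of user home content for `$1_cdrecord_t`. This predates the commit, which only changes spacing, but the new side keeps a grant that is wider than the tunable's description implies. If the unconditional grant is not deliberate, drop the -89 copy and keep only the one under the tunable; if it is deliberate, a comment above it should say so, for example `# home content is readable regardless of cdrecord_read_content`. Indentation and blank lines were lost in this rendering and the template body starts and ends outside the hunks, so the nesting is inferred from statement order.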


@ -1,5 +1,5 @@
policy_module(cdrecord,1.4.0)
policy_module(cdrecord, 1.4.0)
########################################
#
@ -13,7 +13,7 @@ policy_module(cdrecord,1.4.0)
## and untrusted content files
## </p>
## </desc>
gen_tunable(cdrecord_read_content,false)
gen_tunable(cdrecord_read_content, false)
type cdrecord_exec_t;
application_executable_file(cdrecord_exec_t)


@ -45,12 +45,12 @@ template(`ethereal_per_role_template',`
# Type for program
type $1_ethereal_t;
application_domain($1_ethereal_t,ethereal_exec_t)
application_domain($1_ethereal_t, ethereal_exec_t)
role $3 types $1_ethereal_t;
type $1_ethereal_home_t alias $1_ethereal_rw_t;
files_poly_member($1_ethereal_home_t)
userdom_user_home_content($1,$1_ethereal_home_t)
userdom_user_home_content($1, $1_ethereal_home_t)
type $1_ethereal_tmp_t;
files_tmp_file($1_ethereal_tmp_t)
@ -78,33 +78,33 @@ template(`ethereal_per_role_template',`
corecmd_search_bin($1_ethereal_t)
# /home/.ethereal
manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
# Store temporary files
manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:process sigchld;
manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
kernel_read_kernel_sysctls($1_ethereal_t)
kernel_read_system_state($1_ethereal_t)
@ -134,7 +134,7 @@ template(`ethereal_per_role_template',`
sysnet_read_config($1_ethereal_t)
userdom_manage_user_home_content_files($1,$1_ethereal_t)
userdom_manage_user_home_content_files($1, $1_ethereal_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ethereal_t)
@ -154,12 +154,12 @@ template(`ethereal_per_role_template',`
# Manual transition from userhelper
optional_policy(`
userhelper_use_user_fd($1,$1_ethereal_t)
userhelper_sigchld_user($1,$1_ethereal_t)
userhelper_use_user_fd($1, $1_ethereal_t)
userhelper_sigchld_user($1, $1_ethereal_t)
')
optional_policy(`
xserver_user_x_domain_template($1,$1_ethereal,$1_ethereal_t,$1_ethereal_tmpfs_t)
xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
@ -205,9 +205,9 @@ template(`ethereal_admin_template',`
allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
allow $1_ethereal_t self:tcp_socket create_socket_perms;
userdom_use_user_terminals($1,$1_ethereal_t)
userdom_use_user_terminals($1, $1_ethereal_t)
# Ethereal tries to write to user terminal
userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)
userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
')
########################################
@ -240,7 +240,7 @@ template(`ethereal_domtrans_user_ethereal',`
type $1_ethereal_t, ethereal_exec_t;
')
domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)
')
########################################
@ -258,7 +258,7 @@ template(`ethereal_domtrans_tethereal',`
type tethereal_t, tethereal_exec_t;
')
domtrans_pattern($1,tethereal_exec_t,tethereal_t)
domtrans_pattern($1, tethereal_exec_t, tethereal_t)
')
########################################
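Review bot: In the -205 hunk `userdom_use_user_terminals($1, $1_ethereal_t)` is immediately followed by `userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)` for the same domain, under the comment "Ethereal tries to write to user terminal". If both interfaces cover the same terminal access, the allow makes the dontaudit ineffective and the domain keeps access that the comment suggests was meant to be denied quietly. Keep only the one that is intended and say which in the comment, for example `# terminal access is denied and not audited`. The enclosing `ethereal_admin_template` starts outside the hunk, and this whitespace-only commit carries the pair over unchanged.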


@ -1,5 +1,5 @@
policy_module(ethereal,1.5.0)
policy_module(ethereal, 1.5.0)
########################################
#
@ -11,7 +11,7 @@ application_executable_file(ethereal_exec_t)
type tethereal_t;
type tethereal_exec_t;
application_domain(tethereal_t,tethereal_exec_t)
application_domain(tethereal_t, tethereal_exec_t)
type tethereal_tmp_t;
files_tmp_file(tethereal_tmp_t)
@ -29,8 +29,8 @@ allow tethereal_t self:tcp_socket create_socket_perms;
allow tethereal_t self:udp_socket create_socket_perms;
# Store temporary files
manage_dirs_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
manage_files_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
manage_dirs_pattern(tethereal_t, tethereal_tmp_t, tethereal_tmp_t)
manage_files_pattern(tethereal_t, tethereal_tmp_t, tethereal_tmp_t)
files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
# /proc


@ -41,7 +41,7 @@ template(`evolution_per_role_template',`
#
type $1_evolution_t;
application_domain($1_evolution_t,evolution_exec_t)
application_domain($1_evolution_t, evolution_exec_t)
role $3 types $1_evolution_t;
type $1_evolution_tmpfs_t;
@ -49,13 +49,13 @@ template(`evolution_per_role_template',`
type $1_evolution_home_t alias $1_evolution_rw_t;
files_poly_member($1_evolution_home_t)
userdom_user_home_content($1,$1_evolution_home_t)
userdom_user_home_content($1, $1_evolution_home_t)
type $1_evolution_orbit_tmp_t;
files_tmp_file($1_evolution_orbit_tmp_t)
type $1_evolution_alarm_t;
application_domain($1_evolution_alarm_t,evolution_alarm_exec_t)
application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
role $3 types $1_evolution_alarm_t;
type $1_evolution_alarm_tmpfs_t;
@ -65,7 +65,7 @@ template(`evolution_per_role_template',`
files_tmp_file($1_evolution_alarm_orbit_tmp_t)
type $1_evolution_exchange_t;
application_domain($1_evolution_exchange_t,evolution_exchange_exec_t)
application_domain($1_evolution_exchange_t, evolution_exchange_exec_t)
role $3 types $1_evolution_exchange_t;
type $1_evolution_exchange_tmpfs_t;
@ -78,14 +78,14 @@ template(`evolution_per_role_template',`
files_tmp_file($1_evolution_exchange_orbit_tmp_t)
type $1_evolution_server_t;
application_domain($1_evolution_server_t,evolution_server_exec_t)
application_domain($1_evolution_server_t, evolution_server_exec_t)
role $3 types $1_evolution_server_t;
type $1_evolution_server_orbit_tmp_t;
files_tmp_file($1_evolution_server_orbit_tmp_t)
type $1_evolution_webcal_t;
application_domain($1_evolution_webcal_t,evolution_webcal_exec_t)
application_domain($1_evolution_webcal_t, evolution_webcal_exec_t)
role $3 types $1_evolution_webcal_t;
type $1_evolution_webcal_tmpfs_t;
@ -111,7 +111,7 @@ template(`evolution_per_role_template',`
allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
can_exec($1_evolution_t,evolution_alarm_exec_t)
can_exec($1_evolution_t, evolution_alarm_exec_t)
allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
@ -122,11 +122,11 @@ template(`evolution_per_role_template',`
allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file })
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file })
files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file })
allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
allow $1_evolution_t $1_evolution_server_t:file read;
@ -134,14 +134,14 @@ template(`evolution_per_role_template',`
allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
can_exec($1_evolution_t,evolution_server_exec_t)
can_exec($1_evolution_t, evolution_server_exec_t)
allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
allow $1_evolution_t $2:dir search;
allow $1_evolution_t $2:fd use;
@ -163,7 +163,7 @@ template(`evolution_per_role_template',`
allow $2 $1_evolution_home_t:file manage_file_perms;
allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_search_user_home_dirs($1, $1_evolution_t)
# Allow the user domain to signal/ps.
allow $2 $1_evolution_t:dir { search getattr read };
@ -235,19 +235,19 @@ template(`evolution_per_role_template',`
udev_read_state($1_evolution_t)
userdom_rw_user_tmp_files($1,$1_evolution_t)
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
userdom_manage_user_tmp_files($1,$1_evolution_t)
userdom_rw_user_tmp_files($1, $1_evolution_t)
userdom_manage_user_tmp_dirs($1, $1_evolution_t)
userdom_manage_user_tmp_sockets($1, $1_evolution_t)
userdom_manage_user_tmp_files($1, $1_evolution_t)
userdom_use_user_terminals($1, $1_evolution_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t)
mta_read_config($1_evolution_t)
xserver_user_x_domain_template($1,$1_evolution,$1_evolution_t,$1_evolution_tmpfs_t)
xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t)
xserver_read_xdm_tmp_files($1_evolution_t)
tunable_policy(`use_nfs_home_dirs',`
@ -288,12 +288,12 @@ template(`evolution_per_role_template',`
')
tunable_policy(`mail_read_content',`
userdom_list_user_tmp($1,$1_evolution_t)
userdom_read_user_tmp_files($1,$1_evolution_t)
userdom_read_user_tmp_symlinks($1,$1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_read_user_home_content_files($1,$1_evolution_t)
userdom_read_user_home_content_symlinks($1,$1_evolution_t)
userdom_list_user_tmp($1, $1_evolution_t)
userdom_read_user_tmp_files($1, $1_evolution_t)
userdom_read_user_tmp_symlinks($1, $1_evolution_t)
userdom_search_user_home_dirs($1, $1_evolution_t)
userdom_read_user_home_content_files($1, $1_evolution_t)
userdom_read_user_home_content_symlinks($1, $1_evolution_t)
ifndef(`enable_mls',`
fs_search_removable($1_evolution_t)
@ -325,20 +325,20 @@ template(`evolution_per_role_template',`
files_list_home($1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_list_user_untrusted_content($1,$1_evolution_t)
userdom_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_untrusted_content_symlinks($1,$1_evolution_t)
userdom_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_evolution_t)
userdom_list_user_untrusted_content($1, $1_evolution_t)
userdom_read_user_untrusted_content_files($1, $1_evolution_t)
userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
userdom_list_user_tmp_untrusted_content($1, $1_evolution_t)
userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t)
',`
files_dontaudit_list_tmp($1_evolution_t)
files_dontaudit_list_home($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t)
userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
')
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
@ -370,15 +370,15 @@ template(`evolution_per_role_template',`
tunable_policy(`write_untrusted_content',`
files_search_home($1_evolution_t)
userdom_manage_user_untrusted_content_files($1,$1_evolution_t)
userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
',`
files_dontaudit_list_home($1_evolution_t)
files_dontaudit_list_tmp($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
@ -394,8 +394,8 @@ template(`evolution_per_role_template',`
')
optional_policy(`
dbus_system_bus_client_template($1_evolution,$1_evolution_t)
dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
dbus_system_bus_client_template($1_evolution, $1_evolution_t)
dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t)
')
optional_policy(`
@ -404,12 +404,12 @@ template(`evolution_per_role_template',`
# Encrypt mail
optional_policy(`
gpg_domtrans_user_gpg($1,$1_evolution_t)
gpg_signal_user_gpg($1,$1_evolution_t)
gpg_domtrans_user_gpg($1, $1_evolution_t)
gpg_signal_user_gpg($1, $1_evolution_t)
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_evolution_t)
lpd_domtrans_user_lpr($1, $1_evolution_t)
')
optional_policy(`
@ -429,8 +429,8 @@ template(`evolution_per_role_template',`
### Junk mail filtering (start spamd)
optional_policy(`
spamassassin_exec_spamd($1_evolution_t)
spamassassin_domtrans_user_client($1,$1_evolution_t)
spamassassin_domtrans_user_local_client($1,$1_evolution_t)
spamassassin_domtrans_user_client($1, $1_evolution_t)
spamassassin_domtrans_user_local_client($1, $1_evolution_t)
# Allow evolution to signal the daemon
# FIXME: Now evolution can read spamd temp files
spamassassin_read_spamd_tmp_files($1_evolution_t)
@ -511,9 +511,9 @@ template(`evolution_per_role_template',`
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_alarm_t)
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t)
xserver_user_x_domain_template($1,$1_evolution_alarm,$1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t)
xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
@ -525,7 +525,7 @@ template(`evolution_per_role_template',`
')
optional_policy(`
dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t)
dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t)
')
optional_policy(`
@ -576,7 +576,7 @@ template(`evolution_per_role_template',`
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
#FIXME, who should own this. I dont think this module should
@ -609,13 +609,13 @@ template(`evolution_per_role_template',`
miscfiles_read_localization($1_evolution_exchange_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_exchange_t)
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t)
xserver_user_x_domain_template($1,$1_evolution_exchange,$1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t)
xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
@ -706,11 +706,11 @@ template(`evolution_per_role_template',`
sysnet_use_ldap($1_evolution_server_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_server_t)
userdom_search_user_home_dirs($1, $1_evolution_server_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
@ -747,7 +747,7 @@ template(`evolution_per_role_template',`
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Transition from user type
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
@ -770,13 +770,13 @@ template(`evolution_per_role_template',`
sysnet_dns_name_resolve($1_evolution_webcal_t)
# Search home directory (?)
userdom_search_user_home_dirs($1,$1_evolution_webcal_t)
userdom_search_user_home_dirs($1, $1_evolution_webcal_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_webcal_t)
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t)
xserver_user_x_domain_template($1,$1_evolution_webcal,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t)
optional_policy(`
nscd_socket_use($1_evolution_webcal_t)
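Review bot: The spacing cleanup is incomplete in the -325 hunk: `userdom_search_user_home_dirs($1,$1_evolution_t)` appears only once and without the space after the comma, while the same call in the -288 hunk was normalised. The same applies in the two sections that follow, to `term_create_pty($1_games_t,$1_games_devpts_t)` in the -65 hunk of the games template and `can_exec(games_t,games_exec_t)` in the -26 hunk of the games policy. The `+`/`-` markers are lost in this rendering, so I read a call that occurs only once as an unchanged context line. Suggested forms are `userdom_search_user_home_dirs($1, $1_evolution_t)`, `term_create_pty($1_games_t, $1_games_devpts_t)` and `can_exec(games_t, games_exec_t)`.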


@ -1,5 +1,5 @@
policy_module(evolution,1.6.0)
policy_module(evolution, 1.6.0)
########################################
#


@ -44,7 +44,7 @@ template(`games_per_role_template',`
#
type $1_games_t;
application_domain($1_games_t,games_exec_t)
application_domain($1_games_t, games_exec_t)
role $3 types $1_games_t;
type $1_games_devpts_t;
@ -65,21 +65,21 @@ template(`games_per_role_template',`
allow $1_games_t self:tcp_socket create_stream_socket_perms;
allow $1_games_t self:udp_socket create_socket_perms;
manage_files_pattern($1_games_t,games_data_t,games_data_t)
manage_lnk_files_pattern($1_games_t,games_data_t,games_data_t)
manage_files_pattern($1_games_t, games_data_t, games_data_t)
manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t)
allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_games_t,$1_games_devpts_t)
manage_dirs_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
manage_files_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
manage_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_lnk_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_fifo_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_sock_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ file lnk_file sock_file fifo_file })
manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file })
can_exec($1_games_t, games_exec_t)
@ -146,7 +146,7 @@ template(`games_per_role_template',`
')
optional_policy(`
xserver_user_x_domain_template($1,$1_games,$1_games_t,$1_games_tmpfs_t)
xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
')


@ -13,7 +13,7 @@ files_type(games_data_t)
# games recovery scripts
type games_t;
type games_exec_t;
init_system_domain(games_t,games_exec_t)
init_system_domain(games_t, games_exec_t)
type games_var_run_t;
files_pid_file(games_var_run_t)
@ -26,11 +26,11 @@ files_pid_file(games_var_run_t)
dontaudit games_t self:capability sys_tty_config;
allow games_t self:process signal_perms;
manage_files_pattern(games_t,games_data_t,games_data_t)
manage_lnk_files_pattern(games_t,games_data_t,games_data_t)
manage_files_pattern(games_t, games_data_t, games_data_t)
manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
manage_files_pattern(games_t,games_var_run_t,games_var_run_t)
files_pid_filetrans(games_t,games_var_run_t,file)
manage_files_pattern(games_t, games_var_run_t, games_var_run_t)
files_pid_filetrans(games_t, games_var_run_t, file)
can_exec(games_t,games_exec_t)
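Review bot: The trailing context line `can_exec(games_t,games_exec_t)` in the last hunk of this section still has no space after the comma, so the cleanup is incomplete here; it should read `can_exec(games_t, games_exec_t)`. The same gap remains on the new side elsewhere on this page: `term_create_pty($1_games_t,$1_games_devpts_t)` in the games template, `fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ ... })` and `userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)` in the gift template, `userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir)` in the gnome template, and `userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file })` in the irc template. Finishing the pass over every macro argument list now keeps later diffs to these policy files limited to real rule changes, which is what makes access-control changes reviewable.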


@ -40,18 +40,18 @@ template(`gift_per_role_template',`
#
type $1_gift_t;
application_domain($1_gift_t,gift_exec_t)
application_domain($1_gift_t, gift_exec_t)
role $3 types $1_gift_t;
type $1_gift_home_t alias $1_gift_rw_t;
files_poly_member($1_gift_home_t)
userdom_user_home_content($1,$1_gift_home_t)
userdom_user_home_content($1, $1_gift_home_t)
type $1_gift_tmpfs_t;
files_tmpfs_file($1_gift_tmpfs_t)
type $1_giftd_t;
application_domain($1_giftd_t,giftd_exec_t)
application_domain($1_giftd_t, giftd_exec_t)
role $3 types $1_giftd_t;
##############################
@ -61,16 +61,16 @@ template(`gift_per_role_template',`
allow $1_gift_t self:tcp_socket create_socket_perms;
manage_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_lnk_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_fifo_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)
# Launch gift daemon
domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
@ -79,15 +79,15 @@ template(`gift_per_role_template',`
domtrans_pattern($2, gift_exec_t, $1_gift_t)
# user managed content
manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_gift_t)
ps_process_pattern($2, $1_gift_t)
allow $2 $1_gift_t:process signal_perms;
# Read /proc/meminfo
@ -107,7 +107,7 @@ template(`gift_per_role_template',`
sysnet_read_config($1_gift_t)
# giftui looks in .icons, .themes.
userdom_dontaudit_read_user_home_content_files($1,$1_gift_t)
userdom_dontaudit_read_user_home_content_files($1, $1_gift_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gift_t)
@ -130,7 +130,7 @@ template(`gift_per_role_template',`
')
optional_policy(`
xserver_user_x_domain_template($1,$1_gift,$1_gift_t,$1_gift_tmpfs_t)
xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t)
')
##############################
@ -143,10 +143,10 @@ template(`gift_per_role_template',`
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
allow $1_giftd_t self:udp_socket create_socket_perms;
manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir)
domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
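Review bot: In the gift client rules, `fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` requests a type transition for `dir`, but the four `manage_*_pattern` calls just above it cover only files, symlinks, fifos and sockets of `$1_gift_tmpfs_t`. The games, javaplugin and mozilla templates on this page pass `{ file lnk_file sock_file fifo_file }` to the same call. Unless a `manage_dirs_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)` exists outside the hunk (the template body continues beyond it), either drop `dir` from the class set or add that rule, so the transition and the granted permissions agree.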


@ -1,5 +1,5 @@
policy_module(gift,1.4.0)
policy_module(gift, 1.4.0)
########################################
#


@ -64,13 +64,13 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t self:process getsched;
allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file })
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
allow $1_gconfd_t $2:fd use;
@ -78,9 +78,9 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t $2:unix_stream_socket connectto;
allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t)
ps_process_pattern($2,$1_gconfd_t)
ps_process_pattern($2, $1_gconfd_t)
dev_read_urand($1_gconfd_t)
@ -94,10 +94,10 @@ template(`gnome_per_role_template',`
logging_send_syslog_msg($1_gconfd_t)
userdom_manage_user_tmp_sockets($1, $1_gconfd_t)
userdom_manage_user_tmp_dirs($1,$1_gconfd_t)
userdom_tmp_filetrans_user_tmp($1,$1_gconfd_t,dir)
userdom_manage_user_tmp_dirs($1, $1_gconfd_t)
userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir)
gnome_stream_connect_gconf_template($1,$2)
gnome_stream_connect_gconf_template($1, $2)
optional_policy(`
nscd_dontaudit_search_pid($1_gconfd_t)
@ -127,11 +127,10 @@ template(`gnome_per_role_template',`
#
template(`gnome_stream_connect_gconf_template',`
gen_require(`
type $1_gconfd_t;
type $1_gconf_tmp_t;
type $1_gconfd_t, $1_gconf_tmp_t;
')
read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)
read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t)
allow $2 $1_gconfd_t:unix_stream_socket connectto;
')
@ -165,7 +164,7 @@ template(`gnome_domtrans_user_gconf',`
type $1_gconfd_t, gconfd_exec_t;
')
domtrans_pattern($2,gconfd_exec_t,$1_gconfd_t)
domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t)
')
########################################
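Review bot: The `gen_require` block of `gnome_stream_connect_gconf_template` changes from two statements, `type $1_gconfd_t;` and `type $1_gconf_tmp_t;`, to the single `type $1_gconfd_t, $1_gconf_tmp_t;`, which is a statement-level edit rather than a whitespace fix (the hunk header shrinks from 11 to 10 lines). The `gen_require` of `gpg_per_role_template` gets the same treatment. The result should be equivalent, but in a 357-file commit described as whitespace-only it is worth either moving these merges into their own commit or naming them in the commit message, so that a reviewer diffing with whitespace ignored knows which differences are expected to remain.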


@ -1,5 +1,5 @@
policy_module(gnome,1.3.0)
policy_module(gnome, 1.3.0)
##############################
#


@ -36,8 +36,7 @@
#
template(`gpg_per_role_template',`
gen_require(`
type gpg_exec_t, gpg_helper_exec_t;
type gpg_agent_exec_t, pinentry_exec_t;
type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t;
')
########################################
@ -46,25 +45,25 @@ template(`gpg_per_role_template',`
#
type $1_gpg_t;
application_domain($1_gpg_t,gpg_exec_t)
application_domain($1_gpg_t, gpg_exec_t)
role $3 types $1_gpg_t;
type $1_gpg_agent_t;
application_domain($1_gpg_agent_t,gpg_agent_exec_t)
application_domain($1_gpg_agent_t, gpg_agent_exec_t)
role $3 types $1_gpg_agent_t;
type $1_gpg_agent_tmp_t;
files_tmp_file($1_gpg_agent_tmp_t)
type $1_gpg_secret_t;
userdom_user_home_content($1,$1_gpg_secret_t)
userdom_user_home_content($1, $1_gpg_secret_t)
type $1_gpg_helper_t;
application_domain($1_gpg_helper_t,gpg_helper_exec_t)
application_domain($1_gpg_helper_t, gpg_helper_exec_t)
role $3 types $1_gpg_helper_t;
type $1_gpg_pinentry_t;
application_domain($1_gpg_pinentry_t,pinentry_exec_t)
application_domain($1_gpg_pinentry_t, pinentry_exec_t)
role $3 types $1_gpg_pinentry_t;
########################################
@ -81,18 +80,18 @@ template(`gpg_per_role_template',`
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
# transition from the gpg domain to the helper domain
domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
# transition from the userdomain to the derived domain
domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
# allow ps to show gpg
ps_process_pattern($2,$1_gpg_t)
ps_process_pattern($2, $1_gpg_t)
corenet_all_recvfrom_unlabeled($1_gpg_t)
corenet_all_recvfrom_netlabel($1_gpg_t)
@ -125,7 +124,7 @@ template(`gpg_per_role_template',`
sysnet_read_config($1_gpg_t)
userdom_use_user_terminals($1,$1_gpg_t)
userdom_use_user_terminals($1, $1_gpg_t)
optional_policy(`
nis_use_ypbind($1_gpg_t)
@ -208,29 +207,29 @@ template(`gpg_per_role_template',`
allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
# allow gpg to connect to the gpg agent
stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t)
# allow ps to show gpg-agent
ps_process_pattern($2,$1_gpg_agent_t)
ps_process_pattern($2, $1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
allow $2 $1_gpg_agent_t:process { signal sigkill signull };
# Allow the user to manage gpg-agent tmp files (socket)
manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
# Transition from the user domain to the derived domain.
domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
@ -245,17 +244,17 @@ template(`gpg_per_role_template',`
miscfiles_read_localization($1_gpg_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_gpg_agent_t)
userdom_use_user_terminals($1, $1_gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs($1,$1_gpg_agent_t)
userdom_search_user_home_dirs($1, $1_gpg_agent_t)
tunable_policy(`gpg_agent_env_file',`
# write ~/.gpg-agent-info or a similar to the users home dir
# or subdir (gpg-agent --write-env-file option)
#
userdom_user_home_dir_filetrans_user_home_content($1,$1_gpg_agent_t,file)
userdom_manage_user_home_content_dirs($1,$1_gpg_agent_t)
userdom_manage_user_home_content_files($1,$1_gpg_agent_t)
userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file)
userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t)
userdom_manage_user_home_content_files($1, $1_gpg_agent_t)
')
tunable_policy(`use_nfs_home_dirs',`
@ -280,7 +279,7 @@ template(`gpg_per_role_template',`
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
@ -296,7 +295,7 @@ template(`gpg_per_role_template',`
miscfiles_read_localization($1_gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_gpg_pinentry_t)
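Review bot: `userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)` sits under the comment `# for .Xauthority`, yet judging by its name the interface covers user home content files in general rather than that one file. The comment a few lines earlier says pinentry exists to get the passphrase from the user, so this domain is worth keeping narrow. The interface definition is not on this page; if it is as broad as the name suggests, consider an interface scoped to the X authority file, or extend the comment to record why the wider read is accepted, e.g. `# for .Xauthority; TODO narrow to the xauth type`. The pinentry rules continue past the end of this hunk.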


@ -43,18 +43,18 @@ template(`irc_per_role_template',`
#
type $1_irc_t;
application_domain($1_irc_t,irc_exec_t)
application_domain($1_irc_t, irc_exec_t)
role $3 types $1_irc_t;
type $1_irc_exec_t;
userdom_user_home_content($1,$1_irc_exec_t)
application_domain($1_irc_t,$1_irc_exec_t)
userdom_user_home_content($1, $1_irc_exec_t)
application_domain($1_irc_t, $1_irc_exec_t)
type $1_irc_home_t;
userdom_user_home_content($1,$1_irc_home_t)
userdom_user_home_content($1, $1_irc_home_t)
type $1_irc_tmp_t;
userdom_user_home_content($1,$1_irc_tmp_t)
userdom_user_home_content($1, $1_irc_tmp_t)
########################################
#
@ -65,26 +65,26 @@ template(`irc_per_role_template',`
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domtrans_pattern($2,irc_exec_t,$1_irc_t)
domtrans_pattern($2, irc_exec_t, $1_irc_t)
allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
# allow ps to show irc
ps_process_pattern($2,$1_irc_t)
ps_process_pattern($2, $1_irc_t)
allow $2 $1_irc_t:process signal;
kernel_read_proc_symlinks($1_irc_t)
@ -130,7 +130,7 @@ template(`irc_per_role_template',`
sysnet_read_config($1_irc_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_irc_t)
userdom_use_user_terminals($1, $1_irc_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_irc_t)
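Review bot: `$1_irc_tmp_t` is declared with `userdom_user_home_content($1, $1_irc_tmp_t)`, but it is used for `/tmp` objects (`# access files under /tmp`, `files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { ... })`). The gpg template on this page declares its temporary type with `files_tmp_file($1_gpg_agent_tmp_t)`, and the same form looks right here: `files_tmp_file($1_irc_tmp_t)`. As written, rules granted on user home content would presumably also reach the IRC client's temporary files; what the declaration macro actually assigns is defined outside this page, so confirm there before changing it.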


@ -1,5 +1,5 @@
policy_module(irc,1.4.0)
policy_module(irc, 1.4.0)
########################################
#


@ -43,7 +43,7 @@ template(`java_per_role_template',`
#
type $1_javaplugin_t;
application_domain($1_javaplugin_t,java_exec_t)
application_domain($1_javaplugin_t, java_exec_t)
role $3 types $1_javaplugin_t;
type $1_javaplugin_tmp_t;
@ -64,20 +64,20 @@ template(`java_per_role_template',`
allow $1_javaplugin_t $2:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_fifo_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
manage_fifo_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
can_exec($1_javaplugin_t, java_exec_t)
@ -134,15 +134,15 @@ template(`java_per_role_template',`
sysnet_read_config($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
userdom_manage_user_home_content_files($1,$1_javaplugin_t)
userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
userdom_manage_user_home_content_files($1, $1_javaplugin_t)
userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
tunable_policy(`allow_java_execstack',`
allow $1_javaplugin_t self:process execstack;
@ -164,7 +164,7 @@ template(`java_per_role_template',`
')
optional_policy(`
xserver_user_x_domain_template($1,$1_javaplugin,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
')
')
@ -198,7 +198,7 @@ template(`java_domtrans_user_javaplugin',`
type $1_javaplugin_t, java_exec_t;
')
domtrans_pattern($2,java_exec_t,$1_javaplugin_t)
domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
')
########################################
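Review bot: `read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)` directly follows `rw_files_pattern` with the same three arguments, so the read rule looks redundant. If read-write on `$1_home_t` is intended, drop the `read_files_pattern` line; if the plugin was only meant to read those files, the `rw_files_pattern` line is the one that grants too much. Both macro definitions are outside this page, so confirm that `rw_files_pattern` includes the read permissions before removing either line.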


@ -1,5 +1,5 @@
policy_module(java,1.8.0)
policy_module(java, 1.8.0)
########################################
#
@ -11,11 +11,11 @@ policy_module(java,1.8.0)
## Allow java executable stack
## </p>
## </desc>
gen_tunable(allow_java_execstack,false)
gen_tunable(allow_java_execstack, false)
type java_t;
type java_exec_t;
init_system_domain(java_t,java_exec_t)
init_system_domain(java_t, java_exec_t)
########################################
#


@ -65,5 +65,5 @@ interface(`loadkeys_exec',`
type loadkeys_exec_t;
')
can_exec($1,loadkeys_exec_t)
can_exec($1, loadkeys_exec_t)
')


@ -1,5 +1,5 @@
policy_module(loadkeys,1.4.0)
policy_module(loadkeys, 1.4.0)
########################################
#
@ -11,7 +11,7 @@ policy_module(loadkeys,1.4.0)
# all user domain ttys
type loadkeys_t;
type loadkeys_exec_t;
init_system_domain(loadkeys_t,loadkeys_exec_t)
init_system_domain(loadkeys_t, loadkeys_exec_t)
########################################
#


@ -44,7 +44,7 @@ template(`lockdev_per_role_template',`
#
type $1_lockdev_t;
application_domain($1_lockdev_t,lockdev_exec_t)
application_domain($1_lockdev_t, lockdev_exec_t)
role $3 types $1_lockdev_t;
type $1_lockdev_lock_t;
@ -63,7 +63,7 @@ template(`lockdev_per_role_template',`
domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file)
files_read_all_locks($1_lockdev_t)


@ -1,5 +1,5 @@
policy_module(lockdev,1.2.0)
policy_module(lockdev, 1.2.0)
########################################
#


@ -8,7 +8,7 @@ policy_module(mono, 1.5.0)
type mono_t;
type mono_exec_t;
init_system_domain(mono_t,mono_exec_t)
init_system_domain(mono_t, mono_exec_t)
########################################
#


@ -42,12 +42,12 @@ template(`mozilla_per_role_template',`
# Declarations
#
type $1_mozilla_t;
application_domain($1_mozilla_t,mozilla_exec_t)
application_domain($1_mozilla_t, mozilla_exec_t)
role $3 types $1_mozilla_t;
type $1_mozilla_home_t alias $1_mozilla_rw_t;
files_poly_member($1_mozilla_home_t)
userdom_user_home_content($1,$1_mozilla_home_t)
userdom_user_home_content($1, $1_mozilla_home_t)
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
@ -72,10 +72,10 @@ template(`mozilla_per_role_template',`
can_exec($1_mozilla_t, mozilla_exec_t)
# X access, Home files
manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
userdom_search_user_home_dirs($1, $1_mozilla_t)
# Mozpluggerrc
allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
@ -89,18 +89,18 @@ template(`mozilla_per_role_template',`
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
allow $1_mozilla_t $2:process signull;
@ -109,7 +109,7 @@ template(`mozilla_per_role_template',`
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_mozilla_t)
ps_process_pattern($2, $1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
kernel_read_kernel_sysctls($1_mozilla_t)
@ -184,14 +184,14 @@ template(`mozilla_per_role_template',`
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_manage_user_home_content_files($1,$1_mozilla_t)
userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
userdom_manage_user_tmp_files($1,$1_mozilla_t)
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
userdom_manage_user_home_content_files($1, $1_mozilla_t)
userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
userdom_manage_user_tmp_files($1, $1_mozilla_t)
userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
@ -238,12 +238,12 @@ template(`mozilla_per_role_template',`
')
tunable_policy(`mozilla_read_content',`
userdom_list_user_tmp($1,$1_mozilla_t)
userdom_read_user_tmp_files($1,$1_mozilla_t)
userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
userdom_read_user_home_content_files($1,$1_mozilla_t)
userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
userdom_list_user_tmp($1, $1_mozilla_t)
userdom_read_user_tmp_files($1, $1_mozilla_t)
userdom_read_user_tmp_symlinks($1, $1_mozilla_t)
userdom_search_user_home_dirs($1, $1_mozilla_t)
userdom_read_user_home_content_files($1, $1_mozilla_t)
userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
ifdef(`enable_mls',`',`
fs_search_removable($1_mozilla_t)
@ -255,10 +255,10 @@ template(`mozilla_per_role_template',`
files_dontaudit_list_home($1_mozilla_t)
fs_dontaudit_list_removable($1_mozilla_t)
fs_dontaudit_read_removable_files($1_mozilla_t)
userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_tmp($1, $1_mozilla_t)
userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t)
')
tunable_policy(`mozilla_read_content && read_default_t',`
@ -273,22 +273,22 @@ template(`mozilla_per_role_template',`
tunable_policy(`mozilla_read_content && read_untrusted_content',`
files_list_tmp($1_mozilla_t)
files_list_home($1_mozilla_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
userdom_search_user_home_dirs($1, $1_mozilla_t)
userdom_list_user_untrusted_content($1,$1_mozilla_t)
userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
userdom_list_user_untrusted_content($1, $1_mozilla_t)
userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t)
userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t)
',`
files_dontaudit_list_tmp($1_mozilla_t)
files_dontaudit_list_home($1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t)
userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
')
# Save web pages
@ -321,26 +321,26 @@ template(`mozilla_per_role_template',`
tunable_policy(`write_untrusted_content',`
files_search_home($1_mozilla_t)
userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file)
files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir)
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
userdom_manage_user_untrusted_content_files($1, $1_mozilla_t)
userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
',`
files_dontaudit_list_home($1_mozilla_t)
files_dontaudit_list_tmp($1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t)
userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t)
userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t)
')
optional_policy(`
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
apache_read_user_scripts($1, $1_mozilla_t)
apache_read_user_content($1, $1_mozilla_t)
')
optional_policy(`
@ -353,12 +353,12 @@ template(`mozilla_per_role_template',`
')
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
dbus_system_bus_client_template($1_mozilla, $1_mozilla_t)
dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1, $1_mozilla_t)
')
optional_policy(`
@ -366,7 +366,7 @@ template(`mozilla_per_role_template',`
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_mozilla_t)
lpd_domtrans_user_lpr($1, $1_mozilla_t)
')
optional_policy(`
@ -501,7 +501,7 @@ template(`mozilla_domtrans_user_mozilla',`
type $1_mozilla_t, mozilla_exec_t;
')
domtrans_pattern($2, mozilla_exec_t,$1_mozilla_t)
domtrans_pattern($2, mozilla_exec_t, $1_mozilla_t)
')
########################################


@ -1,5 +1,5 @@
policy_module(mozilla,1.6.0)
policy_module(mozilla, 1.6.0)
########################################
#
@ -11,7 +11,7 @@ policy_module(mozilla,1.6.0)
## Control mozilla content access
## </p>
## </desc>
gen_tunable(mozilla_read_content,false)
gen_tunable(mozilla_read_content, false)
type mozilla_conf_t;
files_config_file(mozilla_conf_t)


@ -43,11 +43,11 @@ template(`mplayer_per_role_template',`
#
type $1_mencoder_t;
application_domain($1_mencoder_t,mencoder_exec_t)
application_domain($1_mencoder_t, mencoder_exec_t)
role $3 types $1_mencoder_t;
type $1_mplayer_t;
application_domain($1_mplayer_t,mplayer_exec_t)
application_domain($1_mplayer_t, mplayer_exec_t)
role $3 types $1_mplayer_t;
type $1_mplayer_home_t alias $1_mplayer_rw_t;
@ -62,14 +62,14 @@ template(`mplayer_per_role_template',`
# mencoder local policy
#
manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
# Read global config
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
read_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
read_lnk_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
# domain transition
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
@ -183,20 +183,20 @@ template(`mplayer_per_role_template',`
files_list_tmp($1_mencoder_t)
files_list_home($1_mencoder_t)
userdom_list_user_untrusted_content($1,$1_mencoder_t)
userdom_read_user_untrusted_content_files($1,$1_mencoder_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mencoder_t)
userdom_list_user_tmp_untrusted_content($1,$1_mencoder_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mencoder_t)
userdom_list_user_untrusted_content($1, $1_mencoder_t)
userdom_read_user_untrusted_content_files($1, $1_mencoder_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t)
userdom_list_user_tmp_untrusted_content($1, $1_mencoder_t)
userdom_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mencoder_t)
',`
files_dontaudit_list_tmp($1_mencoder_t)
files_dontaudit_list_home($1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mencoder_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mencoder_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mencoder_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
userdom_dontaudit_list_user_untrusted_content($1, $1_mencoder_t)
userdom_dontaudit_read_user_untrusted_content_files($1, $1_mencoder_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mencoder_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
')
tunable_policy(`write_untrusted_content',`
@ -232,18 +232,18 @@ template(`mplayer_per_role_template',`
tunable_policy(`write_untrusted_content',`
files_search_home($1_mencoder_t)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t, file)
files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t ,dir)
userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
userdom_manage_user_untrusted_content_dirs($1, $1_mencoder_t)
userdom_manage_user_untrusted_content_files($1, $1_mencoder_t)
',`
files_dontaudit_list_home($1_mencoder_t)
files_dontaudit_list_tmp($1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
userdom_dontaudit_manage_user_tmp_files($1,$1_mencoder_t)
userdom_dontaudit_manage_user_home_content_dirs($1,$1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
userdom_dontaudit_manage_user_tmp_files($1, $1_mencoder_t)
userdom_dontaudit_manage_user_home_content_dirs($1, $1_mencoder_t)
')
########################################
@ -255,29 +255,29 @@ template(`mplayer_per_role_template',`
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
allow $1_mplayer_t self:sem create_sem_perms;
manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
userdom_search_user_home_dirs($1,$1_mplayer_t)
manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
userdom_search_user_home_dirs($1, $1_mplayer_t)
manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_fifo_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_sock_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
manage_fifo_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
manage_sock_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
fs_tmpfs_filetrans($1_mplayer_t, $1_mplayer_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Read global config
allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
read_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
read_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
# Home access
manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
# domain transition
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
@ -333,15 +333,15 @@ template(`mplayer_per_role_template',`
miscfiles_read_localization($1_mplayer_t)
miscfiles_read_fonts($1_mplayer_t)
userdom_use_user_terminals($1,$1_mplayer_t)
userdom_use_user_terminals($1, $1_mplayer_t)
# Read media files
userdom_list_user_tmp($1,$1_mplayer_t)
userdom_read_user_tmp_files($1,$1_mplayer_t)
userdom_read_user_tmp_symlinks($1,$1_mplayer_t)
userdom_read_user_home_content_files($1,$1_mplayer_t)
userdom_read_user_home_content_symlinks($1,$1_mplayer_t)
userdom_list_user_tmp($1, $1_mplayer_t)
userdom_read_user_tmp_files($1, $1_mplayer_t)
userdom_read_user_tmp_symlinks($1, $1_mplayer_t)
userdom_read_user_home_content_files($1, $1_mplayer_t)
userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
xserver_user_x_domain_template($1,$1_mplayer,$1_mplayer_t,$1_mplayer_tmpfs_t)
xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
# Read songs
ifdef(`enable_mls',`',`
@ -417,20 +417,20 @@ template(`mplayer_per_role_template',`
files_list_tmp($1_mplayer_t)
files_list_home($1_mplayer_t)
userdom_list_user_untrusted_content($1,$1_mplayer_t)
userdom_read_user_untrusted_content_files($1,$1_mplayer_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mplayer_t)
userdom_list_user_tmp_untrusted_content($1,$1_mplayer_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mplayer_t)
userdom_list_user_untrusted_content($1, $1_mplayer_t)
userdom_read_user_untrusted_content_files($1, $1_mplayer_t)
userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t)
userdom_list_user_tmp_untrusted_content($1, $1_mplayer_t)
userdom_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mplayer_t)
',`
files_dontaudit_list_tmp($1_mplayer_t)
files_dontaudit_list_home($1_mplayer_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mplayer_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mplayer_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mplayer_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mplayer_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
userdom_dontaudit_list_user_home_dirs($1, $1_mplayer_t)
userdom_dontaudit_list_user_untrusted_content($1, $1_mplayer_t)
userdom_dontaudit_read_user_untrusted_content_files($1, $1_mplayer_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mplayer_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
')
optional_policy(`
@ -472,7 +472,7 @@ template(`mplayer_domtrans_user_mplayer',`
type $1_mplayer_t, mplayer_exec_t;
')
domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t)
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
')
########################################
@ -505,5 +505,5 @@ template(`mplayer_read_user_home_files',`
type $1_mplayer_home_t;
')
read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
')
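Review bot: In the `write_untrusted_content` branch for `$1_mencoder_t`, the rewritten line `files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t ,dir)` puts the space before the comma instead of after it, unlike the `file` line directly above; it should read `files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t, dir)`. m4 strips leading but not trailing whitespace from macro arguments, so the type argument now carries a trailing space into the expansion, which is probably harmless to the compiled policy but is the opposite of what a whitespace cleanup intends. Because this is a mechanical edit across many access-control policy files, slips like this are easiest to catch by building the policy before and after the commit and confirming the resulting rules are identical. The enclosing `mplayer_per_role_template` starts and ends outside the displayed hunks.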
