change over to some perm set macros. add indentation

2005-06-03 12:25:14 +00:00 · 2005-06-03 12:25:14 +00:00 · 0c73cd2526
commit 0c73cd2526
parent 36e54b81f7
58 changed files with 6523 additions and 5316 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -302,7 +302,7 @@ tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
 		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
 	fi

-$(JAVABYTE) doctool: $(JAVASRC)
+$(JAVABYTE): $(JAVASRC)
 	javac $(JAVASRC)

 html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@ -4,23 +4,26 @@
 # consoletype_transition(domain)
 #
 define(`consoletype_transition',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute };
-allow $1 consoletype_t:process transition;
-type_transition $1 consoletype_exec_t:process consoletype_t;
-dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
-allow $1 consoletype_t:fd use;
-allow consoletype_t $1:fd use;
-allow consoletype_t $1:fifo_file rw_file_perms;
-allow consoletype_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 consoletype_exec_t:file { getattr read execute };
+	allow $1 consoletype_t:process transition;
+	type_transition $1 consoletype_exec_t:process consoletype_t;
+	dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 consoletype_t:fd use;
+	allow consoletype_t $1:fd use;
+	allow consoletype_t $1:fifo_file rw_file_perms;
+	allow consoletype_t $1:process sigchld;
 ')

 define(`consoletype_transition_depend',`
-type consoletype_t, consoletype_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type consoletype_t, consoletype_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # consoletype_execute(domain)
 #
 define(`consoletype_execute',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`consoletype_execute_depend',`
-type consoletype_exec_t;
-class file { getattr read execute execute_no_trans };
+	type consoletype_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@ -51,15 +51,15 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)

 tunable_policy(`distro_redhat', `
-filesystem_use_tmpfs_character_devices(consoletype_t)
+	filesystem_use_tmpfs_character_devices(consoletype_t)
 ')

 optional_policy(`authlogin.te', `
-authlogin_pam_read_runtime_data(consoletype_t)
+	authlogin_pam_read_runtime_data(consoletype_t)
 ')

 optional_policy(`userdomain.te',`
-userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+	userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`dmesg_transition',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute };
-allow $1 dmesg_t:process transition;
-type_transition $1 dmesg_exec_t:process dmesg_t;
-dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
-allow $1 dmesg_t:fd use;
-allow dmesg_t $1:fd use;
-allow dmesg_t $1:fifo_file rw_file_perms;
-allow dmesg_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dmesg_exec_t:file { getattr read execute };
+	allow $1 dmesg_t:process transition;
+	type_transition $1 dmesg_exec_t:process dmesg_t;
+	dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 dmesg_t:fd use;
+	allow dmesg_t $1:fd use;
+	allow dmesg_t $1:fifo_file rw_file_perms;
+	allow dmesg_t $1:process sigchld;
 ')

 define(`dmesg_transition_depend',`
-type dmesg_t, dmesg_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type dmesg_t, dmesg_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -44,13 +47,15 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`dmesg_execute',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`dmesg_execute_depend',`
-type dmesg_exec_t;
-class file { getattr read execute execute_no_trans };
+	type dmesg_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ## </module>
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@ -50,17 +50,17 @@ userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(dmesg_t)
-terminal_ignore_use_general_pseudoterminal(dmesg_t)
-files_ignore_read_rootfs_file(dmesg_t)
+	terminal_ignore_use_general_physical_terminal(dmesg_t)
+	terminal_ignore_use_general_pseudoterminal(dmesg_t)
+	files_ignore_read_rootfs_file(dmesg_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(dmesg_t)
+	selinux_newrole_sigchld(dmesg_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(dmesg_t)
+	udev_read_database(dmesg_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@ -4,23 +4,26 @@
 # netutils_transition(domain)
 #
 define(`netutils_transition',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute };
-allow $1 netutils_t:process transition;
-type_transition $1 netutils_exec_t:process netutils_t;
-dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
-allow $1 netutils_t:fd use;
-allow netutils_t $1:fd use;
-allow netutils_t $1:fifo_file rw_file_perms;
-allow netutils_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 netutils_exec_t:file { getattr read execute };
+	allow $1 netutils_t:process transition;
+	type_transition $1 netutils_exec_t:process netutils_t;
+	dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 netutils_t:fd use;
+	allow netutils_t $1:fd use;
+	allow netutils_t $1:fifo_file rw_file_perms;
+	allow netutils_t $1:process sigchld;
 ')

 define(`netutils_transition_depend',`
-type netutils_t, netutils_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type netutils_t, netutils_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # netutils_execute(domain)
 #
 define(`netutils_execute',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`netutils_execute_depend',`
-type netutils_exec_t;
-class file { getattr read execute execute_no_trans };
+	type netutils_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`rpm_transition',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_exec_t:file { getattr read execute };
-allow $1 rpm_t:process transition;
-type_transition $1 rpm_exec_t:process rpm_t;
-dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
-allow $1 rpm_t:fd use;
-allow rpm_t $1:fd use;
-allow rpm_t $1:fifo_file rw_file_perms;
-allow rpm_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_exec_t:file { getattr read execute };
+	allow $1 rpm_t:process transition;
+	type_transition $1 rpm_exec_t:process rpm_t;
+	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 rpm_t:fd use;
+	allow rpm_t $1:fd use;
+	allow rpm_t $1:fifo_file rw_file_perms;
+	allow rpm_t $1:process sigchld;
 ')

 define(`rpm_transition_depend',`
-type rpm_t, rpm_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type rpm_t, rpm_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -50,16 +53,18 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`rpm_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-rpm_transition($1)
-role $2 types rpm_t;
-role $2 types rpm_script_t;
-allow rpm_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	rpm_transition($1)
+	role $2 types rpm_t;
+	role $2 types rpm_script_t;
+	allow rpm_t $3:chr_file { getattr read write ioctl };
 ')

 define(`rpm_transition_add_role_use_terminal_depend',`
-type rpm_t, rpm_script_t;
-class chr_file { getattr read write ioctl };
+	type rpm_t, rpm_script_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`rpm_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_t:fd use;
 ')

 define(`rpm_use_file_descriptors_depend',`
-type rpm_t;
-class fd use;
+	type rpm_t;
+
+	class fd use;
 ')

 ########################################
@ -95,13 +102,15 @@ class fd use;
 ## </interface>
 #
 define(`rpm_read_pipe',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fifo_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_t:fifo_file { getattr read };
 ')

 define(`rpm_read_pipe_depend',`
-type rpm_t;
-class fifo_file { getattr read };
+	type rpm_t;
+
+	class fifo_file { getattr read };
 ')

 ########################################
@ -116,17 +125,19 @@ class fifo_file { getattr read };
 ## </interface>
 #
 define(`rpm_read_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr read search };
-allow $1 rpm_var_lib_t:file { read getattr };
-allow $1 rpm_var_lib_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_var_lib_t:dir { getattr read search };
+	allow $1 rpm_var_lib_t:file { read getattr };
+	allow $1 rpm_var_lib_t:lnk_file { getattr read };
 ')

 define(`rpm_read_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+	type rpm_var_lib_t_t;
+
+	class dir { search getattr read };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')

 ########################################
@ -134,17 +145,19 @@ class file { getattr read };
 # rpm_manage_package_database(domain)
 #
 define(`rpm_manage_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
-allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+	requires_block_template(`$0'_depend)
+
+	allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')

 define(`rpm_manage_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+	type rpm_var_lib_t_t;
+
+	class dir { search getattr read };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')

 ## </module>
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`usermanage_chfn_transition',`
-requires_block_template(`$0'_depend)
-allow $1 chfn_exec_t:file { getattr read execute };
-allow $1 chfn_t:process transition;
-type_transition $1 chfn_exec_t:process chfn_t;
-dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
-allow $1 chfn_t:fd use;
-allow chfn_t $1:fd use;
-allow chfn_t $1:fifo_file rw_file_perms;
-allow chfn_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 chfn_exec_t:file { getattr read execute };
+	allow $1 chfn_t:process transition;
+	type_transition $1 chfn_exec_t:process chfn_t;
+	dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 chfn_t:fd use;
+	allow chfn_t $1:fd use;
+	allow chfn_t $1:fifo_file rw_file_perms;
+	allow chfn_t $1:process sigchld;
 ')

 define(`usermanage_chfn_transition_depend',`
-type chfn_t, chfn_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type chfn_t, chfn_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_chfn_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_chfn_transition($1)
-role $2 types chfn_t;
-allow chfn_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_chfn_transition($1)
+	role $2 types chfn_t;
+	allow chfn_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
-type chfn_t;
-class chr_file { getattr read write ioctl };
+	type chfn_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -74,23 +79,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_groupadd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 groupadd_exec_t:file { getattr read execute };
-allow $1 groupadd_t:process transition;
-type_transition $1 groupadd_exec_t:process groupadd_t;
-dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
-allow $1 groupadd_t:fd use;
-allow groupadd_t $1:fd use;
-allow groupadd_t $1:fifo_file rw_file_perms;
-allow groupadd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 groupadd_exec_t:file { getattr read execute };
+	allow $1 groupadd_t:process transition;
+	type_transition $1 groupadd_exec_t:process groupadd_t;
+	dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 groupadd_t:fd use;
+	allow groupadd_t $1:fd use;
+	allow groupadd_t $1:fifo_file rw_file_perms;
+	allow groupadd_t $1:process sigchld;
 ')

 define(`usermanage_groupadd_transition_depend',`
-type groupadd_t, groupadd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type groupadd_t, groupadd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -112,15 +120,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_groupadd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_groupadd_transition($1)
-role $2 types groupadd_t;
-allow groupadd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_groupadd_transition($1)
+	role $2 types groupadd_t;
+	allow groupadd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
-type groupadd_t;
-class chr_file { getattr read write ioctl };
+	type groupadd_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -135,23 +145,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_passwd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 passwd_exec_t:file { getattr read execute };
-allow $1 passwd_t:process transition;
-type_transition $1 passwd_exec_t:process passwd_t;
-dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
-allow $1 passwd_t:fd use;
-allow passwd_t $1:fd use;
-allow passwd_t $1:fifo_file rw_file_perms;
-allow passwd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 passwd_exec_t:file { getattr read execute };
+	allow $1 passwd_t:process transition;
+	type_transition $1 passwd_exec_t:process passwd_t;
+	dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 passwd_t:fd use;
+	allow passwd_t $1:fd use;
+	allow passwd_t $1:fifo_file rw_file_perms;
+	allow passwd_t $1:process sigchld;
 ')

 define(`usermanage_passwd_transition_depend',`
-type passwd_t, passwd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type passwd_t, passwd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -173,15 +186,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_passwd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_passwd_transition($1)
-role $2 types passwd_t;
-allow passwd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_passwd_transition($1)
+	role $2 types passwd_t;
+	allow passwd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
-type passwd_t;
-class chr_file { getattr read write ioctl };
+	type passwd_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -196,23 +211,26 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`usermanage_useradd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 useradd_exec_t:file { getattr read execute };
-allow $1 useradd_t:process transition;
-type_transition $1 useradd_exec_t:process useradd_t;
-dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
-allow $1 useradd_t:fd use;
-allow useradd_t $1:fd use;
-allow useradd_t $1:fifo_file rw_file_perms;
-allow useradd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 useradd_exec_t:file { getattr read execute };
+	allow $1 useradd_t:process transition;
+	type_transition $1 useradd_exec_t:process useradd_t;
+	dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 useradd_t:fd use;
+	allow useradd_t $1:fd use;
+	allow useradd_t $1:fifo_file rw_file_perms;
+	allow useradd_t $1:process sigchld;
 ')

 define(`usermanage_useradd_transition_depend',`
-type useradd_t, useradd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type useradd_t, useradd_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -234,15 +252,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`usermanage_useradd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_useradd_transition($1)
-role $2 types useradd_t;
-allow useradd_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	usermanage_useradd_transition($1)
+	role $2 types useradd_t;
+	allow useradd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
-type useradd_t;
-class chr_file { getattr read write ioctl };
+	type useradd_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ## </module>
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -6,333 +6,342 @@
 # gpg_per_userdomain_template(userdomain_prefix)
 #
 define(`gpg_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)

-########################################
-#
-# Declarations
-#
+	########################################
+	#
+	# Declarations
+	#

-type $1_gpg_t;
-domain_make_domain($1_gpg_t)
-domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
-role $1_r types $1_gpg_t;
+	type $1_gpg_t;
+	domain_make_domain($1_gpg_t)
+	domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
+	role $1_r types $1_gpg_t;

-type $1_gpg_agent_t;
-domain_make_domain($1_gpg_agent_t)
-domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
-role $1_r types $1_gpg_agent_t;
+	type $1_gpg_agent_t;
+	domain_make_domain($1_gpg_agent_t)
+	domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
+	role $1_r types $1_gpg_agent_t;

-type $1_gpg_agent_tmp_t;
-files_make_temporary_file($1_gpg_agent_tmp_t)
+	type $1_gpg_agent_tmp_t;
+	files_make_temporary_file($1_gpg_agent_tmp_t)

-type $1_gpg_secret_t; #, $1_file_type;
-files_make_file($1_gpg_secret_t)
+	type $1_gpg_secret_t; #, $1_file_type;
+	files_make_file($1_gpg_secret_t)

-type $1_gpg_helper_t;
-domain_make_domain($1_gpg_helper_t)
-role $1_r types $1_gpg_helper_t;
+	type $1_gpg_helper_t;
+	domain_make_domain($1_gpg_helper_t)
+	role $1_r types $1_gpg_helper_t;

-type $1_gpg_pinentry_t;
-domain_make_domain($1_gpg_pinentry_t)
-role $1_r types $1_gpg_pinentry_t;
+	type $1_gpg_pinentry_t;
+	domain_make_domain($1_gpg_pinentry_t)
+	role $1_r types $1_gpg_pinentry_t;

-########################################
-#
-# GPG local policy
-#
+	########################################
+	#
+	# GPG local policy
+	#

-# transition from the userdomain to the derived domain
-allow $1_t $1_gpg_t:process transition;
-allow $1_t gpg_exec_t:file { getattr read execute };
-type_transition $1_t gpg_exec_t:process $1_gpg_t;
-allow $1_t $1_gpg_t:fd use;
-allow $1_gpg_t $1_t:fd use;
-allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+	# transition from the userdomain to the derived domain
+	allow $1_t $1_gpg_t:process transition;
+	allow $1_t gpg_exec_t:file { getattr read execute };
+	type_transition $1_t gpg_exec_t:process $1_gpg_t;
+	dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };

-allow $1_gpg_t self:capability { ipc_lock setuid };
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+	allow $1_t $1_gpg_t:fd use;
+	allow $1_gpg_t $1_t:fd use;
+	allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+	allow $1_gpg_t $1_t:process sigchld;

-allow $1_gpg_t self:fifo_file { getattr read write };
-allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_t self:capability { ipc_lock setuid };
+	allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+	# setrlimit is for ulimit -c 0
+	allow $1_gpg_t self:process { setrlimit setcap };

-allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_gpg_t self:fifo_file { getattr read write };
+	allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_t)
+	allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };

-devices_get_random_data($1_gpg_t)
-devices_get_pseudorandom_data($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
+	corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
+	corenetwork_bind_udp_on_all_nodes($1_gpg_t)

-filesystem_get_persistent_filesystem_attributes($1_gpg_t)
+	devices_get_random_data($1_gpg_t)
+	devices_get_pseudorandom_data($1_gpg_t)

-files_read_general_system_config($1_gpg_t)
-files_read_general_application_resources($1_gpg_t)
+	filesystem_get_persistent_filesystem_attributes($1_gpg_t)

-libraries_use_shared_libraries($1_gpg_t)
-libraries_use_dynamic_loader($1_gpg_t)
+	files_read_general_system_config($1_gpg_t)
+	files_read_general_application_resources($1_gpg_t)

-miscfiles_read_localization($1_gpg_t)
+	libraries_use_shared_libraries($1_gpg_t)
+	libraries_use_dynamic_loader($1_gpg_t)

-logging_send_system_log_message($1_gpg_t)
+	miscfiles_read_localization($1_gpg_t)

-sysnetwork_read_network_config($1_gpg_t)
+	logging_send_system_log_message($1_gpg_t)

-# Legacy
-if (allow_gpg_execstack) {
-allow $1_gpg_t self:process execmem;
-libraries_legacy_use_shared_libraries($1_gpg_t)
-libraries_legacy_use_dynamic_loader($1_gpg_t)
-miscfiles_legacy_read_localization($1_gpg_t)
-# Not quite sure why this is needed... 
-allow $1_gpg_t gpg_exec_t:file execmod;
-}
+	sysnetwork_read_network_config($1_gpg_t)

-ifdef(`TODO',`
+	# Legacy
+	if (allow_gpg_execstack) {
+		allow $1_gpg_t self:process execmem;
+		libraries_legacy_use_shared_libraries($1_gpg_t)
+		libraries_legacy_use_dynamic_loader($1_gpg_t)
+		miscfiles_legacy_read_localization($1_gpg_t)
+		# Not quite sure why this is needed... 
+		allow $1_gpg_t gpg_exec_t:file execmod;
+	}

-can_ypbind($1_gpg_t)
+	ifdef(`TODO',`

-allow $1_t $1_gpg_secret_t:file getattr;
+	can_ypbind($1_gpg_t)

-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
+	allow $1_t $1_gpg_secret_t:file getattr;

-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
+	access_terminal($1_gpg_t, $1)
+	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
+	# Inherit and use descriptors
+	allow $1_gpg_t { privfd $1_t }:fd use;

-# should not need read access...
-allow $1_gpg_t home_root_t:dir { read search };
+	# allow ps to show gpg
+	can_ps($1_t, $1_gpg_t)

-# use $1_gpg_secret_t for files it creates
-# NB we are doing the type transition for directory creation only!
-# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
-# a file and write output to your home directory it will use user_home_t.
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+	# should not need read access...
+	allow $1_gpg_t home_root_t:dir { read search };

-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-create_dir_file($1_gpg_t, $1_home_t)
+	# use $1_gpg_secret_t for files it creates
+	# NB we are doing the type transition for directory creation only!
+	# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
+	# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
+	# a file and write output to your home directory it will use user_home_t.
+	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)

-# allow the usual access to /tmp
-file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
+	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
+	create_dir_file($1_gpg_t, $1_home_t)

-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_t, cifs_t)
-}
+	# allow the usual access to /tmp
+	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)

-rw_dir_create_file($1_gpg_t, $1_file_type)
+	if (use_nfs_home_dirs) {
+		create_dir_file($1_gpg_t, nfs_t)
+	}
+	if (use_samba_home_dirs) {
+		create_dir_file($1_gpg_t, cifs_t)
+	}

-allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+	rw_dir_create_file($1_gpg_t, $1_file_type)

-dontaudit $1_gpg_t var_t:dir search;
-') dnl end TODO
+	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;

-########################################
-#
-# GPG helper local policy
-#
+	dontaudit $1_gpg_t var_t:dir search;
+	') dnl end TODO

-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
-# mail interface you will likely need additional permissions.
+	########################################
+	#
+	# GPG helper local policy
+	#

-# transition from the gpg domain to the helper domain
-allow $1_gpg_t $1_gpg_helper_t:process transition;
-allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
-type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
-allow $1_gpg_t $1_gpg_helper_t:fd use;
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
+	# for helper programs (which automatically fetch keys)
+	# Note: this is only tested with the hkp interface. If you use eg the 
+	# mail interface you will likely need additional permissions.

-allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	# transition from the gpg domain to the helper domain
+	allow $1_gpg_t $1_gpg_helper_t:process transition;
+	allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+	type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
+	dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };

-allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_gpg_t $1_gpg_helper_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
+	allow $1_gpg_helper_t $1_gpg_t:process sigchld;

-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+	allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
+	allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };

-devices_get_pseudorandom_data($1_gpg_helper_t)
+	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;

-files_read_general_system_config($1_gpg_helper_t)
-# for nscd
-files_ignore_search_system_state_data_directory($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
+	corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
+	corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)

-libraries_use_dynamic_loader($1_gpg_helper_t)
-libraries_use_shared_libraries($1_gpg_helper_t)
+	devices_get_pseudorandom_data($1_gpg_helper_t)

-sysnetwork_read_network_config($1_gpg_helper_t)
+	files_read_general_system_config($1_gpg_helper_t)
+	# for nscd
+	files_ignore_search_system_state_data_directory($1_gpg_helper_t)

-ifdef(`TODO',`
+	libraries_use_dynamic_loader($1_gpg_helper_t)
+	libraries_use_shared_libraries($1_gpg_helper_t)

-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
+	sysnetwork_read_network_config($1_gpg_helper_t)

-# communicate with the user 
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
+	ifdef(`TODO',`

-ifdef(`xdm.te', `
-dontaudit $1_gpg_t xdm_t:fd use;
-dontaudit $1_gpg_t xdm_t:fifo_file read;
+	if (use_nfs_home_dirs) {
+		dontaudit $1_gpg_helper_t nfs_t:file { read write };
+	}
+	if (use_samba_home_dirs) {
+		dontaudit $1_gpg_helper_t cifs_t:file { read write };
+	}
+
+	# communicate with the user 
+	allow $1_gpg_helper_t $1_t:fd use;
+	allow $1_gpg_helper_t $1_t:fifo_file write;
+
+	ifdef(`xdm.te', `
+		dontaudit $1_gpg_t xdm_t:fd use;
+		dontaudit $1_gpg_t xdm_t:fifo_file read;
+	')
+	') dnl end TODO
+
+	########################################
+	#
+	# GPG agent local policy
+	#
+
+	# rlimit: gpg-agent wants to prevent coredumps
+	allow $1_gpg_agent_t self:process setrlimit;
+
+	allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_agent_t self:fifo_file { getattr read write };
+
+	allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+
+	domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
+
+	libraries_use_dynamic_loader($1_gpg_agent_t)
+	libraries_use_shared_libraries($1_gpg_agent_t)
+
+	miscfiles_read_localization($1_gpg_agent_t)
+
+	ifdef(`TODO',`
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+
+	allow $1_gpg_agent_t xdm_t:fd use;
+
+	# Write to the user domain tty.
+	access_terminal($1_gpg_agent_t, $1)
+
+	# Allow the user shell to signal the gpg-agent program.
+	allow $1_t $1_gpg_agent_t:process { signal sigkill };
+	# allow ps to show gpg-agent
+	can_ps($1_t, $1_gpg_agent_t)
+
+	allow $1_gpg_agent_t proc_t:dir search;
+	allow $1_gpg_agent_t proc_t:lnk_file read;
+
+	allow $1_gpg_agent_t device_t:dir { getattr read };
+
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
+	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
+	if (use_nfs_home_dirs) {
+		create_dir_file($1_gpg_agent_t, nfs_t)
+	}
+	if (use_samba_home_dirs) {
+		create_dir_file($1_gpg_agent_t, cifs_t)
+	}
+
+	# gpg connect
+	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+	can_unix_connect($1_gpg_t, $1_gpg_agent_t)
+	') dnl endif TODO
+
+	##############################
+	#
+	# Pinentry local policy
+	#
+
+	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+	# from the user.
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
+	allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
+	type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
+	dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
+
+	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
+
+	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+	allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+
+	# read /proc/meminfo
+	kernel_read_system_state($1_gpg_pinentry_t)
+
+	files_read_general_application_resources($1_gpg_pinentry_t)
+	# read /etc/X11/qtrc
+	files_read_general_system_config($1_gpg_pinentry_t)
+
+	libraries_use_dynamic_loader($1_gpg_pinentry_t)
+	libraries_use_shared_libraries($1_gpg_pinentry_t)
+
+	miscfiles_read_fonts($1_gpg_pinentry_t)
+	miscfiles_read_localization($1_gpg_pinentry_t)
+
+	ifdef(`TODO',`
+
+	allow $1_gpg_agent_t bin_t:dir search;
+
+	ifdef(`xdm.te', `
+		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
+		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
+		can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+		allow $1_gpg_pinentry_t xdm_t:fd use;
+	')
+
+	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+
+	# for .Xauthority
+	allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
+	allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+	# wants to put some lock files into the user home dir, seems to work fine without
+	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+
+	if (use_nfs_home_dirs) {
+		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
+		allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t nfs_t:file write;
+	}
+
+	if (use_samba_home_dirs) {
+		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+		allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t cifs_t:file write;
+	}
+
+	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
+	') dnl end TODO
 ')
-') dnl end TODO
-
-########################################
-#
-# GPG agent local policy
-#
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process setrlimit;
-
-allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
-
-libraries_use_dynamic_loader($1_gpg_agent_t)
-libraries_use_shared_libraries($1_gpg_agent_t)
-
-miscfiles_read_localization($1_gpg_agent_t)
-
-ifdef(`TODO',`
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-allow $1_gpg_agent_t xdm_t:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-allow $1_gpg_agent_t proc_t:dir search;
-allow $1_gpg_agent_t proc_t:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-') dnl endif TODO
-
-##############################
-#
-# Pinentry local policy
-#
-
-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-# from the user.
-allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
-allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
-type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
-allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
-allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
-allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-# read /proc/meminfo
-kernel_read_system_state($1_gpg_pinentry_t)
-
-files_read_general_application_resources($1_gpg_pinentry_t)
-# read /etc/X11/qtrc
-files_read_general_system_config($1_gpg_pinentry_t)
-
-libraries_use_dynamic_loader($1_gpg_pinentry_t)
-libraries_use_shared_libraries($1_gpg_pinentry_t)
-
-miscfiles_read_fonts($1_gpg_pinentry_t)
-miscfiles_read_localization($1_gpg_pinentry_t)
-
-ifdef(`TODO',`
-
-allow $1_gpg_agent_t bin_t:dir search;
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-allow $1_gpg_pinentry_t xdm_t:fd use;
-')dnl end ig xdm.te
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-') dnl end TODO
-') dnl end gpg_per_userdomain_template

--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -146,35 +146,39 @@ allow bootloader_t boot_t:file relabelfrom;
 ')

 tunable_policy(`distro_redhat', `
-# for memlock
-allow bootloader_t self:capability ipc_lock;
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-# mkinitrd mount initrd on bootloader temp dir
-files_make_mountpoint(bootloader_tmp_t)
-# for mke2fs
-mount_transition(bootloader_t)
+	# for memlock
+	allow bootloader_t self:capability ipc_lock;
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+	# mkinitrd mount initrd on bootloader temp dir
+	files_make_mountpoint(bootloader_tmp_t)
+
+	# for mke2fs
+	mount_transition(bootloader_t)
 ')

 optional_policy(`filesystemtools.te', `
-filesystemtools_execute(bootloader_t)
+	filesystemtools_execute(bootloader_t)
 ')

 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
 optional_policy(`lvm.te', `
-devices_use_lvm_control_channel(bootloader_t)
-lvm_transition(bootloader_t)
-lvm_read_config(bootloader_t)
+	devices_use_lvm_control_channel(bootloader_t)
+
+	lvm_transition(bootloader_t)
+	lvm_read_config(bootloader_t)
 ')

 optional_policy(`modutils.te',`
-modutils_insmod_execute(insmod_t)
-modutils_read_kernel_module_dependencies(bootloader_t)
-modutils_read_kernel_module_loading_config(bootloader_t)
-modutils_insmod_execute(bootloader_t)
-modutils_depmod_execute(bootloader_t)
-modutils_update_modules_execute(bootloader_t)
+	modutils_insmod_execute(insmod_t)
+	modutils_read_kernel_module_dependencies(bootloader_t)
+	modutils_read_kernel_module_loading_config(bootloader_t)
+	modutils_insmod_execute(bootloader_t)
+	modutils_depmod_execute(bootloader_t)
+	modutils_update_modules_execute(bootloader_t)
 ')

 ifdef(`TODO',`
@ -187,22 +191,23 @@ allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };

 tunable_policy(`distro_debian', `
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-allow bootloader_t tmpfs_t:dir r_dir_perms;
-allow bootloader_t initrc_var_run_t:dir r_dir_perms;
-allow bootloader_t var_lib_t:dir search;
-allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-allow bootloader_t dpkg_var_lib_t:file { getattr read };
-# for /usr/share/initrd-tools/scripts
-can_exec(bootloader_t, usr_t)
+	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+	allow bootloader_t tmpfs_t:dir r_dir_perms;
+	allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+	allow bootloader_t var_lib_t:dir search;
+	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+	allow bootloader_t dpkg_var_lib_t:file { getattr read };
+
+	# for /usr/share/initrd-tools/scripts
+	can_exec(bootloader_t, usr_t)
 ')

 tunable_policy(`distro_redhat', `
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-allow bootloader_t file_t:lnk_file create_lnk_perms;
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t file_t:dir create_dir_perms;
+	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+	allow bootloader_t file_t:lnk_file create_lnk_perms;
 ')

 dontaudit bootloader_t selinux_config_t:dir search;
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -14,14 +14,16 @@
 ## </interface>
 #
 define(`storage_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file getattr;
 ')

 define(`storage_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+	type fixed_disk_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -37,13 +39,15 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_ignore_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 fixed_disk_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')

 define(`storage_ignore_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+	type fixed_disk_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -59,14 +63,16 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_set_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file setattr;
 ')

 define(`storage_set_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file setattr;
+	type fixed_disk_device_t;
+
+	class blk_file setattr;
 ')

 ########################################
@ -84,16 +90,19 @@ class blk_file setattr;
 ## </interface>
 #
 define(`storage_raw_read_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file r_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
 ')

 define(`storage_raw_read_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+	attribute fixed_disk_raw_read;
+
+	type fixed_disk_device_t;
+
+	class blk_file r_file_perms;
 ')

 ########################################
@ -111,16 +120,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_raw_write_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+	typeattribute $1 fixed_disk_raw_write;
 ')

 define(`storage_raw_write_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+	attribute fixed_disk_raw_write;
+
+	type fixed_disk_device_t;
+
+	class blk_file { getattr write ioctl };
 ')

 ########################################
@ -135,12 +147,17 @@ class blk_file { getattr write ioctl };
 ## </interface>
 #
 define(`storage_create_fixed_disk_dev_entry',`
-requires_block_template(`$0'_depend)
-devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+	requires_block_template(`$0'_depend)
+
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')

 define(`storage_create_fixed_disk_dev_entry_depend',`
-type fixed_disk_device_t;
+	type fixed_disk_device_t;
+
+	class blk_file create_file_perms;
 ')

 ########################################
@ -155,17 +172,19 @@ type fixed_disk_device_t;
 ## </interface>
 #
 define(`storage_manage_fixed_disk',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')

 define(`storage_manage_fixed_disk_depend',`
-attribute fixed_disk_raw_read;
-attribute fixed_disk_raw_write;
-type fixed_disk_device_t;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute fixed_disk_raw_read, fixed_disk_raw_write;
+
+	type fixed_disk_device_t;
+
+	class blk_file create_file_perms;
 ')

 ########################################
@ -183,16 +202,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 ## </interface>
 #
 define(`storage_raw_read_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 lvm_vg_t:blk_file r_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
 ')

 define(`storage_raw_read_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+	attribute fixed_disk_raw_read;
+
+	type lvm_vg_t;
+
+	class blk_file r_file_perms;
 ')

 ########################################
@ -210,16 +232,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_raw_write_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+	typeattribute $1 fixed_disk_raw_write;
 ')

 define(`storage_raw_write_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+	attribute fixed_disk_raw_write;
+
+	type lvm_vg_t;
+
+	class blk_file { getattr write ioctl };
 ')

 ########################################
@ -238,16 +263,19 @@ class blk_file { getattr write ioctl };
 ## </interface>
 #
 define(`storage_read_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_read;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file r_file_perms;
+	typeattribute $1 scsi_generic_read;
 ')

 define(`storage_read_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_read;
-class blk_file { getattr read ioctl };
+	attribute scsi_generic_read;
+
+	type scsi_generic_device_t;
+
+	class blk_file r_file_perms;
 ')

 ########################################
@ -266,16 +294,19 @@ class blk_file { getattr read ioctl };
 ## </interface>
 #
 define(`storage_write_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_write;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+	typeattribute $1 scsi_generic_write;
 ')

 define(`storage_write_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_write;
-class blk_file { getattr write ioctl };
+	attribute scsi_generic_write;
+
+	type scsi_generic_device_t;
+
+	class blk_file { getattr write ioctl };
 ')

 ########################################
@ -283,14 +314,16 @@ class blk_file { getattr write ioctl };
 # storage_get_scsi_generic_attributes(domain)
 #
 define(`storage_get_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file getattr;
 ')

 define(`storage_get_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file getattr;
+	type scsi_generic_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -298,14 +331,16 @@ class blk_file getattr;
 # storage_set_scsi_generic_attributes(domain)
 #
 define(`storage_set_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file setattr;
 ')

 define(`storage_set_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file setattr;
+	type scsi_generic_device_t;
+
+	class blk_file setattr;
 ')

 ########################################
@ -321,14 +356,16 @@ class blk_file setattr;
 ## </interface>
 #
 define(`storage_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file getattr;
 ')

 define(`storage_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+	type removable_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -344,13 +381,15 @@ class blk_file getattr;
 ## </interface>
 #
 define(`storage_ignore_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 removable_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 removable_device_t:blk_file getattr;
 ')

 define(`storage_ignore_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+	type removable_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -358,14 +397,16 @@ class blk_file getattr;
 # storage_set_removable_device_attributes(domain)
 #
 define(`storage_set_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file setattr;
 ')

 define(`storage_set_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file setattr;
+	type removable_device_t;
+
+	class blk_file setattr;
 ')

 ########################################
@ -373,14 +414,16 @@ class blk_file setattr;
 # storage_raw_read_removable_device(domain)
 #
 define(`storage_raw_read_removable_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file r_file_perms;
 ')

 define(`storage_raw_read_removable_device_depend',`
-type removable_device_t;
-class blk_file { getattr read ioctl };
+	type removable_device_t;
+
+	class blk_file r_file_perms;
 ')

 ########################################
@ -388,14 +431,16 @@ class blk_file { getattr read ioctl };
 # storage_raw_write_removable_device(domain)
 #
 define(`storage_raw_write_removable_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')

 define(`storage_raw_write_removable_device_depend',`
-type removable_device_t;
-class blk_file { getattr write ioctl };
+	type removable_device_t;
+
+	class blk_file { getattr write ioctl };
 ')

 ########################################
@ -403,14 +448,16 @@ class blk_file { getattr write ioctl };
 # storage_read_tape_device(domain)
 #
 define(`storage_read_tape_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file { getattr read ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file r_file_perms;
 ')

 define(`storage_read_tape_device_depend',`
-type tape_device_t;
-class blk_file { getattr read ioctl };
+	type tape_device_t;
+
+	class blk_file r_file_perms;
 ')

 ########################################
@ -418,14 +465,16 @@ class blk_file { getattr read ioctl };
 # storage_write_tape_device(domain)
 #
 define(`storage_write_tape_device',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file { getattr write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')

 define(`storage_write_tape_device_depend',`
-type tape_device_t;
-class blk_file { getattr write ioctl };
+	type tape_device_t;
+
+	class blk_file { getattr write ioctl };
 ')

 ########################################
@ -433,14 +482,16 @@ class blk_file { getattr write ioctl };
 # storage_get_tape_device_attributes(domain)
 #
 define(`storage_get_tape_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file getattr;
 ')

 define(`storage_get_tape_device_attributes_depend',`
-type tape_device_t;
-class blk_file getattr;
+	type tape_device_t;
+
+	class blk_file getattr;
 ')

 ########################################
@ -448,14 +499,15 @@ class blk_file getattr;
 # storage_set_tape_device_attributes(domain)
 #
 define(`storage_set_tape_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tape_device_t:blk_file setattr;
 ')

 define(`storage_set_tape_device_attributes_depend',`
-type tape_device_t;
-class blk_file setattr;
+	type tape_device_t;
+	class blk_file setattr;
 ')

 ## </module>
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -6,15 +6,18 @@
 # terminal_make_pseudoterminal(type)
 #
 define(`terminal_make_pseudoterminal',`
-requires_block_template(`$0'_depend)
-allow $1 devpts_t:filesystem associate;
-typeattribute $1 ptynode;
+	requires_block_template(`$0'_depend)
+
+	allow $1 devpts_t:filesystem associate;
+	typeattribute $1 ptynode;
 ')

 define(`terminal_make_pseudoterminal_depend',`
-attribute ptynode;
-type devpts_t;
-class filesystem associate;
+	attribute ptynode;
+
+	type devpts_t;
+
+	class filesystem associate;
 ')

 ########################################
@ -22,13 +25,14 @@ class filesystem associate;
 # terminal_make_user_pseudoterminal(domain,type)
 #
 define(`terminal_make_user_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_make_pseudoterminal($1)
-type_change $1 server_ptynode:chr_file $2;
+	requires_block_template(`$0'_depend)
+
+	terminal_make_pseudoterminal($1)
+	type_change $1 server_ptynode:chr_file $2;
 ')

 define(`terminal_make_user_pseudoterminal_depend',`
-attribute server_ptynode;
+	attribute server_ptynode;
 ')

 ########################################
@ -36,13 +40,14 @@ attribute server_ptynode;
 # terminal_make_service_pseudoterminal(type)
 #
 define(`terminal_make_service_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_make_pseudoterminal($1)
-typeattribute $1 server_ptynode;
+	requires_block_template(`$0'_depend)
+
+	terminal_make_pseudoterminal($1)
+	typeattribute $1 server_ptynode;
 ')

 define(`terminal_make_service_pseudoterminal_depend',`
-attribute server_ptynode;
+	attribute server_ptynode;
 ')

 ########################################
@ -50,22 +55,26 @@ attribute server_ptynode;
 # terminal_make_physical_terminal(domain,type)
 #
 define(`terminal_make_physical_terminal',`
-requires_block_template(`$0'_depend)
-typeattribute $2 ttynode;
-type_change $1 tty_device_t:chr_file $2;
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-tunable_policy(`distro_debian',`
-type_change $1 ttyfile:chr_file $2;
-')
-tunable_policy(`distro_redhat',`
-filesystem_tmpfs_associate($2)
-')
+	requires_block_template(`$0'_depend)
+
+	typeattribute $2 ttynode;
+	type_change $1 tty_device_t:chr_file $2;
+
+	# Debian login is from shadow utils and does not allow resetting the perms.
+	# have to fix this!
+	tunable_policy(`distro_debian',`
+		type_change $1 ttyfile:chr_file $2;
+	')
+
+	tunable_policy(`distro_redhat',`
+		filesystem_tmpfs_associate($2)
+	')
 ')

 define(`terminal_make_physical_terminal_depend',`
-attribute ttynode;
-type tty_device_t;
+	attribute ttynode;
+
+	type tty_device_t;
 ')

 ########################################
@ -73,20 +82,22 @@ type tty_device_t;
 # terminal_create_private_pseudoterminal(domain,ptytype)
 #
 define(`terminal_create_private_pseudoterminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ptmx_t:chr_file { getattr read write };
-allow $1 devpts_t:dir { getattr search read };
-allow $1 devpts_t:filesystem getattr;
-dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
-type_transition $1 devpts_t:chr_file $2;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ptmx_t:chr_file { getattr read write };
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:filesystem getattr;
+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
+	type_transition $1 devpts_t:chr_file $2;
 ')

 define(`terminal_create_pseudoterminal_depend',`
-type ptmx_t, devpts_t;
-class filesystem getattr;
-class dir { getattr search read };
-class chr_file { getattr read write };
+	type ptmx_t, devpts_t;
+
+	class filesystem getattr;
+	class dir r_dir_perms;
+	class chr_file { getattr read write };
 ')

 ########################################
@ -94,17 +105,20 @@ class chr_file { getattr read write };
 # terminal_use_all_terminals(domain)
 #
 define(`terminal_use_all_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
 ')

 define(`terminal_use_all_terminals_depend',`
-attribute ttynode, ptynode;
-type console_device_t, devpts_t, tty_device_t;
-class dir r_dir_perms;
-class chr_file rw_file_perms;
+	attribute ttynode, ptynode;
+
+	type console_device_t, devpts_t, tty_device_t;
+
+	class dir r_dir_perms;
+	class chr_file rw_file_perms;
 ')

 ########################################
@ -142,14 +156,16 @@ define(`terminal_use_console_depend',`
 ## </interface>
 #
 define(`terminal_use_console',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 console_device_t:chr_file rw_file_perms;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file rw_file_perms;
 ')

 define(`terminal_use_console_depend',`
-type console_device_t;
-class chr_file rw_file_perms;
+	type console_device_t;
+
+	class chr_file rw_file_perms;
 ')

 ########################################
@ -164,13 +180,15 @@ class chr_file rw_file_perms;
 ## </interface>
 #
 define(`terminal_ignore_use_console',`
-requires_block_template(`$0'_depend)
-dontaudit $1 console_device_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 console_device_t:chr_file { read write };
 ')

 define(`terminal_ignore_use_console_depend',`
-type console_device_t;
-class chr_file { read write };
+	type console_device_t;
+
+	class chr_file { read write };
 ')

 ########################################
@ -178,15 +196,16 @@ class chr_file { read write };
 # terminal_set_console_attributes(domain)
 #
 define(`terminal_set_console_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
-allow $1 console_device_t:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file setattr;
 ')

 define(`terminal_set_console_attributes_depend',`
-type console_device_t;
-class chr_file setattr;
-devices_list_device_nodes_depend
+	type console_device_t;
+
+	class chr_file setattr;
 ')

 ########################################
@ -194,15 +213,16 @@ devices_list_device_nodes_depend
 # terminal_list_pseudoterminals(domain)
 #
 define(`terminal_list_pseudoterminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
 ')

 define(`terminal_list_pseudoterminals_depend',`
-type devpts_t;
-class dir { getattr search read };
-devices_list_device_nodes_depend
+	type devpts_t;
+
+	class dir r_dir_perms;
 ')

 ########################################
@ -210,13 +230,15 @@ devices_list_device_nodes_depend
 # terminal_ignore_list_pseudoterminals(domain)
 #
 define(`terminal_ignore_list_pseudoterminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 devpts_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 devpts_t:dir { getattr search read };
 ')

 define(`terminal_ignore_list_pseudoterminals_depend',`
-type devpts_t;
-class dir { getattr search read };
+	type devpts_t;
+
+	class dir { getattr search read };
 ')

 ########################################
@ -224,14 +246,16 @@ class dir { getattr search read };
 # terminal_use_general_pseudoterminal(domain)
 #
 define(`terminal_use_general_pseudoterminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:chr_file { read write };
 ')

 define(`terminal_use_general_pseudoterminal_depend',`
-type devpts_t;
-class chr_file { read write };
+	type devpts_t;
+
+	class chr_file { read write };
 ')

 ########################################
@ -239,13 +263,15 @@ class chr_file { read write };
 # terminal_ignore_use_general_pseudoterminal(domain)
 #
 define(`terminal_ignore_use_general_pseudoterminal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 devpts_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 devpts_t:chr_file { read write };
 ')

 define(`terminal_ignore_use_general_pseudoterminal_depend',`
-type devpts_t;
-class chr_file { read write };
+	type devpts_t;
+
+	class chr_file { read write };
 ')

 ########################################
@ -253,14 +279,16 @@ class chr_file { read write };
 # terminal_use_controlling_terminal(domain)
 #
 define(`terminal_use_controlling_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devtty_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devtty_t:chr_file { getattr read write ioctl };
 ')

 define(`terminal_use_controlling_terminal_depend',`
-type devtty_t;
-class chr_file { getattr read write ioctl };
+	type devtty_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -268,13 +296,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_pseudoterminal_multiplexer(domain)
 #
 define(`terminal_ignore_use_pseudoterminal_multiplexer',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ptmx_t:chr_file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ptmx_t:chr_file { getattr read write };
 ')

 define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
-type ptmx_t;
-class chr_file { getattr read write };
+	type ptmx_t;
+
+	class chr_file { getattr read write };
 ')

 ########################################
@ -282,16 +312,18 @@ class chr_file { getattr read write };
 # terminal_get_all_private_pseudoterminal_attributes(domain)
 #
 define(`terminal_get_all_private_pseudoterminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
-allow $1 ptynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file getattr;
 ')

 define(`terminal_get_all_private_pseudoterminal_attributes_depend',`
-attribute ptynode;
-class dir { getattr search read };
-class chr_file getattr;
+	attribute ptynode;
+
+	class dir r_dir_perms;
+	class chr_file getattr;
 ')

 ########################################
@ -299,16 +331,18 @@ class chr_file getattr;
 # terminal_use_all_private_pseudoterminals(domain)
 #
 define(`terminal_use_all_private_pseudoterminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr read search };
-allow $1 ptynode:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file { getattr read write ioctl };
 ')

 define(`terminal_use_all_private_pseudoterminals_depend',`
-attribute ptynode;
-class dir { getattr search read };
-class chr_file { getattr read write ioctl };
+	attribute ptynode;
+
+	class dir r_dir_perms;
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -316,13 +350,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_all_private_pseudoterminals(domain)
 #
 define(`terminal_ignore_use_all_private_pseudoterminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ptynode:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ptynode:chr_file { read write };
 ')

 define(`terminal_ignore_use_all_private_pseudoterminals_depend',`
-attribute ptynode;
-class chr_file { read write };
+	attribute ptynode;
+
+	class chr_file { read write };
 ')

 ########################################
@ -330,14 +366,16 @@ class chr_file { read write };
 # terminal_get_general_physical_terminal_attributes(domain)
 #
 define(`terminal_get_general_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file getattr;
 ')

 define(`terminal_get_general_physical_terminal_attributes_depend',`
-type tty_device_t;
-class chr_file getattr;
+	type tty_device_t;
+
+	class chr_file getattr;
 ')

 ########################################
@ -345,14 +383,16 @@ class chr_file getattr;
 # terminal_set_general_physical_terminal_attributes(domain)
 #
 define(`terminal_set_general_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file setattr;
 ')

 define(`terminal_set_general_physical_terminal_attributes_depend',`
-type tty_device_t;
-class chr_file setattr;
+	type tty_device_t;
+
+	class chr_file setattr;
 ')

 ########################################
@ -360,14 +400,16 @@ class chr_file setattr;
 # terminal_relabel_general_physical_terminal(domain)
 #
 define(`terminal_relabel_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
 ')

 define(`terminal_relabel_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { relabelfrom relabelto };
+	type tty_device_t;
+
+	class chr_file { relabelfrom relabelto };
 ')

 ########################################
@ -375,16 +417,18 @@ class chr_file { relabelfrom relabelto };
 # terminal_reset_physical_terminal_labels(domain)
 #
 define(`terminal_reset_physical_terminal_labels',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file relabelfrom;
-allow $1 tty_device_t:chr_file relabelto;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file relabelfrom;
+	allow $1 tty_device_t:chr_file relabelto;
 ')

 define(`terminal_reset_physical_terminal_labels_depend',`
-attribute ttynode;
-type tty_device_t;
-class chr_file { relabelfrom relabelto };
+	attribute ttynode;
+
+	type tty_device_t;
+	class chr_file { relabelfrom relabelto };
 ')

 ########################################
@ -400,14 +444,16 @@ class chr_file { relabelfrom relabelto };
 ## </interface>
 #
 define(`terminal_write_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr write };
 ')

 define(`terminal_write_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { read write };
+	type tty_device_t;
+
+	class chr_file { getattr write };
 ')

 ########################################
@ -415,14 +461,16 @@ class chr_file { read write };
 # terminal_use_general_physical_terminal(domain)
 #
 define(`terminal_use_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr read write ioctl };
 ')

 define(`terminal_use_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { getattr read write ioctl };
+	type tty_device_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -430,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_general_physical_terminal(domain)
 #
 define(`terminal_ignore_use_general_physical_terminal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 tty_device_t:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 tty_device_t:chr_file { read write };
 ')

 define(`terminal_ignore_use_general_physical_terminal_depend',`
-type tty_device_t;
-class chr_file { read write };
+	type tty_device_t;
+
+	class chr_file { read write };
 ')

 ########################################
@ -444,14 +494,16 @@ class chr_file { read write };
 # terminal_get_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_get_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file getattr;
 ')

 define(`terminal_get_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
+	attribute ttynode;
+
+	class chr_file getattr;
 ')

 ########################################
@ -459,14 +511,16 @@ class chr_file getattr;
 # terminal_set_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_set_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file setattr;
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file setattr;
 ')

 define(`terminal_set_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file setattr;
+	attribute ttynode;
+
+	class chr_file setattr;
 ')

 ########################################
@ -474,13 +528,15 @@ class chr_file setattr;
 # terminal_ignore_get_all_private_physical_terminal_attributes(domain)
 #
 define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ttynode:chr_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ttynode:chr_file getattr;
 ')

 define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
+	attribute ttynode;
+
+	class chr_file getattr;
 ')

 ########################################
@ -488,14 +544,16 @@ class chr_file getattr;
 # terminal_relabel_all_private_physical_terminals(domain)
 #
 define(`terminal_relabel_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { relabelfrom relabelto };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { relabelfrom relabelto };
 ')

 define(`terminal_relabel_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { relabelfrom relabelto };
+	attribute ttynode;
+
+	class chr_file { relabelfrom relabelto };
 ')

 ########################################
@ -511,14 +569,16 @@ class chr_file { relabelfrom relabelto };
 ## </interface>
 #
 define(`terminal_write_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { getattr write };
 ')

 define(`terminal_write_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { getattr write };
+	attribute ttynode;
+
+	class chr_file { getattr write };
 ')

 ########################################
@ -526,14 +586,16 @@ class chr_file { getattr write };
 # terminal_use_all_private_physical_terminals(domain)
 #
 define(`terminal_use_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 ttynode:chr_file { getattr read write ioctl };
 ')

 define(`terminal_use_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { getattr read write ioctl };
+	attribute ttynode;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -541,13 +603,15 @@ class chr_file { getattr read write ioctl };
 # terminal_ignore_use_all_private_physical_terminals(domain)
 #
 define(`terminal_ignore_use_all_private_physical_terminals',`
-requires_block_template(`$0'_depend)
-dontaudit $1 ttynode:chr_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 ttynode:chr_file { read write };
 ')

 define(`terminal_ignore_use_all_private_physical_terminals_depend',`
-attribute ttynode;
-class chr_file { read write };
+	attribute ttynode;
+
+	class chr_file { read write };
 ')

 ## </module>
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -6,215 +6,210 @@

 define(`cron_per_userdomain_template',`

-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t;
-files_make_file($1_cron_spool_t)
+	# Type of user crontabs once moved to cron spool.
+	type $1_cron_spool_t;
+	files_make_file($1_cron_spool_t)

-type $1_crond_t; # user_crond_domain;
-domain_make_domain($1_crond_t);
-corecommands_make_shell_entrypoint($1_crond_t)
-role $1_r types $1_crond_t;
+	type $1_crond_t; # user_crond_domain;
+	domain_make_domain($1_crond_t);
+	corecommands_make_shell_entrypoint($1_crond_t)
+	role $1_r types $1_crond_t;

-type $1_crontab_t;
-domain_make_domain($1_crontab_t)
-domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
-role $1_r types $1_crontab_t;
+	type $1_crontab_t;
+	domain_make_domain($1_crontab_t)
+	domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
+	role $1_r types $1_crontab_t;

-##############################
-#
-# $1_crond_t local policy
-#
+	##############################
+	#
+	# $1_crond_t local policy
+	#

-allow $1_crond_t self:capability dac_override;
-allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
-allow $1_crond_t self:fifo_file { read getattr write append };
-allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1_crond_t self:capability dac_override;
+	allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
+	allow $1_crond_t self:fifo_file { read getattr write append };
+	allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };

-# The entrypoint interface is not used as this is not
-# a regular entrypoint.  Since crontab files are
-# not directly executed, crond must ensure that
-# the crontab file has a type that is appropriate
-# for the domain of the user cron job.  It
-# performs an entrypoint permission check
-# for this purpose.
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
+	# The entrypoint interface is not used as this is not
+	# a regular entrypoint.  Since crontab files are
+	# not directly executed, crond must ensure that
+	# the crontab file has a type that is appropriate
+	# for the domain of the user cron job.  It
+	# performs an entrypoint permission check
+	# for this purpose.
+	allow $1_crond_t $1_cron_spool_t:file entrypoint;

-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via setexeccon.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-allow crond_t $1_crond_t:process transition;
-dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-allow crond_t $1_crond_t:fd use;
-allow $1_crond_t crond_t:fd use;
-allow $1_crond_t crond_t:fifo_file rw_file_perms;
-allow $1_crond_t crond_t:process sigchld;
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t $1_crond_t:process transition;
+	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
+	allow crond_t $1_crond_t:fd use;
+	allow $1_crond_t crond_t:fd use;
+	allow $1_crond_t crond_t:fifo_file rw_file_perms;
+	allow $1_crond_t crond_t:process sigchld;

-kernel_read_system_state($1_crond_t)
-kernel_read_kernel_sysctl($1_crond_t)
+	kernel_read_system_state($1_crond_t)
+	kernel_read_kernel_sysctl($1_crond_t)

-# ps does not need to access /boot when run from cron
-bootloader_ignore_search_bootloader_data_directory($1_crond_t)
+	# ps does not need to access /boot when run from cron
+	bootloader_ignore_search_bootloader_data_directory($1_crond_t)

-corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
-corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
-corenetwork_bind_tcp_on_all_nodes($1_crond_t)
-corenetwork_bind_udp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
+	corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
+	corenetwork_bind_tcp_on_all_nodes($1_crond_t)
+	corenetwork_bind_udp_on_all_nodes($1_crond_t)

-devices_get_pseudorandom_data($1_crond_t)
+	devices_get_pseudorandom_data($1_crond_t)

-filesystem_get_all_filesystems_attributes($1_crond_t)
+	filesystem_get_all_filesystems_attributes($1_crond_t)

-domain_execute_all_entrypoint_programs($1_crond_t)
+	domain_execute_all_entrypoint_programs($1_crond_t)

-files_read_general_application_resources($1_crond_t)
-files_execute_system_config_script($1_crond_t)
-# for nscd:
-files_ignore_search_runtime_data_directory($1_crond_t)
+	files_read_general_application_resources($1_crond_t)
+	files_execute_system_config_script($1_crond_t)
+	# for nscd:
+	files_ignore_search_runtime_data_directory($1_crond_t)

-corecommands_execute_general_programs($1_crond_t)
-corecommands_execute_system_programs($1_crond_t)
+	corecommands_execute_general_programs($1_crond_t)
+	corecommands_execute_system_programs($1_crond_t)

-libraries_use_dynamic_loader($1_crond_t)
-libraries_use_shared_libraries($1_crond_t)
-libraries_execute_library_scripts($1_crond_t)
-libraries_execute_dynamic_loader($1_crond_t)
+	libraries_use_dynamic_loader($1_crond_t)
+	libraries_use_shared_libraries($1_crond_t)
+	libraries_execute_library_scripts($1_crond_t)
+	libraries_execute_dynamic_loader($1_crond_t)

-files_read_runtime_system_config($1_crond_t)
+	files_read_runtime_system_config($1_crond_t)

-logging_search_system_log_directory($1_crond_t)
+	logging_search_system_log_directory($1_crond_t)

-selinux_read_config($1_crond_t)
+	selinux_read_config($1_crond_t)

-miscfiles_read_localization($1_crond_t)
+	miscfiles_read_localization($1_crond_t)

-tunable_policy(`fcron_crond', `
-allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-')
+	tunable_policy(`fcron_crond', `
+		allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	')

-ifdef(`TODO',`
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
+	ifdef(`TODO',`
+	# Access user files and dirs.
+	allow $1_crond_t home_root_t:dir search;
+	file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)

-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
+	# Run scripts in user home directory and access shared libs.
+	can_exec($1_crond_t, $1_home_t)

-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
+	file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)

-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+	ifdef(`mta.te', `
+		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
+		allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };

-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
+		# $1_mail_t should only be reading from the cron fifo not needing to write
+		dontaudit $1_mail_t crond_t:fifo_file write;
+		allow mta_user_agent $1_crond_t:fd use;
+	')

-# This domain is granted permissions common to most domains.
-can_ypbind($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
+	# This domain is granted permissions common to most domains.
+	can_ypbind($1_crond_t)
+	allow $1_crond_t var_spool_t:dir search;
+	allow $1_crond_t var_t:dir r_dir_perms;
+	allow $1_crond_t var_t:file { getattr read ioctl };

-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-') dnl endif TODO
+	# quiet other ps operations
+	dontaudit $1_crond_t domain:dir { getattr search };
+	') dnl endif TODO

-##############################
-#
-# $1_crontab_t local policy
-#
+	##############################
+	#
+	# $1_crontab_t local policy
+	#

-# for ^Z
-allow $1_t $1_crontab_t:process signal;
+	# for ^Z
+	allow $1_t $1_crontab_t:process signal;

-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file { getattr read };
+	# Allow crond to read those crontabs in cron spool.
+	allow crond_t $1_cron_spool_t:file { getattr read };

-# dac_override is to create the file in the directory under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-allow $1_crontab_t self:process { sigkill sigstop signull signal };
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+	allow $1_crontab_t self:process { sigkill sigstop signull signal };

-# create files in /var/spool/cron
-allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
-type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+	# create files in /var/spool/cron
+	allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+	type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;

-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
+	# crontab signals crond by updating the mtime on the spooldir
+	allow $1_crontab_t cron_spool_t:dir setattr;

-allow $1_crontab_t crond_log_t:file { getattr read append };
+	allow $1_crontab_t crond_log_t:file { getattr read append };

-filesystem_get_persistent_filesystem_attributes($1_crontab_t)
+	filesystem_get_persistent_filesystem_attributes($1_crontab_t)

-domain_use_widely_inheritable_file_descriptors($1_crontab_t)
+	domain_use_widely_inheritable_file_descriptors($1_crontab_t)

-files_read_general_system_config($1_crontab_t)
+	files_read_general_system_config($1_crontab_t)

-libraries_use_dynamic_loader($1_crontab_t)
-libraries_use_shared_libraries($1_crontab_t)
+	libraries_use_dynamic_loader($1_crontab_t)
+	libraries_use_shared_libraries($1_crontab_t)

-logging_send_system_log_message($1_crontab_t)
+	logging_send_system_log_message($1_crontab_t)

-miscfiles_read_localization($1_crontab_t)
+	miscfiles_read_localization($1_crontab_t)

-ifdef(`TODO',`
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		dontaudit $1_crontab_t crond_t:process signal;
+	')

-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+	ifdef(`TODO',`

-can_ps($1_t, $1_crontab_t)
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)

-dontaudit $1_crontab_t proc_t:dir search;
-dontaudit $1_crontab_t selinux_config_t:dir search;
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
+	can_ps($1_t, $1_crontab_t)

-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
+	dontaudit $1_crontab_t proc_t:dir search;
+	dontaudit $1_crontab_t selinux_config_t:dir search;
+	# for the checks used by crontab -u
+	dontaudit $1_crontab_t security_t:dir search;

-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+	# Type for temporary files.
+	file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })

-tunable_policy(`fcron_crond', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t self:process setfscreate;
-kernel_get_selinuxfs_mount_point($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
+	# Use the type when creating files in /var/spool/cron.
+	allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };

-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
+	# Run helper programs as $1_t
+	allow $1_crontab_t { bin_t sbin_t }:dir search;
+	allow $1_crontab_t bin_t:lnk_file read;
+	domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)

-# Read user crontabs 
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-allow $1_crontab_t $1_home_t:file r_file_perms;  
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
+	# Read user crontabs 
+	allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
+	allow $1_crontab_t $1_home_t:file r_file_perms;  
+	dontaudit $1_crontab_t $1_home_dir_t:dir write;

-# Access terminals.
-allow $1_crontab_t devpts_t:dir { read search getattr };
-allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
-allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
+	# Access terminals.
+	allow $1_crontab_t devpts_t:dir { read search getattr };
+	allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };

-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')

-dontaudit $1_crontab_t var_run_t:dir search;
-') dnl endif TODO
+	dontaudit $1_crontab_t var_run_t:dir search;
+	') dnl endif TODO
 ')

 ########################################
@ -223,19 +218,25 @@ dontaudit $1_crontab_t var_run_t:dir search;
 #

 define(`cron_admin_template',`
+	logging_read_system_logs($1_crond_t)

-logging_read_system_logs($1_crond_t)
+	# Allow our crontab domain to unlink a user cron spool file.
+	#allow $1_crontab_t user_cron_spool_t:file unlink;

-# Allow our crontab domain to unlink a user cron spool file.
-#allow $1_crontab_t user_cron_spool_t:file unlink;
+	# Manipulate other users crontab.
+	kernel_get_selinuxfs_mount_point($1_crontab_t)
+	kernel_validate_selinux_context($1_crontab_t)
+	kernel_compute_selinux_access_vector($1_crontab_t)
+	kernel_compute_selinux_create_context($1_crontab_t)
+	kernel_compute_selinux_relabel_context($1_crontab_t)
+	kernel_compute_selinux_reachable_user_contexts($1_crontab_t)

-# Manipulate other users crontab.
-kernel_get_selinuxfs_mount_point($1_crontab_t)
-kernel_validate_selinux_context($1_crontab_t)
-kernel_compute_selinux_access_vector($1_crontab_t)
-kernel_compute_selinux_create_context($1_crontab_t)
-kernel_compute_selinux_relabel_context($1_crontab_t)
-kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		allow $1_crontab_t self:process setfscreate;
+		kernel_get_selinuxfs_mount_point($1_crontab_t)
+	')
 ')

 ########################################
@ -243,11 +244,13 @@ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 # cron_modify_log(domain)
 #
 define(`cron_modify_log',`
-requires_block_template(`$0'_depend)
-allow $1 crond_log_t:file { getattr read write ioctl lock append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 crond_log_t:file { getattr read write ioctl lock append };
 ')

 define(`cron_modify_log_depend',`
-type crond_log_t;
-class file rw_file_perms;
+	type crond_log_t;
+
+	class file rw_file_perms;
 ')
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -121,17 +121,17 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)

 tunable_policy(`fcron_crond', `
-allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(crond_t)
-terminal_ignore_use_general_pseudoterminal(crond_t)
-files_ignore_read_rootfs_file(crond_t)
+	terminal_ignore_use_general_physical_terminal(crond_t)
+	terminal_ignore_use_general_pseudoterminal(crond_t)
+	files_ignore_read_rootfs_file(crond_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(crond_t)
+	udev_read_database(crond_t)
 ')

 ifdef(`TODO',`
@ -293,15 +293,15 @@ miscfiles_manage_man_page_cache(system_crond_t)
 selinux_read_config(system_crond_t)

 if (cron_can_relabel) {
-selinux_setfiles_transition(system_crond_t)
+	selinux_setfiles_transition(system_crond_t)
 } else {
-kernel_get_selinuxfs_mount_point(system_crond_t)
-kernel_validate_selinux_context(system_crond_t)
-kernel_compute_selinux_access_vector(system_crond_t)
-kernel_compute_selinux_create_context(system_crond_t)
-kernel_compute_selinux_relabel_context(system_crond_t)
-kernel_compute_selinux_reachable_user_contexts(system_crond_t)
-selinux_read_file_contexts(system_crond_t)
+	kernel_get_selinuxfs_mount_point(system_crond_t)
+	kernel_validate_selinux_context(system_crond_t)
+	kernel_compute_selinux_access_vector(system_crond_t)
+	kernel_compute_selinux_create_context(system_crond_t)
+	kernel_compute_selinux_relabel_context(system_crond_t)
+	kernel_compute_selinux_reachable_user_contexts(system_crond_t)
+	selinux_read_file_contexts(system_crond_t)
 }

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -8,133 +8,135 @@
 # mta_per_userdomain_template(userdomain_prefix)
 #
 define(`mta_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)

-type $1_mail_t; # , user_mail_domain, nscd_client_domain;
-domain_make_domain($1_mail_t)
-role $1_r types $1_mail_t;
+	type $1_mail_t; # , user_mail_domain, nscd_client_domain;
+	domain_make_domain($1_mail_t)
+	role $1_r types $1_mail_t;

-type $1_mail_tmp_t;
-files_make_temporary_file($1_mail_tmp_t)
+	type $1_mail_tmp_t;
+	files_make_temporary_file($1_mail_tmp_t)

-##############################
-#
-# $1_mail_t local policy
-#
+	##############################
+	#
+	# $1_mail_t local policy
+	#

-allow $1_mail_t self:capability { setuid setgid chown };
-allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+	allow $1_mail_t self:capability { setuid setgid chown };
+	allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };

-# tcp networking
-allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	# tcp networking
+	allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };

-# re-exec itself
-allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+	# re-exec itself
+	allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+	allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };

-# Transition from the user domain to the derived domain.
-allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-allow $1_t $1_mail_t:process transition;
-type_transition $1_t sendmail_exec_t:process $1_mail_t;
-allow $1_t $1_mail_t:fd use;
-allow $1_mail_t $1_t:fd use;
-allow $1_mail_t $1_t:fifo_file rw_file_perms;
-allow $1_mail_t $1_t:process sigchld;
+	# Transition from the user domain to the derived domain.
+	allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+	allow $1_t sendmail_exec_t:lnk_file { getattr read };
+	allow $1_t $1_mail_t:process transition;
+	type_transition $1_t sendmail_exec_t:process $1_mail_t;
+	dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };

-kernel_read_kernel_sysctl($1_mail_t)
+	allow $1_t $1_mail_t:fd use;
+	allow $1_mail_t $1_t:fd use;
+	allow $1_mail_t $1_t:fifo_file rw_file_perms;
+	allow $1_mail_t $1_t:process sigchld;

-corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
-corenetwork_bind_tcp_on_all_nodes($1_mail_t)
+	kernel_read_kernel_sysctl($1_mail_t)

-domain_use_widely_inheritable_file_descriptors($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
+	corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
+	corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
+	corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
+	corenetwork_bind_tcp_on_all_nodes($1_mail_t)

-libraries_use_dynamic_loader($1_mail_t)
-libraries_use_shared_libraries($1_mail_t)
+	domain_use_widely_inheritable_file_descriptors($1_mail_t)

-corecommands_execute_general_programs($1_mail_t)
+	libraries_use_dynamic_loader($1_mail_t)
+	libraries_use_shared_libraries($1_mail_t)

-files_read_general_system_config($1_mail_t)
+	corecommands_execute_general_programs($1_mail_t)

-logging_send_system_log_message($1_mail_t)
+	files_read_general_system_config($1_mail_t)

-miscfiles_read_localization($1_mail_t)
+	logging_send_system_log_message($1_mail_t)

-sysnetwork_read_network_config($1_mail_t)
+	miscfiles_read_localization($1_mail_t)

-tunable_policy(`use_dns',`
-allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
-corenetwork_bind_udp_on_all_nodes($1_mail_t)
-corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
-')
+	sysnetwork_read_network_config($1_mail_t)

-optional_policy(`procmail.te',`
-procmail_execute($1_mail_t)
-')
+	tunable_policy(`use_dns',`
+		allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
+		corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
+		corenetwork_bind_udp_on_all_nodes($1_mail_t)
+		corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
+	')

-ifdef(`TODO',`
+	optional_policy(`procmail.te',`
+		procmail_execute($1_mail_t)
+	')

-can_ypbind($1_mail_t)
+	ifdef(`TODO',`

-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t sbin_t:dir search;
+	can_ypbind($1_mail_t)

-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
+	allow $1_mail_t device_t:dir search;
+	allow $1_mail_t { var_t var_spool_t }:dir search;
+	allow $1_mail_t sbin_t:dir search;

-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
+	# It wants to check for nscd
+	dontaudit $1_mail_t var_run_t:dir search;

-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
+	# For when the user wants to send mail via port 25 localhost
+	can_tcp_connect($1_t, mail_server_domain)

-allow mta_user_agent $1_tmp_t:file { read getattr };
+	# Read user temporary files.
+	allow $1_mail_t $1_tmp_t:file r_file_perms;
+	dontaudit $1_mail_t $1_tmp_t:file append;
+	ifdef(`postfix.te', `
+		# postfix seems to need write access if the file handle is opened read/write
+		allow $1_mail_t $1_tmp_t:file write;
+	')

-# Write to the user domain tty.
-allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
-allow mta_user_agent devpts_t:dir { read search getattr };
-allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent $1_tmp_t:file { read getattr };

-allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
-allow $1_mail_t devpts_t:dir { read search getattr };
-allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+	# Write to the user domain tty.
+	allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent devpts_t:dir { read search getattr };
+	allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };

-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+	allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
+	allow $1_mail_t devpts_t:dir { read search getattr };
+	allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };

-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')

-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
+	# Create dead.letter in user home directories.
+	file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)

-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
+	if (use_samba_home_dirs) {
+		rw_dir_create_file($1_mail_t, cifs_t)
+	}

-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+	# if you do not want to allow dead.letter then use the following instead
+	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+	#allow $1_mail_t $1_home_t:file r_file_perms;

-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
+	# for reading .forward - maybe we need a new type for it?
+	# also for delivering mail to maildir
+	file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)

-') dnl end TODO
+	ifdef(`qmail.te', `
+		allow $1_mail_t qmail_etc_t:dir search;
+		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+	')
+
+	') dnl end TODO
 ')

 define(`mta_per_userdomain_template_depend',`
@ -146,13 +148,14 @@ define(`mta_per_userdomain_template_depend',`
 # mta_make_mailserver_domain(domain,entrypointtype)
 #
 define(`mta_make_mailserver_domain',`
-requires_block_template(`$0'_depend)
-init_make_daemon_domain($1,$2)
-typeattribute $1 mailserver_domain;
+	requires_block_template(`$0'_depend)
+
+	init_make_daemon_domain($1,$2)
+	typeattribute $1 mailserver_domain;
 ')

 define(`mta_make_mailserver_domain_depend',`
-attribute mailserver_domain;
+	attribute mailserver_domain;
 ')

 #######################################
@ -160,12 +163,13 @@ attribute mailserver_domain;
 # mta_make_sendmail_mailserver_domain(domain,entrypointtype)
 #
 define(`mta_make_sendmail_mailserver_domain',`
-requires_block_template(`$0'_depend)
-mta_make_mailserver_domain($1,sendmail_exec_t)
+	requires_block_template(`$0'_depend)
+
+	mta_make_mailserver_domain($1,sendmail_exec_t)
 ')

 define(`mta_make_sendmail_mailserver_domain_depend',`
-type sendmail_exec_t;
+	type sendmail_exec_t;
 ')

 #######################################
@ -173,25 +177,28 @@ type sendmail_exec_t;
 # mta_send_mail(domain)
 #
 define(`mta_send_mail',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:lnk_file { getattr read };
-allow $1 sendmail_exec_t:file { getattr read execute };
-allow $1 system_mail_t:process transition;
-type_transition $1 sendmail_exec_t:process system_mail_t;
-dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
-allow $1 system_mail_t:fd use;
-allow system_mail_t $1:fd use;
-allow system_mail_t $1:fifo_file rw_file_perms;
-allow system_mail_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sendmail_exec_t:lnk_file { getattr read };
+	allow $1 sendmail_exec_t:file { getattr read execute };
+	allow $1 system_mail_t:process transition;
+	type_transition $1 sendmail_exec_t:process system_mail_t;
+	dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 system_mail_t:fd use;
+	allow system_mail_t $1:fd use;
+	allow system_mail_t $1:fifo_file rw_file_perms;
+	allow system_mail_t $1:process sigchld;
 ')

 define(`mta_send_mail_depend',`
-type system_mail_t, sendmail_exec_t;
-class file { getattr read execute };
-class lnk_file { getattr read };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file { ioctl read getattr lock write append };
+	type system_mail_t, sendmail_exec_t;
+
+	class file { getattr read execute };
+	class lnk_file { getattr read };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -199,13 +206,15 @@ class fifo_file { ioctl read getattr lock write append };
 # mta_execute(domain)
 #
 define(`mta_execute',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`mta_execute_depend',`
-type sendmail_exec_t;
-class file { getattr read execute execute_no_trans };
+	type sendmail_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -220,13 +229,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`mta_read_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow $1 etc_aliases_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 etc_aliases_t:file { getattr read };
 ')

 define(`mta_read_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read };
+	type etc_aliases_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -234,13 +245,15 @@ class file { getattr read };
 # mta_modify_mail_aliases(domain)
 #
 define(`mta_modify_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+	requires_block_template(`$0'_depend)
+
+	allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
 ')

 define(`mta_modify_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read write append setattr };
+	type etc_aliases_t;
+
+	class file { getattr read write append setattr };
 ')

 #######################################
@ -248,18 +261,20 @@ class file { getattr read write append setattr };
 # mta_get_mail_spool_attributes(domain)
 #
 define(`mta_get_mail_spool_attributes',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir r_dir_perms;
-allow $1 mail_spool_t:lnk_file read;
-allow $1 mail_spool_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir r_dir_perms;
+	allow $1 mail_spool_t:lnk_file read;
+	allow $1 mail_spool_t:file getattr;
 ')

 define(`mta_get_mail_spool_attributes_depend',`
-type mail_spool_t;
-class dir r_dir_perms;
-class file getattr;
-class lnk_file read;
+	type mail_spool_t;
+
+	class dir r_dir_perms;
+	class file getattr;
+	class lnk_file read;
 ')

 #######################################
@ -267,16 +282,18 @@ class lnk_file read;
 # mta_modify_mail_spool(domain)
 #
 define(`mta_modify_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { getattr read write append setattr };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mail_spool_t:file { getattr read write append setattr };
 ')

 define(`mta_modify_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type mail_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 #######################################
@ -284,16 +301,18 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_spool(domain)
 #
 define(`mta_manage_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_spool_directory($1)
+	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 define(`mta_manage_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type mail_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 #######################################
@ -301,15 +320,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_queue(domain)
 #
 define(`mta_manage_mail_queue',`
-requires_block_template(`$0'_depend)
-allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 define(`mta_manage_mail_queue_depend',`
-type mqueue_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename }
+	type mqueue_spool_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename }
 ')

 ## </module>
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -83,15 +83,15 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)

 tunable_policy(`use_dns',`
-allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
-corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
-corenetwork_bind_udp_on_all_nodes(system_mail_t)
-corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
+	allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
+	corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
+	corenetwork_bind_udp_on_all_nodes(system_mail_t)
+	corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
 ')

 optional_policy(`procmail.te',`
-procmail_execute(system_mail_t)
+	procmail_execute(system_mail_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@ -89,17 +89,17 @@ mta_manage_mail_spool(sendmail_t)
 sysnetwork_read_network_config(sendmail_t)

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(sendmail_t)
-terminal_ignore_use_general_pseudoterminal(sendmail_t)
-files_ignore_read_rootfs_file(sendmail_t)
+	terminal_ignore_use_general_physical_terminal(sendmail_t)
+	terminal_ignore_use_general_pseudoterminal(sendmail_t)
+	files_ignore_read_rootfs_file(sendmail_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(sendmail_t)
+	selinux_newrole_sigchld(sendmail_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(sendmail_t)
+	udev_read_database(sendmail_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/audit.te
+++ b/refpolicy/policy/modules/system/audit.te
@ -52,17 +52,17 @@ libraries_use_shared_libraries(auditd_t)
 miscfiles_read_localization(auditd_t)

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(auditd_t)
-terminal_ignore_use_general_pseudoterminal(auditd_t)
-files_ignore_read_rootfs_file(auditd_t)
-')dnl end targeted_policy tunable
+	terminal_ignore_use_general_physical_terminal(auditd_t)
+	terminal_ignore_use_general_pseudoterminal(auditd_t)
+	files_ignore_read_rootfs_file(auditd_t)
+')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(auditd_t)
+	selinux_newrole_sigchld(auditd_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(auditd_t)
+	udev_read_database(auditd_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -8,87 +8,91 @@
 # authlogin_per_userdomain_template(userdomain_prefix)
 #
 define(`authlogin_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)

-type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
-domain_make_domain($1_chkpwd_t)
-domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
-role $1_r types $1_chkpwd_t;
-role $1_r types system_chkpwd_t;
+	type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+	domain_make_domain($1_chkpwd_t)
+	domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
+	role $1_r types $1_chkpwd_t;
+	role $1_r types system_chkpwd_t;

-allow $1_chkpwd_t self:capability setuid;
-allow $1_chkpwd_t self:process getattr;
+	allow $1_chkpwd_t self:capability setuid;
+	allow $1_chkpwd_t self:process getattr;

-files_read_general_system_config_directory($1_chkpwd_t)
-allow $1_chkpwd_t shadow_t:file { getattr read };
+	files_read_general_system_config_directory($1_chkpwd_t)
+	allow $1_chkpwd_t shadow_t:file { getattr read };

-# is_selinux_enabled
-kernel_read_system_state($1_chkpwd_t)
+	# is_selinux_enabled
+	kernel_read_system_state($1_chkpwd_t)

-filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
+	filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)

-domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
+	domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)

-libraries_use_dynamic_loader($1_chkpwd_t)
-libraries_use_shared_libraries($1_chkpwd_t)
+	libraries_use_dynamic_loader($1_chkpwd_t)
+	libraries_use_shared_libraries($1_chkpwd_t)

-files_read_general_system_config($1_chkpwd_t)
-# for nscd
-files_ignore_search_system_state_data_directory($1_chkpwd_t)
+	files_read_general_system_config($1_chkpwd_t)
+	# for nscd
+	files_ignore_search_system_state_data_directory($1_chkpwd_t)

-logging_send_system_log_message($1_chkpwd_t)
+	logging_send_system_log_message($1_chkpwd_t)

-miscfiles_read_localization($1_chkpwd_t)
+	miscfiles_read_localization($1_chkpwd_t)

-selinux_read_config($1_chkpwd_t)
+	selinux_read_config($1_chkpwd_t)

-#can_ypbind($1_chkpwd_t)
-#can_kerberos($1_chkpwd_t)
-#can_ldap($1_chkpwd_t)
+	#can_ypbind($1_chkpwd_t)
+	#can_kerberos($1_chkpwd_t)
+	#can_ldap($1_chkpwd_t)

-# Transition from the user domain to this domain.
-allow $1_t chkpwd_exec_t:file { getattr read execute };
-allow $1_t $1_chkpwd_t:process transition;
-type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
-allow $1_chkpwd_t $1_t:fd use;
-allow $1_t $1_chkpwd_t:fd use;
-allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
-allow $1_chkpwd_t $1_t:process sigchld;
+	# Transition from the user domain to this domain.
+	allow $1_t chkpwd_exec_t:file { getattr read execute };
+	allow $1_t $1_chkpwd_t:process transition;
+	type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
+	dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };

-# Write to the user domain tty.
-#userdomain_use_$1_terminal($1_chkpwd_t)
-#userdomain_use_$1_pty($1_chkpwd_t)
+	allow $1_chkpwd_t $1_t:fd use;
+	allow $1_t $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $1_t:process sigchld;

-# Inherit and use descriptors from gnome-pty-helper.
-#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
+	# Write to the user domain tty.
+	#userdomain_use_$1_terminal($1_chkpwd_t)
+	#userdomain_use_$1_pty($1_chkpwd_t)

-tunable_policy(`use_dns',`
-allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
-corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
-sysnetwork_read_network_config($1_chkpwd_t)
-')
+	# Inherit and use descriptors from gnome-pty-helper.
+	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')

-optional_policy(`selinux.te',`
-selinux_newrole_use_file_descriptors($1_chkpwd_t)
-')
+	tunable_policy(`use_dns',`
+		allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
+		corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
+		corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
+		corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
+		corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
+		corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
+		sysnetwork_read_network_config($1_chkpwd_t)
+	')
+
+	optional_policy(`selinux.te',`
+		selinux_newrole_use_file_descriptors($1_chkpwd_t)
+	')

 ') dnl end authlogin_per_userdomain_template

 define(`authlogin_per_userdomain_template_depend',`
-attribute can_read_shadow_passwords;
-type chkpwd_exec_t, system_chkpwd_t, shadow_t;
-class file { getattr read execute };
-class process { getattr transition sigchld };
-class capability setuid;
-class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-class fd use;
-class fifo_file rw_file_perms;
+	attribute can_read_shadow_passwords;
+
+	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
+
+	class file { getattr read execute };
+	class process { getattr transition sigchld };
+	class capability setuid;
+	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -96,13 +100,13 @@ class fifo_file rw_file_perms;
 # authlogin_make_login_program_entrypoint(domain)
 #
 define(`authlogin_make_login_program_entrypoint',`
-requires_block_template(`$0'_depend)
-domain_make_entrypoint_file($1,login_exec_t)
+	requires_block_template(`$0'_depend)
+
+	domain_make_entrypoint_file($1,login_exec_t)
 ')

 define(`authlogin_make_login_program_entrypoint_depend',`
-type login_exec_t;
-domain_make_entrypoint_file_depend
+	type login_exec_t;
 ')

 ########################################
@ -120,24 +124,27 @@ domain_make_entrypoint_file_depend
 ## </interface>
 #
 define(`authlogin_login_program_transition',`
-requires_block_template(`$0'_depend)
-# FIXME: search bin_t
-allow $1 login_exec_t:file { getattr read execute };
-allow $1 $2:process transition;
-type_transition $1 login_exec_t:process $2;
-dontaudit $1 $2:process { noatsecure siginh rlimitinh };
-allow $1 $2:fd use;
-allow $2 $1:fd use;
-allow $2 $1:fifo_file rw_file_perms;
-allow $2 $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search bin_t
+	allow $1 login_exec_t:file { getattr read execute };
+	allow $1 $2:process transition;
+	type_transition $1 login_exec_t:process $2;
+	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+
+	allow $1 $2:fd use;
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_file_perms;
+	allow $2 $1:process sigchld;
 ')

 define(`authlogin_login_program_transition_depend',`
-type login_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type login_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -145,41 +152,43 @@ class fifo_file rw_file_perms;
 # authlogin_check_password_transition(domain)
 #
 define(`authlogin_check_password_transition',`
-requires_block_template(`$0'_depend)
-allow $1 chkpwd_exec_t:file { getattr read execute };
-allow $1 system_chkpwd_t:process transition;
-type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
-allow $1 system_chkpwd_t:fd use;
-allow system_chkpwd_t $1:fd use;
-allow system_chkpwd_t $1:fifo_file rw_file_perms;
-allow system_chkpwd_t $1:process sigchld;
+	requires_block_template(`$0'_depend)

-dontaudit $1 shadow_t:file { getattr read };
-#allow $1_t sbin_t:dir search;
-#can_ypbind($1_t)
-#can_kerberos($1_t)
-#can_ldap($1_t)
+	allow $1 chkpwd_exec_t:file { getattr read execute };
+	allow $1 system_chkpwd_t:process transition;
+	type_transition $1 chkpwd_exec_t:process system_chkpwd_t;

-tunable_policy(`use_dns',`
-allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces($1)
-corenetwork_sendrecv_raw_on_all_interfaces($1)
-corenetwork_sendrecv_udp_on_all_nodes($1)
-corenetwork_sendrecv_raw_on_all_nodes($1)
-corenetwork_bind_udp_on_all_nodes($1)
-corenetwork_sendrecv_udp_on_dns_port($1)
-sysnetwork_read_network_config($1)
-') dnl end use_dns
+	allow $1 system_chkpwd_t:fd use;
+	allow system_chkpwd_t $1:fd use;
+	allow system_chkpwd_t $1:fifo_file rw_file_perms;
+	allow system_chkpwd_t $1:process sigchld;

-') dnl end check_password_transition
+	dontaudit $1 shadow_t:file { getattr read };
+	#allow $1_t sbin_t:dir search;
+	#can_ypbind($1_t)
+	#can_kerberos($1_t)
+	#can_ldap($1_t)
+
+	tunable_policy(`use_dns',`
+		allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenetwork_sendrecv_udp_on_all_interfaces($1)
+		corenetwork_sendrecv_raw_on_all_interfaces($1)
+		corenetwork_sendrecv_udp_on_all_nodes($1)
+		corenetwork_sendrecv_raw_on_all_nodes($1)
+		corenetwork_bind_udp_on_all_nodes($1)
+		corenetwork_sendrecv_udp_on_dns_port($1)
+		sysnetwork_read_network_config($1)
+	')
+')

 define(`authlogin_check_password_transition_depend',`
-type system_chkpwd_t, chkpwd_exec_t, shadow_t;
-class file { getattr read execute };
-class process { transition sigchld };
-class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-class fd use;
-class fifo_file rw_file_perms;
+	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+
+	class file { getattr read execute };
+	class process { transition sigchld };
+	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -187,13 +196,15 @@ class fifo_file rw_file_perms;
 # authlogin_ignore_get_shadow_passwords_attributes(domain)
 #
 define(`authlogin_ignore_get_shadow_passwords_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 shadow_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 shadow_t:file getattr;
 ')

 define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
-type shadow_t;
-class file getattr;
+	type shadow_t;
+
+	class file getattr;
 ')

 #######################################
@ -201,16 +212,19 @@ class file getattr;
 # authlogin_read_shadow_passwords(domain)
 #
 define(`authlogin_read_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 shadow_t:file { getattr read };
-typeattribute $1 can_read_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 shadow_t:file { getattr read };
+	typeattribute $1 can_read_shadow_passwords;
 ')

 define(`authlogin_read_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-type shadow_t;
-class file { getattr read };
+	attribute can_read_shadow_passwords;
+
+	type shadow_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -218,13 +232,15 @@ class file { getattr read };
 # authlogin_ignore_read_shadow_passwords(domain)
 #
 define(`authlogin_ignore_read_shadow_passwords',`
-requires_block_template(`$0'_depend)
-dontaudit $1 shadow_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 shadow_t:file { getattr read };
 ')

 define(`authlogin_ignore_read_shadow_passwords_depend',`
-type shadow_t;
-class file { getattr read };
+	type shadow_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -232,18 +248,18 @@ class file { getattr read };
 # authlogin_modify_shadow_passwords(domain)
 #
 define(`authlogin_modify_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 shadow_t:file { getattr read write };
-typeattribute $1 can_read_shadow_passwords;
-typeattribute $1 can_write_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 shadow_t:file rw_file_perms;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')

 define(`authlogin_modify_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-attribute can_write_shadow_passwords;
-type shadow_t;
-class file { getattr read write };
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
+
+	type shadow_t;
+	class file rw_file_perms;
 ')

 #######################################
@ -251,18 +267,20 @@ class file { getattr read write };
 # authlogin_manage_shadow_passwords(domain)
 #
 define(`authlogin_manage_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_create_private_config($1,shadow_t,file)
-allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_read_shadow_passwords;
-typeattribute $1 can_write_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	allow $1 shadow_t:file create_file_perms;
+	files_create_private_config($1,shadow_t,file)
+
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')

 define(`authlogin_manage_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
-attribute can_write_shadow_passwords;
-type shadow_t;
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
+
+	type shadow_t;
+
+	class file create_file_perms;
 ')

 #######################################
@ -270,16 +288,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # authlogin_relabel_to_shadow_passwords(domain)
 #
 define(`authlogin_relabel_to_shadow_passwords',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 shadow_t:file relabelto;
-typeattribute $1 can_relabelto_shadow_passwords;
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 shadow_t:file relabelto;
+	typeattribute $1 can_relabelto_shadow_passwords;
 ')

 define(`authlogin_relabel_to_shadow_passwords_depend',`
-attribute can_relabelto_shadow_passwords;
-type shadow_t;
-class file relabelto;
+	attribute can_relabelto_shadow_passwords;
+
+	type shadow_t;
+
+	class file relabelto;
 ')

 #######################################
@ -287,14 +308,16 @@ class file relabelto;
 # authlogin_modify_login_failure_records(domain)
 #
 define(`authlogin_modify_login_failure_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 faillog_t:file { read write append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 faillog_t:file rw_file_perms;
+	logging_search_system_log_directory($1)
 ')

 define(`authlogin_modify_login_failure_records_depend',`
-type faillog_t;
-class file { read write append };
+	type faillog_t;
+
+	class file rw_file_perms;
 ')

 #######################################
@ -302,14 +325,16 @@ class file { read write append };
 # authlogin_modify_last_login_log(domain)
 #
 define(`authlogin_modify_last_login_log',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 lastlog_t:file { getattr read write setattr };
+	requires_block_template(`$0'_depend)
+
+	logging_search_system_log_directory($1)
+	allow $1 lastlog_t:file { getattr read write setattr };
 ')

 define(`authlogin_modify_last_login_log_depend',`
-type lastlog_t;
-class file { getattr read write setattr };
+	type lastlog_t;
+
+	class file { getattr read write setattr };
 ')

 ########################################
@ -324,23 +349,26 @@ class file { getattr read write setattr };
 ## </interface>
 #
 define(`authlogin_pam_transition',`
-requires_block_template(`$0'_depend)
-allow $1 pam_exec_t:file { getattr read execute };
-allow $1 pam_t:process transition;
-type_transition $1 pam_exec_t:process pam_t;
-dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
-allow $1 pam_t:fd use;
-allow pam_t $1:fd use;
-allow pam_t $1:fifo_file rw_file_perms;
-allow pam_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_exec_t:file { getattr read execute };
+	allow $1 pam_t:process transition;
+	type_transition $1 pam_exec_t:process pam_t;
+	dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 pam_t:fd use;
+	allow pam_t $1:fd use;
+	allow pam_t $1:fifo_file rw_file_perms;
+	allow pam_t $1:process sigchld;
 ')

 define(`authlogin_pam_transition_depend',`
-type pam_t, pam_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd
-class fifo_file rw_file_perms;
+	type pam_t, pam_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -361,15 +389,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`authlogin_pam_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-authlogin_pam_transition($1)
-role $2 types pam_t;
-allow pam_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	authlogin_pam_transition($1)
+	role $2 types pam_t;
+	allow pam_t $3:chr_file { getattr read write ioctl };
 ')

 define(`authlogin_pam_transition_add_role_use_terminal_depend',`
-type pam_t;
-class chr_file { getattr read write ioctl };
+	type pam_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -377,13 +407,15 @@ class chr_file { getattr read write ioctl };
 # authlogin_pam_execute(domain)
 #
 define(`authlogin_pam_execute',`
-requires_block_template(`$0'_depend)
-allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`authlogin_pam_execute_depend',`
-type pam_exec_t;
-class file { getattr read execute execute_no_trans };
+	type pam_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -391,17 +423,19 @@ class file { getattr read execute execute_no_trans };
 # authlogin_pam_read_runtime_data(domain)
 #
 define(`authlogin_pam_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_run_t:dir { getattr search read };
-allow $1 pam_var_run_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_run_t:dir { getattr search read };
+	allow $1 pam_var_run_t:file { getattr read };
 ')

 define(`authlogin_pam_read_runtime_data_depend',`
-type pam_var_run_t;
-class dir { getattr search read };
-class file { getattr read };
+	type pam_var_run_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 #######################################
@ -409,17 +443,19 @@ class file { getattr read };
 # authlogin_pam_remove_runtime_data(domain)
 #
 define(`authlogin_pam_remove_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_run_t:dir { getattr search read write remove_name };
-allow $1 pam_var_run_t:file { getattr unlink };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+	allow $1 pam_var_run_t:file { getattr unlink };
 ')

 define(`authlogin_pam_remove_runtime_data_depend',`
-type pam_var_run_t;
-class dir { getattr search read write remove_name };
-class file { getattr unlink };
+	type pam_var_run_t;
+
+	class dir { getattr search read write remove_name };
+	class file { getattr unlink };
 ')

 #######################################
@ -427,23 +463,26 @@ class file { getattr unlink };
 # authlogin_pam_console_transition(domain)
 #
 define(`authlogin_pam_console_transition',`
-requires_block_template(`$0'_depend)
-allow $1 pam_console_exec_t:file { getattr read execute };
-allow $1 pam_console_t:process transition;
-type_transition $1 pam_console_exec_t:process pam_console_t;
-dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
-allow $1 pam_console_t:fd use;
-allow pam_console_t $1:fd use;
-allow pam_console_t $1:fifo_file rw_file_perms;
-allow pam_console_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 pam_console_exec_t:file { getattr read execute };
+	allow $1 pam_console_t:process transition;
+	type_transition $1 pam_console_exec_t:process pam_console_t;
+	dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 pam_console_t:fd use;
+	allow pam_console_t $1:fd use;
+	allow pam_console_t $1:fifo_file rw_file_perms;
+	allow pam_console_t $1:process sigchld;
 ')

 define(`authlogin_pam_console_transition_depend',`
-type pam_console_t, pam_console_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type pam_console_t, pam_console_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -451,15 +490,17 @@ class fifo_file rw_file_perms;
 # authlogin_pam_console_read_runtime_data_dir(domain)
 #
 define(`authlogin_pam_console_read_runtime_data_dir',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
 ')

 define(`authlogin_pam_console_read_runtime_data_dir_depend',`
-type pam_var_console_t;
-class dir { getattr search read };
+	type pam_var_console_t;
+
+	class dir r_dir_perms;
 ')

 #######################################
@ -467,17 +508,19 @@ class dir { getattr search read };
 # authlogin_pam_console_read_runtime_data(domain)
 #
 define(`authlogin_pam_console_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
-allow $1 pam_var_console_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
+	allow $1 pam_var_console_t:file r_file_perms;
 ')

 define(`authlogin_pam_console_read_runtime_data_depend',`
-type pam_var_console_t;
-class dir { getattr search read };
-class file { getattr read };
+	type pam_var_console_t;
+
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')

 #######################################
@ -485,19 +528,21 @@ class file { getattr read };
 # authlogin_pam_console_manage_runtime_data(domain)
 #
 define(`authlogin_pam_console_manage_runtime_data',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	files_search_runtime_data_directory($1)
+	allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
 ')

 define(`authlogin_pam_console_manage_runtime_data_depend',`
-type pam_var_console_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
-class lnk_file { create read getattr setattr link unlink rename };
+	type pam_var_console_t;
+
+	class dir { read getattr lock search ioctl add_name remove_name write };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class lnk_file { create read getattr setattr link unlink rename };
 ')

 ########################################
@ -518,12 +563,13 @@ class lnk_file { create read getattr setattr link unlink rename };
 #

 define(`authlogin_relabel_all_files_except_shadow',`
-requires_block_template(`$0'_depend)
-files_relabel_all_files($1,$2 -shadow_t)
+	requires_block_template(`$0'_depend)
+
+	files_relabel_all_files($1,$2 -shadow_t)
 ')

 define(`authlogin_relabel_all_files_except_shadow_depend',`
-type shadow_t;
+	type shadow_t;
 ')

 ########################################
@ -544,12 +590,13 @@ type shadow_t;
 #

 define(`authlogin_manage_all_files_except_shadow',`
-requires_block_template(`$0'_depend)
-files_manage_all_files($1,$2 -shadow_t)
+	requires_block_template(`$0'_depend)
+
+	files_manage_all_files($1,$2 -shadow_t)
 ')

 define(`authlogin_manage_all_files_except_shadow_depend',`
-type shadow_t;
+	type shadow_t;
 ')

 ########################################
@ -564,23 +611,26 @@ type shadow_t;
 ## </interface>
 #
 define(`authlogin_utempter_transition',`
-requires_block_template(`$0'_depend)
-allow $1 utempter_exec_t:file { getattr read execute };
-allow $1 utempter_t:process transition;
-type_transition $1 utempter_exec_t:process utempter_t;
-dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
-allow $1 utempter_t:fd use;
-allow utempter_t $1:fd use;
-allow utempter_t $1:fifo_file rw_file_perms;
-allow utempter_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 utempter_exec_t:file { getattr read execute };
+	allow $1 utempter_t:process transition;
+	type_transition $1 utempter_exec_t:process utempter_t;
+	dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 utempter_t:fd use;
+	allow utempter_t $1:fd use;
+	allow utempter_t $1:fifo_file rw_file_perms;
+	allow utempter_t $1:process sigchld;
 ')

 define(`authlogin_utempter_transition_depend',`
-type utempter_t, utempter_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type utempter_t, utempter_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -601,15 +651,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`authlogin_utempter_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-authlogin_utempter_transition($1)
-role $2 types utempter_t;
-allow utempter_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	authlogin_utempter_transition($1)
+	role $2 types utempter_t;
+	allow utempter_t $3:chr_file { getattr read write ioctl };
 ')

 define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
-type utempter_t;
-class chr_file { getattr read write ioctl };
+	type utempter_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -617,14 +669,16 @@ class chr_file { getattr read write ioctl };
 # authlogin_read_login_records(domain)
 #
 define(`authlogin_read_login_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	logging_search_system_log_directory($1)
+	allow $1 wtmp_t:file { getattr read };
 ')

 define(`authlogin_read_login_records_depend',`
-type wtmp_t;
-class file { getattr read };
+	type wtmp_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -632,13 +686,15 @@ class file { getattr read };
 # authlogin_ignore_write_login_records(domain)
 #
 define(`authlogin_ignore_write_login_records',`
-requires_block_template(`$0'_depend)
-dontaudit $1 wtmp_t:file write;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 wtmp_t:file write;
 ')

 define(`authlogin_read_login_records_depend',`
-type wtmp_t;
-class file write;
+	type wtmp_t;
+
+	class file write;
 ')

 #######################################
@ -646,14 +702,15 @@ class file write;
 # authlogin_modify_login_records(domain)
 #
 define(`authlogin_modify_login_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read write append setattr lock };
+	requires_block_template(`$0'_depend)
+
+	allow $1 wtmp_t:file rw_file_perms;
+	logging_search_system_log_directory($1)
 ')

 define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
-class file { getattr read write append setattr lock };
+class file rw_file_perms;
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -109,13 +109,13 @@ logging_send_system_log_message(pam_t)
 userdomain_use_all_unprivileged_users_file_descriptors(pam_t)

 optional_policy(`locallogin.te',`
-locallogin_use_file_descriptors(pam_t)
+	locallogin_use_file_descriptors(pam_t)
 ')

 ifdef(`TODO',`
 can_ypbind(pam_t)
 ifdef(`automount.te', `
-allow pam_t autofs_t:dir { search getattr };
+	allow pam_t autofs_t:dir { search getattr };
 ')

 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
@ -171,18 +171,18 @@ selinux_read_file_contexts(pam_console_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)

 tunable_policy(`direct_sysadm_daemon', `
-dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
+	dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(pam_console_t)
-terminal_ignore_use_general_pseudoterminal(pam_console_t)
-files_ignore_read_rootfs_file(pam_console_t)
+	terminal_ignore_use_general_physical_terminal(pam_console_t)
+	terminal_ignore_use_general_pseudoterminal(pam_console_t)
+	files_ignore_read_rootfs_file(pam_console_t)
 ')

 optional_policy(`hotplug.te', `
-hotplug_use_file_descriptors(pam_console_t)
-hotplug_ignore_search_config_directory(pam_console_t)
+	hotplug_use_file_descriptors(pam_console_t)
+	hotplug_ignore_search_config_directory(pam_console_t)
 ')

 optional_policy(`selinux.te',`
@ -190,14 +190,14 @@ selinux_newrole_sigchld(pam_console_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(pam_console_t)
+	udev_read_database(pam_console_t)
 ')

 ifdef(`TODO',`
 optional_policy(`rhgb.te', `
-allow pam_console_t rhgb_t:process sigchld;
-allow pam_console_t rhgb_t:fd use;
-allow pam_console_t rhgb_t:fifo_file { read write };
+	allow pam_console_t rhgb_t:process sigchld;
+	allow pam_console_t rhgb_t:fd use;
+	allow pam_console_t rhgb_t:fifo_file { read write };
 ')
 allow pam_console_t autofs_t:dir { search getattr };

@ -215,11 +215,11 @@ scsi_generic_device_t
 }:chr_file { getattr setattr };

 ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
+	allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ')

 ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
+	allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 ') dnl endif TODO

@ -254,14 +254,14 @@ miscfiles_read_localization(system_chkpwd_t)
 selinux_read_config(system_chkpwd_t)

 tunable_policy(`use_dns',`
-allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
-corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
-corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
-corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
-corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
-sysnetwork_read_network_config(system_chkpwd_t)
+	allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
+	corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
+	corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
+	corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
+	corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
+	sysnetwork_read_network_config(system_chkpwd_t)
 ')

 ifdef(`TODO',`
@ -270,7 +270,7 @@ can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)

 dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
-')
+') dnl end TODO

 ########################################
 #
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`clock_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hwclock_exec_t:file { getattr read execute };
-allow $1 hwclock_t:process transition;
-type_transition $1 hwclock_exec_t:process hwclock_t;
-dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
-allow $1 hwclock_t:fd use;
-allow hwclock_t $1:fd use;
-allow hwclock_t $1:fifo_file rw_file_perms;
-allow hwclock_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hwclock_exec_t:file { getattr read execute };
+	allow $1 hwclock_t:process transition;
+	type_transition $1 hwclock_exec_t:process hwclock_t;
+	dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hwclock_t:fd use;
+	allow hwclock_t $1:fd use;
+	allow hwclock_t $1:fifo_file rw_file_perms;
+	allow hwclock_t $1:process sigchld;
 ')

 define(`clock_transition_depend',`
-type hwclock_t, hwclock_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hwclock_t, hwclock_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`clock_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-clock_transition($1)
-role $2 types hwclock_t;
-allow hwclock_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	clock_transition($1)
+	role $2 types hwclock_t;
+	allow hwclock_t $3:chr_file { getattr read write ioctl };
 ')

 define(`clock_transition_add_role_use_terminal_depend',`
-type hwclock_t;
-class chr_file { getattr read write ioctl };
+	type hwclock_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -67,13 +72,15 @@ class chr_file { getattr read write ioctl };
 # clock_execute(domain)
 #
 define(`clock_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`clock_execute_depend',`
-type hwclock_exec_t;
-class file { getattr read execute execute_no_trans };
+	type hwclock_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -81,14 +88,16 @@ class file { getattr read execute execute_no_trans };
 # clock_modify_drift_records(domain)
 #
 define(`clock_modify_drift_records',`
-requires_block_template(`$0'_depend)
-allow $1 adjtime_t:file { getattr read write ioctl lock append };
-files_read_general_system_config_directory($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 adjtime_t:file { getattr read write ioctl lock append };
+	files_read_general_system_config_directory($1)
 ')

 define(`clock_modify_drift_records_depend',`
-type adjtime_t;
-class file { getattr read write ioctl lock append };
+	type adjtime_t;
+
+	class file { getattr read write ioctl lock append };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@ -58,21 +58,21 @@ logging_send_system_log_message(hwclock_t)
 miscfiles_read_localization(hwclock_t)

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hwclock_t)
-terminal_ignore_use_general_pseudoterminal(hwclock_t)
-files_ignore_read_rootfs_file(hwclock_t)
+	terminal_ignore_use_general_physical_terminal(hwclock_t)
+	terminal_ignore_use_general_pseudoterminal(hwclock_t)
+	files_ignore_read_rootfs_file(hwclock_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hwclock_t)
+	selinux_newrole_sigchld(hwclock_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(hwclock_t)
+	udev_read_database(hwclock_t)
 ')

 optional_policy(`userdomain.te',`
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
+	userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -9,12 +9,13 @@
 # corecommands_make_shell_entrypoint(domain)
 #
 define(`corecommands_make_shell_entrypoint',`
-requires_block_template(`$0'_depend)
-domain_make_entrypoint_file($1,shell_exec_t)
+	requires_block_template(`$0'_depend)
+
+	domain_make_entrypoint_file($1,shell_exec_t)
 ')

 define(`corecommands_make_shell_entrypoint_depend',`
-type shell_exec_t;
+	type shell_exec_t;
 ')

 ########################################
@ -22,13 +23,15 @@ type shell_exec_t;
 # corecommands_search_general_programs_directory(domain)
 #
 define(`corecommands_search_general_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir search;
 ')

 define(`corecommands_search_general_programs_directory_depend',`
-type bin_t;
-class dir search;
+	type bin_t;
+
+	class dir search;
 ')

 ########################################
@ -36,13 +39,15 @@ class dir search;
 # corecommands_read_general_programs_directory(domain)
 #
 define(`corecommands_read_general_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
 ')

 define(`corecommands_read_general_programs_directory_depend',`
-type bin_t;
-class dir { getattr search read };
+	type bin_t;
+
+	class dir { getattr search read };
 ')

 ########################################
@ -50,17 +55,19 @@ class dir { getattr search read };
 # corecommands_execute_general_programs(domain)
 #
 define(`corecommands_execute_general_programs',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
 ')

 define(`corecommands_execute_general_programs_depend',`
-type bin_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read ioctl lock execute execute_no_trans };
+	type bin_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')

 ########################################
@ -68,13 +75,15 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # corecommands_search_system_programs_directory(domain)
 #
 define(`corecommands_search_system_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir search;
 ')

 define(`corecommands_search_system_programs_directory_depend',`
-type sbin_t;
-class dir search;
+	type sbin_t;
+
+	class dir search;
 ')

 ########################################
@ -82,13 +91,15 @@ class dir search;
 # corecommands_read_system_programs_directory(domain)
 #
 define(`corecommands_read_system_programs_directory',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir r_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir r_dir_perms;
 ')

 define(`corecommands_read_system_programs_directory_depend',`
-type sbin_t;
-class dir r_dir_perms;
+	type sbin_t;
+
+	class dir r_dir_perms;
 ')

 ########################################
@ -96,13 +107,15 @@ class dir r_dir_perms;
 # corecommands_ignore_get_system_programs_attributes(domain)
 #
 define(`corecommands_ignore_get_system_programs_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:file getattr;
 ')

 define(`corecommands_ignore_get_system_programs_attributes_depend',`
-type sbin_t;
-class file getattr;
+	type sbin_t;
+
+	class file getattr;
 ')

 ########################################
@ -110,17 +123,19 @@ class file getattr;
 # corecommands_execute_system_programs(domain)
 #
 define(`corecommands_execute_system_programs',`
-requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir { getattr search read };
-allow $1 sbin_t:lnk_file { getattr read };
-allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 sbin_t:dir { getattr search read };
+	allow $1 sbin_t:lnk_file { getattr read };
+	allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
 ')

 define(`corecommands_execute_system_programs_depend',`
-type sbin_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read ioctl lock execute execute_no_trans };
+	type sbin_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')

 ########################################
@ -128,17 +143,19 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # corecommands_execute_shell(domain)
 #
 define(`corecommands_execute_shell',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 ')

 define(`corecommands_execute_shell_depend',`
-type bin_t, shell_exec_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
-class file { getattr read lock ioctl execute execute_no_trans };
+	type bin_t, shell_exec_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
+	class file { getattr read lock ioctl execute execute_no_trans };
 ')

 ########################################
@ -146,17 +163,19 @@ class file { getattr read lock ioctl execute execute_no_trans };
 # corecommands_execute_ls(domain)
 #
 define(`corecommands_execute_ls',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 ')

 define(`corecommands_execute_shell_depend',`
-type bin_t, ls_exec_t;
-class dir r_dir_perms;
-class lnk_file { getattr read };
-class file { getattr read lock ioctl execute execute_no_trans };
+	type bin_t, ls_exec_t;
+
+	class dir r_dir_perms;
+	class lnk_file { getattr read };
+	class file { getattr read lock ioctl execute execute_no_trans };
 ')

 ########################################
@ -176,26 +195,29 @@ class file { getattr read lock ioctl execute execute_no_trans };
 ## </interface>
 #
 define(`corecommands_shell_explicit_transition',`
-requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
-allow $1 bin_t:lnk_file { getattr read };
-allow $1 shell_exec_t:file { getattr read execute };
-allow $1 $2:process transition;
-dontaudit $1 $2:process { noatsecure siginh rlimitinh };
-allow $1 $2:fd use;
-allow $2 $1:fd use;
-allow $2 $1:fifo_file rw_file_perms;
-allow $2 $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 shell_exec_t:file { getattr read execute };
+	allow $1 $2:process transition;
+	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+
+	allow $1 $2:fd use;
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_file_perms;
+	allow $2 $1:process sigchld;
 ')

 define(`corecommands_shell_explicit_transition_depend',`
-type bin_t, shell_exec_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type bin_t, shell_exec_t;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -213,13 +235,14 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`corecommands_shell_transition',`
-requires_block_template(`$0'_depend)
-corecommands_shell_explicit_transition($1,$2)
-type_transition $1 shell_exec_t:process $2;
+	requires_block_template(`$0'_depend)
+
+	corecommands_shell_explicit_transition($1,$2)
+	type_transition $1 shell_exec_t:process $2;
 ')

 define(`corecommands_shell_transition_depend',`
-type shell_exec_t;
+	type shell_exec_t;
 ')

 ########################################
@ -227,16 +250,17 @@ type shell_exec_t;
 # corecommands_chroot(domain)
 #
 define(`corecommands_chroot',`
-requires_block_template(`$0'_depend)
-allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
-# could go to a generic chroot priv:
-allow $1 self:capability sys_chroot;
+	requires_block_template(`$0'_depend)
+
+	allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
+	allow $1 self:capability sys_chroot;
 ')

 define(`corecommands_chroot_depend',`
-type chroot_exec_t;
-class file { getattr read execute execute_no_trans };
-class capability sys_chroot;
+	type chroot_exec_t;
+
+	class file { getattr read execute execute_no_trans };
+	class capability sys_chroot;
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -6,24 +6,25 @@
 # domain_make_base_domain(domain)
 #
 define(`domain_make_base_domain',`
-requires_block_template(`$0'_depend)
+	requires_block_template(`$0'_depend)

-# mark as a domain
-typeattribute $1 domain;
+	# mark as a domain
+	typeattribute $1 domain;

-# allow the domain to read its /proc/pid entries
-allow $1 self:dir { getattr search read };
-allow $1 self:{ file lnk_file } { getattr read write ioctl };
+	# allow the domain to read its /proc/pid entries
+	allow $1 self:dir { getattr search read };
+	allow $1 self:{ file lnk_file } { getattr read write ioctl };

-# allow $1 to create child processes in this domain
-allow $1 self:process { fork sigchld };
+	# allow $1 to create child processes in this domain
+	allow $1 self:process { fork sigchld };
 ')

 define(`domain_make_base_domain_depend',`
-attribute domain;
-class dir { getattr search read };
-class file { getattr read write ioctl };
-class lnk_file { getattr read };
+	attribute domain;
+
+	class dir { getattr search read };
+	class file { getattr read write ioctl };
+	class lnk_file { getattr read };
 ')

 ########################################
@ -31,26 +32,25 @@ class lnk_file { getattr read };
 # domain_make_domain(domain)
 #
 define(`domain_make_domain',`
+	# start with basic domain
+	domain_make_base_domain($1)

-# start with basic domain
-domain_make_base_domain($1)
+	# Use trusted objects in /dev
+	devices_use_dev_null($1)
+	devices_use_dev_zero($1)
+	terminal_use_controlling_terminal($1)

-# Use trusted objects in /dev
-devices_use_dev_null($1)
-devices_use_dev_zero($1)
-terminal_use_controlling_terminal($1)
+	# read the root directory
+	files_read_root_dir($1)

-# read the root directory
-files_read_root_dir($1)
+	# send init a sigchld
+	init_sigchld($1)

-# send init a sigchld
-init_sigchld($1)
-
-# this seems highly questionable:
-optional_policy(`rpm.te',`
-rpm_use_file_descriptors($1)
-rpm_read_pipe($1)
-')
+	# this seems highly questionable:
+	optional_policy(`rpm.te',`
+		rpm_use_file_descriptors($1)
+		rpm_read_pipe($1)
+	')
 ')

 ########################################
@ -58,15 +58,17 @@ rpm_read_pipe($1)
 # domain_make_entrypoint_file(domain,entrypointfile)
 #
 define(`domain_make_entrypoint_file',`
-requires_block_template(`$0'_depend)
-allow $1 $2:file entrypoint;
-files_make_file($2)
-typeattribute $2 entry_type;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($2)
+	allow $1 $2:file entrypoint;
+	typeattribute $2 entry_type;
 ')

 define(`domain_make_entrypoint_file_depend',`
-attribute entry_type;
-class file entrypoint;
+	attribute entry_type;
+
+	class file entrypoint;
 ')

 ########################################
@ -74,12 +76,13 @@ class file entrypoint;
 # domain_make_file_descriptors_widely_inheritable(domain)
 #
 define(`domain_make_file_descriptors_widely_inheritable',`
-requires_block_template(`$0'_depend)
-typeattribute $1 privfd;
+	requires_block_template(`$0'_depend)
+
+	typeattribute $1 privfd;
 ')

 define(`domain_make_file_descriptors_widely_inheritable_depend',`
-attribute privfd;
+	attribute privfd;
 ')

 ########################################
@ -87,13 +90,15 @@ attribute privfd;
 # domain_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_use_widely_inheritable_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 privfd:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 privfd:fd use;
 ')

 define(`domain_use_widely_inheritable_file_descriptors_depend',`
-attribute privfd;
-class fd use;
+	attribute privfd;
+
+	class fd use;
 ')

 ########################################
@ -101,13 +106,15 @@ class fd use;
 # domain_ignore_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_ignore_use_widely_inheritable_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 privfd:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 privfd:fd use;
 ')

 define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
-attribute privfd;
-class fd use;
+	attribute privfd;
+
+	class fd use;
 ')

 ########################################
@ -115,13 +122,15 @@ class fd use;
 # domain_set_all_domains_priorities(domain)
 #
 define(`domain_set_all_domains_priorities',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process setsched;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process setsched;
 ')

 define(`domain_set_all_domains_priorities_depend',`
-attribute domain;
-class process setsched;
+	attribute domain;
+
+	class process setsched;
 ')

 ########################################
@ -136,13 +145,15 @@ class process setsched;
 ## </interface>
 #
 define(`domain_signal_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process signal;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process signal;
 ')

 define(`domain_signal_all_domains_depend',`
-attribute domain;
-class process signal;
+	attribute domain;
+
+	class process signal;
 ')

 ########################################
@ -157,13 +168,15 @@ class process signal;
 ## </interface>
 #
 define(`domain_signull_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process signull;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process signull;
 ')

 define(`domain_signull_all_domains_depend',`
-attribute domain;
-class process signull;
+	attribute domain;
+
+	class process signull;
 ')

 ########################################
@ -178,13 +191,15 @@ class process signull;
 ## </interface>
 #
 define(`domain_sigstop_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigstop;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigstop;
 ')

 define(`domain_sigstop_all_domains_depend',`
-attribute domain;
-class process sigstop;
+	attribute domain;
+
+	class process sigstop;
 ')

 ########################################
@ -199,13 +214,15 @@ class process sigstop;
 ## </interface>
 #
 define(`domain_sigchld_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigchld;
 ')

 define(`domain_sigchld_all_domains_depend',`
-attribute domain;
-class process sigchld;
+	attribute domain;
+
+	class process sigchld;
 ')

 ########################################
@ -220,15 +237,17 @@ class process sigchld;
 ## </interface>
 #
 define(`domain_kill_all_domains',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process sigkill;
-allow $1 self:capability kill;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process sigkill;
+	allow $1 self:capability kill;
 ')

 define(`domain_kill_all_domains_depend',`
-attribute domain;
-class process sigkill;
-class capability kill;
+	attribute domain;
+
+	class process sigkill;
+	class capability kill;
 ')

 ########################################
@ -243,24 +262,27 @@ class capability kill;
 ## </interface>
 #
 define(`domain_read_all_domains_process_state',`
-requires_block_template(`$0'_depend)
-allow $1 domain:dir { getattr search read };
-allow $1 domain:lnk_file { getattr read };
-allow $1 domain:file { getattr read };
-allow $1 domain:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 domain:process ptrace;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:dir { getattr search read };
+	allow $1 domain:lnk_file { getattr read };
+	allow $1 domain:file { getattr read };
+	allow $1 domain:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 domain:process ptrace;
 ')

 define(`domain_read_all_domains_process_state_depend',`
-attribute domain;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read };
-class process { getattr ptrace };
+	attribute domain;
+
+	class dir { getattr search read };
+	class lnk_file { getattr read };
+	class file { getattr read };
+	class process { getattr ptrace };
 ')

 ########################################
@ -276,13 +298,15 @@ class process { getattr ptrace };
 ## </interface>
 #
 define(`domain_ignore_read_all_domains_process_dirs',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:dir r_dir_perms;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:dir r_dir_perms;
 ')

 define(`domain_ignore_read_all_domains_process_dirs_depend',`
-attribute domain;
-class dir r_dir_perms;
+	attribute domain;
+
+	class dir r_dir_perms;
 ')


@ -298,13 +322,15 @@ class dir r_dir_perms;
 ## </interface>
 #
 define(`domain_get_all_domains_session_id',`
-requires_block_template(`$0'_depend)
-allow $1 domain:process getsession;
+	requires_block_template(`$0'_depend)
+
+	allow $1 domain:process getsession;
 ')

 define(`domain_get_all_domains_session_id_depend',`
-attribute domain;
-class process getsession;
+	attribute domain;
+
+	class process getsession;
 ')

 ########################################
@ -320,13 +346,15 @@ class process getsession;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_udp_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:udp_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:udp_socket getattr;
 ')

 define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
-attribute domain;
-class udp_socket getattr;
+	attribute domain;
+
+	class udp_socket getattr;
 ')

 ########################################
@ -342,13 +370,15 @@ class udp_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:tcp_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:tcp_socket getattr;
 ')

 define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
-attribute domain;
-class tcp_socket getattr;
+	attribute domain;
+
+	class tcp_socket getattr;
 ')

 ########################################
@ -364,13 +394,15 @@ class tcp_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:unix_dgram_socket getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:unix_dgram_socket getattr;
 ')

 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
-attribute domain;
-class unix_dgram_socket getattr;
+	attribute domain;
+
+	class unix_dgram_socket getattr;
 ')

 ########################################
@ -386,13 +418,15 @@ class unix_dgram_socket getattr;
 ## </interface>
 #
 define(`domain_ignore_get_all_domains_pipe_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 domain:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 domain:fifo_file getattr;
 ')

 define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
-attribute domain;
-class fifo_file getattr;
+	attribute domain;
+
+	class fifo_file getattr;
 ')

 ########################################
@ -400,13 +434,15 @@ class fifo_file getattr;
 # domain_execute_all_entrypoint_programs(domain)
 #
 define(`domain_execute_all_entrypoint_programs',`
-requires_block_template(`$0'_depend)
-allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
 ')

 define(`domain_execute_all_entrypoint_programs_depend',`
-attribute entry_type;
-class file { getattr read ioctl lock execute execute_no_trans };
+	attribute entry_type;
+
+	class file { getattr read ioctl lock execute execute_no_trans };
 ')

 ########################################
@ -414,15 +450,17 @@ class file { getattr read ioctl lock execute execute_no_trans };
 # domain_read_all_entrypoint_programs(domain)
 #
 define(`domain_read_all_entrypoint_programs',`
-requires_block_template(`$0'_depend)
-allow $1 entry_type:lnk_file { getattr read };
-allow $1 entry_type:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	allow $1 entry_type:lnk_file { getattr read };
+	allow $1 entry_type:file r_file_perms;
 ')

 define(`domain_read_all_entrypoint_programs_depend',`
-attribute entry_type;
-class file r_file_perms;
-class lnk_file { getattr read };
+	attribute entry_type;
+
+	class file r_file_perms;
+	class lnk_file { getattr read };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@ -4,23 +4,26 @@
 # getty_transition(domain)
 #
 define(`getty_transition',`
-requires_block_template(`$0'_depend)
-allow $1 getty_exec_t:file { getattr read execute };
-allow $1 getty_t:process transition;
-type_transition $1 getty_exec_t:process getty_t;
-dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
-allow $1 getty_t:fd use;
-allow getty_t $1:fd use;
-allow getty_t $1:fifo_file rw_file_perms;
-allow getty_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_exec_t:file { getattr read execute };
+	allow $1 getty_t:process transition;
+	type_transition $1 getty_exec_t:process getty_t;
+	dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 getty_t:fd use;
+	allow getty_t $1:fd use;
+	allow getty_t $1:fifo_file rw_file_perms;
+	allow getty_t $1:process sigchld;
 ')

 define(`getty_transition_depend',`
-type getty_t, getty_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type getty_t, getty_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
 # getty_read_log_file(domain)
 #
 define(`getty_read_log_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_log_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_log_t:file { getattr read };
 ')

 define(`getty_read_log_file_depend',`
-type getty_log_t;
-class file { getattr read };
+	type getty_log_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -42,13 +47,15 @@ class file { getattr read };
 # getty_read_config_file(domain)
 #
 define(`getty_read_config_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_etc_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_etc_t:file { getattr read };
 ')

 define(`getty_read_config_file_depend',`
-type getty_etc_t;
-class file { getattr read };
+	type getty_etc_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -56,11 +63,13 @@ class file { getattr read };
 # getty_modify_config_file(domain)
 #
 define(`getty_modify_config_file',`
-requires_block_template(`$0'_depend)
-allow $1 getty_etc_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	allow $1 getty_etc_t:file { getattr read write };
 ')

 define(`getty_modify_config_file_depend',`
-type getty_etc_t;
-class file { getattr read write };
+	type getty_etc_t;
+
+	class file { getattr read write };
 ')
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -14,23 +14,26 @@
 ## </interface>
 #
 define(`hostname_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hostname_exec_t:file { getattr read execute };
-allow $1 hostname_t:process transition;
-type_transition $1 hostname_exec_t:process hostname_t;
-dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
-allow $1 hostname_t:fd use;
-allow hostname_t $1:fd use;
-allow hostname_t $1:fifo_file rw_file_perms;
-allow hostname_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hostname_exec_t:file { getattr read execute };
+	allow $1 hostname_t:process transition;
+	type_transition $1 hostname_exec_t:process hostname_t;
+	dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hostname_t:fd use;
+	allow hostname_t $1:fd use;
+	allow hostname_t $1:fifo_file rw_file_perms;
+	allow hostname_t $1:process sigchld;
 ')

 define(`hostname_transition_depend',`
-type hostname_t, hostname_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hostname_t, hostname_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`hostname_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-hostname_transition($1)
-role $2 types hostname_t;
-allow hostname_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	hostname_transition($1)
+	role $2 types hostname_t;
+	allow hostname_t $3:chr_file { getattr read write ioctl };
 ')

 define(`hostname_transition_add_role_use_terminal_depend',`
-type hostname_t;
-class chr_file { getattr read write ioctl };
+	type hostname_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # hostname_execute(domain)
 #
 define(`hostname_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`hostname_execute_depend',`
-type hostname_exec_t;
-class file { getattr read execute execute_no_trans };
+	type hostname_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@ -55,36 +55,36 @@ miscfiles_read_localization(hostname_t)
 userdomain_use_all_users_file_descriptors(hostname_t)

 tunable_policy(`distro_redhat', `
-filesystem_use_tmpfs_character_devices(hostname_t)
+	filesystem_use_tmpfs_character_devices(hostname_t)
 ')

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hostname_t)
-terminal_ignore_use_general_pseudoterminal(hostname_t)
-files_ignore_read_rootfs_file(hostname_t)
-')dnl end targeted_policy tunable
+	terminal_ignore_use_general_physical_terminal(hostname_t)
+	terminal_ignore_use_general_pseudoterminal(hostname_t)
+	files_ignore_read_rootfs_file(hostname_t)
+')

 tunable_policy(`use_dns',`
-allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
-corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
-corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
-corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
-corenetwork_bind_udp_on_all_nodes(hostname_t)
-corenetwork_sendrecv_udp_on_dns_port(hostname_t)
-sysnetwork_read_network_config(hostname_t)
+	allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
+	corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
+	corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
+	corenetwork_bind_udp_on_all_nodes(hostname_t)
+	corenetwork_sendrecv_udp_on_dns_port(hostname_t)
+	sysnetwork_read_network_config(hostname_t)
 ')

 optional_policy(`hotplug.te',`
-hotplug_ignore_use_file_descriptors(hostname_t)
+	hotplug_ignore_use_file_descriptors(hostname_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hostname_t)
+	selinux_newrole_sigchld(hostname_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(hostname_t)
+	udev_read_database(hostname_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -9,23 +9,26 @@
 # hotplug_transition(domain)
 #
 define(`hotplug_transition',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_exec_t:file { getattr read execute };
-allow $1 hotplug_t:process transition;
-type_transition $1 hotplug_exec_t:process hotplug_t;
-dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
-allow $1 hotplug_t:fd use;
-allow hotplug_t $1:fd use;
-allow hotplug_t $1:fifo_file rw_file_perms;
-allow hotplug_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_exec_t:file { getattr read execute };
+	allow $1 hotplug_t:process transition;
+	type_transition $1 hotplug_exec_t:process hotplug_t;
+	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 hotplug_t:fd use;
+	allow hotplug_t $1:fd use;
+	allow hotplug_t $1:fifo_file rw_file_perms;
+	allow hotplug_t $1:process sigchld;
 ')

 define(`hotplug_transition_depend',`
-type hotplug_t, hotplug_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type hotplug_t, hotplug_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -33,13 +36,15 @@ class fifo_file rw_file_perms;
 # hotplug_execute(domain)
 #
 define(`hotplug_execute',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`hotplug_execute_depend',`
-type hotplug_t;
-class file { getattr read execute execute_no_trans };
+	type hotplug_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -47,13 +52,15 @@ class file { getattr read execute execute_no_trans };
 # hotplug_use_file_descriptors(domain)
 #
 define(`hotplug_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 hotplug_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 hotplug_t:fd use;
 ')

 define(`hotplug_use_file_descriptors_depend',`
-type hotplug_t;
-class fd use;
+	type hotplug_t;
+
+	class fd use;
 ')

 #######################################
@ -61,13 +68,15 @@ class fd use;
 # hotplug_ignore_use_file_descriptors(domain)
 #
 define(`hotplug_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 hotplug_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 hotplug_t:fd use;
 ')

 define(`hotplug_ignore_use_file_descriptors_depend',`
-type hotplug_t;
-class fd use;
+	type hotplug_t;
+
+	class fd use;
 ')

 ########################################
@ -75,13 +84,15 @@ class fd use;
 # hotplug_ignore_search_config_directory(domain)
 #
 define(`hotplug_ignore_search_config_directory',`
-requires_block_template(`$0'_depend)
-dontaudit $1 hotplug_etc_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 hotplug_etc_t:dir search;
 ')

 define(`hotplug_ignore_search_config_directory_depend',`
-type hotplug_etc_t;
-class dir search;
+	type hotplug_etc_t;
+
+	class dir search;
 ')

 ########################################
@ -96,18 +107,20 @@ class dir search;
 ## </interface>
 #
 define(`hotplug_read_config',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 hotplug_etc_t:file { read getattr lock ioctl };
-allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
-allow $1 hotplug_etc_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 hotplug_etc_t:file { read getattr lock ioctl };
+	allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
+	allow $1 hotplug_etc_t:lnk_file { getattr read };
 ')

 define(`hotplug_read_config_depend',`
-type hotplug_etc_t;
-class file { read getattr lock ioctl };
-class dir { read getattr lock search ioctl };
-class lnk_file { getattr read };
+	type hotplug_etc_t;
+
+	class file { read getattr lock ioctl };
+	class dir { read getattr lock search ioctl };
+	class lnk_file { getattr read };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -109,60 +109,60 @@ sysnetwork_read_network_config(hotplug_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)

 tunable_policy(`distro_redhat', `
-optional_policy(`netutils.te', `
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(hotplug_t)
-filesystem_use_tmpfs_character_devices(hotplug_t)
-') dnl endif netutils optional
-files_get_system_lock_file_attributes(hotplug_t)
-')dnl end distro_redhat tunable
+	optional_policy(`netutils.te', `
+		# for arping used for static IP addresses on PCMCIA ethernet
+		netutils_transition(hotplug_t)
+		filesystem_use_tmpfs_character_devices(hotplug_t)
+	')
+	files_get_system_lock_file_attributes(hotplug_t)
+')

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hotplug_t)
-terminal_ignore_use_general_pseudoterminal(hotplug_t)
-files_ignore_read_rootfs_file(hotplug_t)
+	terminal_ignore_use_general_physical_terminal(hotplug_t)
+	terminal_ignore_use_general_pseudoterminal(hotplug_t)
+	files_ignore_read_rootfs_file(hotplug_t)
 ')

 optional_policy(`consoletype.te',`
-consoletype_transition(hotplug_t)
+	consoletype_transition(hotplug_t)
 ')

 optional_policy(`hostname.te',`
-hostname_execute(hotplug_t)
+	hostname_execute(hotplug_t)
 ')

 optional_policy(`iptables.te',`
-iptables_transition(hotplug_t)
+	iptables_transition(hotplug_t)
 ')

 optional_policy(`mta.te', `
-mta_send_mail(hotplug_t)
+	mta_send_mail(hotplug_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(hotplug_t)
+	selinux_newrole_sigchld(hotplug_t)
 ')

 optional_policy(`sysnetwork.te',`
-sysnetwork_ifconfig_transition(hotplug_t)
+	sysnetwork_ifconfig_transition(hotplug_t)
 ')

 optional_policy(`udev.te', `
-udev_transition(hotplug_t)
-udev_read_database(hotplug_t)
+	udev_transition(hotplug_t)
+	udev_read_database(hotplug_t)
 ')

 optional_policy(`updfstab.te', `
-updfstab_transition(hotplug_t)
+	updfstab_transition(hotplug_t)
 ')

 ifdef(`TODO',`
 allow hotplug_t autofs_t:dir { search getattr };
 dontaudit hotplug_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
-allow hotplug_t rhgb_t:process sigchld;
-allow hotplug_t rhgb_t:fd use;
-allow hotplug_t rhgb_t:fifo_file { read write };
+	allow hotplug_t rhgb_t:process sigchld;
+	allow hotplug_t rhgb_t:fd use;
+	allow hotplug_t rhgb_t:fifo_file { read write };
 ')

 allow kernel_t hotplug_etc_t:dir search;
@ -180,20 +180,20 @@ dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;

 optional_policy(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
+	allow hotplug_t hald_t:unix_dgram_socket sendto;
 ')

 # this goes to hald:
 optional_policy(`hotplug.te',`
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
+	allow hald_t hotplug_etc_t:dir search;
+	allow hald_t hotplug_etc_t:file { getattr read };
 ')

 optional_policy(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
+	domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
 ')

 optional_policy(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
+	allow hotplug_t printer_device_t:chr_file setattr;
 ')
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -126,23 +126,26 @@ define(`init_make_system_domain_depend',`
 # init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 init_exec_t:file { getattr read execute };
-allow $1 init_t:process transition;
-type_transition $1 init_exec_t:process init_t;
-dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
-allow $1 init_t:fd use;
-allow init_t $1:fd use;
-allow init_t $1:fifo_file rw_file_perms;
-allow init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_exec_t:file { getattr read execute };
+	allow $1 init_t:process transition;
+	type_transition $1 init_exec_t:process init_t;
+	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow init_t $1:fifo_file rw_file_perms;
+	allow init_t $1:process sigchld;
 ')

 define(`init_transition_depend',`
-type init_t, init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type init_t, init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -150,13 +153,15 @@ class fifo_file rw_file_perms;
 # init_get_process_group(domain)
 #
 define(`init_get_process_group',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:process getpgid;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:process getpgid;
 ')

 define(`init_get_process_group_depend',`
-type init_t;
-class process getpgid;
+	type init_t;
+
+	class process getpgid;
 ')

 ########################################
@ -164,13 +169,15 @@ class process getpgid;
 # init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 initctl_t:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initctl_t:fifo_file getattr;
 ')

 define(`init_get_control_channel_attributes_depend',`
-type initctl_t;
-class fifo_file getattr;
+	type initctl_t;
+
+	class fifo_file getattr;
 ')

 ########################################
@ -178,13 +185,15 @@ class fifo_file getattr;
 # init_ignore_get_control_channel_attributes(domain)
 #
 define(`init_ignore_get_control_channel_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initctl_t:fifo_file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initctl_t:fifo_file getattr;
 ')

 define(`init_get_control_channel_attributes_depend',`
-type initctl_t;
-class fifo_file getattr;
+	type initctl_t;
+
+	class fifo_file getattr;
 ')

 ########################################
@ -192,14 +201,16 @@ class fifo_file getattr;
 # init_use_control_channel(domain)
 #
 define(`init_use_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 initctl_t:fifo_file { getattr read write };
-devices_list_device_nodes($1)
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 initctl_t:fifo_file { getattr read write };
 ')

 define(`init_use_control_channel_depend',`
-type initctl_t;
-class fifo_file { getattr read write };
+	type initctl_t;
+
+	class fifo_file { getattr read write };
 ')

 ########################################
@ -207,13 +218,15 @@ class fifo_file { getattr read write };
 # init_ignore_use_control_channel(domain)
 #
 define(`init_ignore_use_control_channel',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initctl_t:fifo_file { read write };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initctl_t:fifo_file { read write };
 ')

 define(`init_ignore_use_control_channel_depend',`
-type initctl_t;
-class fifo_file { read write };
+	type initctl_t;
+
+	class fifo_file { read write };
 ')

 ########################################
@ -221,13 +234,15 @@ class fifo_file { read write };
 # init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:process sigchld;
 ')

 define(`init_sigchld_depend',`
-type init_t;
-class process sigchld;
+	type init_t;
+
+	class process sigchld;
 ')

 ########################################
@ -235,13 +250,15 @@ class process sigchld;
 # init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 init_t:fd use;
 ')

 define(`init_use_file_descriptors_depend',`
-type init_t;
-class fd use;
+	type init_t;
+
+	class fd use;
 ')

 ########################################
@ -249,13 +266,15 @@ class fd use;
 # init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 init_t:fd use;
 ')

 define(`init_ignore_use_file_descriptors_depend',`
-type init_t;
-class fd use;
+	type init_t;
+
+	class fd use;
 ')

 ########################################
@ -263,23 +282,26 @@ class fd use;
 # init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_exec_t:file { getattr read execute };
-allow $1 initrc_t:process transition;
-type_transition $1 initrc_exec_t:process init_t;
-dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
-allow $1 initrc_t:fd use;
-allow initrc_t $1:fd use;
-allow initrc_t $1:fifo_file rw_file_perms;
-allow initrc_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_exec_t:file { getattr read execute };
+	allow $1 initrc_t:process transition;
+	type_transition $1 initrc_exec_t:process init_t;
+	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 initrc_t:fd use;
+	allow initrc_t $1:fd use;
+	allow initrc_t $1:fifo_file rw_file_perms;
+	allow initrc_t $1:process sigchld;
 ')

 define(`init_script_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type initrc_t, initrc_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -287,13 +309,15 @@ class fifo_file rw_file_perms;
 # init_script_execute(domain)
 #
 define(`init_script_execute',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`init_script_execute_depend',`
-type initrc_exec_t;
-class file { getattr read execute execute_no_trans };
+	type initrc_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -308,23 +332,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`init_script_read_process_state',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:dir { search getattr read };
-allow $1 initrc_t:{ file lnk_file } { read getattr };
-allow $1 initrc_t:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 initrc_t:process ptrace;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:dir { search getattr read };
+	allow $1 initrc_t:{ file lnk_file } { read getattr };
+	allow $1 initrc_t:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 initrc_t:process ptrace;
 ')

 define(`init_script_read_process_state_depend',`
-type initrc_t;
-class dir { search getattr read };
-class file { read getattr };
-class lnk_file { read getattr };
-class process { getattr ptrace };
+	type initrc_t;
+
+	class dir { search getattr read };
+	class file { read getattr };
+	class lnk_file { read getattr };
+	class process { getattr ptrace };
 ')

 ########################################
@ -332,13 +359,15 @@ class process { getattr ptrace };
 # init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:fd use;
 ')

 define(`init_script_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+	type initrc_t;
+
+	class fd use;
 ')

 ########################################
@ -346,13 +375,15 @@ class fd use;
 # init_script_ignore_use_file_descriptors(domain)
 #
 define(`init_script_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_t:fd use;
 ')

 define(`init_script_ignore_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+	type initrc_t;
+
+	class fd use;
 ')

 ########################################
@ -360,13 +391,15 @@ class fd use;
 # init_script_get_process_group(domain)
 #
 define(`init_script_get_process_group',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:process getpgid;
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_t:process getpgid;
 ')

 define(`init_script_get_process_group_depend',`
-type initrc_t;
-class process getpgid;
+	type initrc_t;
+
+	class process getpgid;
 ')

 ########################################
@ -374,14 +407,16 @@ class process getpgid;
 # init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_list_pseudoterminals($1)
-allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	terminal_list_pseudoterminals($1)
+	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
 ')

 define(`init_script_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { getattr read write ioctl };
+	type initrc_devpts_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -389,13 +424,15 @@ class chr_file { getattr read write ioctl };
 # init_script_ignore_use_pseudoterminal(domain)
 #
 define(`init_script_ignore_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_devpts_t:chr_file { read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	allow $1 initrc_devpts_t:chr_file { read write ioctl };
 ')

 define(`init_script_ignore_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { read write ioctl };
+	type initrc_devpts_t;
+
+	class chr_file { read write ioctl };
 ')

 ########################################
@ -410,14 +447,16 @@ class chr_file { read write ioctl };
 ## </interface>
 #
 define(`init_script_modify_temporary_data',`
-requires_block_template(`$0'_depend)
-# FIXME: read tmp_t
-allow $1 initrc_tmp_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: read tmp_t
+	allow $1 initrc_tmp_t:file { getattr read write };
 ')

 define(`init_script_modify_temporary_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write };
+	type initrc_var_run_t;
+
+	class file { getattr read write };
 ')

 ########################################
@ -425,14 +464,16 @@ class file { getattr read write };
 # init_script_read_runtime_data(domain)
 #
 define(`init_script_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read lock };
+	requires_block_template(`$0'_depend)
+
+	files_read_runtime_data_directory($1)
+	allow $1 initrc_var_run_t:file { getattr read lock };
 ')

 define(`init_script_read_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read lock };
+	type initrc_var_run_t;
+
+	class file { getattr read lock };
 ')

 ########################################
@ -440,13 +481,15 @@ class file { getattr read lock };
 # init_script_ignore_write_runtime_data(domain)
 #
 define(`init_script_ignore_write_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { write lock };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_var_run_t:file { write lock };
 ')

 define(`init_script_ignore_write_runtime_data_depend',`
-type initrc_var_run_t;
-class file { write lock };
+	type initrc_var_run_t;
+
+	class file { write lock };
 ')

 ########################################
@ -454,14 +497,16 @@ class file { write lock };
 # init_script_modify_runtime_data(domain)
 #
 define(`init_script_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read write append lock };
+	requires_block_template(`$0'_depend)
+
+	files_read_runtime_data_directory($1)
+	allow $1 initrc_var_run_t:file { getattr read write append lock };
 ')

 define(`init_script_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append lock };
+	type initrc_var_run_t;
+
+	class file { getattr read write append lock };
 ')

 ########################################
@ -469,13 +514,15 @@ class file { getattr read write append lock };
 # init_script_ignore_modify_runtime_data(domain)
 #
 define(`init_script_ignore_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')

 define(`init_script_ignore_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append };
+	type initrc_var_run_t;
+
+	class file { getattr read write append };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`iptables_transition',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute };
-allow $1 iptables_t:process transition;
-type_transition $1 iptables_exec_t:process iptables_t;
-dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
-allow $1 iptables_t:fd use;
-allow iptables_t $1:fd use;
-allow iptables_t $1:fifo_file rw_file_perms;
-allow iptables_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 iptables_exec_t:file { getattr read execute };
+	allow $1 iptables_t:process transition;
+	type_transition $1 iptables_exec_t:process iptables_t;
+	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 iptables_t:fd use;
+	allow iptables_t $1:fd use;
+	allow iptables_t $1:fifo_file rw_file_perms;
+	allow iptables_t $1:process sigchld;
 ')

 define(`iptables_transition_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type iptables_t, iptables_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`iptables_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-iptables_transition($1)
-role $2 types iptables_t;
-allow iptables_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	iptables_transition($1)
+	role $2 types iptables_t;
+	allow iptables_t $3:chr_file { getattr read write ioctl };
 ')

 define(`iptables_transition_add_role_use_terminal_depend',`
-type iptables_t;
-class chr_file { getattr read write ioctl };
+	type iptables_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`iptables_execute',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`iptables_execute_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute execute_no_trans };
+	type iptables_t, iptables_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@ -117,10 +117,10 @@ allow iptables_t autofs_t:dir { search getattr };
 can_ypbind(iptables_t)

 optional_policy(`gnome-pty-helper.te',`
-allow iptables_t sysadm_gph_t:fd use;
+	allow iptables_t sysadm_gph_t:fd use;
 ')

 optional_policy(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
+	allow iptables_t firstboot_t:fifo_file write;
 ')
 ') dnl ifdef TODO
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`libraries_ldconfig_transition',`
-requires_block_template(`$0'_depend)
-allow $1 ldconfig_exec_t:file { getattr read execute };
-allow $1 ldconfig_t:process transition;
-type_transition $1 ldconfig_exec_t:process ldconfig_t;
-dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
-allow $1 ldconfig_t:fd use;
-allow ldconfig_t $1:fd use;
-allow ldconfig_t $1:fifo_file rw_file_perms;
-allow ldconfig_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ldconfig_exec_t:file { getattr read execute };
+	allow $1 ldconfig_t:process transition;
+	type_transition $1 ldconfig_exec_t:process ldconfig_t;
+	dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 ldconfig_t:fd use;
+	allow ldconfig_t $1:fd use;
+	allow ldconfig_t $1:fifo_file rw_file_perms;
+	allow ldconfig_t $1:process sigchld;
 ')

 define(`libraries_ldconfig_transition_depend',`
-type ldconfig_t, ldconfig_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type ldconfig_t, ldconfig_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`libraries_ldconfig_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-libraries_ldconfig_transition($1)
-role $2 types ldconfig_t;
-allow ldconfig_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	libraries_ldconfig_transition($1)
+	role $2 types ldconfig_t;
+	allow ldconfig_t $3:chr_file { getattr read write ioctl };
 ')

 define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
-type ldconfig_t;
-class chr_file { getattr read write ioctl };
+	type ldconfig_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -74,20 +79,22 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`libraries_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-allow $1 ld_so_cache_t:file r_file_perms;
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:file rx_file_perms;
+	allow $1 ld_so_cache_t:file r_file_perms;
 ')

 define(`libraries_use_dynamic_loader_depend',`
-type lib_t, ld_so_t, ld_so_cache_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_file_perms;
+	type lib_t, ld_so_t, ld_so_cache_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file rx_file_perms;
 ')

 ########################################
@ -103,15 +110,17 @@ class file rx_file_perms;
 ## </interface>
 #
 define(`libraries_legacy_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-libraries_use_dynamic_loader($1)
-allow $1 ld_so_t:file execmod;
-allow $1 ld_so_cache_t:file execute;
+	requires_block_template(`$0'_depend)
+
+	libraries_use_dynamic_loader($1)
+	allow $1 ld_so_t:file execmod;
+	allow $1 ld_so_cache_t:file execute;
 ')

 define(`libraries_legacy_use_dynamic_loader_depend',`
-type ld_so_t, ld_so_cache_t;
-class file { execute execmod };
+	type ld_so_t, ld_so_cache_t;
+
+	class file { execute execmod };
 ')

 ########################################
@ -131,18 +140,20 @@ class file { execute execmod };
 ## </interface>
 #
 define(`libraries_execute_dynamic_loader',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
 ')

 define(`libraries_execute_dynamic_loader_depend',`
-type lib_t, ld_so_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file { r_file_perms execute execute_no_trans };
+	type lib_t, ld_so_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file { r_file_perms execute execute_no_trans };
 ')

 ########################################
@ -158,14 +169,16 @@ class file { r_file_perms execute execute_no_trans };
 ## </interface>
 #
 define(`libraries_modify_dynamic_loader_cache',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 ld_so_cache_t:file { getattr read write };
+	requires_block_template(`$0'_depend)
+
+	files_read_general_system_config_directory($1)
+	allow $1 ld_so_cache_t:file { getattr read write };
 ')

 define(`libraries_modify_dynamic_loader_cache_depend',`
-type ld_so_cache_t;
-class file { getattr read write };
+	type ld_so_cache_t;
+
+	class file { getattr read write };
 ')

 ########################################
@ -181,16 +194,18 @@ class file { getattr read write };
 ## </interface>
 #
 define(`libraries_read_library_resources',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:{ file lnk_file } { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:{ file lnk_file } { getattr read };
 ')

 define(`libraries_read_library_resources_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
+	type lib_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')

 ########################################
@ -205,17 +220,19 @@ class file { getattr read };
 ## </interface>
 #
 define(`libraries_execute_library_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 lib_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:lnk_file { getattr read };
+	allow $1 lib_t:file { getattr read execute execute_no_trans };
 ')

 define(`libraries_execute_library_scripts_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+	type lib_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -230,19 +247,21 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`libraries_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-files_search_general_application_resources_dir($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
+	requires_block_template(`$0'_depend)
+
+	files_search_general_application_resources_dir($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
+	allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 ')

 define(`libraries_use_shared_libraries_depend',`
-type lib_t, shlib_t, texrel_shlib_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_dir_perms;
+	type lib_t, shlib_t, texrel_shlib_t;
+
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file rx_dir_perms;
 ')

 ########################################
@ -258,14 +277,16 @@ class file rx_dir_perms;
 ## </interface>
 #
 define(`libraries_legacy_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-libraries_use_shared_libraries($1)
-allow $1 { shlib_t texrel_shlib_t }:file execmod;
+	requires_block_template(`$0'_depend)
+
+	libraries_use_shared_libraries($1)
+	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')

 define(`libraries_legacy_use_shared_libraries_depend',`
-type shlib_t, texrel_shlib_t;
-class file execmod;
+	type shlib_t, texrel_shlib_t;
+
+	class file execmod;
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -80,21 +80,21 @@ ifdef(`TODO',`
 allow ldconfig_t tmp_t:dir search;

 ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
+	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+	dontaudit ldconfig_t httpd_modules_t:dir search;
 ')

 allow ldconfig_t { var_t var_lib_t }:dir search;

 ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+	ifdef(`unconfined.te',`
+		dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+	')
 ')

 ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
+	allow ldconfig_t lib_t:file r_file_perms;
+	unconfined_domain(ldconfig_t) 
 ')

 ') dnl end TODO
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@ -4,12 +4,13 @@
 # locallogin_transition(domain)
 #
 define(`locallogin_transition',`
-requires_block_template(`$0'_depend)
-authlogin_login_program_transition($1,local_login_t)
+	requires_block_template(`$0'_depend)
+
+	authlogin_login_program_transition($1,local_login_t)
 ')

 define(`locallogin_transition_depend',`
-type local_login_t;
+	type local_login_t;
 ')

 ########################################
@ -17,11 +18,13 @@ type local_login_t;
 # locallogin_use_file_descriptors(domain)
 #
 define(`locallogin_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 local_login_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 local_login_t:fd use;
 ')

 define(`locallogin_use_file_descriptors_depend',`
-type local_login_t;
-class fd use;
+	type local_login_t;
+
+	class fd use;
 ')
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@ -117,7 +117,7 @@ ifdef(`TODO',`

 can_ypbind(local_login_t)
 ifdef(`automount.te', `
-allow local_login_t autofs_t:dir { search getattr };
+	allow local_login_t autofs_t:dir { search getattr };
 ')

 allow local_login_t bin_t:dir r_dir_perms;
@ -125,8 +125,8 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
 allow local_login_t sbin_t:dir r_dir_perms;
 allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
 if (read_default_t) {
-allow local_login_t default_t:dir r_dir_perms;
-allow local_login_t default_t:notdevfile_class_set r_file_perms;
+	allow local_login_t default_t:dir r_dir_perms;
+	allow local_login_t default_t:notdevfile_class_set r_file_perms;
 }

 # Read directories and files with the readable_t type.
@ -144,18 +144,18 @@ allow local_login_t mnt_t:dir r_dir_perms;

 # FIXME: what is this for?
 optional_policy(`xdm.te', `
-allow xdm_t local_login_t:process signull;
+	allow xdm_t local_login_t:process signull;
 ')

 ifdef(`crack.te', `
-allow local_login_t crack_db_t:file r_file_perms;
+	allow local_login_t crack_db_t:file r_file_perms;
 ')

 allow local_login_t mouse_device_t:chr_file { getattr setattr };

 tunable_policy(`targeted_policy',`
-unconfined_domain(local_login_t)
-domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
+	unconfined_domain(local_login_t)
+	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')

 # Do not audit denied attempts to access devices.
@ -173,7 +173,7 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 dontaudit local_login_t mnt_t:dir r_dir_perms;

 optional_policy(`gpm.te',`
-allow local_login_t gpmctl_t:sock_file { getattr setattr };
+	allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')

 # Allow setting of attributes on sound devices.
@ -231,21 +231,21 @@ userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)

 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
-ifdef(`distro_debian', `define(`sulogin_no_pam')')
+	ifdef(`distro_suse', `define(`sulogin_no_pam')')
+	ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy

 tunable_policy(`sulogin_no_pam', `
-allow sulogin_t self:capability sys_tty_config;
-init_get_process_group(sulogin_t)
+	allow sulogin_t self:capability sys_tty_config;
+	init_get_process_group(sulogin_t)
 ', `
-allow sulogin_t self:process setexec;
-kernel_get_selinuxfs_mount_point(sulogin_t)
-kernel_validate_selinux_context(sulogin_t)
-kernel_compute_selinux_access_vector(sulogin_t)
-kernel_compute_selinux_create_context(sulogin_t)
-kernel_compute_selinux_relabel_context(sulogin_t)
-kernel_compute_selinux_reachable_user_contexts(sulogin_t)
+	allow sulogin_t self:process setexec;
+	kernel_get_selinuxfs_mount_point(sulogin_t)
+	kernel_validate_selinux_context(sulogin_t)
+	kernel_compute_selinux_access_vector(sulogin_t)
+	kernel_compute_selinux_create_context(sulogin_t)
+	kernel_compute_selinux_relabel_context(sulogin_t)
+	kernel_compute_selinux_reachable_user_contexts(sulogin_t)
 ')

 ifdef(`TODO',`
@ -254,7 +254,7 @@ allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };

 can_ypbind(sulogin_t)
 ifdef(`automount.te', `
-allow sulogin_t autofs_t:dir { search getattr };
+	allow sulogin_t autofs_t:dir { search getattr };
 ')

 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -6,13 +6,14 @@
 # logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 logfile;
+	requires_block_template(`$0'_depend)
+
+	files_make_file($1)
+	typeattribute $1 logfile;
 ')

 define(`logging_make_log_file_depend',`
-attribute logfile;
+	attribute logfile;
 ')

 ########################################
@ -20,18 +21,21 @@ attribute logfile;
 # logging_create_private_log(domain,privatetype,[class(es)])
 #
 define(`logging_create_private_log',`
-requires_block_template(`$0'_depend)
-allow $1 var_log_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_log_t:file $2;
-',`
-type_transition $1 var_log_t:$3 $2;
-') dnl end ifelse
+	requires_block_template(`$0'_depend)
+
+	allow $1 var_log_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_log_t:file $2;
+	',`
+		type_transition $1 var_log_t:$3 $2;
+	')
 ')

 define(`logging_create_private_log_depend',`
-type var_log_t;
-class dir { getattr search read write add_name remove_name };
+	type var_log_t;
+
+	class dir rw_dir_perms;
 ')

 #######################################
@ -39,23 +43,27 @@ class dir { getattr search read write add_name remove_name };
 # logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(`$0'_depend)
-allow $1 devlog_t:lnk_file read;
-allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
-# the type of socket depends on the syslog daemon
-allow $1 syslogd_t:unix_dgram_socket sendto;
-allow $1 syslogd_t:unix_stream_socket connectto;
-allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-# cjp: this should most likely be removed:
-terminal_use_console($1)
+	requires_block_template(`$0'_depend)
+
+	allow $1 devlog_t:lnk_file read;
+	allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+
+	# the type of socket depends on the syslog daemon
+	allow $1 syslogd_t:unix_dgram_socket sendto;
+	allow $1 syslogd_t:unix_stream_socket connectto;
+	allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+
+	# cjp: this should most likely be removed:
+	terminal_use_console($1)
 ')

 define(`logging_send_system_log_message_depend',`
-type syslogd_t, devlog_t;
-class sock_file { ioctl read getattr lock write append };
-class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
-class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+	type syslogd_t, devlog_t;
+
+	class sock_file { ioctl read getattr lock write append };
+	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
+	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
 ')

 ########################################
@ -72,14 +80,16 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 ## </interface>
 #
 define(`logging_search_system_log_directory',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir search;
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir search;
 ')

 define(`logging_search_system_log_directory_depend',`
-type var_log_t;
-class dir search;
+	type var_log_t;
+
+	class dir search;
 ')

 #######################################
@ -87,13 +97,15 @@ class dir search;
 # logging_ignore_get_all_logs_attributes(domain)
 #
 define(`logging_ignore_get_all_logs_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 logfile:file getattr;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 logfile:file getattr;
 ')

 define(`logging_ignore_get_all_logs_attributes_depend',`
-attribute logfile;
-class file getattr;
+	attribute logfile;
+
+	class file getattr;
 ')

 #######################################
@ -101,17 +113,20 @@ class file getattr;
 # logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr append };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 logfile:file { getattr append };
 ')

 define(`logging_append_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr append };
+	attribute logfile;
+
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr append };
 ')

 #######################################
@ -119,17 +134,20 @@ class file { getattr append };
 # logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 logfile:file { getattr read };
 ')

 define(`logging_read_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+	attribute logfile;
+
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 #######################################
@ -137,16 +155,18 @@ class file { getattr read };
 # logging_read_system_logs(domain)
 #
 define(`logging_read_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr read };
 ')

 define(`logging_read_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 #######################################
@ -154,16 +174,18 @@ class file { getattr read };
 # logging_write_system_logs(domain)
 #
 define(`logging_write_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr write };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr write };
 ')

 define(`logging_write_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr write };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr write };
 ')

 #######################################
@ -171,16 +193,18 @@ class file { getattr write };
 # logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	files_search_system_state_data_directory($1)
+	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:file { getattr read write append };
 ')

 define(`logging_modify_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read write append };
+	type var_log_t;
+
+	class dir { getattr search read };
+	class file { getattr read write append };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@ -157,28 +157,28 @@ allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };

 ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-kernel_read_messages(syslogd_t)
-kernel_clear_ring_buffer(syslogd_t)
-kernel_change_ring_buffer_level(syslogd_t)
+	# Allow access to /proc/kmsg for syslog-ng
+	kernel_read_messages(syslogd_t)
+	kernel_clear_ring_buffer(syslogd_t)
+	kernel_change_ring_buffer_level(syslogd_t)
 ')

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(syslogd_t)
-terminal_ignore_use_general_pseudoterminal(syslogd_t)
-files_ignore_read_rootfs_file(syslogd_t)
+	terminal_ignore_use_general_physical_terminal(syslogd_t)
+	terminal_ignore_use_general_pseudoterminal(syslogd_t)
+	files_ignore_read_rootfs_file(syslogd_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(syslogd_t)
+	selinux_newrole_sigchld(syslogd_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(syslogd_t)
+	udev_read_database(syslogd_t)
 ')

 optional_policy(`cron.te',`
-cron_modify_log(syslogd_t)
+	cron_modify_log(syslogd_t)
 ')

 ifdef(`TODO',`
@ -186,17 +186,17 @@ allow syslogd_t proc_t:lnk_file read;
 allow syslogd_t autofs_t:dir { search getattr };
 dontaudit syslogd_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
-allow syslogd_t rhgb_t:process sigchld;
-allow syslogd_t rhgb_t:fd use;
-allow syslogd_t rhgb_t:fifo_file { read write };
+	allow syslogd_t rhgb_t:process sigchld;
+	allow syslogd_t rhgb_t:fd use;
+	allow syslogd_t rhgb_t:fifo_file { read write };
 ')
 tunable_policy(`direct_sysadm_daemon',`
-dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
+	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')

 tunable_policy(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
+	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')

 # can_network is for the UDP socket
@ -206,12 +206,12 @@ can_ypbind(syslogd_t)
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };

 ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
+	# for daemon re-start
+	allow system_crond_t syslogd_t:lnk_file read;
 ')

 ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
+	allow logrotate_t syslogd_exec_t:file r_file_perms;
 ')

 #
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`lvm_transition',`
-requires_block_template(`$0'_depend)
-allow $1 lvm_exec_t:file { getattr read execute };
-allow $1 lvm_t:process transition;
-type_transition $1 lvm_exec_t:process lvm_t;
-dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
-allow $1 lvm_t:fd use;
-allow lvm_t $1:fd use;
-allow lvm_t $1:fifo_file rw_file_perms;
-allow lvm_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 lvm_exec_t:file { getattr read execute };
+	allow $1 lvm_t:process transition;
+	type_transition $1 lvm_exec_t:process lvm_t;
+	dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 lvm_t:fd use;
+	allow lvm_t $1:fd use;
+	allow lvm_t $1:fifo_file rw_file_perms;
+	allow lvm_t $1:process sigchld;
 ')

 define(`lvm_transition_depend',`
-type lvm_t, lvm_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type lvm_t, lvm_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`lvm_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-lvm_transition($1)
-role $2 types lvm_t;
-allow lvm_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	lvm_transition($1)
+	role $2 types lvm_t;
+	allow lvm_t $3:chr_file { getattr read write ioctl };
 ')

 define(`lvm_transition_add_role_use_terminal_depend',`
-type lvm_t;
-class chr_file { getattr read write ioctl };
+	type lvm_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -73,14 +78,16 @@ class chr_file { getattr read write ioctl };
 ## </interface>
 #
 define(`lvm_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 lvm_etc_t:dir { getattr search read };
-allow $1 lvm_etc_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 lvm_etc_t:dir { getattr search read };
+	allow $1 lvm_etc_t:file { getattr read };
 ')

 define(`lvm_read_config_depend',`
-type lvm_t, lvm_exec_t;
-class file { getattr read };
+	type lvm_t, lvm_exec_t;
+
+	class file { getattr read };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@ -169,17 +169,17 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 dontaudit lvm_t var_run_t:dir getattr;

 optional_policy(`gnome-pty-helper.te', `
-allow lvm_t sysadm_gph_t:fd use;
+	allow lvm_t sysadm_gph_t:fd use;
 ')

 optional_policy(`gpm.te', `
-dontaudit lvm_t gpmctl_t:sock_file getattr;
+	dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')

 optional_policy(`rhgb.te', `
-allow $1_t rhgb_t:process sigchld;
-allow $1_t rhgb_t:fd use;
-allow $1_t rhgb_t:fifo_file { read write };
+	allow $1_t rhgb_t:process sigchld;
+	allow $1_t rhgb_t:fd use;
+	allow $1_t rhgb_t:fifo_file { read write };
 ')

 ') dnl end TODO
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -4,16 +4,18 @@
 # miscfiles_manage_man_page_cache(domain)
 #
 define(`miscfiles_manage_man_page_cache',`
-requires_block_template(`$0'_depend)
-# FIXME: search var_t dir
-allow $1 catman_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 catman_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search var_t dir
+	allow $1 catman_t:dir create_dir_perms;
+	allow $1 catman_t:file create_file_perms;
 ')

 define(`miscfiles_manage_man_page_cache_depend',`
-type catman_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type catman_t;
+
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')

 ########################################
@ -21,18 +23,20 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # miscfiles_read_fonts(domain)
 #
 define(`miscfiles_read_fonts',`
-requires_block_template(`$0'_depend)
-# FIXME: search usr_t dir
-# FIXME: search lib_t dir
-# cjp: fonts can be in either of the above dirs
-allow $1 fonts_t:dir { getattr read search };
-allow $1 fonts_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search usr_t dir
+	# FIXME: search lib_t dir
+	# cjp: fonts can be in either of the above dirs
+	allow $1 fonts_t:dir { getattr read search };
+	allow $1 fonts_t:file { getattr read };
 ')

 define(`miscfiles_read_fonts_depend',`
-type fonts_t;
-class dir { getattr read search };
-class file { getattr read };
+	type fonts_t;
+
+	class dir { getattr read search };
+	class file { getattr read };
 ')

 ########################################
@ -40,23 +44,24 @@ class file { getattr read };
 # miscfiles_read_localization(domain)
 #
 define(`miscfiles_read_localization',`
-requires_block_template(`$0'_depend)
-# FIXME: $1 read etc_t:lnk_file here
-# FIXME: $1 search usr_t:dir here
+	requires_block_template(`$0'_depend)

-# why?
-libraries_read_library_resources($1)
+	# FIXME: $1 read etc_t:lnk_file here
+	# FIXME: $1 search usr_t:dir here
+	allow $1 locale_t:dir { getattr read search };
+	allow $1 locale_t:lnk_file { getattr read };
+	allow $1 locale_t:file { getattr read };

-allow $1 locale_t:dir { getattr read search };
-allow $1 locale_t:lnk_file { getattr read };
-allow $1 locale_t:file { getattr read };
+	# why?
+	libraries_read_library_resources($1)
 ')

 define(`miscfiles_read_localization_depend',`
-type locale_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
+	type locale_t;
+
+	class dir { getattr read search };
+	class lnk_file { getattr read };
+	class file { getattr read };
 ')

 ########################################
@ -64,14 +69,16 @@ class file { getattr read };
 # miscfiles_legacy_read_localization(domain)
 #
 define(`miscfiles_legacy_read_localization',`
-requires_block_template(`$0'_depend)
-miscfiles_read_localization($1)
-allow $1 locale_t:file execute;
+	requires_block_template(`$0'_depend)
+
+	miscfiles_read_localization($1)
+	allow $1 locale_t:file execute;
 ')

 define(`miscfiles_read_localization_depend',`
-type locale_t;
-class file execute;
+	type locale_t;
+
+	class file execute;
 ')

 ########################################
@ -79,16 +86,18 @@ class file execute;
 # miscfiles_read_man_pages(domain)
 #
 define(`miscfiles_read_man_pages',`
-requires_block_template(`$0'_depend)
-# FIXME: search usr_t dir
-allow $1 man_t:dir { getattr read search };
-allow $1 man_t:file { getattr read };
-allow $1 man_t:lnk_file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search usr_t dir
+	allow $1 man_t:dir { getattr read search };
+	allow $1 man_t:file { getattr read };
+	allow $1 man_t:lnk_file { getattr read };
 ')

 define(`miscfiles_read_man_pages_depend',`
-type man_t;
-class dir { getattr read search };
-class file { getattr read };
-class lnk_file { getattr read };
+	type man_t;
+
+	class dir { getattr read search };
+	class file { getattr read };
+	class lnk_file { getattr read };
 ')
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@ -13,15 +13,17 @@
 ## </interface>
 #
 define(`modutils_read_kernel_module_dependencies',`
-requires_block_template(`$0'_depend)
-bootloader_list_kernel_modules($1)
-allow $1 modules_dep_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	bootloader_list_kernel_modules($1)
+	allow $1 modules_dep_t:file { getattr read };
 ')

 define(`modutils_read_kernel_module_dependencies_depend',`
-type modules_dep_t;
-class file { getattr create read write setattr unlink };
-class dir { search read write add_name remove_name };
+	type modules_dep_t;
+
+	class file { getattr create read write setattr unlink };
+	class dir { search read write add_name remove_name };
 ')

 ########################################
@ -37,13 +39,15 @@ class dir { search read write add_name remove_name };
 ## </interface>
 #
 define(`modutils_read_kernel_module_loading_config',`
-requires_block_template(`$0'_depend)
-allow $1 modules_conf_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 modules_conf_t:file { getattr read };
 ')

 define(`modutils_read_kernel_module_loading_config_depend',`
-type modules_conf_t;
-class file { getattr create read write setattr unlink };
+	type modules_conf_t;
+
+	class file { getattr create read write setattr unlink };
 ')

 ########################################
@ -59,23 +63,26 @@ class file { getattr create read write setattr unlink };
 ## </interface>
 #
 define(`modutils_insmod_transition',`
-requires_block_template(`$0'_depend)
-allow $1 insmod_exec_t:file { getattr read execute };
-allow $1 insmod_t:process transition;
-type_transition $1 insmod_exec_t:process insmod_t;
-dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
-allow $1 insmod_t:fd use;
-allow insmod_t $1:fd use;
-allow insmod_t $1:fifo_file rw_file_perms;
-allow insmod_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 insmod_exec_t:file { getattr read execute };
+	allow $1 insmod_t:process transition;
+	type_transition $1 insmod_exec_t:process insmod_t;
+	dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 insmod_t:fd use;
+	allow insmod_t $1:fd use;
+	allow insmod_t $1:fifo_file rw_file_perms;
+	allow insmod_t $1:process sigchld;
 ')

 define(`modutils_insmod_transition_depend',`
-type insmod_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type insmod_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -99,15 +106,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_insmod_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_insmod_transition($1)
-role $2 types insmod_t;
-allow insmod_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_insmod_transition($1)
+	role $2 types insmod_t;
+	allow insmod_t $3:chr_file { getattr read write ioctl };
 ')

 define(`modutils_insmod_transition_add_role_use_terminal_depend',`
-type insmod_t;
-class chr_file { getattr read write ioctl };
+	type insmod_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -115,13 +124,15 @@ class chr_file { getattr read write ioctl };
 # modutils_insmod_execute(domain)
 #
 define(`modutils_insmod_execute',`
-requires_block_template(`$0'_depend)
-allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`modutils_insmod_execute_depend',`
-type insmod_t;
-class file { getattr read execute execute_no_trans };
+	type insmod_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -136,23 +147,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`modutils_depmod_transition',`
-requires_block_template(`$0'_depend)
-allow $1 depmod_exec_t:file { getattr read execute };
-allow $1 depmod_t:process transition;
-type_transition $1 depmod_exec_t:process depmod_t;
-dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
-allow $1 depmod_t:fd use;
-allow depmod_t $1:fd use;
-allow depmod_t $1:fifo_file rw_file_perms;
-allow depmod_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 depmod_exec_t:file { getattr read execute };
+	allow $1 depmod_t:process transition;
+	type_transition $1 depmod_exec_t:process depmod_t;
+	dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 depmod_t:fd use;
+	allow depmod_t $1:fd use;
+	allow depmod_t $1:fifo_file rw_file_perms;
+	allow depmod_t $1:process sigchld;
 ')

 define(`modutils_depmod_transition_depend',`
-type depmod_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type depmod_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -173,15 +187,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_depmod_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_depmod_transition($1)
-role $2 types insmod_t;
-allow insmod_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_depmod_transition($1)
+	role $2 types insmod_t;
+	allow insmod_t $3:chr_file { getattr read write ioctl };
 ')

 define(`modutils_depmod_transition_add_role_use_terminal_depend',`
-type depmod_t;
-class chr_file { getattr read write ioctl };
+	type depmod_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -189,13 +205,15 @@ class chr_file { getattr read write ioctl };
 # modutils_depmod_execute(domain)
 #
 define(`modutils_depmod_execute',`
-requires_block_template(`$0'_depend)
-allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`modutils_depmod_execute_depend',`
-type depmod_t;
-class file { getattr read execute execute_no_trans };
+	type depmod_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -210,23 +228,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`modutils_update_modules_transition',`
-requires_block_template(`$0'_depend)
-allow $1 update_modules_exec_t:file { getattr read execute };
-allow $1 update_modules_t:process transition;
-type_transition $1 update_modules_exec_t:process update_modules_t;
-dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
-allow $1 update_modules_t:fd use;
-allow update_modules_t $1:fd use;
-allow update_modules_t $1:fifo_file rw_file_perms;
-allow update_modules_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 update_modules_exec_t:file { getattr read execute };
+	allow $1 update_modules_t:process transition;
+	type_transition $1 update_modules_exec_t:process update_modules_t;
+	dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 update_modules_t:fd use;
+	allow update_modules_t $1:fd use;
+	allow update_modules_t $1:fifo_file rw_file_perms;
+	allow update_modules_t $1:process sigchld;
 ')

 define(`modutils_update_modules_transition_depend',`
-type update_modules_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh signal };
-class fd use;
-class fifo_file rw_file_perms;
+	type update_modules_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh signal };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -247,15 +268,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`modutils_update_modules_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-modutils_update_modules_transition($1)
-role $2 types update_modules_t;
-allow update_modules_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	modutils_update_modules_transition($1)
+	role $2 types update_modules_t;
+	allow update_modules_t $3:chr_file { getattr read write ioctl };
 ')

 define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
-type update_modules_t;
-class chr_file { getattr read write ioctl };
+	type update_modules_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -263,13 +286,15 @@ class chr_file { getattr read write ioctl };
 # modutils_update_modules_execute(domain)
 #
 define(`modutils_update_modules_execute',`
-requires_block_template(`$0'_depend)
-allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`modutils_update_modules_execute_depend',`
-type update_modules_t;
-class file { getattr read execute execute_no_trans };
+	type update_modules_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -98,7 +98,7 @@ logging_search_system_log_directory(insmod_t)
 miscfiles_read_localization(insmod_t)

 optional_policy(`mount.te',`
-mount_transition(insmod_t)
+	mount_transition(insmod_t)
 ')

 ifdef(`TODO',`
@ -108,7 +108,7 @@ allow insmod_t apm_bios_t:chr_file { read write };
 allow insmod_t sound_device_t:chr_file { read ioctl write };

 ifdef(`xserver.te', `
-allow insmod_t xserver_log_t:file getattr;
+	allow insmod_t xserver_log_t:file getattr;
 ')

 # why is this needed?  insmod cannot mounton any dir
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`mount_transition',`
-requires_block_template(`$0'_depend)
-allow $1 mount_exec_t:file { getattr read execute };
-allow $1 mount_t:process transition;
-type_transition $1 mount_exec_t:process mount_t;
-dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
-allow $1 mount_t:fd use;
-allow mount_t $1:fd use;
-allow mount_t $1:fifo_file rw_file_perms;
-allow mount_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_exec_t:file { getattr read execute };
+	allow $1 mount_t:process transition;
+	type_transition $1 mount_exec_t:process mount_t;
+	dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 mount_t:fd use;
+	allow mount_t $1:fd use;
+	allow mount_t $1:fifo_file rw_file_perms;
+	allow mount_t $1:process sigchld;
 ')

 define(`mount_transition_depend',`
-type mount_t, mount_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type mount_t, mount_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -52,15 +55,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`mount_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-mount_transition($1)
-role $2 types mount_t;
-allow mount_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	mount_transition($1)
+	role $2 types mount_t;
+	allow mount_t $3:chr_file { getattr read write ioctl };
 ')

 define(`mount_transition_add_role_use_terminal_depend',`
-type mount_t;
-class chr_file { getattr read write ioctl };
+	type mount_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -68,13 +73,15 @@ class chr_file { getattr read write ioctl };
 # mount_use_file_descriptors(domain)
 #
 define(`mount_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 mount_t:fd use; 
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_t:fd use; 
 ')

 define(`mount_use_file_descriptors_depend',`
-type mount_t;
-class fd use;
+	type mount_t;
+
+	class fd use;
 ')

 #######################################
@ -82,13 +89,15 @@ class fd use;
 # mount_send_nfs_client_request(domain)
 #
 define(`mount_send_nfs_client_request',`
-requires_block_template(`$0'_depend)
-allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
+	requires_block_template(`$0'_depend)
+
+	allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
 ')

 define(`mount_send_nfs_client_request_depend',`
-type mount_t;
-class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	type mount_t;
+
+	class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -69,37 +69,36 @@ miscfiles_read_localization(mount_t)
 userdomain_use_all_users_file_descriptors(mount_t)

 tunable_policy(`distro_redhat',`
-filesystem_use_tmpfs_character_devices(mount_t)
-allow mount_t tmpfs_t:dir mounton;
+	filesystem_use_tmpfs_character_devices(mount_t)
+	allow mount_t tmpfs_t:dir mounton;

-optional_policy(`authlogin.te',`
-authlogin_pam_console_read_runtime_data(mount_t)
-# mount config by default sets fscontext=removable_t
-filesystem_relabelfrom_dos_filesystem(mount_t)
-') dnl end authlogin
-
-') dnl end distro_redhat
+	optional_policy(`authlogin.te',`
+		authlogin_pam_console_read_runtime_data(mount_t)
+		# mount config by default sets fscontext=removable_t
+		filesystem_relabelfrom_dos_filesystem(mount_t)
+	')
+')

 optional_policy(`portmap.te', `
-# for nfs
-#can_ypbind(mount_t)
-#allow portmap_t mount_t:udp_socket { sendto recvfrom };
-#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-#allow mount_t rpc_pipefs_t:dir search;
-corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
-corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
-corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
-corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
-corenetwork_sendrecv_raw_on_all_nodes(mount_t)
-corenetwork_sendrecv_udp_on_all_nodes(mount_t)
-corenetwork_sendrecv_tcp_on_all_ports(mount_t)
-corenetwork_sendrecv_udp_on_all_ports(mount_t)
-corenetwork_bind_tcp_on_all_nodes(mount_t)
-corenetwork_bind_udp_on_all_nodes(mount_t)
-corenetwork_bind_tcp_on_general_port(mount_t)
-corenetwork_bind_udp_on_general_port(mount_t)
-corenetwork_bind_tcp_on_reserved_port(mount_t)
-corenetwork_bind_udp_on_reserved_port(mount_t)
+	# for nfs
+	#can_ypbind(mount_t)
+	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
+	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
+	#allow mount_t rpc_pipefs_t:dir search;
+	corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
+	corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
+	corenetwork_sendrecv_raw_on_all_nodes(mount_t)
+	corenetwork_sendrecv_udp_on_all_nodes(mount_t)
+	corenetwork_sendrecv_tcp_on_all_ports(mount_t)
+	corenetwork_sendrecv_udp_on_all_ports(mount_t)
+	corenetwork_bind_tcp_on_all_nodes(mount_t)
+	corenetwork_bind_udp_on_all_nodes(mount_t)
+	corenetwork_bind_tcp_on_general_port(mount_t)
+	corenetwork_bind_udp_on_general_port(mount_t)
+	corenetwork_bind_tcp_on_reserved_port(mount_t)
+	corenetwork_bind_udp_on_reserved_port(mount_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`selinux_checkpolicy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute };
-allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
-dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
-allow $1 checkpolicy_t:fd use;
-allow checkpolicy_t $1:fd use;
-allow checkpolicy_t $1:fifo_file rw_file_perms;
-allow checkpolicy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_t:process transition;
+	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
+	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 checkpolicy_t:fd use;
+	allow checkpolicy_t $1:fd use;
+	allow checkpolicy_t $1:fifo_file rw_file_perms;
+	allow checkpolicy_t $1:process sigchld;
 ')

 define(`selinux_checkpolicy_transition_depend',`
-type checkpolicy_t, checkpolicy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type checkpolicy_t, checkpolicy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_checkpolicy_transition($1)
-role $2 types checkpolicy_t;
-allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_checkpolicy_transition($1)
+	role $2 types checkpolicy_t;
+	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
-type checkpolicy_t;
-class chr_file { getattr read write ioctl };
+	type checkpolicy_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # selinux_checkpolicy_execute(domain)
 #
 define(`selinux_checkpolicy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_checkpolicy_execute_depend',`
-type checkpolicy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type checkpolicy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_load_policy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute };
-allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:process load_policy_t;
-dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
-allow $1 load_policy_t:fd use;
-allow load_policy_t $1:fd use;
-allow load_policy_t $1:fifo_file rw_file_perms;
-allow load_policy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_t:process transition;
+	type_transition $1 load_policy_exec_t:process load_policy_t;
+	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 load_policy_t:fd use;
+	allow load_policy_t $1:fd use;
+	allow load_policy_t $1:fifo_file rw_file_perms;
+	allow load_policy_t $1:process sigchld;
 ')

 define(`selinux_load_policy_transition_depend',`
-type load_policy_t, load_policy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type load_policy_t, load_policy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_load_policy_transition($1)
-role $2 types load_policy_t;
-allow load_policy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_load_policy_transition($1)
+	role $2 types load_policy_t;
+	allow load_policy_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
-type load_policy_t;
-class chr_file { getattr read write ioctl };
+	type load_policy_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
 # selinux_load_policy_execute(domain)
 #
 define(`selinux_load_policy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_load_policy_execute_depend',`
-type load_policy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type load_policy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_load_policy_binary(domain)
 #
 define(`selinux_read_load_policy_binary',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read };
 ')

 define(`selinux_read_load_policy_binary_depend',`
-type load_policy_exec_t;
-class file { getattr read };
+	type load_policy_exec_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -181,23 +197,26 @@ class file { getattr read };
 ## </interface>
 #
 define(`selinux_newrole_transition',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute };
-allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:process newrole_t;
-dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
-allow $1 newrole_t:fd use;
-allow newrole_t $1:fd use;
-allow newrole_t $1:fifo_file rw_file_perms;
-allow newrole_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_t:process transition;
+	type_transition $1 newrole_exec_t:process newrole_t;
+	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 newrole_t:fd use;
+	allow newrole_t $1:fd use;
+	allow newrole_t $1:fifo_file rw_file_perms;
+	allow newrole_t $1:process sigchld;
 ')

 define(`selinux_newrole_transition_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_newrole_transition($1)
-role $2 types newrole_t;
-allow newrole_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_newrole_transition($1)
+	role $2 types newrole_t;
+	allow newrole_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
-type newrole_t;
-class chr_file { getattr read write ioctl };
+	type newrole_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
 # selinux_newrole_execute(domain)
 #
 define(`selinux_newrole_execute',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_newrole_execute_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute execute_no_trans };
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_newrole_ignore_signal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 newrole_t:process signal;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 newrole_t:process signal;
 ')

 define(`selinux_newrole_ignore_signal_depend',`
-type newrole_t;
-class process signal;
+	type newrole_t;
+
+	class process signal;
 ')

 #######################################
@ -272,13 +297,15 @@ class process signal;
 # selinux_newrole_sigchld(domain)
 #
 define(`selinux_newrole_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:process sigchld;
 ')

 define(`selinux_newrole_sigchld_depend',`
-type newrole_t;
-class process sigchld;
+	type newrole_t;
+
+	class process sigchld;
 ')

 #######################################
@ -286,13 +313,15 @@ class process sigchld;
 # selinux_newrole_use_file_descriptors(domain)
 #
 define(`selinux_newrole_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:fd use;
 ')

 define(`selinux_newrole_use_file_descriptors_depend',`
-type newrole_t;
-class fd use;
+	type newrole_t;
+
+	class fd use;
 ')

 #######################################
@ -307,23 +336,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_restorecon_transition',`
-requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute };
-allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:process restorecon_t;
-dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
-allow $1 restorecon_t:fd use;
-allow restorecon_t $1:fd use;
-allow restorecon_t $1:fifo_file rw_file_perms;
-allow restorecon_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_t:process transition;
+	type_transition $1 restorecon_exec_t:process restorecon_t;
+	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 restorecon_t:fd use;
+	allow restorecon_t $1:fd use;
+	allow restorecon_t $1:fifo_file rw_file_perms;
+	allow restorecon_t $1:process sigchld;
 ')

 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_restorecon_transition($1)
-role $2 types restorecon_t;
-allow restorecon_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_restorecon_transition($1)
+	role $2 types restorecon_t;
+	allow restorecon_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
-type restorecon_t;
-class chr_file { getattr read write ioctl };
+	type restorecon_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_restorecon_execute_depend',`
-type restorecon_t, restorecon_exec_t;
-class file { getattr read execute execute_no_trans };
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_run_init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_exec_t:file { getattr read execute };
-allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:process run_init_t;
-dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
-allow $1 run_init_t:fd use;
-allow run_init_t $1:fd use;
-allow run_init_t $1:fifo_file rw_file_perms;
-allow run_init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_t:process transition;
+	type_transition $1 run_init_exec_t:process run_init_t;
+	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
 ')

 define(`selinux_run_init_transition_depend',`
-type run_init_t, run_init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type run_init_t, run_init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_run_init_transition($1)
-role $2 types run_init_t;
-allow run_init_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_run_init_transition($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
-type run_init_t;
-class chr_file { getattr read write ioctl };
+	type run_init_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # selinux_run_init_use_file_descriptors(domain)
 #
 define(`selinux_run_init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_t:fd use;
 ')

 define(`selinux_run_init_use_file_descriptors_depend',`
-type run_init_t;
-class fd use;
+	type run_init_t;
+
+	class fd use;
 ')

 ########################################
@ -459,23 +501,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_setfiles_transition',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute };
-allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:process setfiles_t;
-dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
-allow $1 setfiles_t:fd use;
-allow setfiles_t $1:fd use;
-allow setfiles_t $1:fifo_file rw_file_perms;
-allow setfiles_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_t:process transition;
+	type_transition $1 setfiles_exec_t:process setfiles_t;
+	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 setfiles_t:fd use;
+	allow setfiles_t $1:fd use;
+	allow setfiles_t $1:fifo_file rw_file_perms;
+	allow setfiles_t $1:process sigchld;
 ')

 define(`selinux_setfiles_transition_depend',`
-type setfiles_t, setfiles_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type setfiles_t, setfiles_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_setfiles_transition($1)
-role $2 types setfiles_t;
-allow setfiles_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_setfiles_transition($1)
+	role $2 types setfiles_t;
+	allow setfiles_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
-type setfiles_t;
-class chr_file { getattr read write ioctl };
+	type setfiles_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
 # selinux_setfiles_execute(domain)
 #
 define(`selinux_setfiles_execute',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_setfiles_execute_depend',`
-type setfiles_exec_t;
-class file { getattr read execute execute_no_trans };
+	type setfiles_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_config(domain)
 #
 define(`selinux_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir { getattr search read };
-allow $1 selinux_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir { getattr search read };
+	allow $1 selinux_config_t:file { getattr read };
 ')

 define(`selinux_read_config_depend',`
-type selinux_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -544,16 +595,18 @@ class file { getattr read };
 # selinux_read_default_contexts(domain)
 #
 define(`selinux_read_default_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 default_context_t:dir { getattr search read };
-allow $1 default_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 default_context_t:dir { getattr search read };
+	allow $1 default_context_t:file { getattr read };
 ')

 define(`selinux_read_default_contexts_depend',`
-type selinux_config_t, default_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, default_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -561,16 +614,18 @@ class file { getattr read };
 # selinux_read_file_contexts(domain)
 #
 define(`selinux_read_file_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 file_context_t:dir { getattr search read };
-allow $1 file_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir { getattr search read };
+	allow $1 file_context_t:file { getattr read };
 ')

 define(`selinux_read_file_contexts_depend',`
-type selinux_config_t, file_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, file_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -578,15 +633,17 @@ class file { getattr read };
 # selinux_read_binary_policy(domain)
 #
 define(`selinux_read_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { getattr read };
 ')

 define(`selinux_read_binary_policy_depend',`
-type policy_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type policy_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -594,17 +651,20 @@ class file { getattr read };
 # selinux_write_binary_policy(domain)
 #
 define(`selinux_write_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
-allow $1 policy_config_t:file { getattr create write unlink };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:file { getattr create write unlink };
+	typeattribute $1 can_write_binary_policy;
 ')

 define(`selinux_write_binary_policy_depend',`
-attribute can_write_binary_policy;
-type policy_config_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create write unlink };
+	attribute can_write_binary_policy;
+
+	type policy_config_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create write unlink };
 ')

 ########################################
@ -619,15 +679,18 @@ class file { getattr create write unlink };
 ## </interface>
 #
 define(`selinux_relabelto_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:file relabelto;
-typeattribute $1 can_relabelto_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:file relabelto;
+	typeattribute $1 can_relabelto_binary_policy;
 ')

 define(`selinux_relabelto_binary_policy_depend',`
-attribute can_relabelto_binary_policy;
-type policy_config_t;
-class file relabelto;
+	attribute can_relabelto_binary_policy;
+
+	type policy_config_t;
+
+	class file relabelto;
 ')

 ########################################
@ -635,19 +698,21 @@ class file relabelto;
 # selinux_manage_binary_policy(domain)
 #
 define(`selinux_manage_binary_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	typeattribute $1 can_write_binary_policy;
 ')

 define(`selinux_manage_binary_policy_depend',`
-attribute can_write_binary_policy;
-type selinux_config_t, policy_config_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_write_binary_policy;
+
+	type selinux_config_t, policy_config_t;
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 ########################################
@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # selinux_read_source_policy(domain)
 #
 define(`selinux_read_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { getattr search read };
-allow $1 policy_src_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { getattr search read };
+	allow $1 policy_src_t:file { getattr read };
 ')

 define(`selinux_read_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, policy_src_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -673,17 +740,19 @@ class file { getattr read };
 # selinux_manage_source_policy(domain)
 #
 define(`selinux_manage_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 define(`selinux_manage_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type selinux_config_t, policy_src_t;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
 userdomain_use_all_users_file_descriptors(restorecon_t)

 optional_policy(`hotplug.te',`
-hotplug_use_file_descriptors(restorecon_t)
+	hotplug_use_file_descriptors(restorecon_t)
 ')

 # relabeling rules
@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)

 tunable_policy(`targeted_policy',`',`
-allow run_init_t self:process setexec;
-allow run_init_t self:capability setuid;
+	allow run_init_t self:process setexec;
+	allow run_init_t self:capability setuid;

-allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file { getattr read write };

-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_init_t self:capability { dac_override dac_read_search };
+	# often the administrator runs such programs from a directory that is owned
+	# by a different user or has restrictive SE permissions, do not want to audit
+	# the failed access to the current directory
+	dontaudit run_init_t self:capability { dac_override dac_read_search };

-filesystem_get_persistent_filesystem_attributes(run_init_t)
+	filesystem_get_persistent_filesystem_attributes(run_init_t)

-devices_ignore_list_device_nodes(run_init_t)
+	devices_ignore_list_device_nodes(run_init_t)

-terminal_ignore_list_pseudoterminals(run_init_t)
+	terminal_ignore_list_pseudoterminals(run_init_t)

-authlogin_check_password_transition(run_init_t)
-authlogin_ignore_read_shadow_passwords(run_init_t)
+	authlogin_check_password_transition(run_init_t)
+	authlogin_ignore_read_shadow_passwords(run_init_t)

-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
+	corecommands_execute_general_programs(run_init_t)
+	corecommands_execute_shell(run_init_t)

-domain_use_widely_inheritable_file_descriptors(run_init_t)
+	domain_use_widely_inheritable_file_descriptors(run_init_t)

-files_read_general_system_config(run_init_t)
-files_ignore_search_all_directories(run_init_t)
+	files_read_general_system_config(run_init_t)
+	files_ignore_search_all_directories(run_init_t)

-init_script_transition(run_init_t)
-# for utmp
-init_script_modify_runtime_data(run_init_t)
+	init_script_transition(run_init_t)
+	# for utmp
+	init_script_modify_runtime_data(run_init_t)

-libraries_use_dynamic_loader(run_init_t)
-libraries_use_shared_libraries(run_init_t)
+	libraries_use_dynamic_loader(run_init_t)
+	libraries_use_shared_libraries(run_init_t)

-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
+	selinux_read_config(run_init_t)
+	selinux_read_default_contexts(run_init_t)

-miscfiles_read_localization(run_init_t)
+	miscfiles_read_localization(run_init_t)

-logging_send_system_log_message(run_init_t)
+	logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy

 ifdef(`TODO',`

 tunable_policy(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+	# Gentoo integrated run_init+open_init_pty-runscript:
+	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
 ') dnl end TODO

--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -13,23 +13,26 @@
 ## </interface>
 #
 define(`selinux_checkpolicy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute };
-allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
-dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
-allow $1 checkpolicy_t:fd use;
-allow checkpolicy_t $1:fd use;
-allow checkpolicy_t $1:fifo_file rw_file_perms;
-allow checkpolicy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_t:process transition;
+	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
+	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 checkpolicy_t:fd use;
+	allow checkpolicy_t $1:fd use;
+	allow checkpolicy_t $1:fifo_file rw_file_perms;
+	allow checkpolicy_t $1:process sigchld;
 ')

 define(`selinux_checkpolicy_transition_depend',`
-type checkpolicy_t, checkpolicy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type checkpolicy_t, checkpolicy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_checkpolicy_transition($1)
-role $2 types checkpolicy_t;
-allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_checkpolicy_transition($1)
+	role $2 types checkpolicy_t;
+	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
-type checkpolicy_t;
-class chr_file { getattr read write ioctl };
+	type checkpolicy_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
 # selinux_checkpolicy_execute(domain)
 #
 define(`selinux_checkpolicy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_checkpolicy_execute_depend',`
-type checkpolicy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type checkpolicy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_load_policy_transition',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute };
-allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:process load_policy_t;
-dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
-allow $1 load_policy_t:fd use;
-allow load_policy_t $1:fd use;
-allow load_policy_t $1:fifo_file rw_file_perms;
-allow load_policy_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_t:process transition;
+	type_transition $1 load_policy_exec_t:process load_policy_t;
+	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 load_policy_t:fd use;
+	allow load_policy_t $1:fd use;
+	allow load_policy_t $1:fifo_file rw_file_perms;
+	allow load_policy_t $1:process sigchld;
 ')

 define(`selinux_load_policy_transition_depend',`
-type load_policy_t, load_policy_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type load_policy_t, load_policy_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_load_policy_transition($1)
-role $2 types load_policy_t;
-allow load_policy_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_load_policy_transition($1)
+	role $2 types load_policy_t;
+	allow load_policy_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
-type load_policy_t;
-class chr_file { getattr read write ioctl };
+	type load_policy_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
 # selinux_load_policy_execute(domain)
 #
 define(`selinux_load_policy_execute',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_load_policy_execute_depend',`
-type load_policy_exec_t;
-class file { getattr read execute execute_no_trans };
+	type load_policy_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 #######################################
@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_load_policy_binary(domain)
 #
 define(`selinux_read_load_policy_binary',`
-requires_block_template(`$0'_depend)
-allow $1 load_policy_exec_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 load_policy_exec_t:file { getattr read };
 ')

 define(`selinux_read_load_policy_binary_depend',`
-type load_policy_exec_t;
-class file { getattr read };
+	type load_policy_exec_t;
+
+	class file { getattr read };
 ')

 #######################################
@ -181,23 +197,26 @@ class file { getattr read };
 ## </interface>
 #
 define(`selinux_newrole_transition',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute };
-allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:process newrole_t;
-dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
-allow $1 newrole_t:fd use;
-allow newrole_t $1:fd use;
-allow newrole_t $1:fifo_file rw_file_perms;
-allow newrole_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_t:process transition;
+	type_transition $1 newrole_exec_t:process newrole_t;
+	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 newrole_t:fd use;
+	allow newrole_t $1:fd use;
+	allow newrole_t $1:fifo_file rw_file_perms;
+	allow newrole_t $1:process sigchld;
 ')

 define(`selinux_newrole_transition_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_newrole_transition($1)
-role $2 types newrole_t;
-allow newrole_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_newrole_transition($1)
+	role $2 types newrole_t;
+	allow newrole_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
-type newrole_t;
-class chr_file { getattr read write ioctl };
+	type newrole_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
 # selinux_newrole_execute(domain)
 #
 define(`selinux_newrole_execute',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_newrole_execute_depend',`
-type newrole_t, newrole_exec_t;
-class file { getattr read execute execute_no_trans };
+	type newrole_t, newrole_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_newrole_ignore_signal',`
-requires_block_template(`$0'_depend)
-dontaudit $1 newrole_t:process signal;
+	requires_block_template(`$0'_depend)
+
+	dontaudit $1 newrole_t:process signal;
 ')

 define(`selinux_newrole_ignore_signal_depend',`
-type newrole_t;
-class process signal;
+	type newrole_t;
+
+	class process signal;
 ')

 #######################################
@ -272,13 +297,15 @@ class process signal;
 # selinux_newrole_sigchld(domain)
 #
 define(`selinux_newrole_sigchld',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:process sigchld;
 ')

 define(`selinux_newrole_sigchld_depend',`
-type newrole_t;
-class process sigchld;
+	type newrole_t;
+
+	class process sigchld;
 ')

 #######################################
@ -286,13 +313,15 @@ class process sigchld;
 # selinux_newrole_use_file_descriptors(domain)
 #
 define(`selinux_newrole_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 newrole_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 newrole_t:fd use;
 ')

 define(`selinux_newrole_use_file_descriptors_depend',`
-type newrole_t;
-class fd use;
+	type newrole_t;
+
+	class fd use;
 ')

 #######################################
@ -307,23 +336,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_restorecon_transition',`
-requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute };
-allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:process restorecon_t;
-dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
-allow $1 restorecon_t:fd use;
-allow restorecon_t $1:fd use;
-allow restorecon_t $1:fifo_file rw_file_perms;
-allow restorecon_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_t:process transition;
+	type_transition $1 restorecon_exec_t:process restorecon_t;
+	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 restorecon_t:fd use;
+	allow restorecon_t $1:fd use;
+	allow restorecon_t $1:fifo_file rw_file_perms;
+	allow restorecon_t $1:process sigchld;
 ')

 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_restorecon_transition($1)
-role $2 types restorecon_t;
-allow restorecon_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_restorecon_transition($1)
+	role $2 types restorecon_t;
+	allow restorecon_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
-type restorecon_t;
-class chr_file { getattr read write ioctl };
+	type restorecon_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_restorecon_execute_depend',`
-type restorecon_t, restorecon_exec_t;
-class file { getattr read execute execute_no_trans };
+	type restorecon_t, restorecon_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
 ## </interface>
 #
 define(`selinux_run_init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_exec_t:file { getattr read execute };
-allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:process run_init_t;
-dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
-allow $1 run_init_t:fd use;
-allow run_init_t $1:fd use;
-allow run_init_t $1:fifo_file rw_file_perms;
-allow run_init_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_t:process transition;
+	type_transition $1 run_init_exec_t:process run_init_t;
+	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
 ')

 define(`selinux_run_init_transition_depend',`
-type run_init_t, run_init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type run_init_t, run_init_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_run_init_transition($1)
-role $2 types run_init_t;
-allow run_init_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_run_init_transition($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
-type run_init_t;
-class chr_file { getattr read write ioctl };
+	type run_init_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
 # selinux_run_init_use_file_descriptors(domain)
 #
 define(`selinux_run_init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_t:fd use;
+	requires_block_template(`$0'_depend)
+
+	allow $1 run_init_t:fd use;
 ')

 define(`selinux_run_init_use_file_descriptors_depend',`
-type run_init_t;
-class fd use;
+	type run_init_t;
+
+	class fd use;
 ')

 ########################################
@ -459,23 +501,26 @@ class fd use;
 ## </interface>
 #
 define(`selinux_setfiles_transition',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute };
-allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:process setfiles_t;
-dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
-allow $1 setfiles_t:fd use;
-allow setfiles_t $1:fd use;
-allow setfiles_t $1:fifo_file rw_file_perms;
-allow setfiles_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_t:process transition;
+	type_transition $1 setfiles_exec_t:process setfiles_t;
+	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 setfiles_t:fd use;
+	allow setfiles_t $1:fd use;
+	allow setfiles_t $1:fifo_file rw_file_perms;
+	allow setfiles_t $1:process sigchld;
 ')

 define(`selinux_setfiles_transition_depend',`
-type setfiles_t, setfiles_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type setfiles_t, setfiles_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-selinux_setfiles_transition($1)
-role $2 types setfiles_t;
-allow setfiles_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	selinux_setfiles_transition($1)
+	role $2 types setfiles_t;
+	allow setfiles_t $3:chr_file { getattr read write ioctl };
 ')

 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
-type setfiles_t;
-class chr_file { getattr read write ioctl };
+	type setfiles_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 #######################################
@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
 # selinux_setfiles_execute(domain)
 #
 define(`selinux_setfiles_execute',`
-requires_block_template(`$0'_depend)
-allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	requires_block_template(`$0'_depend)
+
+	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`selinux_setfiles_execute_depend',`
-type setfiles_exec_t;
-class file { getattr read execute execute_no_trans };
+	type setfiles_exec_t;
+
+	class file { getattr read execute execute_no_trans };
 ')

 ########################################
@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
 # selinux_read_config(domain)
 #
 define(`selinux_read_config',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir { getattr search read };
-allow $1 selinux_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir { getattr search read };
+	allow $1 selinux_config_t:file { getattr read };
 ')

 define(`selinux_read_config_depend',`
-type selinux_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -544,16 +595,18 @@ class file { getattr read };
 # selinux_read_default_contexts(domain)
 #
 define(`selinux_read_default_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 default_context_t:dir { getattr search read };
-allow $1 default_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 default_context_t:dir { getattr search read };
+	allow $1 default_context_t:file { getattr read };
 ')

 define(`selinux_read_default_contexts_depend',`
-type selinux_config_t, default_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, default_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -561,16 +614,18 @@ class file { getattr read };
 # selinux_read_file_contexts(domain)
 #
 define(`selinux_read_file_contexts',`
-requires_block_template(`$0'_depend)
-allow $1 selinux_config_t:dir search;
-allow $1 file_context_t:dir { getattr search read };
-allow $1 file_context_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir { getattr search read };
+	allow $1 file_context_t:file { getattr read };
 ')

 define(`selinux_read_file_contexts_depend',`
-type selinux_config_t, file_context_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, file_context_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -578,15 +633,17 @@ class file { getattr read };
 # selinux_read_binary_policy(domain)
 #
 define(`selinux_read_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { getattr read };
 ')

 define(`selinux_read_binary_policy_depend',`
-type policy_config_t;
-class dir { getattr search read };
-class file { getattr read };
+	type policy_config_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -594,17 +651,20 @@ class file { getattr read };
 # selinux_write_binary_policy(domain)
 #
 define(`selinux_write_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
-allow $1 policy_config_t:file { getattr create write unlink };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:file { getattr create write unlink };
+	typeattribute $1 can_write_binary_policy;
 ')

 define(`selinux_write_binary_policy_depend',`
-attribute can_write_binary_policy;
-type policy_config_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create write unlink };
+	attribute can_write_binary_policy;
+
+	type policy_config_t;
+
+	class dir { getattr search read write add_name remove_name };
+	class file { getattr create write unlink };
 ')

 ########################################
@ -619,15 +679,18 @@ class file { getattr create write unlink };
 ## </interface>
 #
 define(`selinux_relabelto_binary_policy',`
-requires_block_template(`$0'_depend)
-allow $1 policy_config_t:file relabelto;
-typeattribute $1 can_relabelto_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	allow $1 policy_config_t:file relabelto;
+	typeattribute $1 can_relabelto_binary_policy;
 ')

 define(`selinux_relabelto_binary_policy_depend',`
-attribute can_relabelto_binary_policy;
-type policy_config_t;
-class file relabelto;
+	attribute can_relabelto_binary_policy;
+
+	type policy_config_t;
+
+	class file relabelto;
 ')

 ########################################
@ -635,19 +698,21 @@ class file relabelto;
 # selinux_manage_binary_policy(domain)
 #
 define(`selinux_manage_binary_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_config_t:dir { getattr search read };
-allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 can_write_binary_policy;
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir { getattr search read };
+	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	typeattribute $1 can_write_binary_policy;
 ')

 define(`selinux_manage_binary_policy_depend',`
-attribute can_write_binary_policy;
-type selinux_config_t, policy_config_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	attribute can_write_binary_policy;
+
+	type selinux_config_t, policy_config_t;
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 ########################################
@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # selinux_read_source_policy(domain)
 #
 define(`selinux_read_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { getattr search read };
-allow $1 policy_src_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { getattr search read };
+	allow $1 policy_src_t:file { getattr read };
 ')

 define(`selinux_read_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { getattr search read };
-class file { getattr read };
+	type selinux_config_t, policy_src_t;
+
+	class dir { getattr search read };
+	class file { getattr read };
 ')

 ########################################
@ -673,17 +740,19 @@ class file { getattr read };
 # selinux_manage_source_policy(domain)
 #
 define(`selinux_manage_source_policy',`
-requires_block_template(`$0'_depend)
-# FIXME: search etc_t:dir
-allow $1 selinux_config_t:dir search;
-allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	requires_block_template(`$0'_depend)
+
+	# FIXME: search etc_t:dir
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 define(`selinux_manage_source_policy_depend',`
-type selinux_config_t, policy_src_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	type selinux_config_t, policy_src_t;
+
+	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
 userdomain_use_all_users_file_descriptors(restorecon_t)

 optional_policy(`hotplug.te',`
-hotplug_use_file_descriptors(restorecon_t)
+	hotplug_use_file_descriptors(restorecon_t)
 ')

 # relabeling rules
@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)

 tunable_policy(`targeted_policy',`',`
-allow run_init_t self:process setexec;
-allow run_init_t self:capability setuid;
+	allow run_init_t self:process setexec;
+	allow run_init_t self:capability setuid;

-allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file { getattr read write };

-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_init_t self:capability { dac_override dac_read_search };
+	# often the administrator runs such programs from a directory that is owned
+	# by a different user or has restrictive SE permissions, do not want to audit
+	# the failed access to the current directory
+	dontaudit run_init_t self:capability { dac_override dac_read_search };

-filesystem_get_persistent_filesystem_attributes(run_init_t)
+	filesystem_get_persistent_filesystem_attributes(run_init_t)

-devices_ignore_list_device_nodes(run_init_t)
+	devices_ignore_list_device_nodes(run_init_t)

-terminal_ignore_list_pseudoterminals(run_init_t)
+	terminal_ignore_list_pseudoterminals(run_init_t)

-authlogin_check_password_transition(run_init_t)
-authlogin_ignore_read_shadow_passwords(run_init_t)
+	authlogin_check_password_transition(run_init_t)
+	authlogin_ignore_read_shadow_passwords(run_init_t)

-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
+	corecommands_execute_general_programs(run_init_t)
+	corecommands_execute_shell(run_init_t)

-domain_use_widely_inheritable_file_descriptors(run_init_t)
+	domain_use_widely_inheritable_file_descriptors(run_init_t)

-files_read_general_system_config(run_init_t)
-files_ignore_search_all_directories(run_init_t)
+	files_read_general_system_config(run_init_t)
+	files_ignore_search_all_directories(run_init_t)

-init_script_transition(run_init_t)
-# for utmp
-init_script_modify_runtime_data(run_init_t)
+	init_script_transition(run_init_t)
+	# for utmp
+	init_script_modify_runtime_data(run_init_t)

-libraries_use_dynamic_loader(run_init_t)
-libraries_use_shared_libraries(run_init_t)
+	libraries_use_dynamic_loader(run_init_t)
+	libraries_use_shared_libraries(run_init_t)

-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
+	selinux_read_config(run_init_t)
+	selinux_read_default_contexts(run_init_t)

-miscfiles_read_localization(run_init_t)
+	miscfiles_read_localization(run_init_t)

-logging_send_system_log_message(run_init_t)
+	logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy

 ifdef(`TODO',`

 tunable_policy(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+	# Gentoo integrated run_init+open_init_pty-runscript:
+	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
 ') dnl end TODO

--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -6,23 +6,26 @@
 # sysnetwork_dhcpc_transition(domain)
 #
 define(`sysnetwork_dhcpc_transition',`
-requires_block_template(`$0'_depend)
-allow $1 dhcpc_exec_t:file { getattr read execute };
-allow $1 dhcpc_t:process transition;
-type_transition $1 dhcpc_exec_t:process dhcpc_t;
-dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
-allow $1 dhcpc_t:fd use;
-allow dhcpc_t $1:fd use;
-allow dhcpc_t $1:fifo_file rw_file_perms;
-allow dhcpc_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 dhcpc_exec_t:file { getattr read execute };
+	allow $1 dhcpc_t:process transition;
+	type_transition $1 dhcpc_exec_t:process dhcpc_t;
+	dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 dhcpc_t:fd use;
+	allow dhcpc_t $1:fd use;
+	allow dhcpc_t $1:fifo_file rw_file_perms;
+	allow dhcpc_t $1:process sigchld;
 ')

 define(`sysnetwork_dhcpc_transition_depend',`
-type dhcpc_t, dhcpc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type dhcpc_t, dhcpc_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 #######################################
@ -37,23 +40,26 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`sysnetwork_ifconfig_transition',`
-requires_block_template(`$0'_depend)
-allow $1 ifconfig_exec_t:file { getattr read execute };
-allow $1 ifconfig_t:process transition;
-type_transition $1 ifconfig_exec_t:process ifconfig_t;
-dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
-allow $1 ifconfig_t:fd use;
-allow ifconfig_t $1:fd use;
-allow ifconfig_t $1:fifo_file rw_file_perms;
-allow ifconfig_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 ifconfig_exec_t:file { getattr read execute };
+	allow $1 ifconfig_t:process transition;
+	type_transition $1 ifconfig_exec_t:process ifconfig_t;
+	dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 ifconfig_t:fd use;
+	allow ifconfig_t $1:fd use;
+	allow ifconfig_t $1:fifo_file rw_file_perms;
+	allow ifconfig_t $1:process sigchld;
 ')

 define(`sysnetwork_ifconfig_transition_depend',`
-type ifconfig_t, ifconfig_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type ifconfig_t, ifconfig_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -76,15 +82,17 @@ class fifo_file rw_file_perms;
 ## </interface>
 #
 define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-sysnetwork_ifconfig_transition($1)
-role $2 types ifconfig_t;
-allow ifconfig_t $3:chr_file { getattr read write ioctl };
+	requires_block_template(`$0'_depend)
+
+	sysnetwork_ifconfig_transition($1)
+	role $2 types ifconfig_t;
+	allow ifconfig_t $3:chr_file { getattr read write ioctl };
 ')

 define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
-type ifconfig_t;
-class chr_file { getattr read write ioctl };
+	type ifconfig_t;
+
+	class chr_file { getattr read write ioctl };
 ')

 ########################################
@ -92,14 +100,16 @@ class chr_file { getattr read write ioctl };
 # sysnetwork_read_network_config(domain)
 #
 define(`sysnetwork_read_network_config',`
-requires_block_template(`$0'_depend)
-files_search_general_system_config_directory($1)
-allow $1 net_conf_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	files_search_general_system_config_directory($1)
+	allow $1 net_conf_t:file { getattr read };
 ')

 define(`sysnetwork_read_network_config_depend',`
-type net_conf_t;
-class file { getattr read };
+	type net_conf_t;
+
+	class file { getattr read };
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@ -4,23 +4,26 @@
 # udev_transition(domain)
 #
 define(`udev_transition',`
-requires_block_template(`$0'_depend)
-allow $1 udev_exec_t:file { getattr read execute };
-allow $1 udev_t:process transition;
-type_transition $1 udev_exec_t:process udev_t;
-dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
-allow $1 udev_t:fd use;
-allow udev_t $1:fd use;
-allow udev_t $1:fifo_file rw_file_perms;
-allow udev_t $1:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_exec_t:file { getattr read execute };
+	allow $1 udev_t:process transition;
+	type_transition $1 udev_exec_t:process udev_t;
+	dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+
+	allow $1 udev_t:fd use;
+	allow udev_t $1:fd use;
+	allow udev_t $1:fifo_file rw_file_perms;
+	allow udev_t $1:process sigchld;
 ')

 define(`udev_transition_depend',`
-type udev_t, udev_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+	type udev_t, udev_exec_t;
+
+	class file { getattr read execute };
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	class fd use;
+	class fifo_file rw_file_perms;
 ')

 ########################################
@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
 # udev_read_database(domain)
 #
 define(`udev_read_database',`
-requires_block_template(`$0'_depend)
-allow $1 udev_tdb_t:file { getattr read };
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_tdb_t:file { getattr read };
 ')

 define(`udev_read_database_depend',`
-type udev_tdb_t;
-class file { getattr read };
+	type udev_tdb_t;
+
+	class file { getattr read };
 ')

 ########################################
@ -42,11 +47,13 @@ class file { getattr read };
 # udev_modify_database(domain)
 #
 define(`udev_modify_database',`
-requires_block_template(`$0'_depend)
-allow $1 udev_tdb_t:file { getattr read write append };
+	requires_block_template(`$0'_depend)
+
+	allow $1 udev_tdb_t:file { getattr read write append };
 ')

 define(`udev_modify_database_depend',`
-type udev_tdb_t;
-class file { getattr read write append };
+	type udev_tdb_t;
+
+	class file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -114,28 +114,28 @@ selinux_restorecon_transition(udev_t)
 sysnetwork_ifconfig_transition(udev_t)

 tunable_policy(`distro_redhat',`
-filesystem_manage_tmpfs_block_devices(udev_t)
-filesystem_manage_tmpfs_character_devices(udev_t)
+	filesystem_manage_tmpfs_block_devices(udev_t)
+	filesystem_manage_tmpfs_character_devices(udev_t)

-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(udev_t)
+	# for arping used for static IP addresses on PCMCIA ethernet
+	netutils_transition(udev_t)
 ') dnl end ifdef distro_redhat

 optional_policy(`authlogin.te',`
-authlogin_pam_console_read_runtime_data(udev_t)
-authlogin_pam_console_transition(udev_t)
+	authlogin_pam_console_read_runtime_data(udev_t)
+	authlogin_pam_console_transition(udev_t)
 ')

 optional_policy(`consoletype.te',`
-consoletype_execute(udev_t)
+	consoletype_execute(udev_t)
 ')

 optional_policy(`hotplug.te',`
-hotplug_read_config(udev_t)
+	hotplug_read_config(udev_t)
 ')

 optional_policy(`sysnetwork.te',`
-sysnetwork_dhcpc_transition(udev_t)
+	sysnetwork_dhcpc_transition(udev_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -85,11 +85,11 @@ user_domain_template(user)

 # user role change rules:
 define(`role_change',`
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+	allow $1_r $2_r;
+	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+	# avoid annoying messages on terminal hangup
+	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 ')

 # sysadm_r can change to user roles
@ -100,7 +100,7 @@ role_change(sysadm, staff)
 role_change(staff, sysadm)

 tunable_policy(`user_canbe_sysadm',`
-role_change(user,sysadm)
+	role_change(user,sysadm)
 ')

 ifdef(`TODO',`
@ -119,58 +119,58 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 allow sysadm_t userdomain:fd use;

 optional_policy(`bootloader.te',`
-bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`clock.te',`
-clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`hostname.te',`
-hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`iptables.te',`
-iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`libraries.te',`
-libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`lvm.te',`
-lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`modutils.te',`
-modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`mount.te',`
-mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`rpm.te',`
-rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`selinux.te',`
-selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-optional_policy(`targeted_policy',`',`
-selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-')
+	selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	optional_policy(`targeted_policy',`',`
+		selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	')
 ')

 optional_policy(`sysnetwork.te',`
-sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

 optional_policy(`usermanage.te',`
-usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+	usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')