diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 3e4d47c4..8aef127c 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -6,7 +6,6 @@ policy_module(razor, 2.1.1)
#
ifdef(`distro_redhat',`
-
gen_require(`
type spamc_t, spamc_exec_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
@@ -23,126 +22,123 @@ ifdef(`distro_redhat',`
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-
',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ files_poly_member(razor_home_t)
+ userdom_user_home_content(razor_home_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-files_poly_member(razor_home_t)
-userdom_user_home_content(razor_home_t)
+ type razor_log_t;
+ logging_log_file(razor_log_t)
-type razor_log_t;
-logging_log_file(razor_log_t)
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
-# these are here due to ordering issues:
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-ubac_constrained(razor_t)
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
+ ########################################
+ #
+ # System razor local policy
+ #
-########################################
-#
-# System razor local policy
-#
+ # this version of razor is invoked typically
+ # via the system spam filter
-# this version of razor is invoked typically
-# via the system spam filter
+ allow system_razor_t self:tcp_socket create_socket_perms;
-allow system_razor_t self:tcp_socket create_socket_perms;
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-files_search_etc(system_razor_t)
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
-allow system_razor_t razor_log_t:file manage_file_perms;
-logging_log_filetrans(system_razor_t, razor_log_t, file)
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+ corenet_all_recvfrom_unlabeled(system_razor_t)
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
-corenet_all_recvfrom_unlabeled(system_razor_t)
-corenet_all_recvfrom_netlabel(system_razor_t)
-corenet_tcp_sendrecv_generic_if(system_razor_t)
-corenet_raw_sendrecv_generic_if(system_razor_t)
-corenet_tcp_sendrecv_generic_node(system_razor_t)
-corenet_raw_sendrecv_generic_node(system_razor_t)
-corenet_tcp_sendrecv_razor_port(system_razor_t)
-corenet_tcp_connect_razor_port(system_razor_t)
-corenet_sendrecv_razor_client_packets(system_razor_t)
+ sysnet_read_config(system_razor_t)
-sysnet_read_config(system_razor_t)
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
-# cjp: this shouldn't be needed
-userdom_use_unpriv_users_fds(system_razor_t)
-
-optional_policy(`
- logging_send_syslog_msg(system_razor_t)
-')
-
-optional_policy(`
- nscd_socket_use(system_razor_t)
-')
-
-########################################
-#
-# User razor local policy
-#
-
-# Allow razor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-
-allow razor_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-auth_use_nsswitch(razor_t)
-
-logging_send_syslog_msg(razor_t)
-
-userdom_search_user_home_dirs(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
-')
-
-optional_policy(`
- milter_manage_spamass_state(razor_t)
-')
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+ optional_policy(`
+ nscd_socket_use(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
+
+ logging_send_syslog_msg(razor_t)
+
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_user_terminals(razor_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+ ')
+
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index 9ab1d808..3b5909f9 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,9 +6,9 @@ policy_module(rgmanager, 1.0.0)
#
##
-##
-## Allow rgmanager domain to connect to the network using TCP.
-##
+##
+## Allow rgmanager domain to connect to the network using TCP.
+##
##
gen_tunable(rgmanager_can_network_connect, false)
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 1ebc84d9..89eb689c 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0)
#
##
-##
-## Allow fenced domain to connect to the network using TCP.
-##
+##
+## Allow fenced domain to connect to the network using TCP.
+##
##
gen_tunable(fenced_can_network_connect, false)
@@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',`
# needed by fence_scsi
optional_policy(`
- corosync_exec(fenced_t)
+ corosync_exec(fenced_t)
')
optional_policy(`
@@ -129,7 +129,6 @@ optional_policy(`
#
allow gfs_controld_t self:capability { net_admin sys_resource };
-
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -159,7 +158,6 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
-
allow groupd_t self:shm create_shm_perms;
dev_list_sysfs(groupd_t)
@@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
#
allow qdiskd_t self:capability { ipc_lock sys_boot };
-
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
@@ -226,7 +223,6 @@ optional_policy(`
allow cluster_domain self:capability { sys_nice };
allow cluster_domain self:process setsched;
-
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 9ae080e2..c5241712 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
#
##
-##
-## Allow gssd to read temp directory. For access to kerberos tgt.
-##
+##
+## Allow gssd to read temp directory. For access to kerberos tgt.
+##
##
gen_tunable(allow_gssd_read_tmp, true)
##
-##
-## Allow nfs servers to modify public files
-## used for public file transfer services. Files/Directories must be
-## labeled public_content_rw_t.
-##
+##
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+##
##
gen_tunable(allow_nfsd_anon_write, false)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index b5cd366e..0927db4c 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
#
# Declarations
#
+
type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)
@@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
#
# Local policy
#
+
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
@@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index f4738d36..74ab7d8b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,79 +6,79 @@ policy_module(spamassassin, 2.3.1)
#
##
-##
-## Allow user spamassassin clients to use the network.
-##
+##
+## Allow user spamassassin clients to use the network.
+##
##
gen_tunable(spamassassin_can_network, false)
##
-##
-## Allow spamd to read/write user home directories.
-##
+##
+## Allow spamd to read/write user home directories.
+##
##
gen_tunable(spamd_enable_home_dirs, true)
ifdef(`distro_redhat',`
-# spamassassin client executable
-type spamc_t;
-type spamc_exec_t;
-application_domain(spamc_t, spamc_exec_t)
-role system_r types spamc_t;
+ # spamassassin client executable
+ type spamc_t;
+ type spamc_exec_t;
+ application_domain(spamc_t, spamc_exec_t)
+ role system_r types spamc_t;
-type spamd_etc_t;
-files_config_file(spamd_etc_t)
+ type spamd_etc_t;
+ files_config_file(spamd_etc_t)
-typealias spamc_exec_t alias spamassassin_exec_t;
-typealias spamc_t alias spamassassin_t;
+ typealias spamc_exec_t alias spamassassin_exec_t;
+ typealias spamc_t alias spamassassin_t;
-type spamc_home_t;
-userdom_user_home_content(spamc_home_t)
-typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
-typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+ type spamc_home_t;
+ userdom_user_home_content(spamc_home_t)
+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
-type spamc_tmp_t;
-files_tmp_file(spamc_tmp_t)
-typealias spamc_tmp_t alias spamassassin_tmp_t;
-typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ type spamc_tmp_t;
+ files_tmp_file(spamc_tmp_t)
+ typealias spamc_tmp_t alias spamassassin_tmp_t;
+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-', `
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-application_domain(spamassassin_t, spamassassin_exec_t)
-ubac_constrained(spamassassin_t)
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+',`
+ type spamassassin_t;
+ type spamassassin_exec_t;
+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+ application_domain(spamassassin_t, spamassassin_exec_t)
+ ubac_constrained(spamassassin_t)
-type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-userdom_user_home_content(spamassassin_home_t)
-files_poly_member(spamassassin_home_t)
+ type spamassassin_home_t;
+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ userdom_user_home_content(spamassassin_home_t)
+ files_poly_member(spamassassin_home_t)
-type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
+ type spamassassin_tmp_t;
+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ files_tmp_file(spamassassin_tmp_t)
+ ubac_constrained(spamassassin_tmp_t)
-type spamc_t;
-type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-application_domain(spamc_t, spamc_exec_t)
-ubac_constrained(spamc_t)
+ type spamc_t;
+ type spamc_exec_t;
+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+ application_domain(spamc_t, spamc_exec_t)
+ ubac_constrained(spamc_t)
-type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+ type spamc_tmp_t;
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+ files_tmp_file(spamc_tmp_t)
+ ubac_constrained(spamc_tmp_t)
')
type spamd_t;
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 4b2230e7..744b1723 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
#
##
-##
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-##
+##
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+##
##
gen_tunable(squid_connect_any, false)
##
-##
-## Allow squid to run as a transparent proxy (TPROXY)
-##
+##
+## Allow squid to run as a transparent proxy (TPROXY)
+##
##
gen_tunable(squid_use_tproxy, false)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 68c30574..5315f9b5 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0)
#
##
-##
-## allow host key based authentication
-##
+##
+## allow host key based authentication
+##
##
gen_tunable(allow_ssh_keysign, false)
##
-##
-## Allow ssh logins as sysadm_r:sysadm_t
-##
+##
+## Allow ssh logins as sysadm_r:sysadm_t
+##
##
gen_tunable(ssh_sysadm_login, false)
##
-##
-## allow sshd to forward port connections
-##
+##
+## allow sshd to forward port connections
+##
##
gen_tunable(sshd_forward_ports, false)
@@ -217,7 +217,6 @@ optional_policy(`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@@ -287,7 +286,6 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
-
allow sshd_t self:process setcurrent;
kernel_search_key(sshd_t)
@@ -303,7 +301,7 @@ term_use_ptmx(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
-tunable_policy(`sshd_forward_ports', `
+tunable_policy(`sshd_forward_ports',`
corenet_tcp_bind_all_unreserved_ports(sshd_t)
corenet_tcp_connect_all_ports(sshd_t)
')
@@ -373,26 +371,26 @@ optional_policy(`
')
ifdef(`TODO',`
-tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t ptyfile:chr_file relabelto;
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t ptyfile:chr_file relabelto;
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, userdomain)
+ ')
+ ',`
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ ')
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
')
-',`
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-')
') dnl endif TODO
########################################
@@ -405,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 07d6748f..be42115f 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,6 +28,7 @@ files_pid_file(sssd_var_run_t)
#
# sssd local policy
#
+
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
@@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 7ecb27b3..279efa6e 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -77,7 +77,7 @@ miscfiles_read_localization(stunnel_t)
sysnet_read_config(stunnel_t)
-ifdef(`distro_gentoo', `
+ifdef(`distro_gentoo',`
dontaudit stunnel_t self:capability sys_tty_config;
allow stunnel_t self:udp_socket create_socket_perms;
@@ -120,4 +120,5 @@ ifdef(`distro_gentoo', `
gen_require(`
type stunnel_port_t;
')
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 111b041d..67607acc 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -71,4 +71,3 @@ optional_policy(`
optional_policy(`
nscd_socket_use(sysstat_t)
')
-
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 66bfd1ca..b928f29e 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
#
##
-##
-## Allow tftp to modify public files
-## used for public file transfer services.
-##
+##
+## Allow tftp to modify public files
+## used for public file transfer services.
+##
##
gen_tunable(tftp_anon_write, false)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 0a0074cb..7f0d9a96 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
#
##
-##
-## Allow tor daemon to bind
-## tcp sockets to all unreserved ports.
-##
+##
+## Allow tor daemon to bind
+## tcp sockets to all unreserved ports.
+##
##
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:process signal;
-
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t)
miscfiles_read_localization(tor_t)
-tunable_policy(`tor_bind_all_unreserved_ports', `
+tunable_policy(`tor_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(tor_t)
')
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index eb4d8d50..5ff5e927 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -54,10 +54,10 @@ miscfiles_read_localization(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
optional_policy(`
- mysql_stream_connect(ulogd_t)
+ mysql_stream_connect(ulogd_t)
')
optional_policy(`
- postgresql_stream_connect(ulogd_t)
+ postgresql_stream_connect(ulogd_t)
postgresql_tcp_connect(ulogd_t)
')