Removed unnecessary comments

Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces

policy/modules/services/aisexec.if

@@ -1,4 +1,4 @@
-## <summary>SELinux policy for Aisexec Cluster Engine</summary>
+## <summary>Aisexec Cluster Engine</summary>
 
 ########################################
 ## <summary>

policy/modules/services/aisexec.te

@@ -13,22 +13,18 @@ init_daemon_domain(aisexec_t, aisexec_exec_t)
 type aisexec_initrc_exec_t;
 init_script_file(aisexec_initrc_exec_t);
 
-# tmp files
 type aisexec_tmp_t;
 files_tmp_file(aisexec_tmp_t)
 
 type aisexec_tmpfs_t;
 files_tmpfs_file(aisexec_tmpfs_t)
 
-# var/lib files
 type aisexec_var_lib_t;
 files_type(aisexec_var_lib_t)
 
-# log files
 type aisexec_var_log_t;
 logging_log_file(aisexec_var_log_t)
 
-# pid files
 type aisexec_var_run_t;
 files_pid_file(aisexec_var_run_t)
 
@@ -45,7 +41,6 @@ allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }
 allow aisexec_t self:unix_dgram_socket create_socket_perms;
 allow aisexec_t self:udp_socket create_socket_perms;
 
-# tmp files
 manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
 manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
 files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
@@ -54,18 +49,15 @@ manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
 manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
 fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
 
-# var/lib files
 manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
 
-# log files
 manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
 
-# pid file
 manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
 files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
@@ -86,9 +78,6 @@ auth_use_nsswitch(aisexec_t)
 
 init_rw_script_tmp_files(aisexec_t)
 
-libs_use_ld_so(aisexec_t)
-libs_use_shared_libs(aisexec_t)
-
 logging_send_syslog_msg(aisexec_t)
 
 miscfiles_read_localization(aisexec_t)
@@ -99,17 +88,13 @@ optional_policy(`
 
 optional_policy(`
 	# to communication with RHCS
-	dlm_controld_manage_tmpfs_files(aisexec_t)
-	dlm_controld_rw_semaphores(aisexec_t)
+	rhcs_rw_dlm_controld_semaphores(aisexec_t)
 
-	fenced_manage_tmpfs_files(aisexec_t)
-	fenced_rw_semaphores(aisexec_t)
+	rhcs_rw_fenced_semaphores(aisexec_t)
 
-	gfs_controld_manage_tmpfs_files(aisexec_t)
-	gfs_controld_rw_semaphores(aisexec_t)
-	gfs_controld_t_rw_shm(aisexec_t)
+	rhcs_rw_gfs_controld_semaphores(aisexec_t)
+	rhcs_rw_gfs_controld_shm(aisexec_t)
 
-	groupd_manage_tmpfs_files(aisexec_t)
-	groupd_rw_semaphores(aisexec_t)
-	groupd_rw_shm(aisexec_t)
+	rhcs_rw_groupd_semaphores(aisexec_t)
+	rhcs_rw_groupd_shm(aisexec_t)
 ')

policy/modules/services/corosync.if

@@ -1,4 +1,4 @@
-## <summary>SELinux policy for Corosync Cluster Engine</summary>
+## <summary>Corosync Cluster Engine</summary>
 
 ########################################
 ## <summary>

policy/modules/services/corosync.te

@@ -13,22 +13,18 @@ init_daemon_domain(corosync_t, corosync_exec_t)
 type corosync_initrc_exec_t;
 init_script_file(corosync_initrc_exec_t);
 
-# tmp files
 type corosync_tmp_t;
 files_tmp_file(corosync_tmp_t)
 
 type corosync_tmpfs_t;
 files_tmpfs_file(corosync_tmpfs_t)
 
-# var/lib files
 type corosync_var_lib_t;
 files_type(corosync_var_lib_t)
 
-# log files
 type corosync_var_log_t;
 logging_log_file(corosync_var_log_t)
 
-# pid files
 type corosync_var_run_t;
 files_pid_file(corosync_var_run_t)
 
@@ -46,7 +42,6 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
 allow corosync_t self:unix_dgram_socket create_socket_perms;
 allow corosync_t self:udp_socket create_socket_perms;
 
-# tmp files
 manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -55,18 +50,15 @@ manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
 
-# var/lib files
 manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
 
-# log files
 manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
 manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
 logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
 
-# pid file
 manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
 manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
 files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
@@ -100,14 +92,11 @@ optional_policy(`
 
 optional_policy(`
 	# to communication with RHCS
-	dlm_controld_manage_tmpfs_files(corosync_t)
-	dlm_controld_rw_semaphores(corosync_t)
+	rhcs_rw_dlm_controld_semaphores(corosync_t)
 
-	fenced_manage_tmpfs_files(corosync_t)
-	fenced_rw_semaphores(corosync_t)
+	rhcs_rw_fenced_semaphores(corosync_t)
 
-	gfs_controld_manage_tmpfs_files(corosync_t)
-	gfs_controld_rw_semaphores(corosync_t)
+	rhcs_rw_gfs_controld_semaphores(corosync_t)
 ')
 
 optional_policy(`

policy/modules/services/rgmanager.if

@@ -1,4 +1,4 @@
-## <summary>SELinux policy for rgmanager</summary>
+## <summary>rgmanager - Resource Group Manager</summary>
 
 #######################################
 ## <summary>
@@ -19,24 +19,6 @@ interface(`rgmanager_domtrans',`
 	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
 ')
 
-#######################################
-## <summary>
-##	Allow read and write access to rgmanager semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rgmanager_rw_semaphores',`
-	gen_require(`
-		type rgmanager_t;
-	')
-
-	allow $1 rgmanager_t:sem rw_sem_perms;
-')
-
 ########################################
 ## <summary>
 ##	Connect to rgmanager over an unix stream socket.

policy/modules/services/rgmanager.te

@@ -18,18 +18,15 @@ type rgmanager_exec_t;
 domain_type(rgmanager_t)
 init_daemon_domain(rgmanager_t, rgmanager_exec_t)
 
-# tmp files
 type rgmanager_tmp_t;
 files_tmp_file(rgmanager_tmp_t)
 
 type rgmanager_tmpfs_t;
 files_tmpfs_file(rgmanager_tmpfs_t)
 
-# log files
 type rgmanager_var_log_t;
 logging_log_file(rgmanager_var_log_t)
 
-# pid files
 type rgmanager_var_run_t;
 files_pid_file(rgmanager_var_run_t)
 
@@ -48,7 +45,6 @@ allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
 allow rgmanager_t self:unix_dgram_socket create_socket_perms;
 allow rgmanager_t self:tcp_socket create_stream_socket_perms;
 
-# tmp files
 manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
@@ -57,11 +53,9 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
 
-# log files
 manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
 logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
 
-# pid file
 manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
@@ -103,9 +97,6 @@ auth_read_all_files_except_shadow(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
 
-libs_use_ld_so(rgmanager_t)
-libs_use_shared_libs(rgmanager_t)
-
 logging_send_syslog_msg(rgmanager_t)
 
 miscfiles_read_localization(rgmanager_t)
@@ -132,7 +123,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	groupd_stream_connect(rgmanager_t)
+	rhcs_stream_connect_groupd(rgmanager_t)
 ')
 
 optional_policy(`
@@ -142,7 +133,7 @@ optional_policy(`
 optional_policy(`
 	ccs_manage_config(rgmanager_t)
 	ccs_stream_connect(rgmanager_t)
-	gfs_controld_stream_connect(rgmanager_t)
+	rhcs_stream_connect_gfs_controld(rgmanager_t)
 ')
 
 optional_policy(`

policy/modules/services/rhcs.if

@@ -1,4 +1,4 @@
-## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+## <summary>RHCS - Red Hat Cluster Suite</summary>
 
 #######################################
 ## <summary>
@@ -18,7 +18,7 @@ template(`rhcs_domain_template',`
 
 	##############################
 	#
-	# $1_t declarations
+	# Declarations
 	#
 
 	type $1_t, cluster_domain;
@@ -28,17 +28,15 @@ template(`rhcs_domain_template',`
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	# log files
 	type $1_var_log_t;
 	logging_log_file($1_var_log_t)
 
-	# pid files
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
 	##############################
 	#
-	# $1_t local policy
+	# Local policy
 	#
 
 	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@@ -66,7 +64,7 @@ template(`rhcs_domain_template',`
 ## </summary>
 ## </param>
 #
-interface(`dlm_controld_domtrans',`
+interface(`rhcs_domtrans_dlm_controld',`
 	gen_require(`
 	type dlm_controld_t, dlm_controld_exec_t;
 	')
@@ -86,7 +84,7 @@ interface(`dlm_controld_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`dlm_controld_stream_connect',`
+interface(`rhcs_stream_connect_dlm_controld',`
 	gen_require(`
 		type dlm_controld_t, dlm_controld_var_run_t;
 	')
@@ -105,28 +103,12 @@ interface(`dlm_controld_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`dlm_controld_rw_semaphores',`
+interface(`rhcs_rw_dlm_controld_semaphores',`
 	gen_require(`
-		type dlm_controld_t;
+		type dlm_controld_t, dlm_controld_tmpfs_t;
 	')
 
 	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
-')
-
-#####################################
-## <summary>
-##	Manage dlm_controld tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dlm_controld_manage_tmpfs_files',`
-	gen_require(`
-		type dlm_controld_tmpfs_t;
-	')
 
 	fs_search_tmpfs($1)
 	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
@@ -142,7 +124,7 @@ interface(`dlm_controld_manage_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fenced_domtrans',`
+interface(`rhcs_domtrans_fenced',`
 	gen_require(`
 		type fenced_t, fenced_exec_t;
 	')
@@ -161,12 +143,15 @@ interface(`fenced_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`fenced_rw_semaphores',`
+interface(`rhcs_rw_fenced_semaphores',`
 	gen_require(`
-		type fenced_t;
+		type fenced_t, fenced_tmpfs_t;
 	')
 
 	allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
 ')
 
 ######################################
@@ -179,7 +164,7 @@ interface(`fenced_rw_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`fenced_stream_connect',`
+interface(`rhcs_stream_connect_fenced',`
 	gen_require(`
 		type fenced_var_run_t, fenced_t;
 	')
@@ -189,25 +174,6 @@ interface(`fenced_stream_connect',`
 	files_search_pids($1)
 ')
 
-#####################################
-## <summary>
-##	Managed fenced tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fenced_manage_tmpfs_files',`
-	gen_require(`
-		type fenced_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-')
-
 #####################################
 ## <summary>
 ##	Execute a domain transition to run gfs_controld.
@@ -218,7 +184,7 @@ interface(`fenced_manage_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`gfs_controld_domtrans',`
+interface(`rhcs_domtrans_gfs_controld',`
 	gen_require(`
 	type gfs_controld_t, gfs_controld_exec_t;
 	')
@@ -227,25 +193,6 @@ interface(`gfs_controld_domtrans',`
 	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
 ')
 
-###################################
-## <summary>
-##	Manage gfs_controld tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gfs_controld_manage_tmpfs_files',`
-	gen_require(`
-	type gfs_controld_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
 ####################################
 ## <summary>
 ##	Allow read and write access to gfs_controld semaphores.
@@ -256,12 +203,15 @@ interface(`gfs_controld_manage_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`gfs_controld_rw_semaphores',`
+interface(`rhcs_rw_gfs_controld_semaphores',`
 	gen_require(`
-		type gfs_controld_t;
+		type gfs_controld_t, gfs_controld_tmpfs_t;
 	')
 
 	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 ')
 
 ########################################
@@ -274,12 +224,15 @@ interface(`gfs_controld_rw_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`gfs_controld_t_rw_shm',`
+interface(`rhcs_rw_gfs_controld_shm',`
 	gen_require(`
-		type gfs_controld_t;
+		type gfs_controld_t,  gfs_controld_tmpfs_t;
 	')
 
 	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 ')
 
 #####################################
@@ -292,7 +245,7 @@ interface(`gfs_controld_t_rw_shm',`
 ##	</summary>
 ## </param>
 #
-interface(`gfs_controld_stream_connect',`
+interface(`rhcs_stream_connect_gfs_controld',`
 	gen_require(`
 		type gfs_controld_t, gfs_controld_var_run_t;
 	')
@@ -311,7 +264,7 @@ interface(`gfs_controld_stream_connect',`
 ## </summary>
 ## </param>
 #
-interface(`groupd_domtrans',`
+interface(`rhcs_domtrans_groupd',`
 	gen_require(`
 		type groupd_t, groupd_exec_t;
 	')
@@ -331,7 +284,7 @@ interface(`groupd_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`groupd_stream_connect',`
+interface(`rhcs_stream_connect_groupd',`
 	gen_require(`
 		type groupd_t, groupd_var_run_t;
 	')
@@ -350,12 +303,15 @@ interface(`groupd_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`groupd_rw_semaphores',`
+interface(`rhcs_rw_groupd_semaphores',`
 	gen_require(`
-		type groupd_t;
+		type groupd_t, groupd_tmpfs_t;
 	')
 
 	allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 ')
 
 ########################################
@@ -368,28 +324,12 @@ interface(`groupd_rw_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`groupd_rw_shm',`
+interface(`rhcs_rw_groupd_shm',`
 	gen_require(`
-	type groupd_t;
+		type groupd_t, groupd_tmpfs_t;
 	')
 
 	allow $1 groupd_t:shm { rw_shm_perms destroy };
-')
-
-#####################################
-## <summary>
-##	Manage groupd tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`groupd_manage_tmpfs_files',`
-	gen_require(`
-		type groupd_tmpfs_t;
-	')
 
 	fs_search_tmpfs($1)
 	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
@@ -405,7 +345,7 @@ interface(`groupd_manage_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`qdiskd_domtrans',`
+interface(`rhcs_domtrans_qdiskd',`
 	gen_require(`
 		type qdiskd_t, qdiskd_exec_t;
 	')

policy/modules/services/rhcs.te

@@ -22,7 +22,6 @@ rhcs_domain_template(fenced)
 type fenced_lock_t;
 files_lock_file(fenced_lock_t)
 
-# tmp files
 type fenced_tmp_t;
 files_tmp_file(fenced_tmp_t)
 
@@ -32,7 +31,6 @@ rhcs_domain_template(groupd)
 
 rhcs_domain_template(qdiskd)
 
-# var/lib files
 type qdiskd_var_lib_t;
 files_type(qdiskd_var_lib_t)
 
@@ -78,7 +76,6 @@ can_exec(fenced_t, fenced_exec_t)
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
 
-# tmp files
 manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
 manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
 manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
@@ -235,9 +232,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
 allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
 allow cluster_domain self:unix_dgram_socket create_socket_perms;
 
-libs_use_ld_so(cluster_domain)
-libs_use_shared_libs(cluster_domain)
-
 logging_send_syslog_msg(cluster_domain)
 
 miscfiles_read_localization(cluster_domain)

policy/modules/services/ricci.te

@@ -11,19 +11,15 @@ type ricci_exec_t;
 domain_type(ricci_t)
 init_daemon_domain(ricci_t, ricci_exec_t)
 
-# tmp files
 type ricci_tmp_t;
 files_tmp_file(ricci_tmp_t)
 
-# var/lib files
 type ricci_var_lib_t;
 files_type(ricci_var_lib_t)
 
-# log files
 type ricci_var_log_t;
 logging_log_file(ricci_var_log_t)
 
-# pid files
 type ricci_var_run_t;
 files_pid_file(ricci_var_run_t)
 
@@ -33,15 +29,12 @@ domain_type(ricci_modcluster_t)
 domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
 role system_r types ricci_modcluster_t;
 
-# var/lib files
 type ricci_modcluster_var_lib_t;
 files_type(ricci_modcluster_var_lib_t)
 
-# log files
 type ricci_modcluster_var_log_t;
 logging_log_file(ricci_modcluster_var_log_t)
 
-# pid files
 type ricci_modcluster_var_run_t;
 files_pid_file(ricci_modcluster_var_run_t)
 
@@ -94,24 +87,20 @@ domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
 domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
 domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
 
-# tmp file
 manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
 manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
 files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
 
-# var/lib files for ricci
 manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
 
-# log files
 allow ricci_t ricci_var_log_t:dir setattr;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
 
-# pid file
 manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
 manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
 files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
@@ -277,13 +266,11 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
 allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
 allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
 
-# log files
 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
 manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
 manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
 logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
 
-# pid file
 manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
 manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
 files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })