add fstools, and more cleanup

refpolicy/policy/modules/kernel/bootloader.te

@@ -126,6 +126,7 @@ files_read_generic_etc_files(bootloader_t)
 files_read_etc_runtime_files(bootloader_t)
 files_read_usr_src(bootloader_t)
 files_read_usr_files(bootloader_t)
+files_read_var_file(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
 
@@ -141,13 +142,16 @@ miscfiles_read_localization(bootloader_t)
 seutil_read_binary_pol(bootloader_t)
 seutil_read_loadpol(bootloader_t)
 
-ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
+ifdef(`distro_debian',`
+	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+	allow bootloader_t boot_t:file relabelfrom;
+
+	# for /usr/share/initrd-tools/scripts
+	files_exec_usr_files(bootloader_t)
 ')
 
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
@@ -157,17 +161,22 @@ ifdef(`distro_redhat', `
 	# mkinitrd mount initrd on bootloader temp dir
 	files_mountpoint(bootloader_tmp_t)
 
+	# new file system defaults to file_t, granting file_t access is still bad.
+	files_manage_isid_type_dir(bootloader_t)
+	files_manage_isid_type_file(bootloader_t)
+	files_manage_isid_type_symlink(bootloader_t)
+	files_manage_isid_type_blk_node(bootloader_t)
+	files_manage_isid_type_chr_node(bootloader_t)
+
 	# for mke2fs
 	mount_domtrans(bootloader_t)
 ')
 
-optional_policy(`filesystemtools.te', `
+optional_policy(`filesystemtools.te',`
 	filesystemtools_execute(bootloader_t)
 ')
 
-# LVM2 / Device Mapper's /dev/mapper/control
-# maybe we should change the labeling for this
-optional_policy(`lvm.te', `
+optional_policy(`lvm.te',`
 	dev_rw_lvm_control(bootloader_t)
 
 	lvm_domtrans(bootloader_t)
@@ -185,8 +194,9 @@ optional_policy(`modutils.te',`
 
 ifdef(`TODO',`
 
-allow bootloader_t var_t:dir search;
-allow bootloader_t var_t:file { getattr read };
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
 
 ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
@@ -197,18 +207,6 @@ ifdef(`distro_debian', `
 	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
 	allow bootloader_t dpkg_var_lib_t:file { getattr read };
 
-	# for /usr/share/initrd-tools/scripts
-	can_exec(bootloader_t, usr_t)
 ')
 
-ifdef(`distro_redhat', `
-	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t file_t:dir create_dir_perms;
-	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-	allow bootloader_t file_t:lnk_file create_lnk_perms;
-')
-
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
 ') dnl end TODO

refpolicy/policy/modules/kernel/kernel.if

@@ -172,11 +172,11 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ')
 
 ########################################
-## <desc>
-##	
-## </desc>
+## <summary>
+##	Change the level of kernel messages logged to the console.
+## </summary>
 ## <param name="domain">
-##	
+##	The type of the process performing this action.
 ## </param>
 #
 interface(`kernel_change_ring_buffer_level',`

refpolicy/policy/modules/services/inetd.te

@@ -88,6 +88,10 @@ fs_search_auto_mountpoints(inetd_t)
 
 term_dontaudit_use_console(inetd_t)
 
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_sbin_symlink(inetd_t)
+
 domain_use_wide_inherit_fd(inetd_t)
 
 files_read_generic_etc_files(inetd_t)
@@ -112,8 +116,8 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(inetd_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(inetd_t)
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(inetd_t)
 ')
 
 optional_policy(`selinux.te',`
@@ -129,17 +133,13 @@ allow inetd_t proc_t:dir r_dir_perms;
 allow inetd_t proc_t:lnk_file read;
 dontaudit inetd_t sysadm_home_dir_t:dir search;
 
-ifdef(`mount.te', `
-allow inetd_t mount_t:udp_socket rw_socket_perms;
+optional_policy(`rhgb.te',`
+	rhgb_domain(inetd_t)
 ')
 
 # allow any domain to connect to inetd
 can_tcp_connect(userdomain, inetd_t)
 
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
 # Bind to the telnet, ftp, rlogin and rsh ports.
 ifdef(`talk.te', `
 allow inetd_t talk_port_t:tcp_socket name_bind;

refpolicy/policy/modules/system/clock.if

@@ -51,7 +51,7 @@ interface(`clock_run',`
 
 ########################################
 ##     <desc>
-##             Execute hwclock
+##             Execute hwclock in the caller domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.

refpolicy/policy/modules/system/corecommands.if

@@ -43,6 +43,7 @@ interface(`corecmd_list_bin',`
 	allow $1 bin_t:dir r_dir_perms;
 ')
 
+########################################
 ## <summary>
 ##	Get the attributes of files in bin directories.
 ## </summary>
@@ -58,6 +59,7 @@ interface(`corecmd_getattr_bin_file',`
 	allow $1 bin_t:file getattr;
 ')
 
+########################################
 ## <summary>
 ##	Read symbolic links in bin directories.
 ## </summary>
@@ -144,6 +146,24 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 	dontaudit $1 sbin_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read symbolic links in sbin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+interface(`corecmd_read_sbin_symlink',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class lnk_file read;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file read;
+')
+
 ########################################
 #
 # corecmd_exec_sbin(domain)

refpolicy/policy/modules/system/files.if

@@ -591,9 +591,33 @@ interface(`files_create_etc_config',`
 	')
 ')
 
+
 ########################################
+## <summary>
+##	Do not audit attempts to search directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_rw_isid_type_dir(domain)
+interface(`files_dontaudit_search_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir search;
+	')
+
+	dontaudit $1 file_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read and write directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_rw_isid_type_dir',`
 	gen_require(`
@@ -605,29 +629,121 @@ interface(`files_rw_isid_type_dir',`
 ')
 
 ########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_dontaudit_getattr_isid_type_dir(domain)
-#
-interface(`files_dontaudit_getattr_isid_type_dir',`
+interface(`files_manage_isid_type_dir',`
 	gen_require(`
 		type file_t;
-		class dir search;
+		class dir create_dir_perms;
 	')
 
-	dontaudit $1 file_t:dir search;
+	allow $1 file_t:dir create_dir_perms;
 ')
 
 ########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_dontaudit_search_isid_type_dir(domain)
+interface(`files_manage_isid_type_file',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-interface(`files_dontaudit_search_isid_type_dir',`
+interface(`files_manage_isid_type_symlink',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read and write block device nodes on new filesystems 
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_isid_type_blk_node',`
 	gen_require(`
 		type file_t;
 		class dir search;
+		class blk_file rw_file_perms;
 	')
 
-	dontaudit $1 file_t:dir search;
+	allow $1 file_t:dir search;
+	allow $1 file_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete block device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_blk_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class blk_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete character device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_chr_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class chr_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:chr_file create_file_perms;
 ')
 
 ########################################
@@ -807,6 +923,25 @@ interface(`files_dontaudit_search_var',`
 	dontaudit $1 var_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Read files in the /var directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_var_file',`
+	gen_require(`
+		type var_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_t:file r_file_perms;
+')
+
 ########################################
 ## <desc>
 ##	Search the /var/lib directory.

refpolicy/policy/modules/system/fstools.fc

@@ -0,0 +1,36 @@
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t

refpolicy/policy/modules/system/fstools.if

@@ -0,0 +1,66 @@
+## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+
+########################################
+## <desc>
+##	Execute fs tools in the fstools domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_domtrans',`
+	gen_require(`
+		type fsadm_t, fsadm_exec_t;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,fsadm_exec_t,fsadm_t)
+
+	allow $1 fsadm_t:fd use;
+	allow fsadm_t $1:fd use;
+	allow fsadm_t $1:fifo_file rw_file_perms;
+	allow fsadm_t $1:process sigchld;
+')
+
+########################################
+## <desc>
+##	Execute fs tools in the fstools domain, and
+##	allow the specified role the fs tools domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the fs tools domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the fs tools domain to use.
+## </param>
+#
+interface(`fstools_run',`
+	gen_require(`
+		type fsadm_t;
+		class chr_file { getattr read write ioctl };
+	')
+
+	fstools_domtrans($1)
+	role $2 types fsadm_t;
+	allow fsadm_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+##     <desc>
+##             Execute fsadm in the caller domain.
+##     </desc>
+##     <param name="domain">
+##             The type of the process performing this action.
+##     </param>
+#
+interface(`fstools_exec',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	can_exec($1,fsadm_exec_t)
+')

refpolicy/policy/modules/system/fstools.te

@@ -0,0 +1,143 @@
+
+policy_module(fstools,1.0)
+
+########################################
+#
+# Declarations
+#
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t,fsadm_exec_t)
+role system_r types fsadm_t;
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t;
+files_file_type(swapfile_t)
+
+########################################
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
+allow fsadm_t fsadm_tmp_t:file create_file_perms;
+files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { getattr swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctl(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+
+domain_use_wide_inherit_fd(fsadm_t)
+
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_generic_etc_files(fsadm_t)
+files_list_mnt(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+# Access to /initrd devices
+files_rw_isid_type_dir(fsadm_t)
+files_rw_isid_type_blk_node(fsadm_t)
+
+init_use_fd(fsadm_t)
+init_use_script_pty(fsadm_t)
+
+libs_use_ld_so(fsadm_t)
+libs_use_shared_libs(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+modutils_read_module_conf(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_unpriv_users_fd(fsadm_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(fsadm_t)
+')
+
+ifdef(`TODO',`
+# for swapon
+allow fsadm_t sysfs_t:dir { search getattr };
+
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
+allow fsadm_t bin_t:dir r_dir_perms;
+allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
+allow fsadm_t sbin_t:dir r_dir_perms;
+allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
+if (read_default_t) {
+allow fsadm_t default_t:dir r_dir_perms;
+allow fsadm_t default_t:notdevfile_class_set r_file_perms;
+}
+
+# mkreiserfs needs this
+allow fsadm_t proc_t:filesystem getattr;
+
+# Access lost+found.
+allow fsadm_t lost_found_t:dir create_dir_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
+
+allow fsadm_t file_t:dir { search read getattr rmdir create };
+
+# Recreate /mnt/cdrom.
+allow fsadm_t mnt_t:dir { rmdir create };
+
+# Enable swapping to devices and files
+allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+
+# Access terminals.
+ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t unlabeled_t:dir rw_dir_perms;
+allow fsadm_t unlabeled_t:blk_file rw_file_perms;
+allow fsadm_t usbfs_t:dir getattr;
+
+') dnl end TODO

refpolicy/policy/modules/system/hotplug.te

@@ -131,6 +131,10 @@ optional_policy(`consoletype.te',`
 	consoletype_domtrans(hotplug_t)
 ')
 
+optional_policy(`fstools.te',`
+	fstools_domtrans(hotplug_t)
+')
+
 optional_policy(`hostname.te',`
 	hostname_exec(hotplug_t)
 ')
@@ -188,10 +192,6 @@ optional_policy(`hotplug.te',`
 	allow hald_t hotplug_etc_t:file { getattr read };
 ')
 
-optional_policy(`fsadm.te', `
-	domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
 optional_policy(`lpd.te', `
 	allow hotplug_t printer_device_t:chr_file setattr;
 ')

refpolicy/policy/modules/system/modutils.te

@@ -138,12 +138,15 @@ fs_getattr_xattr_fs(depmod_t)
 
 term_use_console(depmod_t)
 
+corecmd_search_bin(depmod_t)
+corecmd_search_sbin(depmod_t)
+
+domain_use_wide_inherit_fd(depmod_t)
+
 init_use_fd(depmod_t)
 init_use_script_fd(depmod_t)
 init_use_script_pty(depmod_t)
 
-domain_use_wide_inherit_fd(depmod_t)
-
 files_read_etc_runtime_files(depmod_t)
 files_read_generic_etc_files(depmod_t)
 files_read_usr_src(depmod_t)
@@ -153,8 +156,6 @@ libs_use_shared_libs(depmod_t)
 
 ifdef(`TODO',`
 
-allow depmod_t { bin_t sbin_t }:dir search;
-
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.

refpolicy/policy/modules/system/userdomain.te

@@ -84,6 +84,10 @@ optional_policy(`clock.te',`
 	clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`fstools.te',`
+	fstools_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`hostname.te',`
 	hostname_run(sysadm_t,sysadm_r,admin_terminal)
 ')