Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

policy/modules/admin/shorewall.if

@@ -185,18 +185,18 @@ interface(`shorewall_admin',`
 	role_transition $2 shorewall_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, shorewall_etc_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, shorewall_lock_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, shorewall_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, shorewall_log_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, shorewall_tmp_t)
 ')

policy/modules/apps/gnome.if

@@ -320,7 +320,7 @@ interface(`gnome_admin_home_gconf_filetrans',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_gconf_config',`
+interface(`gnome_read_gconf_config',`
 	gen_require(`
 		type gconf_etc_t;
 	')
@@ -498,7 +498,7 @@ interface(`gnome_stream_connect',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_list_home_config',`
+interface(`gnome_list_home_config',`
 	gen_require(`
 		type config_home_t;
 	')
@@ -535,7 +535,7 @@ template(`gnome_setattr_home_config',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_home_config',`
+interface(`gnome_read_home_config',`
 	gen_require(`
 		type config_home_t;
 	')

policy/modules/kernel/files.if

@@ -5286,6 +5286,24 @@ interface(`files_manage_mounttab',`
 	manage_files_pattern($1, var_lib_t, var_lib_t)
 ')
 
+########################################
+## <summary>
+##	List generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	list_dirs_pattern($1, var_t, var_lock_t)
+')
+
 ########################################
 ## <summary>
 ##	Search the locks directory (/var/lock).

policy/modules/services/abrt.if

@@ -326,18 +326,18 @@ interface(`abrt_admin',`
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, abrt_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, abrt_var_log_t)
 
-	files_search_var($1)
+	files_list_var($1)
 	admin_pattern($1, abrt_var_cache_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, abrt_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, abrt_tmp_t)
 ')

policy/modules/services/abrt.te

@@ -6,10 +6,10 @@ policy_module(abrt, 1.1.1)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ABRT to modify public files
+##	Allow ABRT to modify public files
-## used for public file transfer services.
+##	used for public file transfer services.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(abrt_anon_write, false)
 
@@ -154,7 +154,7 @@ userdom_dontaudit_read_user_home_content_files(abrt_t)
 userdom_dontaudit_read_admin_home_files(abrt_t)
 
 tunable_policy(`abrt_anon_write',`
-        miscfiles_manage_public_files(abrt_t)
+	miscfiles_manage_public_files(abrt_t)
 ')
 
 optional_policy(`
@@ -175,7 +175,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-        policykit_dbus_chat(abrt_t)
+	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
@@ -214,7 +214,7 @@ optional_policy(`
 
 ########################################
 #
-# abrt--helper local policy
+# abrt-helper local policy
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -248,27 +248,27 @@ miscfiles_read_localization(abrt_helper_t)
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
 	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
-	optional_policy(`
-		rpm_dontaudit_leaks(abrt_helper_t)
-	')
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
 	dev_dontaudit_read_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
 ')
 
-
+ifdef(`hide_broken_symptoms',`
-ifdef(`hide_broken_symptoms', `
 	gen_require(`
-        attribute domain;
+		attribute domain;
 	')
 
-	allow abrt_t self:capability sys_resource;    
+	allow abrt_t self:capability sys_resource;
 	allow abrt_t domain:file write;
 	allow abrt_t domain:process setrlimit;
 ')

policy/modules/services/accountsd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run accountsd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`accountsd_domtrans',`

policy/modules/services/afs.te

@@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
-ifdef(`hide_broken_symptoms', `
-	kernel_rw_unlabeled_files(afs_t)
-')
-
 corenet_all_recvfrom_unlabeled(afs_t)
 corenet_all_recvfrom_netlabel(afs_t)
 corenet_tcp_sendrecv_generic_if(afs_t)
@@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
 
 sysnet_dns_name_resolve(afs_t)
 
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy

policy/modules/services/aiccu.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run aiccu.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`aiccu_domtrans',`
@@ -19,7 +19,6 @@ interface(`aiccu_domtrans',`
 	corecmd_search_bin($1)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute aiccu server in the aiccu domain.
@@ -78,7 +77,6 @@ interface(`aiccu_manage_var_run',`
 	files_search_pids($1)
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@@ -111,8 +109,8 @@ interface(`aiccu_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, aiccu_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, aiccu_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 ')

policy/modules/services/aiccu.te

@@ -35,8 +35,8 @@ allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
 
 allow aiccu_t aiccu_etc_t:file read_file_perms;
 
-manage_dirs_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
-manage_files_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
 files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
 
 kernel_read_system_state(aiccu_t)

policy/modules/services/aide.if

@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
 ##	The role to allow the AIDE domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`aide_run',`
 	gen_require(`

policy/modules/services/aisexec.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run aisexec.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`aisexec_domtrans',`

policy/modules/services/ajaxterm.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for ajaxterm</summary>
 
 ########################################
@@ -6,9 +5,9 @@
 ##	Execute a domain transition to run ajaxterm.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ajaxterm_domtrans',`
@@ -19,14 +18,13 @@ interface(`ajaxterm_domtrans',`
 	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute ajaxterm server in the ajaxterm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -57,8 +55,7 @@ interface(`ajaxterm_initrc_domtrans',`
 #
 interface(`ajaxterm_admin',`
 	gen_require(`
-		type ajaxterm_t;
+		type ajaxterm_t, ajaxterm_initrc_exec_t;
-		type ajaxterm_initrc_exec_t;
 	')
 
 	allow $1 ajaxterm_t:process { ptrace signal_perms };
@@ -68,5 +65,4 @@ interface(`ajaxterm_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 ajaxterm_initrc_exec_t system_r;
 	allow $2 system_r;
-
 ')

policy/modules/services/ajaxterm.te

@@ -1,4 +1,4 @@
-policy_module(ajaxterm,1.0.0)
+policy_module(ajaxterm, 1.0.0)
 
 ########################################
 #
@@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
 allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
 allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
 
-allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
 term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
 
 manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)

policy/modules/services/amavis.if

@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
 		type amavis_var_run_t;
 	')
 
-	allow $1 amavis_var_run_t:file setattr;
+	allow $1 amavis_var_run_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 

policy/modules/services/amavis.te

@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
 
 # tmp files
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-allow amavis_t amavis_tmp_t:dir setattr;
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
 files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
 
 # var/lib files for amavis
@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 files_search_var_lib(amavis_t)
 
 # log files
-allow amavis_t amavis_var_log_t:dir setattr;
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

policy/modules/services/apache.if

@@ -13,8 +13,7 @@
 #
 template(`apache_content_template',`
 	gen_require(`
-		attribute httpd_exec_scripts;
+		attribute httpd_exec_scripts, httpd_script_exec_type;
-		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 		type httpd_sys_content_t;
 	')
@@ -50,8 +49,6 @@ template(`apache_content_template',`
 
 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
 
-	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
 	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
@@ -132,6 +129,8 @@ template(`apache_content_template',`
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 
+		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
 
@@ -152,6 +151,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t httpd_t:fd use;
 		allow httpd_$1_script_t httpd_t:process sigchld;
 
+		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
 		kernel_read_system_state(httpd_$1_script_t)
 
 		dev_read_urand(httpd_$1_script_t)
@@ -180,8 +181,6 @@ template(`apache_content_template',`
 	optional_policy(`
 		nscd_socket_use(httpd_$1_script_t)
 	')
-
-	dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
 ')
 
 ########################################
@@ -202,16 +201,15 @@ template(`apache_content_template',`
 interface(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_user_content_t, httpd_user_htaccess_t;
+		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
-		type httpd_user_script_t, httpd_user_script_exec_t;
+		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
-		type httpd_user_ra_content_t, httpd_user_rw_content_t;
 	')
 
 	role $1 types httpd_user_script_t;
 
 	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
 
 	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -314,21 +312,21 @@ interface(`apache_domtrans',`
 
 ######################################
 ## <summary>
-##  Allow the specified domain to execute apache
+##	Allow the specified domain to execute apache
-##  in the caller domain.
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
-##  <summary>
+##	<summary>
-##  Domain allowed access.
+##	Domain allowed access.
-##  </summary>
+##	</summary>
 ## </param>
 #
 interface(`apache_exec',`
-    gen_require(`
+	gen_require(`
-        type httpd_exec_t;
+		type httpd_exec_t;
-    ')
+	')
 
-    can_exec($1, httpd_exec_t)
+	can_exec($1, httpd_exec_t)
 ')
 
 #######################################
@@ -501,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
 		type httpd_cache_t;
 	')
 
-	allow $1 httpd_cache_t:dir setattr;
+	allow $1 httpd_cache_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -732,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
 		type httpd_log_t;
 	')
 
-	dontaudit $1 httpd_log_t:file { getattr append };
+	dontaudit $1 httpd_log_t:file append_file_perms;
 ')
 
 ########################################
@@ -895,7 +893,6 @@ interface(`apache_manage_sys_content',`
 	')
 
 	files_search_var($1)
-	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -903,45 +900,45 @@ interface(`apache_manage_sys_content',`
 
 ######################################
 ## <summary>
-##  Allow the specified domain to read
+##	Allow the specified domain to read
-##  apache system content rw files.
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
-##  <summary>
+##	<summary>
-##  Domain allowed access.
+##	Domain allowed access.
-##  </summary>
+##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`apache_read_sys_content_rw_files',`
-    gen_require(`
+	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 
-    read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
 ######################################
 ## <summary>
-##  Allow the specified domain to manage
+##	Allow the specified domain to manage
-##  apache system content rw files.
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
-##  <summary>
+##	<summary>
-##  Domain allowed access.
+##	Domain allowed access.
-##  </summary>
+##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`apache_manage_sys_content_rw',`
-    gen_require(`
+	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 
-    files_search_var($1)
+	files_search_var($1)
-    manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-    manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-    manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
 ########################################
@@ -985,8 +982,7 @@ interface(`apache_delete_sys_content_rw',`
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_sys_script_t;
+		type httpd_sys_script_t, httpd_sys_content_t;
-		type httpd_sys_content_t;
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
@@ -1049,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access..
+##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
@@ -1221,21 +1218,21 @@ interface(`apache_read_tmp_files',`
 
 ######################################
 ## <summary>
-##  Dontaudit attempts to read and write
+##	Dontaudit attempts to read and write
-##  apache tmp files.
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
-##  <summary>
+##	<summary>
-##  Domain allowed access.
+##	Domain to not audit.
-##  </summary>
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_rw_tmp_files',`
-    gen_require(`
+	gen_require(`
-        type httpd_tmp_t;
+		type httpd_tmp_t;
-    ')
+	')
 
-    dontaudit $1 httpd_tmp_t:file { read write };
+	dontaudit $1 httpd_tmp_t:file { read write };
 ')
 
 ########################################
@@ -1317,17 +1314,14 @@ interface(`apache_cgi_domain',`
 #
 interface(`apache_admin',`
 	gen_require(`
-		attribute httpdcontent;
+		attribute httpdcontent, httpd_script_exec_type;
-		attribute httpd_script_exec_type;
-
 		type httpd_t, httpd_config_t, httpd_log_t;
-		type httpd_modules_t, httpd_lock_t;
+		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
-		type httpd_var_run_t, httpd_php_tmp_t;
+		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
 		type httpd_suexec_tmp_t, httpd_tmp_t;
-		type httpd_initrc_exec_t, httpd_bool_t;
 	')
 
-	allow $1 httpd_t:process { getattr ptrace signal_perms };
+	allow $1 httpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, httpd_t)
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@@ -1338,10 +1332,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, httpd_config_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
@@ -1352,26 +1346,22 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
-	kernel_search_proc($1)
-	allow $1 httpd_t:dir list_dir_perms;
-	ps_process_pattern($1, httpd_t)
-	read_lnk_files_pattern($1, httpd_t, httpd_t)
-
 	admin_pattern($1, httpdcontent)
 	admin_pattern($1, httpd_script_exec_type)
 
 	seutil_domtrans_setfiles($1)
 
+	files_list_tmp($1)
 	admin_pattern($1, httpd_tmp_t)
 	admin_pattern($1, httpd_php_tmp_t)
 	admin_pattern($1, httpd_suexec_tmp_t)
 
-ifdef(`TODO',`
+	ifdef(`TODO',`
-	apache_set_booleans($1, $2, $3, httpd_bool_t )
+		apache_set_booleans($1, $2, $3, httpd_bool_t)
-	seutil_setsebool_role_template($1, $3, $2)
+		seutil_setsebool_role_template($1, $3, $2)
-	allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
-	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
-')
+	')
 ')
 
 ########################################
@@ -1380,7 +1370,7 @@ ifdef(`TODO',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1390,7 +1380,7 @@ interface(`apache_dontaudit_leaks',`
 	')
 
 	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
- 	dontaudit $1 httpd_t:tcp_socket { read write };
+	dontaudit $1 httpd_t:tcp_socket { read write };
 	dontaudit $1 httpd_t:unix_dgram_socket { read write };
 	dontaudit $1 httpd_t:unix_stream_socket { read write };
 ')

policy/modules/services/apache.te

@@ -21,182 +21,189 @@ policy_module(apache, 2.2.0)
 selinux_genbool(httpd_bool_t)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Apache to modify public files
+##	Allow Apache to modify public files
-## used for public file transfer services. Directories/Files must
+##	used for public file transfer services. Directories/Files must
-## be labeled public_content_rw_t.
+##	be labeled public_content_rw_t.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_httpd_anon_write, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Apache to use mod_auth_pam
+##	Allow Apache to use mod_auth_pam
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_httpd_mod_auth_pam, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd scripts and modules execmem/execstack
+##	Allow Apache to use mod_auth_pam
-## </p>
+##	</p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+
+## <desc>
+##	<p>
+##	Allow httpd scripts and modules execmem/execstack
+##	</p>
 ## </desc>
 gen_tunable(httpd_execmem, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd daemon to change system limits
+##	Allow httpd daemon to change system limits
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_setrlimit, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to use built in scripting (usually php)
+##	Allow httpd to use built in scripting (usually php)
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_builtin_scripting, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow HTTPD scripts and modules to connect to the network using any TCP port.
+##	Allow HTTPD scripts and modules to connect to the network using any TCP port.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##	Allow HTTPD scripts and modules to connect to cobbler over the network.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_cobbler, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow HTTPD scripts and modules to connect to databases over the network.
+##	Allow HTTPD scripts and modules to connect to databases over the network.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_db, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to connect to memcache server
+##	Allow httpd to connect to memcache server
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_network_memcache, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to act as a relay
+##	Allow httpd to act as a relay
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_network_relay, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow http daemon to send mail
+##	Allow http daemon to send mail
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_sendmail, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow http daemon to check spam
+##	Allow http daemon to check spam
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_can_check_spam, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Apache to communicate with avahi service via dbus
+##	Allow Apache to communicate with avahi service via dbus
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to execute cgi scripts
+##	Allow httpd to execute cgi scripts
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_enable_cgi, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to act as a FTP server by
+##	Allow httpd to act as a FTP server by
-## listening on the ftp port.
+##	listening on the ftp port.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_enable_ftp_server, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to read home directories
+##	Allow httpd to read home directories
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to read user content 
+##	Allow httpd to read user content 
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_read_user_content, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##	Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_ssi_exec, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Apache to execute tmp content.
+##	Allow Apache to execute tmp content.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_tmp_exec, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Unify HTTPD to communicate with the terminal.
+##	Unify HTTPD to communicate with the terminal.
-## Needed for entering the passphrase for certificates at
+##	Needed for entering the passphrase for certificates at
-## the terminal.
+##	the terminal.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_tty_comm, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Unify HTTPD handling of all content files.
+##	Unify HTTPD handling of all content files.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_unified, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to access cifs file systems
+##	Allow httpd to access cifs file systems
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_use_cifs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to run gpg in gpg-web domain
+##	Allow httpd to run gpg in gpg-web domain
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_use_gpg, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow httpd to access nfs file systems
+##	Allow httpd to access nfs file systems
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
+##	Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_httpd_sys_script_anon_write, false)
 
@@ -279,6 +286,13 @@ typeattribute httpd_sys_content_t httpdcontent; # customizable
 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
 
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
@@ -320,6 +334,9 @@ files_type(httpd_var_lib_t)
 type httpd_var_run_t;
 files_pid_file(httpd_var_run_t)
 
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
 # File Type of squirrelmail attachments
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
@@ -506,22 +523,21 @@ tunable_policy(`allow_httpd_mod_auth_pam',`
 	logging_send_audit_msgs(httpd_t)
 ')
 
-## <desc>
-## <p>
-## Allow Apache to use mod_auth_pam
-## </p>
-## </desc>
-gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 optional_policy(`
-tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+	tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
 		samba_domtrans_winbind_helper(httpd_t)
-')
+	')
 ')
 
 tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mssql_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_memcache',`
 	corenet_tcp_connect_memcache_port(httpd_t)
 ')
@@ -541,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
 	corenet_sendrecv_squid_client_packets(httpd_t)
 ')
 
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
 	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -549,7 +571,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 
 tunable_policy(`allow_httpd_sys_script_anon_write',`
 	miscfiles_manage_public_files(httpd_sys_script_t)
-') 
+')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
 	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
@@ -575,16 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',`
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_t)
-')
-
 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-        can_exec(httpd_t, httpd_tmp_t)
+	can_exec(httpd_t, httpd_tmp_t)
 ')
 
 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
-        can_exec(httpd_sys_script_t, httpd_tmp_t)
+	can_exec(httpd_sys_script_t, httpd_tmp_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -723,21 +741,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-        passenger_domtrans(httpd_t)
+	passenger_domtrans(httpd_t)
-        passenger_manage_pid_content(httpd_t)
+	passenger_manage_pid_content(httpd_t)
-        passenger_read_lib_files(httpd_t)
+	passenger_read_lib_files(httpd_t)
 ')
 
 optional_policy(`
 	rpc_search_nfs_state_data(httpd_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
-	allow httpd_sys_script_t self:process { execmem execstack };
-	allow httpd_suexec_t self:process { execmem execstack };
-') 
-
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
@@ -745,7 +757,6 @@ optional_policy(`
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
-		postgresql_tcp_connect(httpd_sys_script_t)
 	')
 ')
 
@@ -830,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_tcp_connect_mssql_port(httpd_php_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-
-	corenet_tcp_connect_mssql_port(httpd_t)
-	corenet_sendrecv_mssql_client_packets(httpd_t)
-	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 ')
 
 optional_policy(`
 	mysql_stream_connect(httpd_php_t)
+	mysql_rw_db_sockets(httpd_php_t)
 	mysql_read_config(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_php_t)
+	')
 ')
 
 optional_policy(`
 	postgresql_stream_connect(httpd_php_t)
+	postgresql_unpriv_client(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_php_t)
+	')
 ')
 
 ########################################
@@ -877,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
 
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@@ -917,11 +931,13 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
-read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+tunable_policy(`httpd_can_network_connect_db',`
-read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+')
 
 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@@ -930,9 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
-tunable_policy(`httpd_enable_cgi',`
-	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
-')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
@@ -961,6 +974,19 @@ optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
 	mysql_rw_db_sockets(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_suexec_t)
+	')
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_suexec_t)
+	postgresql_unpriv_client(httpd_suexec_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_suexec_t)
+	')
 ')
 
 ########################################
@@ -1002,9 +1028,14 @@ tunable_policy(`httpd_can_sendmail',`
 ')
 
 optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-  spamassassin_domtrans_client(httpd_t)
+		spamassassin_domtrans_client(httpd_t)
- ')
+	')
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
 ')
 
 fs_cifs_entry_type(httpd_sys_script_t)
@@ -1042,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_sys_script_t)
+	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -1050,6 +1081,10 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_use_cifs',`
 	fs_manage_cifs_dirs(httpd_sys_script_t)
 	fs_manage_cifs_files(httpd_sys_script_t)
@@ -1073,10 +1108,19 @@ optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
 	mysql_read_config(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
 	postgresql_stream_connect(httpd_sys_script_t)
+	postgresql_unpriv_client(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 ########################################
@@ -1136,19 +1180,7 @@ tunable_policy(`httpd_enable_homedirs',`
 ')
 
 tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_user_script_t)
-	userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
 	userdom_read_user_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
+	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
-
-# Removal of fastcgi, will cause problems without the following
-typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
-typealias httpd_sys_ra_content_t   alias httpd_fastcgi_script_ra_t;
-typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
-typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
-

policy/modules/services/apcupsd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run apcupsd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`apcupsd_domtrans',`
@@ -83,9 +83,9 @@ interface(`apcupsd_read_log',`
 ##	apcupsd log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`apcupsd_append_log',`
@@ -103,9 +103,9 @@ interface(`apcupsd_append_log',`
 ##	Execute a domain transition to run httpd_apcupsd_cgi_script.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`apcupsd_cgi_script_domtrans',`
@@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
 #
 interface(`apcupsd_admin',`
 	gen_require(`
-		type apcupsd_t, apcupsd_tmp_t;
+		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
-		type apcupsd_log_t, apcupsd_lock_t;
+		type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
-		type apcupsd_var_run_t;
-		type apcupsd_initrc_exec_t;
 	')
 
 	allow $1 apcupsd_t:process { ptrace signal_perms };

policy/modules/services/apm.if

@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
 		type apmd_t;
 	')
 
-	allow $1 apmd_t:fifo_file write; 
+	allow $1 apmd_t:fifo_file write_fifo_file_perms; 
 ')
 
 ########################################
@@ -89,7 +89,7 @@ interface(`apm_append_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 apmd_log_t:file append;
+	allow $1 apmd_log_t:file append_file_perms;
 ')
 
 ########################################
@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 apmd_var_run_t:sock_file write;
+	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-	allow $1 apmd_t:unix_stream_socket connectto;
 ')

policy/modules/services/apm.te

@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
 #
 # Declarations
 #
+
 type apmd_t;
 type apmd_exec_t;
 init_daemon_domain(apmd_t, apmd_exec_t)

policy/modules/services/automount.if

@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`automount_signal',`
 	gen_require(`
 		type automount_t;
@@ -124,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 		type automount_tmp_t;
 	')
 
-	dontaudit $1 automount_tmp_t:dir getattr;
+	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
 ')
 
 ########################################

policy/modules/services/avahi.if

@@ -151,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
 #
 interface(`avahi_admin',`
 	gen_require(`
-		type avahi_t, avahi_var_run_t;
+		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
-		type avahi_initrc_exec_t;
 	')
 
 	allow $1 avahi_t:process { ptrace signal_perms };

policy/modules/services/avahi.te

@@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
 manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-allow avahi_t avahi_var_run_t:dir setattr;
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
 files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
 
 kernel_read_system_state(avahi_t)

policy/modules/services/bind.if

@@ -186,7 +186,7 @@ interface(`bind_write_config',`
 	')
 
 	write_files_pattern($1, named_conf_t, named_conf_t)
-	allow $1 named_conf_t:file setattr;
+	allow $1 named_conf_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
 		type named_var_run_t;
 	')
 
-	allow $1 named_var_run_t:dir setattr;
+	allow $1 named_var_run_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
 		type named_zone_t;
 	')
 
-	allow $1 named_zone_t:dir setattr;
+	allow $1 named_zone_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -380,10 +380,9 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 	gen_require(`
 		type named_t, named_tmp_t, named_log_t;
-		type named_conf_t, named_var_run_t;
+		type named_conf_t, named_var_run_t, named_cache_t;
-		type named_cache_t, named_zone_t;
+		type named_zone_t, named_initrc_exec_t;
 		type dnssec_t, ndc_t, named_keytab_t;
-		type named_initrc_exec_t;
 	')
 
 	allow $1 named_t:process { ptrace signal_perms };

policy/modules/services/bind.te

@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow BIND to write the master zone files.
+##	Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS or zone transfers.
+##	Generally this is used for dynamic DNS or zone transfers.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(named_write_master_zones, false)
 
@@ -202,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
 
 stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
 
 allow ndc_t named_conf_t:file read_file_perms;
-allow ndc_t named_conf_t:lnk_file { getattr read };
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
@@ -245,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
 
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
-	allow ndc_t named_conf_t:dir search;
+	allow ndc_t named_conf_t:dir search_dir_perms;
 ')
 
 optional_policy(`

policy/modules/services/bitlbee.if

@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	 Domain allowed accesss.
+##	Domain allowed accesss.
 ##	</summary>
 ## </param>
 #

policy/modules/services/bitlbee.te

@@ -26,7 +26,7 @@ files_type(bitlbee_var_t)
 #
 # Local policy
 #
-#
+
 allow bitlbee_t self:capability { setgid setuid };
 
 allow bitlbee_t self:udp_socket create_socket_perms;

policy/modules/services/bluetooth.if

@@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bluetooth_role',`
 	gen_require(`
@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
 
 	# allow ps to show cdrecord and allow the user to kill it
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process signal;
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
 
 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
 		type bluetooth_conf_t;
 	')
 
-	allow $1 bluetooth_conf_t:file { getattr read ioctl };
+	allow $1 bluetooth_conf_t:file read_file_perms;
 ')
 
 ########################################
@@ -178,7 +179,7 @@ interface(`bluetooth_run_helper',`
 
 ########################################
 ## <summary>
-##	Read bluetooth helper state files.
+##	Do not audit attempts to read bluetooth helper state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -191,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 		type bluetooth_helper_t;
 	')
 
-	dontaudit $1 bluetooth_helper_t:dir search;
+	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
-	dontaudit $1 bluetooth_helper_t:file { read getattr };
+	dontaudit $1 bluetooth_helper_t:file read_file_perms;
 ')
 
 ########################################
@@ -215,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 interface(`bluetooth_admin',`
 	gen_require(`
 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
-		type bluetooth_var_lib_t, bluetooth_var_run_t;
+		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t;
-		type bluetooth_initrc_exec_t;
 	')
 
 	allow $1 bluetooth_t:process { ptrace signal_perms };

policy/modules/services/bluetooth.te

@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
 #
 # Declarations
 #
+
 type bluetooth_t;
 type bluetooth_exec_t;
 init_daemon_domain(bluetooth_t, bluetooth_exec_t)

policy/modules/services/boinc.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for boinc</summary>
 
 ########################################
@@ -6,9 +5,9 @@
 ##	Execute a domain transition to run boinc.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`boinc_domtrans',`
@@ -21,20 +20,20 @@ interface(`boinc_domtrans',`
 
 #######################################
 ## <summary>
-##  Execute boinc server in the boinc domain.
+##	Execute boinc server in the boinc domain.
 ## </summary>
 ## <param name="domain">
-##  <summary>
+##	<summary>
-##  Domain allowed access.
+##	Domain allowed access.
-##  </summary>
+##	</summary>
 ## </param>
 #
 interface(`boinc_initrc_domtrans',`
-    gen_require(`
+	gen_require(`
-        type boinc_initrc_exec_t;
+		type boinc_initrc_exec_t;
-    ')
+	')
 
-    init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
 ')
 
 ########################################
@@ -72,7 +71,7 @@ interface(`boinc_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 ')
 
 ########################################
@@ -92,7 +91,7 @@ interface(`boinc_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-        manage_files_pattern($1, boinc_var_lib_t,  boinc_var_lib_t)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 ')
 
 ########################################
@@ -110,9 +109,10 @@ interface(`boinc_manage_var_lib',`
 		type boinc_var_lib_t;
 	')
 
-         manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	files_search_var_lib($1)
-         manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-         manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 ')
 
 ########################################
@@ -134,8 +134,7 @@ interface(`boinc_manage_var_lib',`
 #
 interface(`boinc_admin',`
 	gen_require(`
-		type boinc_t, boinc_initrc_exec_t;
+		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
-		type boinc_var_lib_t;
 	')
 
 	allow $1 boinc_t:process { ptrace signal_perms };
@@ -145,7 +144,7 @@ interface(`boinc_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 boinc_initrc_exec_t system_r;
 	allow $2 system_r;
-	        
+
 	files_list_var_lib($1)
 	admin_pattern($1, boinc_var_lib_t)
 ')

policy/modules/services/boinc.te

@@ -1,4 +1,4 @@
-policy_module(boinc,1.0.0)
+policy_module(boinc, 1.0.0)
 
 ########################################
 #
@@ -27,6 +27,9 @@ role system_r types boinc_project_t;
 
 permissive boinc_project_t;
 
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
 type boinc_project_var_lib_t;
 files_type(boinc_project_var_lib_t)
 
@@ -49,15 +52,15 @@ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
-fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 
-exec_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_dirs_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
 
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 
 kernel_read_system_state(boinc_t)
 
@@ -120,16 +123,20 @@ allow boinc_project_t self:process { execmem execstack };
 
 allow boinc_project_t self:fifo_file rw_fifo_file_perms;
 
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
+
 allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
-exec_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
 
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
@@ -144,10 +151,16 @@ corecmd_exec_shell(boinc_project_t)
 
 corenet_tcp_connect_boinc_port(boinc_project_t)
 
+dev_read_rand(boinc_project_t)
 dev_read_urand(boinc_project_t)
+dev_read_sysfs(boinc_project_t)
 dev_rw_xserver_misc(boinc_project_t)
 
 files_read_etc_files(boinc_project_t)
 
+miscfiles_read_fonts(boinc_project_t)
 miscfiles_read_localization(boinc_project_t)
 
+optional_policy(`
+	java_exec(boinc_project_t)
+')

policy/modules/services/bugzilla.if

@@ -57,10 +57,9 @@ interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
 #
 interface(`bugzilla_admin',`
 	gen_require(`
-		type httpd_bugzilla_script_t;
+		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-		type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
+		type httpd_bugzilla_htaccess_t;
-		type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
 	')
 
 	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
@@ -69,9 +68,9 @@ interface(`bugzilla_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, httpd_bugzilla_tmp_t)
 
-	files_search_var_lib(httpd_bugzilla_script_t)
+	files_list_var_lib(httpd_bugzilla_script_t)
 
-	apache_search_sys_content($1)
+	apache_list_sys_content($1)
 	admin_pattern($1, httpd_bugzilla_script_exec_t)
 	admin_pattern($1, httpd_bugzilla_script_t)
 	admin_pattern($1, httpd_bugzilla_content_t)

policy/modules/services/bugzilla.te

@@ -53,4 +53,3 @@ optional_policy(`
 optional_policy(`
 	postgresql_stream_connect(httpd_bugzilla_script_t)
 ')
-

policy/modules/services/cachefilesd.if

@@ -14,7 +14,6 @@
 #
 # Define the policy interface for the CacheFiles userspace management daemon.
 #
-
 ## <summary>policy for cachefilesd</summary>
 
 ########################################
@@ -22,9 +21,9 @@
 ##	Execute a domain transition to run cachefilesd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cachefilesd_domtrans',`
@@ -32,10 +31,5 @@ interface(`cachefilesd_domtrans',`
 		type cachefilesd_t, cachefilesd_exec_t;
 	')
 
-	domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
-
-	allow $1 cachefilesd_t:fd use;
-	allow cachefilesd_t $1:fd use;
-	allow cachefilesd_t $1:fifo_file rw_file_perms;
-	allow cachefilesd_t $1:process sigchld;
 ')

policy/modules/services/cachefilesd.te

@@ -17,7 +17,7 @@
 # cache, on behalf of the processes accessing the cache through a network
 # filesystem such as NFS
 #
-policy_module(cachefilesd,1.0.17)
+policy_module(cachefilesd, 1.0.17)
 
 ###############################################################################
 #
@@ -42,7 +42,6 @@ dev_node(cachefiles_dev_t)
 #
 type cachefilesd_t;
 type cachefilesd_exec_t;
-domain_type(cachefilesd_t)
 init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
 
 #
@@ -78,36 +77,33 @@ rpm_use_script_fds(cachefilesd_t)
 # Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
 # rules.
 #
-allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
 
 # Basic access
 files_read_etc_files(cachefilesd_t)
-libs_use_ld_so(cachefilesd_t)
-libs_use_shared_libs(cachefilesd_t)
 miscfiles_read_localization(cachefilesd_t)
 logging_send_syslog_msg(cachefilesd_t)
 init_dontaudit_use_script_ptys(cachefilesd_t)
 term_dontaudit_use_generic_ptys(cachefilesd_t)
 term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
 
-# Allow manipulation of pid file
-allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
-manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
-manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
-files_pid_file(cachefilesd_var_run_t)
-files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
-files_create_as_is_all_files(cachefilesd_t)
-
-# Allow access to cachefiles device file
-allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
-
-# Allow access to cache superstructure
-allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
-allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
-
-# Permit statfs on the backing filesystem
-fs_getattr_xattr_fs(cachefilesd_t)
-
 ###############################################################################
 #
 # When cachefilesd invokes the kernel module to begin caching, it has to tell
@@ -119,14 +115,14 @@ fs_getattr_xattr_fs(cachefilesd_t)
 #   (1) the security context used by the module to access files in the cache,
 #       as set by the 'secctx' command in /etc/cachefilesd.conf, and
 #
-allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
 
 #
 #   (2) the label that will be assigned to new files and directories created in
 #       the cache by the module, which will be the same as the label on the
 #       directory pointed to by the 'dir' command.
 #
-allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
 
 ###############################################################################
 #
@@ -136,11 +132,12 @@ allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
 # cache.
 #
 allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-allow cachefiles_kernel_t initrc_t:process sigchld;
 
-manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
 
 fs_getattr_xattr_fs(cachefiles_kernel_t)
 
 dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)

policy/modules/services/canna.te

@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
 logging_log_filetrans(canna_t, canna_log_t, { file dir })
 
 manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)

policy/modules/services/ccs.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run ccs.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ccs_domtrans',`

policy/modules/services/ccs.te

@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
 
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
 userdom_manage_unpriv_user_shared_mem(ccs_t)
 userdom_manage_unpriv_user_semaphores(ccs_t)
 
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
 	corecmd_dontaudit_write_bin_dirs(ccs_t)
 	files_manage_isid_type_files(ccs_t)
 ')

policy/modules/services/certmaster.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run certmaster.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`certmaster_domtrans',`
@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed to manage the syslog domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 	gen_require(`
 		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-		type certmaster_etc_rw_t, certmaster_var_log_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
-		type certmaster_initrc_exec_t;
 	')
 
 	allow $1 certmaster_t:process { ptrace signal_perms };
@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
 	allow $2 system_r;
 
 	files_list_etc($1)
-	miscfiles_manage_generic_cert_dirs($1)	
+	miscfiles_manage_generic_cert_dirs($1)
-	miscfiles_manage_generic_cert_files($1)	
+	miscfiles_manage_generic_cert_files($1)
 
 	admin_pattern($1, certmaster_etc_rw_t)
 

policy/modules/services/certmaster.te

@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
 
 # log files
 manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
 
 # pid file
 manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
 manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
 
 # read meminfo
 kernel_read_system_state(certmaster_t)

policy/modules/services/certmonger.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run certmonger.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`certmonger_domtrans',`
@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
 	role_transition $2 certmonger_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, certmonger_var_run_t)
 ')

policy/modules/services/certmonger.te

@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
 
 manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
 manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)

policy/modules/services/cgroup.if

@@ -6,9 +6,9 @@
 ##	CG Clear.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cgroup_domtrans_cgclear',`
@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
 ##	CG config parser.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cgroup_domtrans_cgconfig',`
@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
 ##	CG rules engine daemon.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cgroup_domtrans_cgred',`
@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
 
 	admin_pattern($1, cgconfig_etc_t)
 	admin_pattern($1, cgrules_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, cgred_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 
 	cgroup_initrc_domtrans_cgconfig($1)
 	domain_system_change_exemption($1)

policy/modules/services/chronyd.if

@@ -25,7 +25,7 @@ interface(`chronyd_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -151,10 +151,9 @@ interface(`chronyd_append_keys',`
 #
 interface(`chronyd_admin',`
 	gen_require(`
-		type chronyd_t, chronyd_var_log_t;
+		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
-		type chronyd_var_run_t, chronyd_var_lib_t;
+		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-		type chronyd_tmpfs_t;
+		type chronyd_keys_t;
-		type chronyd_initrc_exec_t, chronyd_keys_t;
 	')
 
 	allow $1 chronyd_t:process { ptrace signal_perms };
@@ -165,16 +164,16 @@ interface(`chronyd_admin',`
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, chronyd_keys_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, chronyd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, chronyd_var_run_t)
 
 	admin_pattern($1, chronyd_tmpfs_t)

policy/modules/services/clamav.if

@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
 		type clamd_t, clamd_var_run_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
 ')
 
@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
 interface(`clamav_admin',`
 	gen_require(`
 		type clamd_t, clamd_etc_t, clamd_tmp_t;
-		type clamd_var_log_t, clamd_var_lib_t;
+		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
-		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
-		type clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
 	')
 

policy/modules/services/clamav.te

@@ -1,9 +1,9 @@
 policy_module(clamav, 1.8.1)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow clamd to use JIT compiler
+##	Allow clamd to use JIT compiler
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(clamd_use_jit, false)
 
@@ -150,7 +150,7 @@ optional_policy(`
 tunable_policy(`clamd_use_jit',`
 	allow clamd_t self:process execmem;
 	allow clamscan_t self:process execmem;
-', `
+',`
 	dontaudit clamd_t self:process execmem;
 	dontaudit clamscan_t self:process execmem;
 ')
@@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
 
@@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
 
 userdom_stream_connect(freshclam_t)
 
-optional_policy(`
-	cron_system_entry(freshclam_t, freshclam_exec_t)
-')
-
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
-', `
+',`
 	dontaudit freshclam_t self:process execmem;
 ')
 
+optional_policy(`
+	cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
 ########################################
 #
 # clamscam local policy

policy/modules/services/clogd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run clogd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`clogd_domtrans',`

policy/modules/services/clogd.te

@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
 
 allow clogd_t self:capability { net_admin mknod };
 allow clogd_t self:process signal;
-
 allow clogd_t self:sem create_sem_perms;
 allow clogd_t self:shm create_shm_perms;
 allow clogd_t self:netlink_socket create_socket_perms;
@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
 # pid files
 manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
 manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+files_pid_filetrans(clogd_t, clogd_var_run_t, file)
 
 dev_read_lvm_control(clogd_t)
 dev_manage_generic_blk_files(clogd_t)

policy/modules/services/cmirrord.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for cmirrord</summary>
 
 ########################################
@@ -6,9 +5,9 @@
 ##	Execute a domain transition to run cmirrord.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cmirrord_domtrans',`
@@ -58,26 +57,25 @@ interface(`cmirrord_read_pid_files',`
 
 #######################################
 ## <summary>
-##      Read and write to cmirrord shared memory.
+##	Read and write to cmirrord shared memory.
 ## </summary>
 ## <param name="domain">
-##      <summary>
+##	<summary>
 ##	Domain allowed access.
-##      </summary>
+##	</summary>
 ## </param>
 #
 interface(`cmirrord_rw_shm',`
-        gen_require(`
+	gen_require(`
-                type cmirrord_t;
+		type cmirrord_t, cmirrord_tmpfs_t;
-		type cmirrord_tmpfs_t;
+	')
-        ')
 
-        allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
-        allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
-        rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-        fs_search_tmpfs($1)
+	fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -99,9 +97,7 @@ interface(`cmirrord_rw_shm',`
 #
 interface(`cmirrord_admin',`
 	gen_require(`
-		type cmirrord_t;
+		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
-		type cmirrord_initrc_exec_t;
-                type cmirrord_var_run_t;
 	')
 
 	allow $1 cmirrord_t:process { ptrace signal_perms };
@@ -112,7 +108,6 @@ interface(`cmirrord_admin',`
 	role_transition $2 cmirrord_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, cmirrord_var_run_t)
-
 ')

policy/modules/services/cmirrord.te

@@ -1,4 +1,4 @@
-policy_module(cmirrord,1.0.0)
+policy_module(cmirrord, 1.0.0)
 
 ########################################
 #
@@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
 allow cmirrord_t self:capability { net_admin kill };
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process signal;
-
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-
 allow cmirrord_t self:sem create_sem_perms;
 allow cmirrord_t self:shm create_shm_perms;
 allow cmirrord_t self:netlink_socket create_socket_perms;
@@ -40,7 +38,7 @@ fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
 
 manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
 manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
-files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 
 domain_use_interactive_fds(cmirrord_t)
 
@@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t)
 miscfiles_read_localization(cmirrord_t)
 
 optional_policy(`
-        corosync_stream_connect(cmirrord_t)
+	corosync_stream_connect(cmirrord_t)
 ')

policy/modules/services/cobbler.if

@@ -1,12 +1,12 @@
 ## <summary>Cobbler installation server.</summary>
 ## <desc>
 ##	<p>
-##		Cobbler is a Linux installation server that allows for
+##	Cobbler is a Linux installation server that allows for
-##		rapid setup of network installation environments. It
+##	rapid setup of network installation environments. It
-##		glues together and automates many associated Linux
+##	glues together and automates many associated Linux
-##		tasks so you do not have to hop between lots of various
+##	tasks so you do not have to hop between lots of various
-##		commands and applications when rolling out new systems,
+##	commands and applications when rolling out new systems,
-##		and, in some cases, changing existing ones.
+##	and, in some cases, changing existing ones.
 ##	</p>
 ## </desc>
 
@@ -15,9 +15,9 @@
 ##	Execute a domain transition to run cobblerd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cobblerd_domtrans',`
@@ -153,7 +153,7 @@ interface(`cobbler_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -185,25 +185,23 @@ interface(`cobbler_dontaudit_rw_log',`
 interface(`cobblerd_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_t;
+		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
-		type httpd_cobbler_content_ra_t;
-		type httpd_cobbler_content_rw_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cobblerd_t)
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, cobbler_etc_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, cobbler_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
 
-	apache_search_sys_content($1)
+	apache_list_sys_content($1)
 	admin_pattern($1, httpd_cobbler_content_t)
 	admin_pattern($1, httpd_cobbler_content_ra_t)
 	admin_pattern($1, httpd_cobbler_content_rw_t)

policy/modules/services/cobbler.te

@@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Cobbler to modify public files
+##	Allow Cobbler to modify public files
-## used for public file transfer services.
+##	used for public file transfer services.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(cobbler_anon_write, false)
-  
+
 ## <desc>
-## <p>
+##	<p>
-##     Allow Cobbler to connect to the
+##	Allow Cobbler to connect to the
-##     network using TCP.
+##	network using TCP.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(cobbler_can_network_connect, false)
 
 ## <desc>
-## <p>
+##	<p>
-##     Allow Cobbler to access cifs file systems.
+##	Allow Cobbler to access cifs file systems.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(cobbler_use_cifs, false)
 
 ## <desc>
-## <p>
+##	<p>
-##     Allow Cobbler to access nfs file systems.
+##	Allow Cobbler to access nfs file systems.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(cobbler_use_nfs, false)
 

policy/modules/services/consolekit.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run consolekit.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`consolekit_domtrans',`

policy/modules/services/consolekit.te

@@ -113,7 +113,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-        policykit_dbus_chat(consolekit_t)
+	policykit_dbus_chat(consolekit_t)
 	policykit_domtrans_auth(consolekit_t)
 	policykit_read_lib(consolekit_t)
 	policykit_read_reload(consolekit_t)

policy/modules/services/corosync.if

@@ -20,21 +20,21 @@ interface(`corosync_domtrans',`
 
 ######################################
 ## <summary>
-##      Execute corosync in the caller domain.
+##	Execute corosync in the caller domain.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
-##      Domain allowed to transition.
+##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`corosync_exec',`
-        gen_require(`
+	gen_require(`
-                type corosync_exec_t;
+		type corosync_exec_t;
-        ')
+	')
 
-        corecmd_search_bin($1)
+	corecmd_search_bin($1)
-        can_exec($1, corosync_exec_t)
+	can_exec($1, corosync_exec_t)
 ')
 
 #######################################

policy/modules/services/corosync.te

@@ -92,10 +92,6 @@ userdom_delete_user_tmpfs_files(corosync_t)
 userdom_rw_user_tmpfs_files(corosync_t)
 
 optional_policy(`
-	gen_require(`
-		attribute unconfined_services;
-	')	
-
 	fs_manage_tmpfs_files(corosync_t)
 	init_manage_script_status_files(corosync_t)
 ')

policy/modules/services/courier.if

@@ -138,6 +138,7 @@ interface(`courier_read_config',`
 		type courier_etc_t;
 	')
 
+	files_search_etc($1)
 	read_files_pattern($1, courier_etc_t, courier_etc_t)
 ')
 
@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	read_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 

policy/modules/services/courier.te

@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
 # inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 miscfiles_read_localization(courier_pop_t)
 

policy/modules/services/cron.if

@@ -52,7 +52,7 @@ template(`cron_common_crontab_template',`
 	files_list_spool($1_t)
 
 	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_t cron_spool_t:dir setattr;
+	allow $1_t cron_spool_t:dir setattr_dir_perms;
 
 	kernel_read_system_state($1_t)
 
@@ -113,12 +113,12 @@ template(`cron_common_crontab_template',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t;
+		type user_cron_spool_t, crond_t;
-		type crond_t;
 	')
 
 	role $1 types { cronjob_t crontab_t };
@@ -138,7 +138,7 @@ interface(`cron_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
@@ -152,9 +152,8 @@ interface(`cron_role',`
 		')
 
 		dbus_stub(cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -171,6 +170,7 @@ interface(`cron_role',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
@@ -181,6 +181,7 @@ interface(`cron_unconfined_role',`
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
 
 	optional_policy(`
 		gen_require(`
@@ -188,9 +189,8 @@ interface(`cron_unconfined_role',`
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -207,6 +207,7 @@ interface(`cron_unconfined_role',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
@@ -227,7 +228,7 @@ interface(`cron_admin_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
@@ -241,9 +242,8 @@ interface(`cron_admin_role',`
 		')
 
 		dbus_stub(admin_cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -311,7 +311,7 @@ interface(`cron_exec',`
 
 ########################################
 ## <summary>
-##	Execute crond server in the nscd domain.
+##	Execute crond server in the crond domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -524,6 +524,7 @@ interface(`cron_manage_pid_files',`
 		type crond_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
@@ -579,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
@@ -695,8 +696,8 @@ interface(`cron_read_system_job_lib_files',`
 		type system_cronjob_var_lib_t;
 	')
 
-
+	files_search_var_lib($1)
-	read_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 
 ########################################
@@ -714,6 +715,6 @@ interface(`cron_manage_system_job_lib_files',`
 		type system_cronjob_var_lib_t;
 	')
 
-
+	files_search_var_lib($1)
-	manage_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
+	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')

policy/modules/services/cron.te

@@ -10,18 +10,18 @@ gen_require(`
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow system cron jobs to relabel filesystem
+##	Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
+##	for restoring file contexts.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(cron_can_relabel, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Enable extra rules in the cron domain
+##	Enable extra rules in the cron domain
-## to support fcron.
+##	to support fcron.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(fcron_crond, false)
 
@@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
@@ -122,13 +118,17 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Admin crontab local policy
 #
 
 # Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
 # Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
@@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
 selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
 	# fcron wants an instant update of a crontab change for the administrator
 	# also crontab does a security check for crontab -u
 	allow admin_crontab_t self:process setfscreate;
@@ -251,7 +251,7 @@ ifdef(`distro_debian',`
 	')
 ')
 
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
 	optional_policy(`
@@ -263,13 +263,17 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(crond_t)
 ')
 
+tunable_policy(`fcron_crond',`
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 	apache_search_sys_content(crond_t)
 ')
 
 optional_policy(`
-    djbdns_search_tinydns_keys(crond_t)
+	djbdns_search_tinydns_keys(crond_t)
-    djbdns_link_tinydns_keys(crond_t)
+	djbdns_link_tinydns_keys(crond_t)
 ')
 
 optional_policy(`
@@ -287,10 +291,6 @@ optional_policy(`
 	mono_domtrans(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file manage_file_perms;
-')
-
 optional_policy(`
 	amanda_search_var_lib(crond_t)
 ')
@@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
-allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
 
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	allow crond_t system_cron_spool_t:file manage_file_perms;
 
@@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
 	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
 

policy/modules/services/cups.if

@@ -316,12 +316,10 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t;
+		type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
-		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+		type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
-		type cupsd_var_run_t, ptal_etc_t;
+		type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
-		type ptal_var_run_t, hplip_var_run_t;
+		type ptal_var_run_t;
-		type cupsd_initrc_exec_t;
-		type hplip_etc_t;
 	')
 
 	allow $1 cupsd_t:process { ptrace signal_perms };

policy/modules/services/cups.te

@@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
@@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
 
 lpd_manage_spool(cups_pdf_t)
 
-optional_policy(`
-	gnome_read_config(cups_pdf_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_auto_mountpoints(cups_pdf_t)
 	fs_manage_nfs_dirs(cups_pdf_t)
@@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(cups_pdf_t)
 ')
 
+optional_policy(`
+	gnome_read_config(cups_pdf_t)
+')
+
 ########################################
 #
 # HPLIP local policy
@@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
 manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
 
 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
 
 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
 files_pid_filetrans(hplip_t, hplip_var_run_t, file)

policy/modules/services/cvs.if

@@ -58,9 +58,8 @@ interface(`cvs_exec',`
 #
 interface(`cvs_admin',`
 	gen_require(`
-		type cvs_t, cvs_tmp_t;
+		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
 		type cvs_data_t, cvs_var_run_t;
-		type cvs_initrc_exec_t;
 	')
 
 	allow $1 cvs_t:process { ptrace signal_perms };

policy/modules/services/cvs.te

@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow cvs daemon to read shadow
+##	Allow cvs daemon to read shadow
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_cvs_read_shadow, false)
 
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

policy/modules/services/cyphesis.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run cyphesis.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`cyphesis_domtrans',`

policy/modules/services/dbus.if

@@ -41,9 +41,7 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-
+		attribute dbusd_unconfined, session_bus_type;
-		attribute dbusd_unconfined;
-		attribute session_bus_type;
 		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
 		type $1_t;
 	')
@@ -90,14 +88,15 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 
 	# cjp: this seems very broken
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
@@ -118,7 +117,7 @@ template(`dbus_role_template',`
 
 	dev_read_urand($1_dbusd_t)
 
- 	domain_use_interactive_fds($1_dbusd_t)
+	domain_use_interactive_fds($1_dbusd_t)
 	domain_read_all_domains_state($1_dbusd_t)
 
 	files_read_etc_files($1_dbusd_t)
@@ -156,7 +155,7 @@ template(`dbus_role_template',`
 	userdom_manage_user_home_content_files($1_dbusd_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
 
-	ifdef(`hide_broken_symptoms', `
+	ifdef(`hide_broken_symptoms',`
 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
 
@@ -463,7 +462,7 @@ interface(`dbus_system_domain',`
 		unconfined_dbus_send($1)
 	')
 
-	ifdef(`hide_broken_symptoms', `
+	ifdef(`hide_broken_symptoms',`
 		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
 	')
 ')
@@ -520,6 +519,6 @@ interface(`dbus_delete_pid_files',`
 		type system_dbusd_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
-

policy/modules/services/dbus.te

@@ -152,7 +152,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-        policykit_dbus_chat(system_dbusd_t)
+	policykit_dbus_chat(system_dbusd_t)
 	policykit_domtrans_auth(system_dbusd_t)
 	policykit_search_lib(system_dbusd_t)
 ')

policy/modules/services/dcc.if

@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
 		type dcc_var_t, dccifd_var_run_t, dccifd_t;
 	')
 
-	files_search_var($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
 ')

policy/modules/services/ddclient.if

@@ -64,8 +64,8 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 	gen_require(`
 		type ddclient_t, ddclient_etc_t, ddclient_log_t;
-		type ddclient_var_t, ddclient_var_lib_t;
+		type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
-		type ddclient_var_run_t, ddclient_initrc_exec_t;
+		type ddclient_var_run_t;
 	')
 
 	allow $1 ddclient_t:process { ptrace signal_perms };

policy/modules/services/denyhosts.if

@@ -13,12 +13,12 @@
 ##	Execute a domain transition to run denyhosts.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
-interface(`denyhosts_domtrans', `
+interface(`denyhosts_domtrans',`
 	gen_require(`
 		type denyhosts_t, denyhosts_exec_t;
 	')
@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
 ##	</summary>
 ## </param>
 #
-interface(`denyhosts_initrc_domtrans', `
+interface(`denyhosts_initrc_domtrans',`
 	gen_require(`
 		type denyhosts_initrc_exec_t;
 	')
@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`denyhosts_admin', `
+interface(`denyhosts_admin',`
 	gen_require(`
 		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
 	role_transition $2 denyhosts_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, denyhosts_var_log_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, denyhosts_var_lock_t)
 ')

policy/modules/services/denyhosts.te

@@ -77,5 +77,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-    gnome_dontaudit_search_config(denyhosts_t)
+	gnome_dontaudit_search_config(denyhosts_t)
 ')

policy/modules/services/devicekit.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run devicekit.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`devicekit_domtrans',`
@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the devicekit domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`devicekit_admin',`
@@ -175,11 +165,11 @@ interface(`devicekit_admin',`
 	ps_process_pattern($1, devicekit_power_t)
 
 	admin_pattern($1, devicekit_tmp_t)
-	files_search_tmp($1)
+	files_list_tmp($1)
 
 	admin_pattern($1, devicekit_var_lib_t)
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 
 	admin_pattern($1, devicekit_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 ')

policy/modules/services/devicekit.te

@@ -309,4 +309,3 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
-

policy/modules/services/dhcp.if

@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 	')
 
 	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
+	allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 
 ########################################

policy/modules/services/djbdns.te

@@ -23,11 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
-files_config_file(djbdns_axfrdns_conf_t)
-
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
 allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
 
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
@@ -41,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
 
 files_search_var(djbdns_axfrdns_t)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 
 ########################################

policy/modules/services/dnsmasq.if

@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
 ##	Read dnsmasq config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`dnsmasq_read_config',`
@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
 ##	Write to dnsmasq config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`dnsmasq_write_config',`
@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_delete_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 

policy/modules/services/dovecot.if

@@ -9,13 +9,13 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`dovecot_stream_connect_auth',`
 	gen_require(`
 		type dovecot_auth_t, dovecot_var_run_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
 		type dovecot_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
@@ -94,13 +95,9 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 interface(`dovecot_admin',`
 	gen_require(`
 		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-		type dovecot_spool_t, dovecot_var_lib_t;
+		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-		type dovecot_var_run_t, dovecot_tmp_t;
+		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-		type dovecot_var_log_t;
+		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
-
-		type dovecot_cert_t, dovecot_passwd_t;
-		type dovecot_initrc_exec_t;
-		type dovecot_keytab_t;
 	')
 
 	allow $1 dovecot_t:process { ptrace signal_perms };

policy/modules/services/dovecot.te

@@ -164,8 +164,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-    postfix_manage_private_sockets(dovecot_t)
+	postfix_manage_private_sockets(dovecot_t)
-    postfix_search_spool(dovecot_t)
+	postfix_search_spool(dovecot_t)
 ')
 
 optional_policy(`

policy/modules/services/exim.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run exim.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`exim_domtrans',`
@@ -24,11 +24,11 @@ interface(`exim_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`exim_initrc_domtrans', `
+interface(`exim_initrc_domtrans',`
 	gen_require(`
 		type exim_initrc_exec_t;
 	')
@@ -119,9 +119,9 @@ interface(`exim_read_log',`
 ##	exim log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`exim_append_log',`
@@ -229,10 +229,10 @@ interface(`exim_manage_spool_files',`
 ##	</summary>
 ## </param>
 #
-interface(`exim_admin', `
+interface(`exim_admin',`
 	gen_require(`
-		type exim_t, exim_initrc_exec_t, exim_log_t; 
+		type exim_t, exim_initrc_exec_t, exim_log_t;
-		type exim_tmp_t, exim_spool_t,  exim_var_run_t;
+		type exim_tmp_t, exim_spool_t, exim_var_run_t;
 	')
 
 	allow $1 exim_t:process { ptrace signal_perms };
@@ -243,15 +243,15 @@ interface(`exim_admin', `
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, exim_log_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, exim_tmp_t)
 
-	files_search_spool($1)
+	files_list_spool($1)
 	admin_pattern($1, exim_spool_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, exim_var_run_t)
 ')

policy/modules/services/exim.te

@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow exim to connect to databases (postgres, mysql)
+##	Allow exim to connect to databases (postgres, mysql)
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(exim_can_connect_db, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow exim to read unprivileged user files.
+##	Allow exim to read unprivileged user files.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(exim_read_user_files, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow exim to create, read, write, and delete
+##	Allow exim to create, read, write, and delete
-## unprivileged user files.
+##	unprivileged user files.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(exim_manage_user_files, false)
 
@@ -174,7 +174,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-    nagios_search_spool(exim_t)
+	nagios_search_spool(exim_t)
 ')
 
 optional_policy(`

policy/modules/services/fail2ban.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run fail2ban.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`fail2ban_domtrans',`
@@ -102,9 +102,9 @@ interface(`fail2ban_read_log',`
 ##	fail2ban log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`fail2ban_append_log',`
@@ -175,8 +175,8 @@ interface(`fail2ban_dontaudit_leaks',`
 #
 interface(`fail2ban_admin',`
 	gen_require(`
-		type fail2ban_t, fail2ban_log_t;
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t;
 	')
 
 	allow $1 fail2ban_t:process { ptrace signal_perms };

policy/modules/services/fail2ban.te

@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 
 # log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 
@@ -94,7 +94,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-    gnome_dontaudit_search_config(fail2ban_t)
+	gnome_dontaudit_search_config(fail2ban_t)
 ')
 
 optional_policy(`

policy/modules/services/fprintd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run fprintd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`fprintd_domtrans',`
@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
 	allow $1 fprintd_t:dbus send_msg;
 	allow fprintd_t $1:dbus send_msg;
 ')
-

policy/modules/services/ftp.if

@@ -51,25 +51,6 @@ interface(`ftp_read_config',`
 	allow $1 ftpd_etc_t:file read_file_perms;
 ')
 
-########################################
-## <summary>
-##	Execute FTP daemon entry point programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_check_exec',`
-	gen_require(`
-		type ftpd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	allow $1 ftpd_exec_t:file { getattr execute };
-')
-
 ########################################
 ## <summary>
 ##	Read FTP transfer logs
@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
 interface(`ftp_admin',`
 	gen_require(`
 		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
-		type ftpd_etc_t, ftpd_lock_t;
+		type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
 		type ftpd_var_run_t, xferlog_t;
-		type ftpd_initrc_exec_t;
 	')
 
 	allow $1 ftpd_t:process { ptrace signal_perms };

policy/modules/services/ftp.te

@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp servers to upload files,  used for public file
+##	Allow ftp servers to upload files,  used for public file
-## transfer services. Directories must be labeled
+##	transfer services. Directories must be labeled
-## public_content_rw_t.
+##	public_content_rw_t.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_ftpd_anon_write, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp servers to login to local users and
+##	Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
+##	read/write all files on the system, governed by DAC.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_ftpd_full_access, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp servers to use cifs
+##	Allow ftp servers to use cifs
-## used for public file transfer services.
+##	used for public file transfer services.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_ftpd_use_cifs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp servers to use nfs
+##	Allow ftp servers to use nfs
-## used for public file transfer services.
+##	used for public file transfer services.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(allow_ftpd_use_nfs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp servers to use connect to mysql database
+##	Allow ftp servers to use connect to mysql database
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(ftpd_connect_db, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow ftp to read and write files in the user home directories
+##	Allow ftp to read and write files in the user home directories
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(ftp_home_dir, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow anon internal-sftp to upload files, used for
+##	Allow anon internal-sftp to upload files, used for
-## public file transfer services. Directories must be labeled
+##	public file transfer services. Directories must be labeled
-## public_content_rw_t.
+##	public_content_rw_t.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(sftpd_anon_write, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow sftp-internal to read and write files
+##	Allow sftp-internal to read and write files
-## in the user home directories
+##	in the user home directories
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(sftpd_enable_homedirs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow sftp-internal to login to local users and
+##	Allow sftp-internal to login to local users and
-## read/write all files on the system, governed by DAC.
+##	read/write all files on the system, governed by DAC.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(sftpd_full_access, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow interlnal-sftp to read and write files 
+##	Allow interlnal-sftp to read and write files 
-## in the user ssh home directories.
+##	in the user ssh home directories.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(sftpd_write_ssh_home, false)
 
@@ -181,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
 manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 # proftpd requires the client side to bind a socket so that
 # it can stat the socket to perform access control decisions,
 # since getsockopt with SO_PEERCRED is not available on all
 # proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
 # Create and modify /var/log/xferlog.
 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',`
 	userdom_manage_user_home_content(ftpd_t)
 	userdom_manage_user_tmp_files(ftpd_t)
 	userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-', `
+',`
-   # Needed for permissive mode, to make sure everything gets labeled correctly
+	# Needed for permissive mode, to make sure everything gets labeled correctly
-   userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+	userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
-   files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
 ')
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -349,8 +349,8 @@ optional_policy(`
 ')
 
 tunable_policy(`ftpd_connect_db',`
-	corenet_tcp_connect_mysqld_port(ftpd_t)
+	mysql_tcp_connect(ftpd_t)
-	corenet_tcp_connect_postgresql_port(ftpd_t)
+	postgresql_tcp_connect(ftpd_t)
 ')
 
 optional_policy(`
@@ -385,10 +385,11 @@ optional_policy(`
 
 # Allow ftpdctl to talk to ftpd over a socket connection
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
 
 # ftpdctl creates a socket so that the daemon can perform
 # access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
 # Allow ftpdctl to read config files
@@ -400,6 +401,7 @@ userdom_use_user_terminals(ftpdctl_t)
 #
 # sftpd local policy
 #
+
 files_read_etc_files(sftpd_t)
 
 # allow read access to /home by default
@@ -408,13 +410,13 @@ userdom_read_user_home_content_symlinks(sftpd_t)
 userdom_dontaudit_list_admin_dir(sftpd_t)
 
 tunable_policy(`sftpd_full_access',`
-    allow sftpd_t self:capability { dac_override dac_read_search };
+	allow sftpd_t self:capability { dac_override dac_read_search };
-    fs_read_noxattr_fs_files(sftpd_t)
+	fs_read_noxattr_fs_files(sftpd_t)
-    auth_manage_all_files_except_shadow(sftpd_t)
+	auth_manage_all_files_except_shadow(sftpd_t)
 ')
 
 tunable_policy(`sftpd_write_ssh_home',`
-    ssh_manage_home_files(sftpd_t)
+	ssh_manage_home_files(sftpd_t)
 ')
 
 tunable_policy(`sftpd_enable_homedirs',`
@@ -424,9 +426,9 @@ tunable_policy(`sftpd_enable_homedirs',`
 	files_list_home(sftpd_t)
 	userdom_read_user_home_content_files(sftpd_t)
 	userdom_manage_user_home_content(sftpd_t)
-', `
+',`
-   # Needed for permissive mode, to make sure everything gets labeled correctly
+	# Needed for permissive mode, to make sure everything gets labeled correctly
-   userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+	userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
 ')
 
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`

policy/modules/services/gatekeeper.te

@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
 allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
 allow gatekeeper_t self:udp_socket create_socket_perms;
 
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
 allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
 files_search_etc(gatekeeper_t)
 

policy/modules/services/git.fc

@@ -1,9 +1,10 @@
-HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t, s0)
+HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t,s0)
-HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t, s0)
+HOME_DIR/\.gitaliases	--	gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t,s0)
 
-/srv/git(/.*)?			gen_context(system_u:object_r:git_system_content_t, s0)
+/srv/git(/.*)?			gen_context(system_u:object_r:git_system_content_t,s0)
 
-/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t, s0)
+/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 
 /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 /var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)

policy/modules/services/git.if

@@ -1,10 +1,10 @@
 ## <summary>Fast Version Control System.</summary>
 ## <desc>
 ##	<p>
-##		A really simple TCP git daemon that normally listens on
+##	A really simple TCP git daemon that normally listens on
-##		port DEFAULT_GIT_PORT aka 9418. It waits for a
+##	port DEFAULT_GIT_PORT aka 9418. It waits for a
-##		connection asking for a service, and will serve that
+##	connection asking for a service, and will serve that
-##		service if it is enabled.
+##	service if it is enabled.
 ##	</p>
 ## </desc>
 
@@ -25,8 +25,7 @@
 #
 interface(`git_session_role',`
 	gen_require(`
-		type git_session_t, gitd_exec_t;
+		type git_session_t, gitd_exec_t, git_session_content_t;
-		type git_session_content_t;
 	')
 
 	########################################
@@ -59,10 +58,8 @@ interface(`git_session_role',`
 ## </param>
 #
 template(`git_content_template',`
-
 	gen_require(`
-		attribute git_system_content;
+		attribute git_system_content, git_content;
-		attribute git_content;
 	')
 
 	########################################
@@ -86,7 +83,6 @@ template(`git_content_template',`
 ## </param>
 #
 template(`git_role_template',`
-
 	gen_require(`
 		class context contains;
 		role system_r;
@@ -522,4 +518,3 @@ interface(`git_relabel_session_content',`
 	relabel_files_pattern($1, git_session_content_t, git_session_content_t)
 	userdom_search_user_home_dirs($1)
 ')
-

policy/modules/services/git.te

@@ -1,23 +1,23 @@
 policy_module(git, 1.0.3)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Git daemon system to search home directories.
+##	Allow Git daemon system to search home directories.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(git_system_enable_homedirs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Git daemon system to access cifs file systems.
+##	Allow Git daemon system to access cifs file systems.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(git_system_use_cifs, false)
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Git daemon system to access nfs file systems.
+##	Allow Git daemon system to access nfs file systems.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(git_system_use_nfs, false)
 
@@ -31,6 +31,7 @@ attribute git_system_content;
 attribute git_content;
 
 type gitd_exec_t;
+application_executable_file(gitd_exec_t)
 
 ########################################
 #
@@ -51,10 +52,10 @@ typealias git_system_content_t alias git_data_t;
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow Git daemon session to bind
+##	Allow Git daemon session to bind
-## tcp sockets to all unreserved ports.
+##	tcp sockets to all unreserved ports.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(git_session_bind_all_unreserved_ports, false)
 
@@ -119,26 +120,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
 read_files_pattern(git_system_t, git_content, git_content)
 files_search_var_lib(git_system_t)
 
-tunable_policy(`git_system_enable_homedirs', `
+tunable_policy(`git_system_enable_homedirs',`
 	userdom_search_user_home_dirs(git_system_t)
 ')
 
-tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
 	fs_list_nfs(git_system_t)
 	fs_read_nfs_files(git_system_t)
 ')
 
-tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
 	fs_list_cifs(git_system_t)
 	fs_read_cifs_files(git_system_t)
 ')
 
-tunable_policy(`git_system_use_cifs', `
+tunable_policy(`git_system_use_cifs',`
 	fs_list_cifs(git_system_t)
 	fs_read_cifs_files(git_system_t)
 ')
 
-tunable_policy(`git_system_use_nfs', `
+tunable_policy(`git_system_use_nfs',`
 	fs_list_nfs(git_system_t)
 	fs_read_nfs_files(git_system_t)
 ')
@@ -156,17 +157,17 @@ userdom_search_user_home_dirs(git_session_t)
 
 userdom_use_user_terminals(git_session_t)
 
-tunable_policy(`git_session_bind_all_unreserved_ports', `
+tunable_policy(`git_session_bind_all_unreserved_ports',`
 	corenet_tcp_bind_all_unreserved_ports(git_session_t)
 	corenet_sendrecv_generic_server_packets(git_session_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs', `
+tunable_policy(`use_nfs_home_dirs',`
 	fs_list_nfs(git_session_t)
 	fs_read_nfs_files(git_session_t)
 ')
 
-tunable_policy(`use_samba_home_dirs', `
+tunable_policy(`use_samba_home_dirs',`
 	fs_list_cifs(git_session_t)
 	fs_read_cifs_files(git_session_t)
 ')
@@ -189,4 +190,3 @@ optional_policy(`
 
 git_role_template(git_shell)
 gen_user(git_shell_u, user, git_shell_r, s0, s0)
-

policy/modules/services/gnomeclock.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run gnomeclock.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`gnomeclock_domtrans',`
@@ -71,7 +71,7 @@ interface(`gnomeclock_dbus_chat',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #

policy/modules/services/gpm.if

@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
 		type gpmctl_t, gpm_t;
 	')
 
-	allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+	dev_list_all_dev_nodes($1)
-	allow $1 gpm_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
 ')
 
 ########################################
@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 		type gpmctl_t;
 	')
 
-	dontaudit $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
 ')

policy/modules/services/hal.if

@@ -18,24 +18,6 @@ interface(`hal_domtrans',`
 	domtrans_pattern($1, hald_exec_t, hald_t)
 ')
 
-########################################
-## <summary>
-##	Get the attributes of a hal process.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_getattr',`
-	gen_require(`
-		type hald_t;
-	')
-
-	allow $1 hald_t:process getattr;
-')
-
 ########################################
 ## <summary>
 ##	Read hal system state
@@ -88,7 +70,7 @@ interface(`hal_use_fds',`
 		type hald_t;
 	')
 
-	allow $1 hald_t:fd use; 
+	allow $1 hald_t:fd use;
 ')
 
 ########################################
@@ -106,7 +88,7 @@ interface(`hal_dontaudit_use_fds',`
 		type hald_t;
 	')
 
-	dontaudit $1 hald_t:fd use; 
+	dontaudit $1 hald_t:fd use;
 ')
 
 ########################################
@@ -125,7 +107,7 @@ interface(`hal_rw_pipes',`
 		type hald_t;
 	')
 
-	allow $1 hald_t:fifo_file rw_fifo_file_perms; 
+	allow $1 hald_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -144,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',`
 		type hald_t;
 	')
 
-	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
+	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -378,7 +360,7 @@ interface(`hal_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read 
+##	Do not audit attempts to read
 ##	hald PID files.
 ## </summary>
 ## <param name="domain">
@@ -464,14 +446,12 @@ interface(`hal_manage_pid_files',`
 #
 interface(`hal_dontaudit_leaks',`
 	gen_require(`
-		type hald_log_t;
+		type hald_log_t, hald_t, hald_var_run_t;
-		type hald_t;
-		type hald_var_run_t;
 	')
 
-	dontaudit $1 hald_t:fd use; 
+	dontaudit $1 hald_t:fd use;
 	dontaudit $1 hald_log_t:file rw_inherited_file_perms;
-	dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; 
+	dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
 	dontaudit hald_t $1:socket_class_set { read write };
 	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 ')

policy/modules/services/hal.te

@@ -316,7 +316,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-        policykit_dbus_chat(hald_t)
+	policykit_dbus_chat(hald_t)
 	policykit_domtrans_auth(hald_t)
 	policykit_domtrans_resolve(hald_t)
 	policykit_read_lib(hald_t)
@@ -333,7 +333,7 @@ optional_policy(`
 
 optional_policy(`
 	shutdown_domtrans(hald_t)
-')    
+')
 
 optional_policy(`
 	udev_domtrans(hald_t)
@@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t)
 miscfiles_read_localization(hald_acl_t)
 
 optional_policy(`
-        policykit_dbus_chat(hald_acl_t)
+	policykit_dbus_chat(hald_acl_t)
 	policykit_domtrans_auth(hald_acl_t)
 	policykit_read_lib(hald_acl_t)
 	policykit_read_reload(hald_acl_t)
@@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
 
-# This is caused by a bug in hald and PolicyKit.  
+# This is caused by a bug in hald and PolicyKit.
 # Should be removed when this is fixed
 cron_read_system_job_lib_files(hald_t)
 

policy/modules/services/hddtemp.if

@@ -69,5 +69,5 @@ interface(`hddtemp_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, hddtemp_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 ')

policy/modules/services/hddtemp.te

@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
 logging_send_syslog_msg(hddtemp_t)
 
 miscfiles_read_localization(hddtemp_t)
-

policy/modules/services/icecast.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run icecast.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`icecast_domtrans',`
@@ -118,9 +118,9 @@ interface(`icecast_read_log',`
 ##	icecast log files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
+##	<summary>
 ##	Domain allowed access.
-## 	</summary>
+##	</summary>
 ## </param>
 #
 interface(`icecast_append_log',`
@@ -183,7 +183,5 @@ interface(`icecast_admin',`
 	allow $2 system_r;
 
 	icecast_manage_pid_files($1)
-
 	icecast_manage_log($1)
-
 ')

policy/modules/services/icecast.te

@@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1)
 #
 
 ## <desc>
-## <p>
+##	<p>
-## Allow icecast to connect to all ports, not just
+##	Allow icecast to connect to all ports, not just
-## sound ports.
+##	sound ports.
-## </p>
+##	</p>
 ## </desc>
 gen_tunable(icecast_connect_any, false)
 
@@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
 manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
 
 manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
 manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)

policy/modules/services/ifplugd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run ifplugd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ifplugd_domtrans',`
@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
 #
 interface(`ifplugd_admin',`
 	gen_require(`
-		type ifplugd_t, ifplugd_etc_t;
+		type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
-		type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+		type ifplugd_initrc_exec_t;
 	')
 
 	allow $1 ifplugd_t:process { ptrace signal_perms };

policy/modules/services/inetd.if

@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
 ## </param>
 #
 interface(`inetd_tcp_service_domain',`
-
 	gen_require(`
 		type inetd_t;
 	')

policy/modules/services/inn.if

@@ -93,6 +93,7 @@ interface(`inn_read_config',`
 		type innd_etc_t;
 	')
 
+	files_search_etc($1)
 	allow $1 innd_etc_t:dir list_dir_perms;
 	allow $1 innd_etc_t:file read_file_perms;
 	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
 		type innd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 innd_var_lib_t:dir list_dir_perms;
 	allow $1 innd_var_lib_t:file read_file_perms;
 	allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
 		type news_spool_t;
 	')
 
+	files_search_spool($1)
 	allow $1 news_spool_t:dir list_dir_perms;
 	allow $1 news_spool_t:file read_file_perms;
 	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -195,8 +198,8 @@ interface(`inn_domtrans',`
 interface(`inn_admin',`
 	gen_require(`
 		type innd_t, innd_etc_t, innd_log_t;
-		type news_spool_t, innd_var_lib_t;
+		type news_spool_t, innd_var_lib_t, innd_var_run_t;
-		type innd_var_run_t, innd_initrc_exec_t;
+		type innd_initrc_exec_t;
 	')
 
 	allow $1 innd_t:process { ptrace signal_perms };