From 68ac47d8c50b1e60a19782d1cb7a93211d2702be Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 22 Sep 2010 12:07:37 +0200 Subject: [PATCH] Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. --- policy/modules/services/cachefilesd.te | 2 +- policy/modules/services/ccs.te | 2 +- policy/modules/services/certmaster.te | 4 +- policy/modules/services/certmonger.te | 2 +- policy/modules/services/clamav.te | 10 +-- policy/modules/services/clogd.te | 1 - policy/modules/services/cmirrord.te | 6 +- policy/modules/services/cobbler.te | 30 +++---- policy/modules/services/consolekit.te | 2 +- policy/modules/services/cron.te | 30 +++---- policy/modules/services/cups.te | 4 +- policy/modules/services/cvs.te | 6 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/denyhosts.te | 2 +- policy/modules/services/devicekit.te | 1 - policy/modules/services/dovecot.te | 4 +- policy/modules/services/exim.te | 22 +++--- policy/modules/services/fail2ban.te | 2 +- policy/modules/services/ftp.te | 105 +++++++++++++------------ policy/modules/services/git.te | 43 +++++----- policy/modules/services/hal.te | 8 +- policy/modules/services/hddtemp.te | 1 - policy/modules/services/icecast.te | 10 +-- policy/modules/services/inn.te | 2 + policy/modules/services/jabber.te | 3 +- policy/modules/services/kerberos.te | 6 +- policy/modules/services/ksmtuned.te | 1 - policy/modules/services/ldap.te | 2 +- policy/modules/services/lpd.te | 6 +- policy/modules/services/milter.te | 13 ++- policy/modules/services/mock.te | 5 +- policy/modules/services/mpd.te | 9 +-- policy/modules/services/mta.te | 6 +- policy/modules/services/munin.te | 2 +- policy/modules/services/mysql.te | 6 +- policy/modules/services/nagios.te | 3 +- policy/modules/services/nscd.te | 7 +- 37 files changed, 181 insertions(+), 189 deletions(-) diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te index 33faf8bf..b3a05411 100644 --- a/policy/modules/services/cachefilesd.te +++ b/policy/modules/services/cachefilesd.te @@ -100,7 +100,7 @@ allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; # Allow access to cache superstructure allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; -allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms}; +allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; # Permit statfs on the backing filesystem fs_getattr_xattr_fs(cachefilesd_t) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 112dc778..8d7e14e0 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) -ifdef(`hide_broken_symptoms', ` +ifdef(`hide_broken_symptoms',` corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te index 4aef8648..dbfd0a64 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) # log files manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) +logging_log_filetrans(certmaster_t, certmaster_var_log_t, file) # pid file manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) +files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file }) # read meminfo kernel_read_system_state(certmaster_t) diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te index 1a65b5e4..1c87fb35 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) +files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir }) manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index ae2656ad..bf47a163 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ policy_module(clamav, 1.8.1) ## -##

-## Allow clamd to use JIT compiler -##

+##

+## Allow clamd to use JIT compiler +##

## gen_tunable(clamd_use_jit, false) @@ -150,7 +150,7 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; allow clamscan_t self:process execmem; -', ` +',` dontaudit clamd_t self:process execmem; dontaudit clamscan_t self:process execmem; ') @@ -226,7 +226,7 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow freshclam_t self:process execmem; -', ` +',` dontaudit freshclam_t self:process execmem; ') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te index 60773390..b1edc92f 100644 --- a/policy/modules/services/clogd.te +++ b/policy/modules/services/clogd.te @@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t) allow clogd_t self:capability { net_admin mknod }; allow clogd_t self:process signal; - allow clogd_t self:sem create_sem_perms; allow clogd_t self:shm create_shm_perms; allow clogd_t self:netlink_socket create_socket_perms; diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te index bb7d429b..9b581ae6 100644 --- a/policy/modules/services/cmirrord.te +++ b/policy/modules/services/cmirrord.te @@ -1,4 +1,4 @@ -policy_module(cmirrord,1.0.0) +policy_module(cmirrord, 1.0.0) ######################################## # @@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t) allow cmirrord_t self:capability { net_admin kill }; dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process signal; - allow cmirrord_t self:fifo_file rw_fifo_file_perms; - allow cmirrord_t self:sem create_sem_perms; allow cmirrord_t self:shm create_shm_perms; allow cmirrord_t self:netlink_socket create_socket_perms; @@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t) miscfiles_read_localization(cmirrord_t) optional_policy(` - corosync_stream_connect(cmirrord_t) + corosync_stream_connect(cmirrord_t) ') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te index 6a6d7d7d..c4d678b0 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0) # ## -##

-## Allow Cobbler to modify public files -## used for public file transfer services. -##

+##

+## Allow Cobbler to modify public files +## used for public file transfer services. +##

## gen_tunable(cobbler_anon_write, false) - + ## -##

-## Allow Cobbler to connect to the -## network using TCP. -##

+##

+## Allow Cobbler to connect to the +## network using TCP. +##

## gen_tunable(cobbler_can_network_connect, false) ## -##

-## Allow Cobbler to access cifs file systems. -##

+##

+## Allow Cobbler to access cifs file systems. +##

## gen_tunable(cobbler_use_cifs, false) ## -##

-## Allow Cobbler to access nfs file systems. -##

+##

+## Allow Cobbler to access nfs file systems. +##

## gen_tunable(cobbler_use_nfs, false) diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index cc2058ba..16c0746f 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -113,7 +113,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(consolekit_t) + policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index eb079a27..6dfdc3f6 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` # ## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

+##

+## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +##

## gen_tunable(cron_can_relabel, false) ## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

+##

+## Enable extra rules in the cron domain +## to support fcron. +##

## gen_tunable(fcron_crond, false) @@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t) selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow admin_crontab_t self:process setfscreate; @@ -251,7 +251,7 @@ ifdef(`distro_debian',` ') ') -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` @@ -268,8 +268,8 @@ optional_policy(` ') optional_policy(` - djbdns_search_tinydns_keys(crond_t) - djbdns_link_tinydns_keys(crond_t) + djbdns_search_tinydns_keys(crond_t) + djbdns_link_tinydns_keys(crond_t) ') optional_policy(` @@ -287,7 +287,7 @@ optional_policy(` mono_domtrans(crond_t) ') -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` allow crond_t system_cron_spool_t:file manage_file_perms; ') @@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files allow crond_t system_cron_spool_t:file manage_file_perms; @@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) allow crond_t user_cron_spool_t:file manage_lnk_file_perms; -tunable_policy(`fcron_crond', ` +tunable_policy(`fcron_crond',` allow crond_t user_cron_spool_t:file manage_file_perms; ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 6160ceaa..4dd87b81 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms; +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) @@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 9e8d14b3..0216eb4d 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0) # ## -##

-## Allow cvs daemon to read shadow -##

+##

+## Allow cvs daemon to read shadow +##

## gen_tunable(allow_cvs_read_shadow, false) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index c725caee..d9416fcf 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -152,7 +152,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(system_dbusd_t) + policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te index d53ee7e3..b10da2c0 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te @@ -77,5 +77,5 @@ optional_policy(` ') optional_policy(` - gnome_dontaudit_search_config(denyhosts_t) + gnome_dontaudit_search_config(denyhosts_t) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index 6cee08fa..58416a02 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -309,4 +309,3 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') - diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 64bc566b..aff22962 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -164,8 +164,8 @@ optional_policy(` ') optional_policy(` - postfix_manage_private_sockets(dovecot_t) - postfix_search_spool(dovecot_t) + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) ') optional_policy(` diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 6c819a37..18c3c336 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) # ## -##

-## Allow exim to connect to databases (postgres, mysql) -##

+##

+## Allow exim to connect to databases (postgres, mysql) +##

## gen_tunable(exim_can_connect_db, false) ## -##

-## Allow exim to read unprivileged user files. -##

+##

+## Allow exim to read unprivileged user files. +##

## gen_tunable(exim_read_user_files, false) ## -##

-## Allow exim to create, read, write, and delete -## unprivileged user files. -##

+##

+## Allow exim to create, read, write, and delete +## unprivileged user files. +##

## gen_tunable(exim_manage_user_files, false) @@ -174,7 +174,7 @@ optional_policy(` ') optional_policy(` - nagios_search_spool(exim_t) + nagios_search_spool(exim_t) ') optional_policy(` diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index e09b9dfe..7c5bf195 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -94,7 +94,7 @@ optional_policy(` ') optional_policy(` - gnome_dontaudit_search_config(fail2ban_t) + gnome_dontaudit_search_config(fail2ban_t) ') optional_policy(` diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 6033c3b6..37de4bec 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0) # ## -##

-## Allow ftp servers to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Allow ftp servers to upload files, used for public file +## transfer services. Directories must be labeled +## public_content_rw_t. +##

## gen_tunable(allow_ftpd_anon_write, false) ## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Allow ftp servers to login to local users and +## read/write all files on the system, governed by DAC. +##

## gen_tunable(allow_ftpd_full_access, false) ## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

+##

+## Allow ftp servers to use cifs +## used for public file transfer services. +##

## gen_tunable(allow_ftpd_use_cifs, false) ## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

+##

+## Allow ftp servers to use nfs +## used for public file transfer services. +##

## gen_tunable(allow_ftpd_use_nfs, false) ## -##

-## Allow ftp servers to use connect to mysql database -##

+##

+## Allow ftp servers to use connect to mysql database +##

## gen_tunable(ftpd_connect_db, false) ## -##

-## Allow ftp to read and write files in the user home directories -##

+##

+## Allow ftp to read and write files in the user home directories +##

## gen_tunable(ftp_home_dir, false) ## -##

-## Allow anon internal-sftp to upload files, used for -## public file transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

## gen_tunable(sftpd_anon_write, false) ## -##

-## Allow sftp-internal to read and write files -## in the user home directories -##

+##

+## Allow sftp-internal to read and write files +## in the user home directories +##

## gen_tunable(sftpd_enable_homedirs, false) ## -##

-## Allow sftp-internal to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

## gen_tunable(sftpd_full_access, false) ## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

+##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

## gen_tunable(sftpd_write_ssh_home, false) @@ -181,7 +181,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) +files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, @@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',` userdom_manage_user_home_content(ftpd_t) userdom_manage_user_tmp_files(ftpd_t) userdom_tmp_filetrans_user_tmp(ftpd_t, file) -', ` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) - files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` @@ -400,6 +400,7 @@ userdom_use_user_terminals(ftpdctl_t) # # sftpd local policy # + files_read_etc_files(sftpd_t) # allow read access to /home by default @@ -408,13 +409,13 @@ userdom_read_user_home_content_symlinks(sftpd_t) userdom_dontaudit_list_admin_dir(sftpd_t) tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) ') tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) + ssh_manage_home_files(sftpd_t) ') tunable_policy(`sftpd_enable_homedirs',` @@ -424,9 +425,9 @@ tunable_policy(`sftpd_enable_homedirs',` files_list_home(sftpd_t) userdom_read_user_home_content_files(sftpd_t) userdom_manage_user_home_content(sftpd_t) -', ` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te index cf170850..cebb1671 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te @@ -1,23 +1,23 @@ policy_module(git, 1.0.3) ## -##

-## Allow Git daemon system to search home directories. -##

+##

+## Allow Git daemon system to search home directories. +##

## gen_tunable(git_system_enable_homedirs, false) ## -##

-## Allow Git daemon system to access cifs file systems. -##

+##

+## Allow Git daemon system to access cifs file systems. +##

## gen_tunable(git_system_use_cifs, false) ## -##

-## Allow Git daemon system to access nfs file systems. -##

+##

+## Allow Git daemon system to access nfs file systems. +##

## gen_tunable(git_system_use_nfs, false) @@ -51,10 +51,10 @@ typealias git_system_content_t alias git_data_t; # ## -##

-## Allow Git daemon session to bind -## tcp sockets to all unreserved ports. -##

+##

+## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +##

## gen_tunable(git_session_bind_all_unreserved_ports, false) @@ -119,26 +119,26 @@ list_dirs_pattern(git_system_t, git_content, git_content) read_files_pattern(git_system_t, git_content, git_content) files_search_var_lib(git_system_t) -tunable_policy(`git_system_enable_homedirs', ` +tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) ') -tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ') -tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ') -tunable_policy(`git_system_use_cifs', ` +tunable_policy(`git_system_use_cifs',` fs_list_cifs(git_system_t) fs_read_cifs_files(git_system_t) ') -tunable_policy(`git_system_use_nfs', ` +tunable_policy(`git_system_use_nfs',` fs_list_nfs(git_system_t) fs_read_nfs_files(git_system_t) ') @@ -156,17 +156,17 @@ userdom_search_user_home_dirs(git_session_t) userdom_use_user_terminals(git_session_t) -tunable_policy(`git_session_bind_all_unreserved_ports', ` +tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_bind_all_unreserved_ports(git_session_t) corenet_sendrecv_generic_server_packets(git_session_t) ') -tunable_policy(`use_nfs_home_dirs', ` +tunable_policy(`use_nfs_home_dirs',` fs_list_nfs(git_session_t) fs_read_nfs_files(git_session_t) ') -tunable_policy(`use_samba_home_dirs', ` +tunable_policy(`use_samba_home_dirs',` fs_list_cifs(git_session_t) fs_read_cifs_files(git_session_t) ') @@ -189,4 +189,3 @@ optional_policy(` git_role_template(git_shell) gen_user(git_shell_u, user, git_shell_r, s0, s0) - diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index e72b0633..b3fdcd56 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -316,7 +316,7 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(hald_t) + policykit_dbus_chat(hald_t) policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) @@ -333,7 +333,7 @@ optional_policy(` optional_policy(` shutdown_domtrans(hald_t) -') +') optional_policy(` udev_domtrans(hald_t) @@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t) miscfiles_read_localization(hald_acl_t) optional_policy(` - policykit_dbus_chat(hald_acl_t) + policykit_dbus_chat(hald_acl_t) policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) @@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) -# This is caused by a bug in hald and PolicyKit. +# This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed cron_read_system_job_lib_files(hald_t) diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te index 267bb4ce..1647fc40 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te @@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t) logging_send_syslog_msg(hddtemp_t) miscfiles_read_localization(hddtemp_t) - diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te index 80befb0f..6bf7cc3b 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1) # ## -##

-## Allow icecast to connect to all ports, not just -## sound ports. -##

+##

+## Allow icecast to connect to all ports, not just +## sound ports. +##

## gen_tunable(icecast_connect_any, false) @@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -logging_log_filetrans(icecast_t, icecast_log_t, { file dir } ) +logging_log_filetrans(icecast_t, icecast_log_t, { file dir }) manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index 61ea05e7..dc7dd01e 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) # # Declarations # + type innd_t; type innd_exec_t; init_daemon_domain(innd_t, innd_exec_t) @@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) # # Local policy # + allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 975bbcde..5f8840f9 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -1,4 +1,3 @@ - policy_module(jabber, 1.8.0) ######################################## @@ -84,7 +83,7 @@ corenet_tcp_bind_jabber_router_port(jabberd_router_t) corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) optional_policy(` - kerberos_use(jabberd_router_t) + kerberos_use(jabberd_router_t) ') ######################################## diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 4e397143..744e7d6d 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) # ## -##

-## Allow confined applications to run with kerberos. -##

+##

+## Allow confined applications to run with kerberos. +##

## gen_tunable(allow_kerberos, false) diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te index ffe035c1..01adbede 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t) term_use_all_terms(ksmtuned_t) miscfiles_read_localization(ksmtuned_t) - diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index ee5e3457..10c2d543 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) +fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 27270206..1887c508 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) # ## -##

-## Use lpd server instead of cups -##

+##

+## Use lpd server instead of cups +##

## gen_tunable(use_lpd_server, false) diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te index 6ba48ffe..f42a4895 100644 --- a/policy/modules/services/milter.te +++ b/policy/modules/services/milter.te @@ -33,7 +33,6 @@ files_type(spamass_milter_state_t) # allow dkim_milter_t self:capability { kill setgid setuid }; - allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) @@ -47,8 +46,8 @@ mta_read_config(dkim_milter_t) ######################################## # # milter-greylist local policy -# ensure smtp clients retry mail like real MTAs and not spamware -# http://hcpnet.free.fr/milter-greylist/ +# ensure smtp clients retry mail like real MTAs and not spamware +# http://hcpnet.free.fr/milter-greylist/ # # It removes any existing socket (not owned by root) whilst running as root, @@ -76,8 +75,8 @@ mta_read_config(greylist_milter_t) ######################################## # # milter-regex local policy -# filter emails using regular expressions -# http://www.benzedrine.cx/milter-regex.html +# filter emails using regular expressions +# http://www.benzedrine.cx/milter-regex.html # # It removes any existing socket (not owned by root) whilst running as root @@ -96,8 +95,8 @@ mta_read_config(regex_milter_t) ######################################## # # spamass-milter local policy -# pipe emails through SpamAssassin -# http://savannah.nongnu.org/projects/spamass-milt/ +# pipe emails through SpamAssassin +# http://savannah.nongnu.org/projects/spamass-milt/ # # The milter runs from /var/lib/spamass-milter diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te index 6f8fda5e..b05a9cdf 100644 --- a/policy/modules/services/mock.te +++ b/policy/modules/services/mock.te @@ -27,6 +27,7 @@ files_type(mock_var_lib_t) # # mock local policy # + allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; dontaudit mock_t self:process { siginh noatsecure rlimitinh }; @@ -40,14 +41,14 @@ files_var_filetrans(mock_t, mock_cache_t, { dir file } ) manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) -files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } ) +files_tmp_filetrans(mock_t, mock_tmp_t, { dir file }) can_exec(mock_t, mock_tmp_t) manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } ) +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) can_exec(mock_t, mock_var_lib_t) allow mock_t mock_var_lib_t:dir mounton; diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 71464f65..84bc8bb3 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -1,4 +1,4 @@ -policy_module(mpd,1.0.0) +policy_module(mpd, 1.0.0) ######################################## # @@ -41,7 +41,6 @@ files_type(mpd_var_lib_t) #cjp: dac_override bug in mpd relating to mpd.log file allow mpd_t self:capability { dac_override kill setgid setuid }; allow mpd_t self:process { getsched setsched setrlimit signal signull }; - allow mpd_t self:fifo_file rw_fifo_file_perms; allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow mpd_t self:tcp_socket create_stream_socket_perms; @@ -102,10 +101,10 @@ optional_policy(` optional_policy(` pulseaudio_exec(mpd_t) - pulseaudio_stream_connect(mpd_t) - pulseaudio_signull(mpd_t) + pulseaudio_stream_connect(mpd_t) + pulseaudio_signull(mpd_t) ') optional_policy(` - udev_read_db(mpd_t) + udev_read_db(mpd_t) ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index f99b9fc4..36e64e92 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -93,7 +93,7 @@ optional_policy(` optional_policy(` arpwatch_manage_tmp_files(system_mail_t) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` arpwatch_dontaudit_rw_packet_sockets(system_mail_t) ') ') @@ -194,7 +194,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') @@ -314,8 +314,6 @@ kernel_read_system_state(user_mail_domain) kernel_read_network_state(user_mail_domain) kernel_request_load_module(user_mail_domain) - - optional_policy(` # postfix needs this for newaliases files_getattr_tmp_dirs(user_mail_domain) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index 13d365dd..6f8b0fdc 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -193,7 +193,7 @@ optional_policy(` # local policy for disk plugins # -allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; +allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 5e96c0ab..ac63be99 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) # ## -##

-## Allow mysqld to connect to all ports -##

+##

+## Allow mysqld to connect to all ports +##

## gen_tunable(mysql_connect_any, false) diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 10293892..61a3920f 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -141,6 +141,7 @@ optional_policy(` # # Nagios CGI local policy # + optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; @@ -268,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; - allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms; @@ -321,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; - allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 6a174f5c..6b54db71 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -5,9 +5,9 @@ gen_require(` ') ## -##

-## Allow confined applications to use nscd shared memory. -##

+##

+## Allow confined applications to use nscd shared memory. +##

## gen_tunable(nscd_use_shm, false) @@ -146,6 +146,7 @@ optional_policy(` samba_append_log(nscd_t) samba_dontaudit_use_fds(nscd_t) ') + samba_read_config(nscd_t) samba_read_var_files(nscd_t) ')