From d542026b8686799587b652ef525292012cdb4a27 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Wed, 22 Sep 2010 13:23:41 +0200
Subject: [PATCH] The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy.
---
 policy/modules/services/cvs.te | 2 +-
 policy/modules/services/djbdns.te | 4 ++--
 policy/modules/services/mailman.te | 4 ++--
 policy/modules/services/mysql.te | 2 +-
 policy/modules/services/nis.te | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 0216eb4d..e18dc0b2 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 0c6a4736..5fd29a5c 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -23,11 +23,11 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
 
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ac97ed9d..96e3c804 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -61,9 +61,9 @@ optional_policy(`
 # Mailman mail local policy
 #
 
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index ac63be99..13c0555e 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -157,8 +157,8 @@ optional_policy(`
 
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
-allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876caec..3bd04d98 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -57,8 +57,8 @@ files_pid_file(ypxfr_var_run_t)
 # ypbind local policy
 
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -142,8 +142,8 @@ optional_policy(`
 
 allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
 allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -224,8 +224,8 @@ optional_policy(`
 #
 
 dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
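Review bot: The three nis.te hunks, like the mysql.te hunk before them, move only `allow ..._t self:fifo_file rw_fifo_file_perms;` below the `self:process` rule, so the subject line about capability rules does not describe them; the message should also say it normalises the order of the remaining self rules (capability, process, fifo_file, sockets). Order among allow rules has no effect on the compiled policy, so as far as these hunks show no permission is granted or removed anywhere in this commit — it is a refpolicy style change only. The mailman.te and cvs.te hunks do match the subject and need no separate note.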