The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy.

The capability IPC goes on top of the local policy.

policy/modules/services/cvs.te

@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

policy/modules/services/djbdns.te

@@ -23,11 +23,11 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
 
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 

policy/modules/services/mailman.te

@@ -61,9 +61,9 @@ optional_policy(`
 # Mailman mail local policy
 #
 
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)

policy/modules/services/mysql.te

@@ -157,8 +157,8 @@ optional_policy(`
 
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
-allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 

policy/modules/services/nis.te

@@ -57,8 +57,8 @@ files_pid_file(ypxfr_var_run_t)
 # ypbind local policy
 
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -142,8 +142,8 @@ optional_policy(`
 
 allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
 allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -224,8 +224,8 @@ optional_policy(`
 #
 
 dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;