Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

policy/modules/services/abrt.te

@@ -252,16 +252,15 @@ ifdef(`hide_broken_symptoms',`
 	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
-
-	optional_policy(`
-		rpm_dontaudit_leaks(abrt_helper_t)
-	')
-
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
 	dev_dontaudit_read_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
 ')
 
 ifdef(`hide_broken_symptoms',`

policy/modules/services/afs.te

@@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
-ifdef(`hide_broken_symptoms',`
-	kernel_rw_unlabeled_files(afs_t)
-')
-
 corenet_all_recvfrom_unlabeled(afs_t)
 corenet_all_recvfrom_netlabel(afs_t)
 corenet_tcp_sendrecv_generic_if(afs_t)
@@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
 
 sysnet_dns_name_resolve(afs_t)
 
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy

policy/modules/services/clamav.te

@@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
 
 userdom_stream_connect(freshclam_t)
 
-optional_policy(`
-	cron_system_entry(freshclam_t, freshclam_exec_t)
-')
-
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
 ',`
 	dontaudit freshclam_t self:process execmem;
 ')
 
+optional_policy(`
+	cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
 ########################################
 #
 # clamscam local policy

policy/modules/services/cron.te

@@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
@@ -122,6 +118,10 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Admin crontab local policy
@@ -263,6 +263,10 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(crond_t)
 ')
 
+tunable_policy(`fcron_crond',`
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 	apache_search_sys_content(crond_t)
 ')
@@ -287,10 +291,6 @@ optional_policy(`
 	mono_domtrans(crond_t)
 ')
 
-tunable_policy(`fcron_crond',`
-	allow crond_t system_cron_spool_t:file manage_file_perms;
-')
-
 optional_policy(`
 	amanda_search_var_lib(crond_t)
 ')

policy/modules/services/cups.te

@@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
 
 lpd_manage_spool(cups_pdf_t)
 
-optional_policy(`
-	gnome_read_config(cups_pdf_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_auto_mountpoints(cups_pdf_t)
 	fs_manage_nfs_dirs(cups_pdf_t)
@@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(cups_pdf_t)
 ')
 
+optional_policy(`
+	gnome_read_config(cups_pdf_t)
+')
+
 ########################################
 #
 # HPLIP local policy