From ef521e9919652f4b483e98cf420b2d098e27c431 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Wed, 22 Sep 2010 11:23:25 +0200
Subject: [PATCH] Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below.
---
 policy/modules/services/abrt.te | 9 ++++-----
 policy/modules/services/afs.te | 8 ++++----
 policy/modules/services/clamav.te | 8 ++++----
 policy/modules/services/cron.te | 16 ++++++++--------
 policy/modules/services/cups.te | 8 ++++----
 5 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index d595020f..5be7dc8e 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -252,16 +252,15 @@ ifdef(`hide_broken_symptoms',`
 domain_dontaudit_leaks(abrt_helper_t)
 userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
-
- optional_policy(`
- rpm_dontaudit_leaks(abrt_helper_t)
- ')
-
 dev_dontaudit_read_all_blk_files(abrt_helper_t)
 dev_dontaudit_read_all_chr_files(abrt_helper_t)
 dev_dontaudit_write_all_chr_files(abrt_helper_t)
 dev_dontaudit_write_all_blk_files(abrt_helper_t)
 fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
 ')
 ifdef(`hide_broken_symptoms',`
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index a9879a59..7e2cdf20 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 kernel_rw_afs_state(afs_t)
-ifdef(`hide_broken_symptoms',`
- kernel_rw_unlabeled_files(afs_t)
-')
-
 corenet_all_recvfrom_unlabeled(afs_t)
 corenet_all_recvfrom_netlabel(afs_t)
 corenet_tcp_sendrecv_generic_if(afs_t)
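Review bot: In the abrt.te hunk, the `optional_policy` block that now closes the hide_broken_symptoms ifdef carries no comment saying which denial `rpm_dontaudit_leaks(abrt_helper_t)` is meant to hide or when it can be dropped. Every rule visible in this block is a dontaudit, including the ones covering reads and writes on all block and character device nodes, so with the flag set those denials from abrt_helper_t never reach the audit log. A comment above the block, for example `# rpm leaks descriptors to abrt_helper_t; remove once fixed in rpm` (reason to be confirmed against the original report), would let a later reviewer retire the suppression; `semodule -DB` rebuilds the policy with dontaudit rules disabled when these denials need to be seen. The ifdef opens above the hunk.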
@@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
 sysnet_dns_name_resolve(afs_t)
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index bf47a163..f9af97c2 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
 userdom_stream_connect(freshclam_t)
-optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
-')
-
 tunable_policy(`clamd_use_jit',`
 allow freshclam_t self:process execmem;
 ',`
 dontaudit freshclam_t self:process execmem;
 ')
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
 ########################################
 #
 # clamscam local policy
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 6dfdc3f6..2a7f7f42 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
@@ -122,6 +118,10 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Admin crontab local policy
@@ -263,6 +263,10 @@ tunable_policy(`allow_polyinstantiation',`
 files_polyinstantiate_all(crond_t)
 ')
+tunable_policy(`fcron_crond',`
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 apache_search_sys_content(crond_t)
 ')
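Review bot: In the afs.te hunk at -111,6 +107,10, `kernel_rw_unlabeled_files(afs_t)` reads by its name as an access grant, not a dontaudit, yet it is still compiled in only under hide_broken_symptoms. Elsewhere in this patch that flag wraps audit suppression (the abrt.te block), so a build that sets it to quiet the logs would presumably also let afs_t read and write unlabeled files. As the block is being moved anyway, I would add a comment giving the reason, for example `# AFS cache content is seen as unlabeled; remove once it is labeled` (reason to be confirmed), or take the rule out of the ifdef if afs_t genuinely needs the access.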
@@ -287,10 +291,6 @@ optional_policy(`
 mono_domtrans(crond_t)
 ')
-tunable_policy(`fcron_crond',`
- allow crond_t system_cron_spool_t:file manage_file_perms;
-')
-
 optional_policy(`
 amanda_search_var_lib(crond_t)
 ')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 4dd87b81..b3ab30f4 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
 lpd_manage_spool(cups_pdf_t)
-optional_policy(`
- gnome_read_config(cups_pdf_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_search_auto_mountpoints(cups_pdf_t)
 fs_manage_nfs_dirs(cups_pdf_t)
@@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_files(cups_pdf_t)
 ')
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
+
 ########################################
 #
 # HPLIP local policy