diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 115741f..3bd8c13 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -92,10 +92,10 @@ dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
 fs_dontaudit_list_tmpfs(apmd_t)
 fs_getattr_all_fs(apmd_t)
 fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_files(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
 selinux_search_fs(apmd_t)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index 55d25cd..69ae746 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -24,7 +24,7 @@ template(`milter_template',`
 # Type for the milter data (e.g. the socket used to communicate with the MTA)
 type $1_milter_data_t, milter_data_type;
- files_type($1_milter_data_t);
+ files_type($1_milter_data_t)
 allow $1_milter_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 755da96..fc3f758 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -42,7 +42,7 @@ kernel_read_kernel_sysctls(greylist_milter_t)
 # Allow the milter to read a GeoIP database in /usr/share
 files_read_usr_files(greylist_milter_t)
 # The milter runs from /var/lib/milter-greylist and maintains files there
-files_search_var_lib(greylist_milter_t);
+files_search_var_lib(greylist_milter_t)
 # Look up username for dropping privs
 auth_use_nsswitch(greylist_milter_t)
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index 251b2ac..4020ec7 100644
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@@ -12,7 +12,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
 # type for config
 type pingd_etc_t;
-files_type(pingd_etc_t);
+files_type(pingd_etc_t)
 type pingd_initrc_exec_t;
 init_script_file(pingd_initrc_exec_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 0de9043..ce78db3 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -74,8 +74,8 @@ fs_search_auto_mountpoints(tftpd_t)
 domain_use_interactive_fds(tftpd_t)
-files_read_etc_files(tftpd_t);
-files_read_etc_runtime_files(tftpd_t);
+files_read_etc_files(tftpd_t)
+files_read_etc_runtime_files(tftpd_t)
 files_read_var_files(tftpd_t)
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index a93d638..adb4b49 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -21,7 +21,7 @@ allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 files_read_etc_files(zos_remote_t)
-auth_use_nsswitch(zos_remote_t);
+auth_use_nsswitch(zos_remote_t)
 miscfiles_read_localization(zos_remote_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 92103db..4f9df30 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -76,7 +76,7 @@ files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
-# pluto runs an updown script (by calling popen()!); as this is by default
+# pluto runs an updown script (by calling popen()!) as this is by default
 # a shell script, we need to find a way to make things work without
 # letting all sorts of stuff possibly be run...
 # so try flipping back into the ipsec_mgmt_t domain
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 09b9a9b..1fcc896 100644
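Review bot: The semicolon dropped in the ipsec.te hunk was sentence punctuation inside a comment, not a stray macro terminator, so the cleanup has fused two clauses into one run-on line. This comment is the only rationale given for why the popen()-spawned updown shell script is pushed back into the ipsec_mgmt_t domain, so it is worth keeping readable for anyone auditing that transition. I would restore the original line, `# pluto runs an updown script (by calling popen()!); as this is by default`, and leave the rest of the cleanup as is. The rules the comment describes lie below the hunk and are not visible here.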
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -259,7 +259,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ifconfig_t self:tcp_socket { create ioctl };
-files_read_etc_files(ifconfig_t);
+files_read_etc_files(ifconfig_t)
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 161f298..1de4131 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -8,8 +8,8 @@ policy_module(xen, 1.8.2)
 # console ptys
 type xen_devpts_t;
-term_pty(xen_devpts_t);
-files_type(xen_devpts_t);
+term_pty(xen_devpts_t)
+files_type(xen_devpts_t)
 # Xen Image files
 type xen_image_t; # customizable
@@ -239,7 +239,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
-term_create_pty(xenconsoled_t,xen_devpts_t);
+term_create_pty(xenconsoled_t,xen_devpts_t)
 term_use_generic_ptys(xenconsoled_t)
 term_use_console(xenconsoled_t)
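Review bot: The rewritten call in the second xen.te hunk still has no space after the comma, unlike the other multi-argument calls visible in this patch such as `init_daemon_domain(pingd_t, pingd_exec_t)`. Since this commit is a style normalisation and already touches the line, I would write it as `term_create_pty(xenconsoled_t, xen_devpts_t)`.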