diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if index b08ead7..1d6274a 100644 --- a/policy/modules/apps/cdrecord.if +++ b/policy/modules/apps/cdrecord.if @@ -68,7 +68,7 @@ template(`cdrecord_per_role_template', ` # allow searching for cdrom-drive dev_list_all_dev_nodes($1_cdrecord_t) - + domain_interactive_fd($1_cdrecord_t) domain_use_interactive_fds($1_cdrecord_t) @@ -80,7 +80,7 @@ template(`cdrecord_per_role_template', ` # allow cdrecord to write the CD storage_raw_write_removable_device($1_cdrecord_t) storage_write_scsi_generic($1_cdrecord_t) - + libs_use_ld_so($1_cdrecord_t) libs_use_shared_libs($1_cdrecord_t) @@ -100,7 +100,7 @@ template(`cdrecord_per_role_template', ` files_list_home($1_cdrecord_t) fs_read_nfs_files($1_cdrecord_t) fs_read_nfs_symlinks($1_cdrecord_t) - + ',` files_dontaudit_list_home($1_cdrecord_t) fs_dontaudit_list_auto_mountpoints($1_cdrecord_t) @@ -119,7 +119,7 @@ template(`cdrecord_per_role_template', ` fs_dontaudit_read_cifs_files($1_cdrecord_t) fs_dontaudit_list_cifs($1_cdrecord_t) ') - + # Handle removable media, /tmp, and /home tunable_policy(`cdrecord_read_content',` userdom_list_user_tmp($1, $1_cdrecord_t) @@ -128,7 +128,7 @@ template(`cdrecord_per_role_template', ` userdom_search_user_home_dirs($1, $1_cdrecord_t) userdom_read_user_home_content_files($1, $1_cdrecord_t) userdom_read_user_home_content_symlinks($1, $1_cdrecord_t) - + ifdef(`enable_mls',` ',` fs_search_removable($1_cdrecord_t) @@ -145,7 +145,7 @@ template(`cdrecord_per_role_template', ` userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t) userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t) ') - + # Handle default_t content tunable_policy(`cdrecord_read_content && read_default_t',` files_list_default($1_cdrecord_t) 
@@ -155,7 +155,7 @@ template(`cdrecord_per_role_template', ` files_dontaudit_read_default_files($1_cdrecord_t) files_dontaudit_list_default($1_cdrecord_t) ') - + # Handle untrusted content tunable_policy(`cdrecord_read_content && read_untrusted_content',` files_list_tmp($1_cdrecord_t) @@ -183,7 +183,7 @@ template(`cdrecord_per_role_template', ` fs_read_nfs_files($1_cdrecord_t) fs_read_nfs_symlinks($1_cdrecord_t) ') - + optional_policy(` resmgr_stream_connect($1_cdrecord_t) ') diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if index d5bf424..3464f5d 100644 --- a/policy/modules/apps/ethereal.if +++ b/policy/modules/apps/ethereal.if @@ -114,7 +114,7 @@ template(`ethereal_per_role_template',` corenet_tcp_connect_generic_port($1_ethereal_t) corenet_tcp_sendrecv_generic_if($1_ethereal_t) - + dev_read_urand($1_ethereal_t) files_read_etc_files($1_ethereal_t) @@ -135,7 +135,7 @@ template(`ethereal_per_role_template',` sysnet_read_config($1_ethereal_t) userdom_manage_user_home_content_files($1, $1_ethereal_t) - + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_ethereal_t) fs_manage_nfs_files($1_ethereal_t) @@ -162,7 +162,7 @@ template(`ethereal_per_role_template',` xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t) xserver_create_xdm_tmp_sockets($1_ethereal_t) ') - + ifdef(`TODO',` # Why does it write this? optional_policy(` @@ -173,7 +173,7 @@ template(`ethereal_per_role_template',` gnome_file_dialog($1_ethereal, $1) # FIXME: policy is incomplete ') - + ') ####################################### @@ -204,7 +204,7 @@ template(`ethereal_admin_template',` allow $1_ethereal_t self:packet_socket create_socket_perms; allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms; allow $1_ethereal_t self:tcp_socket create_socket_perms; - + userdom_use_user_terminals($1, $1_ethereal_t) # Ethereal tries to write to user terminal userdom_dontaudit_use_user_terminals($1, $1_ethereal_t) 
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index f790c67..da77447 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -53,7 +53,7 @@ template(`evolution_per_role_template',` type $1_evolution_orbit_tmp_t; files_tmp_file($1_evolution_orbit_tmp_t) - + type $1_evolution_alarm_t; application_domain($1_evolution_alarm_t, evolution_alarm_exec_t) role $3 types $1_evolution_alarm_t; @@ -153,7 +153,7 @@ template(`evolution_per_role_template',` allow $1_evolution_t $2:file read; domain_auto_trans($2, evolution_exec_t, $1_evolution_t) - + allow $2 $1_evolution_t:unix_stream_socket connectto; allow $2 $1_evolution_t:process noatsecure; allow $2 $1_evolution_t:process signal_perms; @@ -267,7 +267,7 @@ template(`evolution_per_role_template',` files_list_home($1_evolution_t) fs_read_nfs_files($1_evolution_t) fs_read_nfs_symlinks($1_evolution_t) - + ',` files_dontaudit_list_home($1_evolution_t) fs_dontaudit_list_auto_mountpoints($1_evolution_t) @@ -294,7 +294,7 @@ template(`evolution_per_role_template',` userdom_search_user_home_dirs($1, $1_evolution_t) userdom_read_user_home_content_files($1, $1_evolution_t) userdom_read_user_home_content_symlinks($1, $1_evolution_t) - + ifndef(`enable_mls',` fs_search_removable($1_evolution_t) fs_read_removable_files($1_evolution_t) @@ -324,7 +324,7 @@ template(`evolution_per_role_template',` files_list_tmp($1_evolution_t) files_list_home($1_evolution_t) userdom_search_user_home_dirs($1,$1_evolution_t) - + userdom_list_user_untrusted_content($1, $1_evolution_t) userdom_read_user_untrusted_content_files($1, $1_evolution_t) userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t) @@ -343,7 +343,7 @@ template(`evolution_per_role_template',` tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` files_search_home($1_evolution_t) - + fs_search_auto_mountpoints($1_evolution_t) fs_manage_nfs_dirs($1_evolution_t) fs_manage_nfs_files($1_evolution_t) 
@@ -356,7 +356,7 @@ template(`evolution_per_role_template',` tunable_policy(`write_untrusted_content && use_samba_home_dirs',` files_search_home($1_evolution_t) - + fs_search_auto_mountpoints($1_evolution_t) fs_manage_cifs_dirs($1_evolution_t) fs_manage_cifs_files($1_evolution_t) @@ -369,7 +369,7 @@ template(`evolution_per_role_template',` tunable_policy(`write_untrusted_content',` files_search_home($1_evolution_t) - + userdom_manage_user_untrusted_content_files($1, $1_evolution_t) userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir }) userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir }) @@ -377,7 +377,7 @@ template(`evolution_per_role_template',` ',` files_dontaudit_list_home($1_evolution_t) files_dontaudit_list_tmp($1_evolution_t) - + userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t) #userdom_dontaudit_manage_user_tmp($1,$1_evolution_t) #userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t) @@ -449,12 +449,12 @@ template(`evolution_per_role_template',` # (different from home, not directly accessible from ROLE_t) type $1_evolutioin_secret_t; userdom_user_home_content($1,$1_evolutioin_secret_t) - + # Put secret files in .gnome2_private allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms; allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms; type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t; - + allow $2 $1_evolution_secret_t:file unlink; ifdef(`TODO',` @@ -503,7 +503,7 @@ template(`evolution_per_role_template',` libs_use_ld_so($1_evolution_alarm_t) libs_use_shared_libs($1_evolution_alarm_t) - + miscfiles_read_localization($1_evolution_alarm_t) # Access evolution home 
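Review bot: In the `@@ -449,12 +449,12 @@` hunk of evolution.if, the declaration `type $1_evolutioin_secret_t;`, the `userdom_user_home_content` call, the `manage_file_perms` allow and the `type_transition` all use the spelling `$1_evolutioin_secret_t`, while the following `allow $2 $1_evolution_secret_t:file unlink;` uses `$1_evolution_secret_t`, which is not declared anywhere in the hunk. Unless that second spelling is declared elsewhere in the template, the unlink rule names a different type and the user domain presumably does not receive the permission the surrounding comment intends. The minimal fix is `allow $2 $1_evolutioin_secret_t:file unlink;` so that it matches the declared type; correcting the typo in the declaration and its three uses would be the cleaner follow-up. evolution_per_role_template starts and ends outside this hunk, and the whitespace cleanup does not touch these lines.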
@@ -588,7 +588,7 @@ template(`evolution_per_role_template',` # Transition from user domain domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t) - + kernel_read_network_state($1_evolution_exchange_t) kernel_read_net_sysctls($1_evolution_exchange_t) @@ -607,7 +607,7 @@ template(`evolution_per_role_template',` libs_use_shared_libs($1_evolution_exchange_t) miscfiles_read_localization($1_evolution_exchange_t) - + # Access evolution home userdom_search_user_home_dirs($1, $1_evolution_exchange_t) # FIXME: suppress access to .local/.icons/.themes until properly implemented @@ -629,7 +629,7 @@ template(`evolution_per_role_template',` optional_policy(` gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t) ') - + optional_policy(` nscd_socket_use($1_evolution_exchange_t) ') @@ -740,7 +740,7 @@ template(`evolution_per_role_template',` # allow $1_evolution_webcal_t self:tcp_socket create_socket_perms; - + # X/evolution common stuff allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms; allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms; diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if index e7cbfee..4f810fb 100644 --- a/policy/modules/apps/games.if +++ b/policy/modules/apps/games.if @@ -55,7 +55,7 @@ template(`games_per_role_template',` type $1_games_tmp_t; files_tmp_file($1_games_tmp_t) - + ######################################## # # Local policy @@ -136,7 +136,7 @@ template(`games_per_role_template',` userdom_manage_user_tmp_sockets($1,$1_games_t) # Suppress .icons denial until properly implemented userdom_dontaudit_read_user_home_content_files($1,$1_games_t) - + tunable_policy(`allow_execmem',` allow $1_games_t self:process execmem; ') diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 27ca9ad..e5dd078 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if 
@@ -108,7 +108,7 @@ template(`gnome_per_role_template',` xserver_rw_xdm_pipes($1_gconfd_t) ') ') - + ######################################## ## ## gconf connection template. diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if index c778244..a432984 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if @@ -55,7 +55,7 @@ template(`irc_per_role_template',` type $1_irc_tmp_t; userdom_user_home_content($1, $1_irc_tmp_t) - + ######################################## # # Local policy @@ -80,13 +80,13 @@ template(`irc_per_role_template',` # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, $1_irc_t) - + allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms }; # allow ps to show irc ps_process_pattern($2, $1_irc_t) allow $2 $1_irc_t:process signal; - + kernel_read_proc_symlinks($1_irc_t) corenet_all_recvfrom_unlabeled($1_irc_t) diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index 553db89..f59bba3 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -36,7 +36,7 @@ template(`java_per_role_template',` gen_require(` type java_exec_t; ') - + ######################################## # # Declarations @@ -45,13 +45,13 @@ template(`java_per_role_template',` type $1_javaplugin_t; application_domain($1_javaplugin_t, java_exec_t) role $3 types $1_javaplugin_t; - + type $1_javaplugin_tmp_t; files_tmp_file($1_javaplugin_tmp_t) type $1_javaplugin_tmpfs_t; files_tmpfs_file($1_javaplugin_tmpfs_t) - + ######################################## # # Local policy @@ -61,7 +61,7 @@ template(`java_per_role_template',` allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; allow $1_javaplugin_t self:tcp_socket create_socket_perms; allow $1_javaplugin_t self:udp_socket create_socket_perms; - + allow $1_javaplugin_t $2:unix_stream_socket connectto; allow $1_javaplugin_t $2:unix_stream_socket { read write }; userdom_write_user_tmp_sockets($1, $1_javaplugin_t) 
@@ -80,14 +80,14 @@ template(`java_per_role_template',` read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) can_exec($1_javaplugin_t, java_exec_t) - + # The user role is authorized for this domain. domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; allow $1_javaplugin_t $2:process signull; - + kernel_read_all_sysctls($1_javaplugin_t) kernel_search_vm_sysctl($1_javaplugin_t) kernel_read_network_state($1_javaplugin_t) diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if index fb7c4a7..6a3a994 100644 --- a/policy/modules/apps/lockdev.if +++ b/policy/modules/apps/lockdev.if @@ -68,14 +68,14 @@ template(`lockdev_per_role_template',` files_read_all_locks($1_lockdev_t) fs_getattr_xattr_fs($1_lockdev_t) - + libs_use_ld_so($1_lockdev_t) libs_use_shared_libs($1_lockdev_t) logging_send_syslog_msg($1_lockdev_t) userdom_use_user_terminals($1, $1_lockdev_t) - + optional_policy(` logging_send_syslog_msg($1_t) ') diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 92f7e89..5d9f74a 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -111,7 +111,7 @@ template(`mozilla_per_role_template',` # Allow the user domain to signal/ps. ps_process_pattern($2, $1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; - + kernel_read_kernel_sysctls($1_mozilla_t) kernel_read_network_state($1_mozilla_t) # Access /proc, sysctl @@ -171,7 +171,7 @@ template(`mozilla_per_role_template',` fs_rw_tmpfs_files($1_mozilla_t) term_dontaudit_getattr_pty_dirs($1_mozilla_t) - + libs_use_ld_so($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) 
@@ -183,14 +183,14 @@ template(`mozilla_per_role_template',` # Browse the web, connect to printer sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) - + userdom_manage_user_home_content_dirs($1, $1_mozilla_t) userdom_manage_user_home_content_files($1, $1_mozilla_t) userdom_manage_user_home_content_symlinks($1, $1_mozilla_t) userdom_manage_user_tmp_dirs($1, $1_mozilla_t) userdom_manage_user_tmp_files($1, $1_mozilla_t) userdom_manage_user_tmp_sockets($1, $1_mozilla_t) - + xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) @@ -217,7 +217,7 @@ template(`mozilla_per_role_template',` files_list_home($1_mozilla_t) fs_read_nfs_files($1_mozilla_t) fs_read_nfs_symlinks($1_mozilla_t) - + ',` files_dontaudit_list_home($1_mozilla_t) fs_dontaudit_list_auto_mountpoints($1_mozilla_t) @@ -244,7 +244,7 @@ template(`mozilla_per_role_template',` userdom_search_user_home_dirs($1, $1_mozilla_t) userdom_read_user_home_content_files($1, $1_mozilla_t) userdom_read_user_home_content_symlinks($1, $1_mozilla_t) - + ifdef(`enable_mls',`',` fs_search_removable($1_mozilla_t) fs_read_removable_files($1_mozilla_t) @@ -274,7 +274,7 @@ template(`mozilla_per_role_template',` files_list_tmp($1_mozilla_t) files_list_home($1_mozilla_t) userdom_search_user_home_dirs($1, $1_mozilla_t) - + userdom_list_user_untrusted_content($1, $1_mozilla_t) userdom_read_user_untrusted_content_files($1, $1_mozilla_t) userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t) 
@@ -389,7 +389,7 @@ template(`mozilla_per_role_template',` #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) #') - + # Macros for mozilla/mozilla (or other browser) domains. # FIXME: Rules were removed to centralize policy in a gnome_app macro # A similar thing might be necessary for mozilla compiled without GNOME diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index d31f223..ffcbabe 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if @@ -70,7 +70,7 @@ template(`mplayer_per_role_template',` allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t) read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t) - + # domain transition domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t) @@ -150,7 +150,7 @@ template(`mplayer_per_role_template',` files_list_home($1_mencoder_t) fs_read_nfs_files($1_mencoder_t) fs_read_nfs_symlinks($1_mencoder_t) - + ',` files_dontaudit_list_home($1_mencoder_t) fs_dontaudit_list_auto_mountpoints($1_mencoder_t) @@ -182,7 +182,7 @@ template(`mplayer_per_role_template',` tunable_policy(`read_untrusted_content',` files_list_tmp($1_mencoder_t) files_list_home($1_mencoder_t) - + userdom_list_user_untrusted_content($1, $1_mencoder_t) userdom_read_user_untrusted_content_files($1, $1_mencoder_t) userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t) @@ -342,7 +342,7 @@ template(`mplayer_per_role_template',` userdom_read_user_home_content_symlinks($1, $1_mplayer_t) xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t) - + # Read songs ifdef(`enable_mls',`',` fs_search_removable($1_mplayer_t) 
@@ -384,7 +384,7 @@ template(`mplayer_per_role_template',` files_list_home($1_mplayer_t) fs_read_nfs_files($1_mplayer_t) fs_read_nfs_symlinks($1_mplayer_t) - + ',` files_dontaudit_list_home($1_mplayer_t) fs_dontaudit_list_auto_mountpoints($1_mplayer_t) @@ -416,7 +416,7 @@ template(`mplayer_per_role_template',` tunable_policy(`read_untrusted_content',` files_list_tmp($1_mplayer_t) files_list_home($1_mplayer_t) - + userdom_list_user_untrusted_content($1, $1_mplayer_t) userdom_read_user_untrusted_content_files($1, $1_mplayer_t) userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index ca876d5..46eb9bf 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -55,7 +55,7 @@ template(`screen_per_role_template',` type $1_screen_var_run_t; files_pid_file($1_screen_var_run_t) - + ######################################## # # Local policy @@ -97,7 +97,7 @@ template(`screen_per_role_template',` relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - + kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index ec65807..168be3a 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -49,7 +49,7 @@ template(`thunderbird_per_role_template',` type $1_thunderbird_tmpfs_t; files_tmpfs_file($1_thunderbird_tmpfs_t) - + ######################################## # # Local policy 
@@ -94,12 +94,12 @@ template(`thunderbird_per_role_template',` relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - + # Allow netstat kernel_read_network_state($1_thunderbird_t) kernel_read_net_sysctls($1_thunderbird_t) kernel_read_system_state($1_thunderbird_t) - + # Startup shellscript corecmd_exec_shell($1_thunderbird_t) @@ -144,7 +144,7 @@ template(`thunderbird_per_role_template',` fs_list_inotifyfs($1_thunderbird_t) # Access ~/.thunderbird fs_search_auto_mountpoints($1_thunderbird_t) - + auth_use_nsswitch($1_thunderbird_t) libs_use_shared_libs($1_thunderbird_t) @@ -204,14 +204,14 @@ template(`thunderbird_per_role_template',` fs_dontaudit_read_cifs_files($1_thunderbird_t) fs_dontaudit_list_cifs($1_thunderbird_t) ') - + tunable_policy(`mail_read_content',` userdom_list_user_tmp($1, $1_thunderbird_t) userdom_read_user_tmp_files($1, $1_thunderbird_t) userdom_read_user_tmp_symlinks($1, $1_thunderbird_t) userdom_search_user_home_dirs($1, $1_thunderbird_t) userdom_read_user_home_content_files($1, $1_thunderbird_t) - + ifndef(`enable_mls',` fs_search_removable($1_thunderbird_t) fs_read_removable_files($1_thunderbird_t) @@ -229,7 +229,7 @@ template(`thunderbird_per_role_template',` userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t) userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t) ') - + tunable_policy(`mail_read_content && read_default_t',` files_list_default($1_thunderbird_t) files_read_default_files($1_thunderbird_t) @@ -238,7 +238,7 @@ template(`thunderbird_per_role_template',` files_dontaudit_read_default_files($1_thunderbird_t) files_dontaudit_list_default($1_thunderbird_t) ') - + tunable_policy(`mail_read_content && read_untrusted_content',` files_list_tmp($1_thunderbird_t) files_list_home($1_thunderbird_t) 
@@ -274,7 +274,7 @@ template(`thunderbird_per_role_template',` fs_dontaudit_manage_nfs_dirs($1_thunderbird_t) fs_dontaudit_manage_nfs_files($1_thunderbird_t) ') - + # Manage samba homedirs tunable_policy(`write_untrusted_content && use_samba_home_dirs',` files_search_home($1_thunderbird_t) @@ -288,7 +288,7 @@ template(`thunderbird_per_role_template',` fs_dontaudit_manage_cifs_dirs($1_thunderbird_t) fs_dontaudit_manage_cifs_files($1_thunderbird_t) ') - + # Manage /tmp and /home tunable_policy(`write_untrusted_content',` files_search_home($1_thunderbird_t) diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index a5e3ab7..ca1f399 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if @@ -55,7 +55,7 @@ template(`tvtime_per_role_template',` type $1_tvtime_tmpfs_t; files_tmpfs_file($1_tvtime_tmpfs_t) - + ######################################## # # Local policy @@ -96,7 +96,7 @@ template(`tvtime_per_role_template',` # Allow the user domain to signal/ps. ps_process_pattern($2,$1_tvtime_t) allow $2 $1_tvtime_t:process signal_perms; - + kernel_read_all_sysctls($1_tvtime_t) kernel_get_sysvipc_info($1_tvtime_t) @@ -111,7 +111,7 @@ template(`tvtime_per_role_template',` # X access, Home files fs_search_auto_mountpoints($1_tvtime_t) - + libs_use_ld_so($1_tvtime_t) libs_use_shared_libs($1_tvtime_t) @@ -120,7 +120,7 @@ template(`tvtime_per_role_template',` userdom_use_user_terminals($1, $1_tvtime_t) userdom_read_user_home_content_files($1, $1_tvtime_t) - + # X access, Home files tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_tvtime_t) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index 3ced452..b3e7a9e 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -1,5 +1,5 @@ ## Policy for UML - + ####################################### ## ## The per role template for the uml module. 
@@ -142,7 +142,7 @@ template(`uml_per_role_template',` # for mconsole allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto; allow $1_uml_t $2:unix_dgram_socket sendto; - + kernel_read_system_state($1_uml_t) # for SKAS - need something better kernel_write_proc_files($1_uml_t) @@ -161,7 +161,7 @@ template(`uml_per_role_template',` corenet_tcp_connect_all_ports($1_uml_t) corenet_sendrecv_all_client_packets($1_uml_t) corenet_rw_tun_tap_dev($1_uml_t) - + domain_use_interactive_fds($1_uml_t) # for xterm diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if index 1444394..7a4f429 100644 --- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -49,7 +49,7 @@ template(`userhelper_per_role_template',` domain_interactive_fd($1_userhelper_t) domain_subj_id_change_exemption($1_userhelper_t) role $3 types $1_userhelper_t; - + ######################################## # # Local policy @@ -78,7 +78,7 @@ template(`userhelper_per_role_template',` can_exec($1_userhelper_t, userhelper_exec_t) dontaudit $2 $1_userhelper_t:process signal; - + kernel_read_all_sysctls($1_userhelper_t) kernel_getattr_debugfs($1_userhelper_t) kernel_read_system_state($1_userhelper_t) @@ -164,7 +164,7 @@ template(`userhelper_per_role_template',` sysadm_bin_spec_domtrans($1_userhelper_t) sysadm_entry_spec_domtrans($1_userhelper_t) ') - + optional_policy(` ethereal_domtrans_user_ethereal($1, $1_userhelper_t) ') diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if index acc1f35..81320c3 100644 --- a/policy/modules/apps/wireshark.if +++ b/policy/modules/apps/wireshark.if @@ -114,7 +114,7 @@ template(`wireshark_per_role_template',` corenet_tcp_connect_generic_port($1_wireshark_t) corenet_tcp_sendrecv_generic_if($1_wireshark_t) - + dev_read_urand($1_wireshark_t) files_read_etc_files($1_wireshark_t) 
@@ -135,7 +135,7 @@ template(`wireshark_per_role_template',` sysnet_read_config($1_wireshark_t) userdom_manage_user_home_content_files($1, $1_wireshark_t) - + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_wireshark_t) fs_manage_nfs_files($1_wireshark_t) @@ -162,7 +162,7 @@ template(`wireshark_per_role_template',` xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t) xserver_create_xdm_tmp_sockets($1_wireshark_t) ') - + ifdef(`TODO',` # Why does it write this? optional_policy(` @@ -173,7 +173,7 @@ template(`wireshark_per_role_template',` gnome_file_dialog($1_wireshark, $1) # FIXME: policy is incomplete ') - + ') ####################################### @@ -204,7 +204,7 @@ template(`wireshark_admin_template',` allow $1_wireshark_t self:packet_socket create_socket_perms; allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms; allow $1_wireshark_t self:tcp_socket create_socket_perms; - + userdom_use_user_terminals($1, $1_wireshark_t) # wireshark tries to write to user terminal userdom_dontaudit_use_user_terminals($1, $1_wireshark_t) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if index b652bd4..c656fa9 100644 --- a/policy/modules/services/aide.if +++ b/policy/modules/services/aide.if @@ -19,7 +19,6 @@ interface(`aide_domtrans',` domtrans_pattern($1, aide_exec_t, aide_t) ') - ######################################## ## ## Execute aide programs in the AIDE domain. diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if index c5cce45..4da96a5 100644 --- a/policy/modules/services/apcupsd.if +++ b/policy/modules/services/apcupsd.if @@ -37,7 +37,6 @@ interface(`apcupsd_read_pid_files',` allow $1 apcupsd_var_run_t:file read_file_perms; ') - ######################################## ## ## Allow the specified domain to read apcupsd's log files. diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index 42e4086..ab42eaa 100644 
--- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te @@ -110,10 +110,10 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) - + allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; - + corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) @@ -123,6 +123,6 @@ optional_policy(` corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - + sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 20b4aa5..0fc2e12 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -14,7 +14,6 @@ type apm_exec_t; application_domain(apm_t, apm_exec_t) role system_r types apm_t; - type apmd_log_t; logging_log_file(apmd_log_t) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 0c67198..d089eff 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -284,9 +284,9 @@ interface(`bind_admin',` allow $1 named_t:process { ptrace signal_perms }; ps_process_pattern($1, named_t) - + allow $1 ndc_t:process { ptrace signal_perms }; ps_process_pattern($1, ndc_t) - + bind_run_ndc($1, $2, $3) ') diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index be4719e..ec038c4 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -41,7 +41,7 @@ template(`bluetooth_per_role_template',` type $1_bluetooth_t, bluetooth_helper_domain; application_domain($1_bluetooth_t, bluetooth_helper_exec_t) role $3 types $1_bluetooth_t; - + type $1_bluetooth_tmp_t; files_tmp_file($1_bluetooth_tmp_t) 
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index 33b5d01..718d0aa 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -63,7 +63,7 @@ interface(`cvs_admin',` allow $1 cvs_t:process { ptrace signal_perms }; ps_process_pattern($1, cvs_t) - + # Allow cvs_t to restart the apache service init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if index 2bf2146..b4e232d 100644 --- a/policy/modules/services/cyrus.if +++ b/policy/modules/services/cyrus.if @@ -20,7 +20,6 @@ interface(`cyrus_manage_data',` manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) ') - ######################################## ## ## Connect to Cyrus using a unix domain stream socket. @@ -81,4 +80,3 @@ interface(`cyrus_admin',` admin_pattern($1, cyrus_var_run_t) ') - diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc index 0145445..a738f3e 100644 --- a/policy/modules/services/dovecot.fc +++ b/policy/modules/services/dovecot.fc @@ -34,6 +34,3 @@ ifdef(`distro_redhat', ` /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) - - - diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index be8f7e2..e95a24c 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -283,7 +283,6 @@ interface(`hal_read_pid_files',` allow $1 hald_var_run_t:file read_file_perms; ') - ######################################## ## ## Read/Write hald PID files. diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index c390f23..f3291e9 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -156,7 +156,6 @@ interface(`inn_dgram_send',` allow $1 innd_t:unix_dgram_socket sendto; ') - ######################################## ## ## Execute inn in the inn domain. 
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 23d1c3f..2d767ff 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -53,7 +53,6 @@ interface(`ldap_use',` refpolicywarn(`$0($*) has been deprecated.') ') - ######################################## ## ## Connect to slapd over an unix stream socket. diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index 5045eed..b447c02 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -62,7 +62,7 @@ template(`lpd_per_role_template',` allow $1_lpr_t self:tcp_socket create_socket_perms; allow $1_lpr_t self:udp_socket create_socket_perms; allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms; - + can_exec($1_lpr_t,lpr_exec_t) tunable_policy(`use_lpd_server',` @@ -133,7 +133,7 @@ template(`lpd_per_role_template',` # Access the terminal. term_use_controlling_term($1_lpr_t) term_use_generic_ptys($1_lpr_t) - + libs_use_ld_so($1_lpr_t) libs_use_shared_libs($1_lpr_t) diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc index c219f0e..9879ead 100644 --- a/policy/modules/services/oident.fc +++ b/policy/modules/services/oident.fc @@ -7,4 +7,3 @@ HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0) /usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) - diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index 6997c1a..5d98797 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -331,7 +331,7 @@ interface(`ppp_admin',` allow $1 pppd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, pppd_t) - + files_list_tmp($1) manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if index 9e9b334..df92a8f 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if 
@@ -37,7 +37,6 @@ interface(`rpcbind_read_pid_files',`
 allow $1 rpcbind_var_run_t:file read_file_perms;
 ')
-
 ########################################
 ##
 ## Search rpcbind lib directories.
@@ -121,7 +120,7 @@ interface(`rpcbind_admin',`
 allow $1 rpcbind_t:process { ptrace signal_perms };
 ps_process_pattern($1, rpcbind_t)
- 
+
 init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 rpcbind_initrc_exec_t system_r;
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 7da7060..9991f17 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -57,7 +57,6 @@ interface(`rwho_read_log_files',`
 logging_search_logs($1)
 ')
-
 ########################################
 ##
 ## Search rwho spool directories.
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index e70d93f..dddbcd9 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -491,7 +491,7 @@ interface(`samba_stream_connect_winbind',`
 files_search_pids($1)
 allow $1 samba_var_t:dir search_dir_perms;
 stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
- 
+
 ifndef(`distro_redhat',`
 gen_require(`
 type winbind_tmp_t;
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index c7d47a5..6d4b61d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -650,7 +650,6 @@ optional_policy(`
 # Winbind local policy
 #
-
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
 allow winbind_t self:process signal_perms;
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index a36c74c..58eb4ee 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
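Review bot: `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)` in the rpcbind_admin hunk spells the type `rbcbind_initrc_exec_t`, while the `role_transition` on the very next line uses `rpcbind_initrc_exec_t`; the first looks like a typo for the second. If no type named `rbcbind_initrc_exec_t` exists, expanding rpcbind_admin would presumably fail at policy build time, or at best leave the admin domain without the init-script transition this interface is meant to grant. The line should read `init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)`. The whitespace cleanup does not touch this, and the rpcbind_admin body begins and ends outside the hunk.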
@@ -105,7 +105,7 @@ interface(`snmp_admin',`
 allow $1 snmpd_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, snmpd_t)
-
+
 logging_list_logs($1)
 manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 5b012ce..e7ea606 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -195,7 +195,7 @@ interface(`squid_admin',`
 allow $1 squid_t:process { ptrace signal_perms };
 ps_process_pattern($1, squid_t)
-
+
 init_labeled_script_domtrans($1, squid_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 squid_initrc_exec_t system_r;
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 150f5c0..9213db0 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -19,7 +19,7 @@ interface(`tftp_admin',`
 allow $1 tftpd_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, tftpd_t)
-
+
 admin_pattern($1, tftpdir_rw_t)
 admin_pattern($1, tftpdir_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 7a9bb27..36b936a 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -82,7 +82,7 @@ interface(`uucp_admin',`
 allow $1 uucpd_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, uucpd_t)
-
+
 logging_list_logs($1)
 admin_pattern($1, uucpd_log_t)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index c84cfe4..d77e631 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -102,12 +102,12 @@ interface(`zabbix_admin',`
 allow $1 zabbix_t:process { ptrace signal_perms };
 ps_process_pattern($1, zabbix_t)
-
+
 init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 zabbix_initrc_exec_t system_r;
 allow $2 system_r;
-
+
 logging_list_logs($1)
 admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 0e19ff3..cc3eb84 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -48,7 +48,7 @@ interface(`zebra_admin',`
 allow $1 zebra_t:process { ptrace signal_perms };
 ps_process_pattern($1, zebra_t)
-
+
 init_labeled_script_domtrans($1, zebra_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 zebra_initrc_exec_t system_r;
@@ -56,7 +56,7 @@ interface(`zebra_admin',`
 files_list_etc($1)
 admin_pattern($1, zebra_conf_t)
-
+
 logging_list_logs($1)
 admin_pattern($1, zebra_log_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 15ad57c..bba323b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -307,7 +307,7 @@ ifdef(`distro_ubuntu',`
 unconfined_domain(ifconfig_t)
 ')
 ')
-
+
 ifdef(`hide_broken_symptoms',`
 optional_policy(`
 dev_dontaudit_rw_cardmgr(ifconfig_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 00c165d..7d61601 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1272,7 +1272,7 @@ template(`userdom_admin_user_template',`
 ifdef(`direct_sysadm_daemon',`
 domain_system_change_exemption($1_t)
 ')
-
+
 typeattribute $1_devpts_t admin_terminal;
 typeattribute $1_tty_device_t admin_terminal;
