diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 668cc49..78eb5d4 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -97,8 +97,8 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; allow amanda_t amanda_gnutarlists_t:file manage_file_perms; allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; -manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) -manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) +manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) +manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if index 560d021..c9a03ff 100644 --- a/policy/modules/admin/dpkg.if +++ b/policy/modules/admin/dpkg.if @@ -38,7 +38,7 @@ interface(`dpkg_domtrans_script',` ') # transition to dpkg script: - corecmd_shell_domtrans($1,dpkg_script_t) + corecmd_shell_domtrans($1, dpkg_script_t) allow dpkg_script_t $1:fd use; allow dpkg_script_t $1:fifo_file rw_file_perms; allow dpkg_script_t $1:process sigchld; diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te index d393751..dfc2e4a 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -89,7 +89,7 @@ files_search_var(kudzu_t) files_search_locks(kudzu_t) files_manage_etc_files(kudzu_t) files_manage_etc_runtime_files(kudzu_t) -files_etc_filetrans_etc_runtime(kudzu_t,file) +files_etc_filetrans_etc_runtime(kudzu_t, file) files_manage_mnt_files(kudzu_t) files_manage_mnt_symlinks(kudzu_t) files_dontaudit_search_src(kudzu_t) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index fe696de..402cb7f 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te 
@@ -132,7 +132,7 @@ ifdef(`distro_debian', ` # for syslogd-listfiles logging_read_syslog_config(logrotate_t) - # for "test -x /sbin/syslogd" + # for "test -x /sbin/syslogd" logging_check_exec_syslog(logrotate_t) ') diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index cb86035..ade2bb0 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -34,7 +34,7 @@ manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) allow logwatch_t logwatch_lock_t:file manage_file_perms; -files_lock_filetrans(logwatch_t,logwatch_lock_t,file) +files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index bd7d518..46c1f52 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -54,7 +54,7 @@ manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) allow mrtg_t mrtg_var_run_t:file manage_file_perms; -files_pid_filetrans(mrtg_t,mrtg_var_run_t,file) +files_pid_filetrans(mrtg_t, mrtg_var_run_t, file) kernel_read_system_state(mrtg_t) kernel_read_network_state(mrtg_t) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index b6547f3..83a36fc 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -99,7 +99,7 @@ interface(`portage_compile_domain',` allow $1 self:dbus send_msg; allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1,portage_devpts_t) + term_create_pty($1, portage_devpts_t) # write compile logs allow $1 portage_log_t:dir setattr; diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 36f9fa8..c7b136a 100644 --- a/policy/modules/admin/rpm.if 
+++ b/policy/modules/admin/rpm.if @@ -36,7 +36,7 @@ interface(`rpm_domtrans_script',` ') # transition to rpm script: - corecmd_shell_domtrans($1,rpm_script_t) + corecmd_shell_domtrans($1, rpm_script_t) allow rpm_script_t $1:fd use; allow rpm_script_t $1:fifo_file rw_file_perms; allow rpm_script_t $1:process sigchld; diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 6c82b49..6c779dc 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -166,7 +166,7 @@ template(`su_role_template',` ') type $1_su_t, su_domain_type; - domain_entry_file($1_su_t,su_exec_t) + domain_entry_file($1_su_t, su_exec_t) domain_type($1_su_t) domain_interactive_fd($1_su_t) ubac_constrained($1_su_t) diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te index a253e91..46f5394 100644 --- a/policy/modules/admin/sxid.te +++ b/policy/modules/admin/sxid.te @@ -29,7 +29,7 @@ allow sxid_t self:tcp_socket create_stream_socket_perms; allow sxid_t self:udp_socket create_socket_perms; allow sxid_t sxid_log_t:file manage_file_perms; -logging_log_filetrans(sxid_t,sxid_log_t,file) +logging_log_filetrans(sxid_t, sxid_log_t, file) manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index ac4e7ff..508014f 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -49,7 +49,7 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) -init_system_domain(useradd_t,useradd_exec_t) +init_system_domain(useradd_t, useradd_exec_t) role system_r types useradd_t; ######################################## 
@@ -210,7 +210,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) -# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. +# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 8e56d61..0361144 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -480,7 +480,7 @@ userdom_search_user_home_dirs(evolution_exchange_t) # until properly implemented userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) -xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t) +xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) # Access evolution home tunable_policy(`use_nfs_home_dirs',` diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc index e1fe850..5a37c50 100644 --- a/policy/modules/apps/mplayer.fc +++ b/policy/modules/apps/mplayer.fc @@ -11,4 +11,4 @@ /usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index 1f9adca..c7ad0f5 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if @@ -67,12 +67,12 @@ interface(`mplayer_domtrans',` ######################################## ## -## Execute mplayer in the caller domain. +## Execute mplayer in the caller domain. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # # diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if index d8aec96..b7505a0 100644 
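Review bot: In the usermanage.te hunk at -210, the comma-spacing pass also rewrote a comment, turning the brace lists above `corecmd_exec_bin(groupadd_t)` into `{passwd, chfn, chsh}` and `{useradd, vipw}`. With spaces these no longer read as the shell brace expansion the author wrote, and the edit looks like a side effect of a mechanical replacement rather than an intended change. I would restore the original comment, `# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.`, and limit the pass to macro argument lists.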
--- a/policy/modules/apps/slocate.if +++ b/policy/modules/apps/slocate.if @@ -35,7 +35,7 @@ interface(`locate_read_lib_files',` type locate_var_lib_t; ') - read_files_pattern($1,locate_var_lib_t,locate_var_lib_t) + read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) allow $1 locate_var_lib_t:dir list_dir_perms; files_search_var_lib($1) ') diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index 9a03cb6..0a1901a 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -54,7 +54,7 @@ corecmd_search_bin(wireshark_t) manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t,dir) +userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir) # Store temporary files manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 07d0a84..5052a09 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -74,7 +74,7 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) -/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) +/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) 
@@ -218,11 +218,11 @@ ifdef(`distro_gentoo',` /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) @@ -241,8 +241,8 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -305,7 +305,7 @@ ifdef(`distro_suse', ` /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) +/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 49f2e94..52bb593 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -70,7 +70,7 @@ interface(`corecmd_bin_entry_type',` type bin_t; ') - domain_entry_file($1,bin_t) + domain_entry_file($1, bin_t) ') ######################################## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 7e624f8..96887cf 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -230,7 +230,7 @@ type netif_t, netif_type; sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` -network_interface(lo, lo,s0 - mls_systemhigh) +network_interface(lo, lo, s0 - mls_systemhigh) ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 7ddb8e2..a4bb416 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',` relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1,device_t,{ device_t device_node }) - relabel_chr_files_pattern($1,device_t,{ device_t device_node }) + relabel_blk_files_pattern($1, device_t,{ device_t device_node }) + relabel_chr_files_pattern($1, device_t,{ device_t device_node }) ') ######################################## @@ -1247,7 +1247,7 @@ interface(`dev_create_cardmgr_dev',` create_chr_files_pattern($1, device_t, cardmgr_dev_t) create_blk_files_pattern($1, device_t, cardmgr_dev_t) - filetrans_pattern($1,device_t, cardmgr_dev_t, { chr_file blk_file }) + filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }) ') ######################################## @@ -1709,11 +1709,11 @@ interface(`dev_read_kvm',` ######################################## ## -## Read and write to kvm devices. +## Read and write to kvm devices. ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d76b28b..87442ec 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2138,7 +2138,7 @@ interface(`files_create_boot_flag',` ') allow $1 etc_runtime_t:file manage_file_perms; - filetrans_pattern($1,root_t,etc_runtime_t,file) + filetrans_pattern($1, root_t, etc_runtime_t, file) ') ######################################## @@ -4662,7 +4662,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') - list_dirs_pattern($1,var_t,var_run_t) + list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b9b367a..b2c058a 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
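Review bot: The two rewritten lines in the devices.if hunk at -68 are only half normalised: a space was added after `$1,` but `device_t,{` still has none. The unchanged `relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })` just above already uses the full spacing. I would write `relabel_blk_files_pattern($1, device_t, { device_t device_node })` and `relabel_chr_files_pattern($1, device_t, { device_t device_node })`. The body of `dev_relabel_all_dev_nodes` starts outside the hunk.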
@@ -103,7 +103,7 @@ interface(`fs_exec_noxattr',` attribute noxattrfs; ') - can_exec($1,noxattrfs) + can_exec($1, noxattrfs) ') ######################################## @@ -1455,7 +1455,7 @@ interface(`fs_read_fusefs_files',` type fusefs_t; ') - read_files_pattern($1,fusefs_t,fusefs_t) + read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index af86516..d178478 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -959,7 +959,7 @@ interface(`mls_dbus_send_all_levels',` attribute mlsdbussend; ') - typeattribute $1 mlsdbussend; + typeattribute $1 mlsdbussend; ') ######################################## @@ -980,5 +980,5 @@ interface(`mls_dbus_recv_all_levels',` attribute mlsdbusrecv; ') - typeattribute $1 mlsdbusrecv; + typeattribute $1 mlsdbusrecv; ') diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if index ab01ad2..8906a32 100644 --- a/policy/modules/roles/guest.if +++ b/policy/modules/roles/guest.if @@ -6,7 +6,7 @@ ## ## ## -## Role allowed access. +## Role allowed access. ## ## ## diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if index 6bd00f9..c9740e5 100644 --- a/policy/modules/roles/logadm.if +++ b/policy/modules/roles/logadm.if @@ -6,7 +6,7 @@ ## ## ## -## Role allowed access. +## Role allowed access. ## ## ## diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if index 0f05b1c..d2234e3 100644 --- a/policy/modules/roles/xguest.if +++ b/policy/modules/roles/xguest.if @@ -6,7 +6,7 @@ ## ## ## -## Role allowed access. +## Role allowed access. ## ## ## diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index 2114d00..b7403e0 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te 
@@ -65,7 +65,7 @@ allow afs_bosserver_t self:process { setsched signal_perms }; allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; allow afs_bosserver_t self:udp_socket create_socket_perms; -can_exec(afs_bosserver_t,afs_bosserver_exec_t) +can_exec(afs_bosserver_t, afs_bosserver_exec_t) manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) @@ -236,7 +236,7 @@ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; allow afs_ptserver_t self:udp_socket create_socket_perms; -read_files_pattern(afs_ptserver_t,afs_config_t,afs_config_t) +read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) allow afs_ptserver_t afs_config_t:dir list_dir_perms; manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) @@ -274,14 +274,14 @@ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; allow afs_vlserver_t self:udp_socket create_socket_perms; -read_files_pattern(afs_vlserver_t,afs_config_t,afs_config_t) +read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) allow afs_vlserver_t afs_config_t:dir list_dir_perms; manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) -filetrans_pattern(afs_vlserver_t, afs_dbdir_t,afs_vl_db_t, file) +filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) corenet_all_recvfrom_unlabeled(afs_vlserver_t) corenet_all_recvfrom_netlabel(afs_vlserver_t) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 04d430a..294f4e0 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te 
@@ -78,7 +78,7 @@ files_search_spool(amavis_t) # tmp files manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) allow amavis_t amavis_tmp_t:dir setattr; -files_tmp_filetrans(amavis_t,amavis_tmp_t,file) +files_tmp_filetrans(amavis_t, amavis_tmp_t, file) # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 6e42924..4b6be37 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -79,8 +79,8 @@ template(`apache_content_template',` read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; - read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) - read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) 
@@ -268,33 +268,33 @@ interface(`apache_role',` allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; - manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - - manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - - manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - - manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) - manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) - manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) - relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) - relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) - relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + manage_dirs_pattern($2, httpd_user_script_ra_t, 
httpd_user_script_ra_t) + manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t) + manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t) + relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t) + relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t) + relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t) + + manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t) + + manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t) + + manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context 
@@ -735,7 +735,7 @@ interface(`apache_exec_modules',` allow $1 httpd_modules_t:dir list_dir_perms; allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1,httpd_modules_t) + can_exec($1, httpd_modules_t) ') ######################################## diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index cf86f52..aa63901 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -430,7 +430,7 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ') tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; allow httpd_sys_script_t httpd_t:process sigchld; diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index ee8cf51..b037ba9 100644 --- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te @@ -37,7 +37,7 @@ allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; allow apcupsd_t apcupsd_lock_t:file manage_file_perms; -files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file) +files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) allow apcupsd_t apcupsd_log_t:dir setattr; manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) @@ -47,7 +47,7 @@ manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file) manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) -files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file) +files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) kernel_read_system_state(apcupsd_t) 
@@ -73,7 +73,7 @@ files_read_etc_files(apcupsd_t) files_search_locks(apcupsd_t) # Creates /etc/nologin files_manage_etc_runtime_files(apcupsd_t) -files_etc_filetrans_etc_runtime(apcupsd_t,file) +files_etc_filetrans_etc_runtime(apcupsd_t, file) # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 term_use_unallocated_ttys(apcupsd_t) diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 5dd72f7..46cee51 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -67,7 +67,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t apmd_log_t:file manage_file_perms; -logging_log_filetrans(apmd_t,apmd_log_t,file) +logging_log_filetrans(apmd_t, apmd_log_t, file) manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) @@ -139,7 +139,7 @@ userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? ifdef(`distro_redhat',` allow apmd_t apmd_lock_t:file manage_file_perms; - files_lock_filetrans(apmd_t,apmd_lock_t,file) + files_lock_filetrans(apmd_t, apmd_lock_t, file) can_exec(apmd_t, apmd_var_run_t) diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index d1c43f9..a03336e 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) allow avahi_t avahi_var_run_t:dir setattr; -files_pid_filetrans(avahi_t,avahi_var_run_t,file) +files_pid_filetrans(avahi_t, avahi_var_run_t, file) kernel_read_kernel_sysctls(avahi_t) kernel_list_proc(avahi_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 2c43859..f5f80a8 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te 
@@ -151,7 +151,7 @@ userdom_dontaudit_search_user_home_dirs(named_t) tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) - manage_files_pattern(named_t, named_zone_t,named_zone_t) + manage_files_pattern(named_t, named_zone_t, named_zone_t) manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) ') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index c5d67be..9b131e1 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -77,7 +77,7 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file can_exec(bluetooth_t, bluetooth_helper_exec_t) allow bluetooth_t bluetooth_lock_t:file manage_file_perms; -files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file) +files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if index af2e6a0..4a26b0c 100644 --- a/policy/modules/services/canna.if +++ b/policy/modules/services/canna.if @@ -16,7 +16,7 @@ interface(`canna_stream_connect',` ') files_search_pids($1) - stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t) + stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) ') ######################################## diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc index 914a184..f27a584 100644 --- a/policy/modules/services/certmaster.fc +++ b/policy/modules/services/certmaster.fc 
@@ -1,7 +1,7 @@ /etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) -/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) -/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if index b9dd5e3..27fe7ca 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if 
@@ -20,60 +20,60 @@ interface(`certmaster_domtrans',` ####################################### ## -## read certmaster logs. +## read certmaster logs. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`certmaster_read_log',` - gen_require(` - type certmaster_var_log_t; - ') + gen_require(` + type certmaster_var_log_t; + ') - read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) logging_search_logs($1) ') ####################################### ## -## Append to certmaster logs. +## Append to certmaster logs. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`certmaster_append_log',` - gen_require(` - type certmaster_var_log_t; - ') + gen_require(` + type certmaster_var_log_t; + ') - append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) logging_search_logs($1) ') ####################################### ## -## Create, read, write, and delete -## certmaster logs. +## Create, read, write, and delete +## certmaster logs. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`certmaster_manage_log',` - gen_require(` - type certmaster_var_log_t; - ') + gen_require(` + type certmaster_var_log_t; + ') - manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) logging_search_logs($1) ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index 904098a..0ecdf66 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te 
@@ -120,7 +120,7 @@ cron_rw_pipes(clamd_t) optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file) + amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) amavis_create_pid_files(clamd_t) ') diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index 9354611..529c6d8 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if @@ -35,7 +35,7 @@ template(`courier_domain_template',` can_exec(courier_$1_t, courier_$1_exec_t) - read_files_pattern(courier_$1_t,courier_etc_t,courier_etc_t) + read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) allow courier_$1_t courier_etc_t:dir list_dir_perms; manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index e75526a..8933f6d 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -34,7 +34,7 @@ template(`cron_common_crontab_template',` allow $1_t self:process signal_perms; allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t,$1_tmp_t,file) + files_tmp_filetrans($1_t,$1_tmp_t, file) # create files in /var/spool/cron # cjp: change this to a role transition @@ -411,7 +411,7 @@ interface(`cron_anacron_domtrans_system_job',` type system_cronjob_t, anacron_exec_t; ') - domtrans_pattern($1,anacron_exec_t,system_cronjob_t) + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) ') ######################################## diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 9b0d6cc..7daabfb 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te 
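Review bot: In the cron.if hunk at -34, the new line `files_tmp_filetrans($1_t,$1_tmp_t, file)` still has no space after the first comma, so the cleanup missed an argument that begins with `$`. The line should read `files_tmp_filetrans($1_t, $1_tmp_t, file)`, matching the other filetrans calls this commit touches. The pattern behind the replacement presumably skipped `,$`, so it is worth searching the rest of the tree for the same miss. The body of `cron_common_crontab_template` starts and ends outside the hunk.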
@@ -90,7 +90,7 @@ type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') type unconfined_cronjob_t; @@ -147,7 +147,7 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; allow crond_t crond_var_run_t:file manage_file_perms; -files_pid_filetrans(crond_t,crond_var_run_t,file) +files_pid_filetrans(crond_t, crond_var_run_t, file) allow crond_t cron_spool_t:dir rw_dir_perms; allow crond_t cron_spool_t:file read_file_perms; @@ -306,7 +306,7 @@ allow system_cronjob_t crond_t:process sigchld; # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -files_lock_filetrans(system_cronjob_t,system_cronjob_lock_t,file) +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) # write temporary files manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 96a0f04..ced61ac 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -66,11 +66,11 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') ######################################## diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te index 60430a4..f19030a 100644 --- a/policy/modules/services/ddclient.te +++ b/policy/modules/services/ddclient.te 
@@ -42,7 +42,7 @@ allow ddclient_t self:udp_socket create_socket_perms; allow ddclient_t ddclient_etc_t:file read_file_perms; allow ddclient_t ddclient_log_t:file manage_file_perms; -logging_log_filetrans(ddclient_t,ddclient_log_t,file) +logging_log_filetrans(ddclient_t, ddclient_log_t, file) manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index bb77a2f..3c3e624 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -36,7 +36,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms; # dhcp leases manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) -files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) +files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index d757887..b9525ce 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -53,14 +53,14 @@ files_pid_file(exim_var_run_t) # exim local policy # -allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; +allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket create_stream_socket_perms; allow exim_t self:tcp_socket create_stream_socket_perms; allow exim_t self:udp_socket create_socket_perms; -can_exec(exim_t,exim_exec_t) +can_exec(exim_t, exim_exec_t) manage_files_pattern(exim_t, exim_log_t, exim_log_t) logging_log_filetrans(exim_t, exim_log_t, { file dir }) 
@@ -132,8 +132,8 @@ mta_mailserver_delivery(exim_t) tunable_policy(`exim_can_connect_db',` corenet_tcp_connect_mysqld_port(exim_t) corenet_sendrecv_mysqld_client_packets(exim_t) - corenet_tcp_connect_postgresql_port(exim_t) - corenet_sendrecv_postgresql_client_packets(exim_t) + corenet_tcp_connect_postgresql_port(exim_t) + corenet_sendrecv_postgresql_client_packets(exim_t) ') tunable_policy(`exim_read_user_files',` diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index a8b00fd..e86e9c6 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -246,7 +246,7 @@ optional_policy(` files_read_usr_files(ftpd_t) - cron_system_entry(ftpd_t, ftpd_exec_t) + cron_system_entry(ftpd_t, ftpd_exec_t) optional_policy(` logrotate_exec(ftpd_t) diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te index 70ec2ab..24884e8 100644 --- a/policy/modules/services/gpm.te +++ b/policy/modules/services/gpm.te @@ -39,7 +39,7 @@ manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) allow gpm_t gpm_var_run_t:file manage_file_perms; -files_pid_filetrans(gpm_t,gpm_var_run_t,file) +files_pid_filetrans(gpm_t, gpm_var_run_t, file) allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc index 200f834..e7bbeb1 100644 --- a/policy/modules/services/gpsd.fc +++ b/policy/modules/services/gpsd.fc @@ -1 +1 @@ -/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if index 96018c7..7597332 100644 --- a/policy/modules/services/gpsd.if +++ b/policy/modules/services/gpsd.if 
@@ -2,71 +2,71 @@ ######################################## ## -## Execute a domain transition to run gpsd. +## Execute a domain transition to run gpsd. ## ## ## -## Domain allowed to transition. +## Domain allowed to transition. ## ## # interface(`gpsd_domtrans',` - gen_require(` - type gpsd_t, gpsd_exec_t; - ') + gen_require(` + type gpsd_t, gpsd_exec_t; + ') - domtrans_pattern($1, gpsd_exec_t, gpsd_t) + domtrans_pattern($1, gpsd_exec_t, gpsd_t) ') ######################################## ## -## Execute gpsd in the gpsd domain, and -## allow the specified role the gpsd domain. +## Execute gpsd in the gpsd domain, and +## allow the specified role the gpsd domain. ## ## -## -## Domain allowed access -## +## +## Domain allowed access +## ## ## -## -## The role to be allowed the gpsd domain. -## +## +## The role to be allowed the gpsd domain. +## ## ## -## -## The type of the role's terminal. -## +## +## The type of the role's terminal. +## ## # interface(`gpsd_run',` - gen_require(` - type gpsd_t; - ') + gen_require(` + type gpsd_t; + ') - gpsd_domtrans($1) - role $2 types gpsd_t; - allow gpsd_t $3:chr_file rw_term_perms; + gpsd_domtrans($1) + role $2 types gpsd_t; + allow gpsd_t $3:chr_file rw_term_perms; ') ######################################## ## -## Read and write gpsd shared memory. +## Read and write gpsd shared memory. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`gpsd_rw_shm',` - gen_require(` - type gpsd_t, gpsd_tmpfs_t; - ') + gen_require(` + type gpsd_t, gpsd_tmpfs_t; + ') - allow $1 gpsd_t:shm rw_shm_perms; - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - fs_search_tmpfs($1) + allow $1 gpsd_t:shm rw_shm_perms; + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + fs_search_tmpfs($1) ') 
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te index 2095e49..9cdc1f1 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -47,7 +47,7 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` - dbus_system_bus_client(gpsd_t) + dbus_system_bus_client(gpsd_t) ') optional_policy(` diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc index 8172803..2eda96f 100644 --- a/policy/modules/services/ifplugd.fc +++ b/policy/modules/services/ifplugd.fc @@ -1,6 +1,6 @@ -/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) -/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) /usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te index b663169..2941443 100644 --- a/policy/modules/services/ifplugd.te +++ b/policy/modules/services/ifplugd.te @@ -73,5 +73,5 @@ sysnet_read_dhcpc_pid(ifplugd_t) sysnet_signal_dhcpc(ifplugd_t) optional_policy(` - consoletype_exec(ifplugd_t) + consoletype_exec(ifplugd_t) ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index 60a34f1..b0d82ba 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -31,7 +31,7 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) ifdef(`enable_mcs',` - init_ranged_daemon_domain(inetd_t, inetd_exec_t,s0 - mcs_systemhigh) + init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) ') ######################################## diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 1433ed7..82b9929 100644 --- a/policy/modules/services/kerberos.if 
+++ b/policy/modules/services/kerberos.if @@ -281,7 +281,7 @@ interface(`kerberos_connect_524',` tunable_policy(`allow_kerberos',` allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_unlabeled($1) corenet_udp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_node($1) corenet_udp_sendrecv_kerberos_master_port($1) diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index a66fb18..da70318 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -84,7 +84,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms; allow kadmind_t self:udp_socket create_socket_perms; allow kadmind_t kadmind_log_t:file manage_file_perms; -logging_log_filetrans(kadmind_t,kadmind_log_t,file) +logging_log_filetrans(kadmind_t, kadmind_log_t, file) allow kadmind_t krb5_conf_t:file read_file_perms; dontaudit kadmind_t krb5_conf_t:file write; diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 4830af9..91c6746 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -61,7 +61,7 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) allow slapd_t slapd_etc_t:file read_file_perms; allow slapd_t slapd_lock_t:file manage_file_perms; -files_lock_filetrans(slapd_t,slapd_lock_t,file) +files_lock_filetrans(slapd_t, slapd_lock_t, file) # Allow access to write the replication log (should tighten this) manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if index a24b7cd..2cd228a 100644 --- a/policy/modules/services/lircd.if +++ b/policy/modules/services/lircd.if 
@@ -21,39 +21,39 @@ interface(`lircd_domtrans',` ###################################### ## -## Connect to lircd over a unix domain -## stream socket. +## Connect to lircd over a unix domain +## stream socket. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`lircd_stream_connect',` - gen_require(` - type lircd_sock_t, lircd_t; - ') + gen_require(` + type lircd_sock_t, lircd_t; + ') - allow $1 lircd_t:unix_stream_socket connectto; - allow $1 lircd_sock_t:sock_file write_sock_file_perms; - files_search_pids($1) + allow $1 lircd_t:unix_stream_socket connectto; + allow $1 lircd_sock_t:sock_file write_sock_file_perms; + files_search_pids($1) ') ####################################### ## -## Read lircd etc file +## Read lircd etc file ## ## ## -## The type of the process performing this action. +## The type of the process performing this action. ## ## # interface(`lircd_read_config',` gen_require(` type lircd_etc_t; - ') + ') read_files_pattern($1, lircd_etc_t, lircd_etc_t) ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 9c6b9ce..39915eb 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -148,7 +148,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t,file) +files_pid_filetrans(lpd_t, lpd_var_run_t, file) # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) 
@@ -304,14 +304,14 @@ tunable_policy(`use_lpd_server',` manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) - manage_files_pattern(lpr_t,print_spool_t,print_spool_t) - filetrans_pattern(lpr_t,print_spool_t,print_spool_t,file) + manage_files_pattern(lpr_t, print_spool_t, print_spool_t) + filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) # Read and write shared files in the spool directory. allow lpr_t print_spool_t:file rw_file_perms; allow lpr_t printconf_t:dir list_dir_perms; - read_files_pattern(lpr_t,printconf_t,printconf_t) - read_lnk_files_pattern(lpr_t,printconf_t,printconf_t) + read_files_pattern(lpr_t, printconf_t, printconf_t) + read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') tunable_policy(`use_nfs_home_dirs',` diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index 5b28237..db4fd6f 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -16,7 +16,7 @@ interface(`memcached_domtrans',` type memcached_exec_t; ') - domtrans_pattern($1,memcached_exec_t,memcached_t) + domtrans_pattern($1, memcached_exec_t, memcached_t) ') ######################################## diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te index 0311b91..2222b76 100644 --- a/policy/modules/services/memcached.te +++ b/policy/modules/services/memcached.te @@ -40,7 +40,7 @@ corenet_udp_bind_memcache_port(memcached_t) manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir }) +files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) files_read_etc_files(memcached_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index a437f02..6641292 100644 --- a/policy/modules/services/mta.if 
+++ b/policy/modules/services/mta.if @@ -257,7 +257,7 @@ interface(`mta_sendmail_mailserver',` type sendmail_exec_t; ') - init_system_domain($1,sendmail_exec_t) + init_system_domain($1, sendmail_exec_t) typeattribute $1 mailserver_domain; ') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index f0aab75..80afc14 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -101,7 +101,7 @@ optional_policy(` ') optional_policy(` - cron_system_entry(munin_t,munin_exec_t) + cron_system_entry(munin_t, munin_exec_t) ') optional_policy(` diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc index 4b567df..03db93a 100644 --- a/policy/modules/services/mysql.fc +++ b/policy/modules/services/mysql.fc @@ -10,7 +10,7 @@ # # /usr # -/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) +/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index 51556e9..3f6833d 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -142,18 +142,18 @@ interface(`mysql_manage_db_dirs',` ####################################### ## -## Append to the MySQL database directory. +## Append to the MySQL database directory. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`mysql_append_db_files',` - gen_require(` - type mysqld_db_t; - ') + gen_require(` + type mysqld_db_t; + ') files_search_var_lib($1) append_files_pattern($1, mysqld_db_t, mysqld_db_t) 
@@ -161,40 +161,40 @@ interface(`mysql_append_db_files',` ####################################### ## -## Read and write to the MySQL database directory. +## Read and write to the MySQL database directory. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`mysql_rw_db_files',` - gen_require(` - type mysqld_db_t; - ') + gen_require(` + type mysqld_db_t; + ') - files_search_var_lib($1) + files_search_var_lib($1) rw_files_pattern($1, mysqld_db_t, mysqld_db_t) ') ####################################### ## -## Create, read, write, and delete MySQL database files. +## Create, read, write, and delete MySQL database files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`mysql_manage_db_files',` - gen_require(` - type mysqld_db_t; - ') + gen_require(` + type mysqld_db_t; + ') - files_search_var_lib($1) - manage_files_pattern($1, mysqld_db_t, mysqld_db_t) + files_search_var_lib($1) + manage_files_pattern($1, mysqld_db_t, mysqld_db_t) ') ######################################## @@ -239,21 +239,21 @@ interface(`mysql_write_log',` ##################################### ## -## Search MySQL PID files. +## Search MySQL PID files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## ## # interface(`mysql_search_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') + gen_require(` + type mysqld_var_run_t; + ') - search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') ######################################## diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index faf5bb2..0dee8b9 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te 
@@ -152,7 +152,7 @@ hostname_exec(mysqld_safe_t) miscfiles_read_localization(mysqld_safe_t) -mysql_append_db_files(mysqld_safe_t) +mysql_append_db_files(mysqld_safe_t) mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index d8c5912..704c68a 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -57,7 +57,7 @@ files_search_tmp(NetworkManager_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) +files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index fbc6609..706b7a1 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -225,7 +225,7 @@ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -manage_files_pattern(ypserv_t,var_yp_t,var_yp_t) +manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) allow ypserv_t ypserv_conf_t:file read_file_perms; diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc index 3d261d1..53cc800 100644 --- a/policy/modules/services/nsd.fc +++ b/policy/modules/services/nsd.fc 
@@ -1,10 +1,10 @@ -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) +/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) /etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) /etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) /usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) /usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) /usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 3a546a8..bb0089e 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -56,24 +56,24 @@ interface(`ntp_domtrans_ntpdate',` ######################################## ## -## Read and write ntpd shared memory. +## Read and write ntpd shared memory. ## ## -## -## The type of the process performing this action. -## +## +## The type of the process performing this action. +## ## # interface(`ntpd_rw_shm',` - gen_require(` - type ntpd_t, ntpd_tmpfs_t; - ') + gen_require(` + type ntpd_t, ntpd_tmpfs_t; + ') - allow $1 ntpd_t:shm rw_shm_perms; - list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - fs_search_tmpfs($1) + allow $1 ntpd_t:shm rw_shm_perms; + list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + fs_search_tmpfs($1) ') ######################################## diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 5606670..f293779 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te 
@@ -52,13 +52,13 @@ allow ntpd_t self:udp_socket create_socket_perms; manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) -can_exec(ntpd_t,ntpd_exec_t) +can_exec(ntpd_t, ntpd_exec_t) read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr; -manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) -logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) +manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) # for some reason it creates a file in /tmp manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te index 15f175d..449ed41 100644 --- a/policy/modules/services/nx.te +++ b/policy/modules/services/nx.te @@ -35,7 +35,7 @@ allow nx_server_t self:tcp_socket create_socket_perms; allow nx_server_t self:udp_socket create_socket_perms; allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(nx_server_t,nx_server_devpts_t) +term_create_pty(nx_server_t, nx_server_devpts_t) manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if index 52c5acb..43bb38b 100644 --- a/policy/modules/services/openca.if +++ b/policy/modules/services/openca.if @@ -16,7 +16,7 @@ interface(`openca_domtrans',` type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; ') - domtrans_pattern($1,openca_ca_exec_t,openca_ca_t) + domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) allow $1 openca_usr_share_t:dir search_dir_perms; files_search_usr($1) ') diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc index cd4c544..9515043 100644 --- a/policy/modules/services/pegasus.fc +++ b/policy/modules/services/pegasus.fc 
@@ -5,8 +5,8 @@ /usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) /usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) +/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if index c79589d..8688aae 100644 --- a/policy/modules/services/pingd.if +++ b/policy/modules/services/pingd.if 
@@ -20,78 +20,78 @@ interface(`pingd_domtrans',` ####################################### ## -## Read pingd etc configuration files. +## Read pingd etc configuration files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`pingd_read_config',` - gen_require(` - type pingd_etc_t; - ') + gen_require(` + type pingd_etc_t; + ') - files_search_etc($1) - read_files_pattern($1, pingd_etc_t, pingd_etc_t) + files_search_etc($1) + read_files_pattern($1, pingd_etc_t, pingd_etc_t) ') ####################################### ## -## Manage pingd etc configuration files. +## Manage pingd etc configuration files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`pingd_manage_config',` - gen_require(` - type pingd_etc_t; - ') + gen_require(` + type pingd_etc_t; + ') - files_search_etc($1) - manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) - manage_files_pattern($1, pingd_etc_t, pingd_etc_t) + files_search_etc($1) + manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) + manage_files_pattern($1, pingd_etc_t, pingd_etc_t) ') ####################################### ## -## All of the rules required to administrate -## an pingd environment +## All of the rules required to administrate +## an pingd environment ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## ## -## -## The role to be allowed to manage the pingd domain. -## +## +## The role to be allowed to manage the pingd domain. 
+## ## ## # interface(`pingd_admin',` - gen_require(` - type pingd_t, pingd_etc_t; - type pingd_initrc_exec_t, pingd_modules_t; - ') + gen_require(` + type pingd_t, pingd_etc_t; + type pingd_initrc_exec_t, pingd_modules_t; + ') - allow $1 pingd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pingd_t) + allow $1 pingd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pingd_t) - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pingd_initrc_exec_t system_r; - allow $2 system_r; + init_labeled_script_domtrans($1, pingd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pingd_initrc_exec_t system_r; + allow $2 system_r; - files_list_etc($1) - admin_pattern($1, pingd_etc_t) + files_list_etc($1) + admin_pattern($1, pingd_etc_t) files_list_usr($1) - admin_pattern($1, pingd_modules_t) + admin_pattern($1, pingd_modules_t) ') diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 30a826c..988c9a7 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -365,7 +365,7 @@ interface(`postfix_exec_master',` type postfix_master_exec_t; ') - can_exec($1,postfix_master_exec_t) + can_exec($1, postfix_master_exec_t) ') ######################################## diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 9527d12..12aed73 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -106,7 +106,7 @@ allow postfix_master_t self:udp_socket create_socket_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms; -can_exec(postfix_master_t,postfix_exec_t) +can_exec(postfix_master_t, postfix_exec_t) allow postfix_master_t postfix_data_t:dir manage_dir_perms; allow postfix_master_t postfix_data_t:file manage_file_perms; 
@@ -363,7 +363,7 @@ optional_policy(` allow postfix_pickup_t self:tcp_socket create_socket_perms; -stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t) +stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -445,7 +445,7 @@ allow postfix_postqueue_t self:tcp_socket create; allow postfix_postqueue_t self:udp_socket { create ioctl }; # wants to write to /var/spool/postfix/public/showq -stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t,postfix_master_t) +stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) # write to /var/spool/postfix/public/qmgr write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index beb53fb..f74c731 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -53,7 +53,7 @@ interface(`postgresql_role',` allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ') - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index bcd14cf..2603506 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te 
@@ -178,7 +178,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; -files_lock_filetrans(postgresql_t,postgresql_lock_t,file) +files_lock_filetrans(postgresql_t, postgresql_lock_t, file) manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) @@ -268,7 +268,7 @@ optional_policy(` optional_policy(` cron_search_spool(postgresql_t) - cron_system_entry(postgresql_t,postgresql_exec_t) + cron_system_entry(postgresql_t, postgresql_exec_t) ') optional_policy(` diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 188bad5..81d4120 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -30,7 +30,7 @@ allow procmail_t self:unix_dgram_socket create_socket_perms; allow procmail_t self:tcp_socket create_stream_socket_perms; allow procmail_t self:udp_socket create_socket_perms; -can_exec(procmail_t,procmail_exec_t) +can_exec(procmail_t, procmail_exec_t) # Write log to /var/log/procmail.log or /var/log/procmail/.* allow procmail_t procmail_log_t:dir setattr; diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index 97ab7e3..bc329d1 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -84,13 +84,13 @@ interface(`psad_read_config',` ## # interface(`psad_manage_config',` - gen_require(` - type psad_etc_t; - ') + gen_require(` + type psad_etc_t; + ') files_search_etc($1) manage_dirs_pattern($1, psad_etc_t, psad_etc_t) - manage_files_pattern($1, psad_etc_t, psad_etc_t) + manage_files_pattern($1, psad_etc_t, psad_etc_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te index a59cef5..992419e 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te 
@@ -102,6 +102,6 @@ miscfiles_read_localization(psad_t) sysnet_exec_ifconfig(psad_t) optional_policy(` - mta_send_mail(psad_t) + mta_send_mail(psad_t) mta_read_queue(psad_t) ') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index 1293325..3951bec 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -36,7 +36,7 @@ ubac_constrained(pyzor_var_lib_t) type pyzord_t; type pyzord_exec_t; -init_daemon_domain(pyzord_t,pyzord_exec_t) +init_daemon_domain(pyzord_t, pyzord_exec_t) type pyzord_log_t; logging_log_file(pyzord_log_t) @@ -54,14 +54,14 @@ manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; -read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t) +read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) files_search_var_lib(pyzor_t) manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) -kernel_read_kernel_sysctls(pyzor_t) +kernel_read_kernel_sysctls(pyzor_t) kernel_read_system_state(pyzor_t) corecmd_list_bin(pyzor_t) diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if index 5112322..27fd19e 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -147,5 +147,5 @@ interface(`qmail_smtpd_service_domain',` type qmail_smtpd_t; ') - domtrans_pattern(qmail_smtpd_t, $2, $1) + domtrans_pattern(qmail_smtpd_t, $2, $1) ') diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc index cdf6b55..09f7b50 100644 --- a/policy/modules/services/radius.fc +++ b/policy/modules/services/radius.fc 
@@ -3,7 +3,7 @@ /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) /etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) -/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) +/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) /etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index ec3dfcf..4a200a3 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -32,7 +32,7 @@ allow rhgb_t self:udp_socket create_socket_perms; allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(rhgb_t,rhgb_devpts_t) +term_create_pty(rhgb_t, rhgb_devpts_t) manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index 9f3641b..c291ce3 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -71,7 +71,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` type ricci_modcluster_t; ') - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; + dontaudit $1 ricci_modcluster_t:fifo_file { read write }; ') ######################################## diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 20b2e7b..2f879f0 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -206,11 +206,11 @@ interface(`rpc_domtrans_nfsd',` ######################################## ## -## Execute domain in nfsd domain. +## Execute domain in nfsd domain. ## ## ## -## The type of the process performing this action. +## The type of the process performing this action. ## ## # 
@@ -362,7 +362,7 @@ interface(`rpc_read_nfs_state_data',` ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc index 89e09a5..299f7a4 100644 --- a/policy/modules/services/rsync.fc +++ b/policy/modules/services/rsync.fc @@ -1,6 +1,6 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) -/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) +/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if index 9991f17..71ea0ea 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if @@ -111,7 +111,7 @@ interface(`rwho_manage_spool_files',` type rwho_spool_t; ') - manage_files_pattern($1,rwho_spool_t,rwho_spool_t) + manage_files_pattern($1, rwho_spool_t, rwho_spool_t) files_search_spool($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 22dff5b..fd85b23 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -537,7 +537,7 @@ corecmd_list_bin(smbmount_t) files_list_mnt(smbmount_t) files_mounton_mnt(smbmount_t) files_manage_etc_runtime_files(smbmount_t) -files_etc_filetrans_etc_runtime(smbmount_t,file) +files_etc_filetrans_etc_runtime(smbmount_t, file) files_read_etc_files(smbmount_t) auth_use_nsswitch(smbmount_t) @@ -672,7 +672,7 @@ files_list_var_lib(winbind_t) rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; -logging_log_filetrans(winbind_t,winbind_log_t,file) +logging_log_filetrans(winbind_t, winbind_log_t, file) manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) 
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 6614dc8..ac3dfeb 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -48,7 +48,7 @@ logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file }) +files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 58e79fd..93eebbb 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -35,7 +35,7 @@ allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; allow snmpd_t snmpd_log_t:file manage_file_perms; -logging_log_filetrans(snmpd_t,snmpd_log_t,file) +logging_log_filetrans(snmpd_t, snmpd_log_t, file) manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index d727a75..5e62ab4 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -42,7 +42,7 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') type ssh_t; 
@@ -112,8 +112,8 @@ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) -manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) +manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t) +manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t) userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) # Allow the ssh program to communicate with ssh-agent. @@ -122,13 +122,13 @@ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) allow ssh_t sshd_t:unix_stream_socket connectto; # ssh client can manage the keys and config -manage_files_pattern(ssh_t,home_ssh_t,home_ssh_t) -read_lnk_files_pattern(ssh_t,home_ssh_t,home_ssh_t) +manage_files_pattern(ssh_t, home_ssh_t, home_ssh_t) +read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config allow ssh_server home_ssh_t:dir list_dir_perms; -read_files_pattern(ssh_server,home_ssh_t,home_ssh_t) -read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t) +read_files_pattern(ssh_server, home_ssh_t, home_ssh_t) +read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t) kernel_read_kernel_sysctls(ssh_t) diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc index c3aec89..50e29aa 100644 --- a/policy/modules/services/stunnel.fc +++ b/policy/modules/services/stunnel.fc @@ -1,4 +1,4 @@ -/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) +/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) /usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if index a5fad30..7a23b3b 100644 --- a/policy/modules/services/sysstat.if +++ b/policy/modules/services/sysstat.if 
@@ -16,6 +16,6 @@ interface(`sysstat_manage_log',` type sysstat_log_t; ') - logging_search_logs($1) + logging_search_logs($1) manage_files_pattern($1, sysstat_log_t, sysstat_log_t) ') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te index 920dc65..13a9d9b 100644 --- a/policy/modules/services/ucspitcp.te +++ b/policy/modules/services/ucspitcp.te @@ -89,6 +89,6 @@ files_read_etc_files(ucspitcp_t) sysnet_read_config(ucspitcp_t) optional_policy(` - daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t) + daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) ') diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if index 4a2118e..d04b833 100644 --- a/policy/modules/services/ulogd.if +++ b/policy/modules/services/ulogd.if @@ -62,21 +62,21 @@ interface(`ulogd_read_log',` ####################################### ## -## Allow the specified domain to search ulogd's log files. +## Allow the specified domain to search ulogd's log files. ## ## ## -## Domain allowed to transition. +## Domain allowed to transition. ## ## # interface(`ulogd_search_log',` - gen_require(` - type ulogd_var_log_t; - ') + gen_require(` + type ulogd_var_log_t; + ') - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir search_dir_perms; + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir search_dir_perms; ') ######################################## diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc index 1f22545..e30d6fc 100644 --- a/policy/modules/services/uptime.fc +++ b/policy/modules/services/uptime.fc @@ -3,4 +3,4 @@ /usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) -/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) +/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index dfd0b0b..8dc8acf 100644 
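Review bot: In policy/modules/services/ulogd.if the parameter description re-indented for `ulogd_search_log` still reads `Domain allowed to transition.`, but the interface body only calls `logging_search_logs($1)` and allows `search_dir_perms` on `ulogd_var_log_t`; nothing in it performs a domain transition. As the line is being touched anyway, it should read `Domain allowed access.`, so the interface documentation does not suggest a wider grant than the rule gives. The summary above it says "log files" while only `:dir` search is allowed, so "log directories" would be more exact.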
--- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -135,7 +135,7 @@ interface(`virt_manage_pid_files',` type virt_var_run_t; ') - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ') ######################################## diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 4ba63a4..8b0b463 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -71,7 +71,7 @@ domain_kill_all_domains(watchdog_t) files_read_etc_files(watchdog_t) # for updating mtab on umount files_manage_etc_runtime_files(watchdog_t) -files_etc_filetrans_etc_runtime(watchdog_t,file) +files_etc_filetrans_etc_runtime(watchdog_t, file) fs_unmount_xattr_fs(watchdog_t) fs_getattr_all_fs(watchdog_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 783a19b..208ea7a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -85,7 +85,7 @@ interface(`xserver_role',` allow $2 xauth_t:process signal; # allow ps to show xauth - ps_process_pattern($2,xauth_t) + ps_process_pattern($2, xauth_t) allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 260252d..c656d42 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -191,7 +191,7 @@ type xserver_exec_t; typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t }; xserver_object_types_template(xdm) -xserver_common_x_domain_template(xdm,xdm_t) +xserver_common_x_domain_template(xdm, xdm_t) init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) 
@@ -215,8 +215,8 @@ type xserver_log_t; logging_log_file(xserver_log_t) ifdef(`enable_mcs',` - init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh) - init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh) + init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) ') optional_policy(` @@ -360,11 +360,11 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; # connect to xdm xserver over stream socket -stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) +stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) # Remove /tmp/.X11-unix/X0. -delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) -delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) +delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) +delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) @@ -473,7 +473,7 @@ userdom_read_user_home_content_files(xdm_t) userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) -xserver_rw_session(xdm_t,xdm_tmpfs_t) +xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) tunable_policy(`use_nfs_home_dirs',` @@ -622,7 +622,7 @@ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) -filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) +filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) 
@@ -637,7 +637,7 @@ files_search_var_lib(xserver_t) # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xserver_t, xserver_log_t,file) +logging_log_filetrans(xserver_t, xserver_log_t, file) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc index 73c2f74..e1b30b2 100644 --- a/policy/modules/services/zebra.fc +++ b/policy/modules/services/zebra.fc @@ -11,7 +11,7 @@ /etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) /etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) -/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) /var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if index 84d4ddf..f2f2389 100644 --- a/policy/modules/services/zosremote.if +++ b/policy/modules/services/zosremote.if @@ -2,20 +2,20 @@ ######################################## ## -## Execute a domain transition to run audispd-zos-remote. +## Execute a domain transition to run audispd-zos-remote. ## ## ## -## Domain allowed to transition. +## Domain allowed to transition. ## ## # interface(`zosremote_domtrans',` - gen_require(` - type zos_remote_t, zos_remote_exec_t; - ') + gen_require(` + type zos_remote_t, zos_remote_exec_t; + ') - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) + domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) ') ######################################## diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te index b14091c..c80f2ce 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te 
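Review bot: In policy/modules/services/zebra.fc the re-aligned entry `/usr/sbin/ospf.*` (and the neighbouring `/usr/sbin/rip.*`) gives the `zebra_exec_t` label to every regular file under /usr/sbin whose name starts with that prefix, not only the routing daemons. If only the Quagga/Zebra daemons are meant, which the file does not state, tighter expressions such as `/usr/sbin/ospf6?d` and `/usr/sbin/rip(ng)?d` would keep an unrelated binary from picking up the label. If the broad match is deliberate, a one-line comment listing the binaries it is meant to cover would make that clear.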
@@ -1,5 +1,5 @@ -policy_module(application,1.1.0) +policy_module(application, 1.1.0) # Attribute of user applications attribute application_domain_type; @@ -11,4 +11,3 @@ optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') - diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index a18d1f2..8d1d529 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -125,7 +125,7 @@ interface(`auth_login_entry_type',` type login_exec_t; ') - domain_entry_file($1,login_exec_t) + domain_entry_file($1, login_exec_t) ') ######################################## @@ -149,7 +149,7 @@ interface(`auth_domtrans_login_program',` ') corecmd_search_bin($1) - domtrans_pattern($1,login_exec_t,$2) + domtrans_pattern($1, login_exec_t,$2) ') ######################################## @@ -204,7 +204,7 @@ interface(`auth_search_cache',` type auth_cache_t; ') - allow $1 auth_cache_t:dir search_dir_perms; + allow $1 auth_cache_t:dir search_dir_perms; ') ######################################## @@ -222,7 +222,7 @@ interface(`auth_read_cache',` type auth_cache_t; ') - read_files_pattern($1, auth_cache_t, auth_cache_t) + read_files_pattern($1, auth_cache_t, auth_cache_t) ') ######################################## @@ -240,7 +240,7 @@ interface(`auth_rw_cache',` type auth_cache_t; ') - rw_files_pattern($1, auth_cache_t, auth_cache_t) + rw_files_pattern($1, auth_cache_t, auth_cache_t) ') ######################################## @@ -258,7 +258,7 @@ interface(`auth_manage_cache',` type auth_cache_t; ') - manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) ') ####################################### @@ -276,7 +276,7 @@ interface(`auth_var_filetrans_cache',` type auth_cache_t; ') - files_var_filetrans($1,auth_cache_t,{ file dir } ) + files_var_filetrans($1, auth_cache_t, { file dir } ) ') ######################################## 
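Review bot: The spacing fix in policy/modules/system/authlogin.if is incomplete: the new line in `auth_domtrans_login_program` is `domtrans_pattern($1, login_exec_t,$2)`, still without a space before `$2`, and the new line in `auth_var_filetrans_cache` keeps a stray space before the closing parenthesis in `{ file dir } )`. They should read `domtrans_pattern($1, login_exec_t, $2)` and `files_var_filetrans($1, auth_cache_t, { file dir })`. The same leftover appears on the new side of later hunks: `files_etc_filetrans(getty_t, getty_etc_t,{ file dir })` in getty.te and `domain_auto_trans($1, initrc_exec_t,$2)` in init.if. Searching the tree for a comma followed directly by `$` or `{` inside macro calls should catch the rest in one pass.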
@@ -369,7 +369,7 @@ interface(`auth_domtrans_upd_passwd',` type updpwd_t, updpwd_exec_t; ') - domtrans_pattern($1,updpwd_exec_t,updpwd_t) + domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) ') @@ -585,7 +585,7 @@ interface(`auth_etc_filetrans_shadow',` type shadow_t; ') - files_etc_filetrans($1,shadow_t,file) + files_etc_filetrans($1, shadow_t, file) ') ####################################### @@ -743,7 +743,7 @@ interface(`auth_domtrans_pam',` type pam_t, pam_exec_t; ') - domtrans_pattern($1,pam_exec_t,pam_t) + domtrans_pattern($1, pam_exec_t, pam_t) ') ######################################## @@ -803,7 +803,7 @@ interface(`auth_exec_pam',` type pam_exec_t; ') - can_exec($1,pam_exec_t) + can_exec($1, pam_exec_t) ') ######################################## @@ -921,7 +921,7 @@ interface(`auth_domtrans_pam_console',` type pam_console_t, pam_console_exec_t; ') - domtrans_pattern($1,pam_console_exec_t,pam_console_t) + domtrans_pattern($1, pam_console_exec_t, pam_console_t) ') ######################################## @@ -1001,8 +1001,8 @@ interface(`auth_manage_pam_console_data',` ') files_search_pids($1) - manage_files_pattern($1,pam_var_console_t,pam_var_console_t) - manage_lnk_files_pattern($1,pam_var_console_t,pam_var_console_t) + manage_files_pattern($1, pam_var_console_t, pam_var_console_t) + manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) ') ####################################### @@ -1022,7 +1022,7 @@ interface(`auth_delete_pam_console_data',` files_search_var($1) files_search_pids($1) - delete_files_pattern($1,pam_var_console_t,pam_var_console_t) + delete_files_pattern($1, pam_var_console_t, pam_var_console_t) ') ######################################## @@ -1168,7 +1168,7 @@ interface(`auth_domtrans_utempter',` type utempter_t, utempter_exec_t; ') - domtrans_pattern($1,utempter_exec_t,utempter_t) + domtrans_pattern($1, utempter_exec_t, utempter_t) ') ######################################## 
@@ -1343,7 +1343,7 @@ interface(`auth_log_filetrans_login_records',` type wtmp_t; ') - logging_log_filetrans($1,wtmp_t,file) + logging_log_filetrans($1, wtmp_t, file) ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 7542302..98eee68 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -31,7 +31,7 @@ application_executable_file(login_exec_t) type pam_console_t; type pam_console_exec_t; -init_system_domain(pam_console_t,pam_console_exec_t) +init_system_domain(pam_console_t, pam_console_exec_t) role system_r types pam_console_t; type pam_t; @@ -39,7 +39,7 @@ domain_type(pam_t) role system_r types pam_t; type pam_exec_t; -domain_entry_file(pam_t,pam_exec_t) +domain_entry_file(pam_t, pam_exec_t) type pam_tmp_t; files_tmp_file(pam_tmp_t) @@ -59,13 +59,13 @@ neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) -domain_entry_file(updpwd_t,updpwd_exec_t) +domain_entry_file(updpwd_t, updpwd_exec_t) domain_obj_id_change_exemption(updpwd_t) role system_r types updpwd_t; type utempter_t; type utempter_exec_t; -application_domain(utempter_t,utempter_exec_t) +application_domain(utempter_t, utempter_exec_t) # # var_auth_t is the type of /var/lib/auth, usually @@ -147,8 +147,8 @@ allow pam_t self:sem create_sem_perms; allow pam_t self:msgq create_msgq_perms; allow pam_t self:msg { send receive }; -delete_files_pattern(pam_t,pam_var_run_t,pam_var_run_t) -read_files_pattern(pam_t,pam_var_run_t,pam_var_run_t) +delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) +read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) files_list_pids(pam_t) allow pam_t pam_tmp_t:dir manage_dir_perms; 
@@ -193,8 +193,8 @@ dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; # for /var/run/console.lock checking -read_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t) -read_lnk_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t) +read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) +read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) dontaudit pam_console_t pam_var_console_t:file write; kernel_read_kernel_sysctls(pam_console_t) diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if index f76522e..4cf09f6 100644 --- a/policy/modules/system/clock.if +++ b/policy/modules/system/clock.if @@ -15,7 +15,7 @@ interface(`clock_domtrans',` type hwclock_t, hwclock_exec_t; ') - domtrans_pattern($1,hwclock_exec_t,hwclock_t) + domtrans_pattern($1, hwclock_exec_t, hwclock_t) ') ######################################## @@ -59,7 +59,7 @@ interface(`clock_exec',` type hwclock_exec_t; ') - can_exec($1,hwclock_exec_t) + can_exec($1, hwclock_exec_t) ') ######################################## diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index 1cc3ae9..e935c7c 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -11,7 +11,7 @@ files_type(adjtime_t) type hwclock_t; type hwclock_exec_t; -init_system_domain(hwclock_t,hwclock_exec_t) +init_system_domain(hwclock_t, hwclock_exec_t) role system_r types hwclock_t; ######################################## diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te index 287b191..1e57404 100644 --- a/policy/modules/system/daemontools.te +++ b/policy/modules/system/daemontools.te @@ -1,5 +1,5 @@ -policy_module(daemontools,1.2.0) +policy_module(daemontools, 1.2.0) ######################################## # 
@@ -14,18 +14,18 @@ files_type(svc_log_t) type svc_multilog_t; type svc_multilog_exec_t; -application_domain(svc_multilog_t,svc_multilog_exec_t) +application_domain(svc_multilog_t, svc_multilog_exec_t) role system_r types svc_multilog_t; type svc_run_t; type svc_run_exec_t; -application_domain(svc_run_t,svc_run_exec_t) +application_domain(svc_run_t, svc_run_exec_t) role system_r types svc_run_t; type svc_start_t; type svc_start_exec_t; -init_domain(svc_start_t,svc_start_exec_t) -init_system_domain(svc_start_t,svc_start_exec_t) +init_domain(svc_start_t, svc_start_exec_t) +init_system_domain(svc_start_t, svc_start_exec_t) role system_r types svc_start_t; type svc_svc_t; @@ -37,7 +37,7 @@ files_type(svc_svc_t) # # multilog creates /service/*/log/status -manage_files_pattern(svc_multilog_t,svc_svc_t,svc_svc_t) +manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) init_use_fds(svc_multilog_t) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index 732b54a..1c51b4b 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -16,7 +16,7 @@ interface(`fstools_domtrans',` ') corecmd_search_bin($1) - domtrans_pattern($1,fsadm_exec_t,fsadm_t) + domtrans_pattern($1, fsadm_exec_t, fsadm_t) ') ######################################## @@ -60,7 +60,7 @@ interface(`fstools_exec',` type fsadm_exec_t; ') - can_exec($1,fsadm_exec_t) + can_exec($1, fsadm_exec_t) ') ######################################## diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 2ae2f1c..e204c3a 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -8,7 +8,7 @@ policy_module(fstools, 1.12.1) type fsadm_t; type fsadm_exec_t; -init_system_domain(fsadm_t,fsadm_exec_t) +init_system_domain(fsadm_t, fsadm_exec_t) role system_r types fsadm_t; type fsadm_log_t; 
@@ -48,8 +48,8 @@ files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) # log files allow fsadm_t fsadm_log_t:dir setattr; -manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t) -logging_log_filetrans(fsadm_t,fsadm_log_t,file) +manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) +logging_log_filetrans(fsadm_t, fsadm_log_t, file) # Enable swapping to files allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -127,7 +127,7 @@ files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) -files_etc_filetrans_etc_runtime(fsadm_t,file) +files_etc_filetrans_etc_runtime(fsadm_t, file) # Access to /initrd devices files_rw_isid_type_dirs(fsadm_t) files_rw_isid_type_blk_files(fsadm_t) @@ -174,7 +174,7 @@ optional_policy(` optional_policy(` # for smartctl cron jobs - cron_system_entry(fsadm_t,fsadm_exec_t) + cron_system_entry(fsadm_t, fsadm_exec_t) ') optional_policy(` diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if index 9ae3682..b2b003d 100644 --- a/policy/modules/system/getty.if +++ b/policy/modules/system/getty.if @@ -16,7 +16,7 @@ interface(`getty_domtrans',` ') corecmd_search_bin($1) - domtrans_pattern($1,getty_exec_t,getty_t) + domtrans_pattern($1, getty_exec_t, getty_t) ') ######################################## diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 077e95d..dc4a1e8 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -8,7 +8,7 @@ policy_module(getty, 1.7.0) type getty_t; type getty_exec_t; -init_domain(getty_t,getty_exec_t) +init_domain(getty_t, getty_exec_t) init_system_domain(getty_t, getty_exec_t) domain_interactive_fd(getty_t) 
@@ -39,22 +39,22 @@ dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; -read_files_pattern(getty_t,getty_etc_t,getty_etc_t) -read_lnk_files_pattern(getty_t,getty_etc_t,getty_etc_t) -files_etc_filetrans(getty_t,getty_etc_t,{ file dir }) +read_files_pattern(getty_t, getty_etc_t, getty_etc_t) +read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) +files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) allow getty_t getty_lock_t:file manage_file_perms; -files_lock_filetrans(getty_t,getty_lock_t,file) +files_lock_filetrans(getty_t, getty_lock_t, file) allow getty_t getty_log_t:file manage_file_perms; -logging_log_filetrans(getty_t,getty_log_t,file) +logging_log_filetrans(getty_t, getty_log_t, file) allow getty_t getty_tmp_t:file manage_file_perms; allow getty_t getty_tmp_t:dir manage_dir_perms; -files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir }) +files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) -manage_files_pattern(getty_t,getty_var_run_t,getty_var_run_t) -files_pid_filetrans(getty_t,getty_var_run_t,file) +manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) +files_pid_filetrans(getty_t, getty_var_run_t, file) kernel_list_proc(getty_t) kernel_read_proc_symlinks(getty_t) diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if index 1ce151a..8fdea3b 100644 --- a/policy/modules/system/hostname.if +++ b/policy/modules/system/hostname.if @@ -16,7 +16,7 @@ interface(`hostname_domtrans',` ') corecmd_search_bin($1) - domtrans_pattern($1,hostname_exec_t,hostname_t) + domtrans_pattern($1, hostname_exec_t, hostname_t) ') ######################################## @@ -61,5 +61,5 @@ interface(`hostname_exec',` ') corecmd_search_bin($1) - can_exec($1,hostname_exec_t) + can_exec($1, hostname_exec_t) ') diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index bf6bc23..7cdd8a7 100644 
--- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -8,7 +8,7 @@ policy_module(hostname, 1.6.0) type hostname_t; type hostname_exec_t; -init_system_domain(hostname_t,hostname_exec_t) +init_system_domain(hostname_t, hostname_exec_t) role system_r types hostname_t; ######################################## diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if index 3741a18..321d2e6 100644 --- a/policy/modules/system/hotplug.if +++ b/policy/modules/system/hotplug.if @@ -19,7 +19,7 @@ interface(`hotplug_domtrans',` ') corecmd_search_bin($1) - domtrans_pattern($1,hotplug_exec_t,hotplug_t) + domtrans_pattern($1, hotplug_exec_t, hotplug_t) ') ######################################## @@ -38,7 +38,7 @@ interface(`hotplug_exec',` ') corecmd_search_bin($1) - can_exec($1,hotplug_exec_t) + can_exec($1, hotplug_exec_t) ') ######################################## @@ -151,8 +151,8 @@ interface(`hotplug_read_config',` files_search_etc($1) allow $1 hotplug_etc_t:dir list_dir_perms; - read_files_pattern($1,hotplug_etc_t,hotplug_etc_t) - read_lnk_files_pattern($1,hotplug_etc_t,hotplug_etc_t) + read_files_pattern($1, hotplug_etc_t, hotplug_etc_t) + read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t) ') ######################################## diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 6e01745..12a3cb6 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -8,12 +8,12 @@ policy_module(hotplug, 1.11.2) type hotplug_t; type hotplug_exec_t; -kernel_domtrans_to(hotplug_t,hotplug_exec_t) -init_daemon_domain(hotplug_t,hotplug_exec_t) +kernel_domtrans_to(hotplug_t, hotplug_exec_t) +init_daemon_domain(hotplug_t, hotplug_exec_t) type hotplug_etc_t; files_config_file(hotplug_etc_t) -init_daemon_domain(hotplug_t,hotplug_etc_t) +init_daemon_domain(hotplug_t, hotplug_etc_t) type hotplug_var_run_t; files_pid_file(hotplug_var_run_t) 
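Review bot: In policy/modules/system/hotplug.te the re-spaced line `init_daemon_domain(hotplug_t, hotplug_etc_t)` passes a type declared just above with `files_config_file(hotplug_etc_t)` as the daemon's entry-point type, and there is no comment explaining why a configuration label is executable. Together with `can_exec(hotplug_t, hotplug_etc_t)` in the next hunk, this means any domain allowed to write `hotplug_etc_t` files can presumably place code that runs as `hotplug_t`. The line should carry a comment such as `# agent scripts under the hotplug config directory are labelled hotplug_etc_t and executed directly`, with the wording checked against hotplug.fc, which is not visible here. It is also worth checking which domains are granted write or manage access to `hotplug_etc_t`.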
@@ -33,15 +33,15 @@ allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 allow hotplug_t self:tcp_socket connected_stream_socket_perms;
-read_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
-read_lnk_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
-can_exec(hotplug_t,hotplug_etc_t)
+read_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t)
+read_lnk_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t)
+can_exec(hotplug_t, hotplug_etc_t)
 allow hotplug_t hotplug_etc_t:dir list_dir_perms;
-can_exec(hotplug_t,hotplug_exec_t)
+can_exec(hotplug_t, hotplug_exec_t)
-manage_files_pattern(hotplug_t,hotplug_var_run_t,hotplug_var_run_t)
-files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
+manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t)
+files_pid_filetrans(hotplug_t, hotplug_var_run_t, file)
 kernel_sigchld(hotplug_t)
 kernel_setpgid(hotplug_t)
@@ -83,7 +83,7 @@ domain_dontaudit_getattr_all_domains(hotplug_t)
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
-files_etc_filetrans_etc_runtime(hotplug_t,file)
+files_etc_filetrans_etc_runtime(hotplug_t, file)
 files_exec_etc_files(hotplug_t)
 # for when filesystems are not mounted early in the boot:
 files_dontaudit_search_isid_type_dirs(hotplug_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 5f9f21e..7637333 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -334,7 +334,7 @@ interface(`init_domtrans',`
 type init_t, init_exec_t;
 ')
- domtrans_pattern($1,init_exec_t,init_t)
+ domtrans_pattern($1, init_exec_t, init_t)
 ')
 ########################################
@@ -354,7 +354,7 @@ interface(`init_exec',`
 ')
 corecmd_search_bin($1)
- can_exec($1,init_exec_t)
+ can_exec($1, init_exec_t)
 ')
 ########################################
@@ -604,7 +604,7 @@ interface(`init_script_file_entry_type',`
 type initrc_exec_t;
 ')
- domain_entry_file($1,initrc_exec_t)
+ domain_entry_file($1, initrc_exec_t)
 ')
 ########################################
@@ -623,7 +623,7 @@ interface(`init_spec_domtrans_script',`
 ')
 files_list_etc($1)
- spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+ spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 ifdef(`enable_mcs',`
 range_transition $1 initrc_exec_t:process s0;
@@ -650,7 +650,7 @@ interface(`init_domtrans_script',`
 ')
 files_list_etc($1)
- domtrans_pattern($1,initrc_exec_t,initrc_t)
+ domtrans_pattern($1, initrc_exec_t, initrc_t)
 ifdef(`enable_mcs',`
 range_transition $1 initrc_exec_t:process s0;
@@ -692,7 +692,7 @@ interface(`init_script_file_domtrans',`
 ')
 files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,$2)
+ domain_auto_trans($1, initrc_exec_t,$2)
 ')
 ########################################
@@ -863,7 +863,7 @@ interface(`init_exec_script_files',`
 ')
 files_list_etc($1)
- can_exec($1,initrc_exec_t)
+ can_exec($1, initrc_exec_t)
 ')
 ########################################
@@ -939,9 +939,9 @@ interface(`init_read_script_state',`
 ')
 kernel_search_proc($1)
- read_files_pattern($1,initrc_t,initrc_t)
- read_lnk_files_pattern($1,initrc_t,initrc_t)
- list_dirs_pattern($1,initrc_t,initrc_t)
+ read_files_pattern($1, initrc_t, initrc_t)
+ read_lnk_files_pattern($1, initrc_t, initrc_t)
+ list_dirs_pattern($1, initrc_t, initrc_t)
 # should move this to separate interface
 allow $1 initrc_t:process getattr;
@@ -1247,7 +1247,7 @@ interface(`init_getattr_script_status_files',`
 type initrc_state_t;
 ')
- getattr_files_pattern($1,initrc_state_t,initrc_state_t)
+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
 ########################################
@@ -1286,7 +1286,7 @@ interface(`init_rw_script_tmp_files',`
 ')
 files_search_tmp($1)
- rw_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
 ')
 ########################################
@@ -1316,7 +1316,7 @@ interface(`init_script_tmp_filetrans',`
 ')
 files_search_tmp($1)
- filetrans_pattern($1,initrc_tmp_t,$2,$3)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3)
 ')
 ########################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f954c0c..fbea5b1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -15,7 +15,7 @@ gen_require(`
 ## Enable support for upstart as the init program.
 ##

##
-gen_tunable(init_upstart,false)
+gen_tunable(init_upstart, false)
 # used for direct running of init scripts
 # by admin domains
@@ -36,8 +36,8 @@ attribute daemon;
 type init_t;
 type init_exec_t;
 domain_type(init_t)
-domain_entry_file(init_t,init_exec_t)
-kernel_domtrans_to(init_t,init_exec_t)
+domain_entry_file(init_t, init_exec_t)
+kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 #
@@ -58,7 +58,7 @@ mls_trusted_object(initctl_t)
 type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
 type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
-domain_entry_file(initrc_t,initrc_exec_t)
+domain_entry_file(initrc_t, initrc_exec_t)
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -79,7 +79,7 @@ type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 ifdef(`enable_mls',`
- kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
+ kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
 ')
 ########################################
@@ -99,16 +99,16 @@ allow init_t self:capability ~sys_module;
 allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
-can_exec(init_t,init_exec_t)
+can_exec(init_t, init_exec_t)
 allow init_t initrc_t:unix_stream_socket connectto;
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file manage_file_perms;
-files_pid_filetrans(init_t,init_var_run_t,file)
+files_pid_filetrans(init_t, init_var_run_t, file)
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
-dev_filetrans(init_t,initctl_t,fifo_file)
+dev_filetrans(init_t, initctl_t, fifo_file)
 fs_associate_tmpfs(initctl_t)
 # Modify utmp.
@@ -133,7 +133,7 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
-files_etc_filetrans_etc_runtime(init_t,file)
+files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -173,11 +173,11 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(init_t)
- fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 tunable_policy(`init_upstart',`
- corecmd_shell_domtrans(init_t,initrc_t)
+ corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 # Run the shell in the sysadm role for single-user mode.
 # causes problems with upstart
@@ -214,7 +214,7 @@ allow initrc_t self:udp_socket create_socket_perms;
 allow initrc_t self:fifo_file rw_file_perms;
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
-term_create_pty(initrc_t,initrc_devpts_t)
+term_create_pty(initrc_t, initrc_devpts_t)
 # Going to single user mode
 init_exec(initrc_t)
@@ -223,18 +223,18 @@ can_exec(initrc_t, init_script_file_type)
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
-manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
-manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
-files_pid_filetrans(initrc_t,initrc_var_run_t,file)
+files_pid_filetrans(initrc_t, initrc_var_run_t, file)
-can_exec(initrc_t,initrc_tmp_t)
+can_exec(initrc_t, initrc_tmp_t)
 allow initrc_t initrc_tmp_t:file manage_file_perms;
 allow initrc_t initrc_tmp_t:dir manage_dir_perms;
-files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
+files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
 init_write_initctl(initrc_t)
@@ -349,7 +349,7 @@ files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
 files_manage_etc_runtime_files(initrc_t)
-files_etc_filetrans_etc_runtime(initrc_t,file)
+files_etc_filetrans_etc_runtime(initrc_t, file)
 files_manage_generic_locks(initrc_t)
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
@@ -391,7 +391,7 @@ userdom_use_user_terminals(initrc_t)
 ifdef(`distro_debian',`
 dev_setattr_generic_dirs(initrc_t)
- fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
+ fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
 # for storing state under /dev/shm
 fs_setattr_tmpfs_dirs(initrc_t)
@@ -420,7 +420,7 @@ ifdef(`distro_gentoo',`
 # needed until baselayout is fixed to have the
 # restorecon on /dev to again be immediately after
 # mounting tmpfs on /dev
- fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+ fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
 # init scripts touch this
 clock_dontaudit_write_adjtime(initrc_t)
@@ -735,7 +735,7 @@ optional_policy(`
 optional_policy(`
 # allow init scripts to su
- su_restricted_domain_template(initrc,initrc_t,system_r)
+ su_restricted_domain_template(initrc, initrc_t, system_r)
 ')
 optional_policy(`
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 27cacf5..a162c77 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -15,7 +15,7 @@ interface(`ipsec_domtrans',`
 type ipsec_t, ipsec_exec_t;
 ')
- domtrans_pattern($1,ipsec_exec_t,ipsec_t)
+ domtrans_pattern($1, ipsec_exec_t, ipsec_t)
 ')
 ########################################
@@ -34,7 +34,7 @@ interface(`ipsec_stream_connect',`
 ')
 files_search_pids($1)
- stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 ')
 ########################################
@@ -70,7 +70,7 @@ interface(`ipsec_exec_mgmt',`
 type ipsec_exec_t;
 ')
- can_exec($1,ipsec_exec_t)
+ can_exec($1, ipsec_exec_t)
 ')
 ########################################
@@ -166,7 +166,7 @@ interface(`ipsec_manage_pid',`
 ')
 files_search_pids($1)
- manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
+ manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
 ')
 ########################################
@@ -184,7 +184,7 @@ interface(`ipsec_domtrans_racoon',`
 type racoon_t, racoon_exec_t;
 ')
- domtrans_pattern($1,racoon_exec_t,racoon_t)
+ domtrans_pattern($1, racoon_exec_t, racoon_t)
 ')
 ########################################
@@ -202,7 +202,7 @@ interface(`ipsec_domtrans_setkey',`
 type setkey_t, setkey_exec_t;
 ')
- domtrans_pattern($1,setkey_exec_t,setkey_t)
+ domtrans_pattern($1, setkey_exec_t, setkey_t)
 ')
 ########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 4f9df30..bc0fd7f 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -8,7 +8,7 @@ policy_module(ipsec, 1.9.1)
 type ipsec_t;
 type ipsec_exec_t;
-init_daemon_domain(ipsec_t,ipsec_exec_t)
+init_daemon_domain(ipsec_t, ipsec_exec_t)
 role system_r types ipsec_t;
 # type for ipsec configuration file(s) - not for keys
@@ -28,7 +28,7 @@ files_pid_file(ipsec_var_run_t)
 type ipsec_mgmt_t;
 type ipsec_mgmt_exec_t;
-init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 corecmd_shell_entry_type(ipsec_mgmt_t)
 role system_r types ipsec_mgmt_t;
@@ -40,12 +40,12 @@ files_pid_file(ipsec_mgmt_var_run_t)
 type racoon_t;
 type racoon_exec_t;
-init_daemon_domain(racoon_t,racoon_exec_t)
+init_daemon_domain(racoon_t, racoon_exec_t)
 role system_r types racoon_t;
 type setkey_t;
 type setkey_exec_t;
-init_system_domain(setkey_t,setkey_exec_t)
+init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 ########################################
@@ -63,12 +63,12 @@ allow ipsec_t self:fifo_file read_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -80,7 +80,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 # a shell script, we need to find a way to make things work without
 # letting all sorts of stuff possibly be run...
 # so try flipping back into the ipsec_mgmt_t domain
-corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
@@ -162,21 +162,21 @@ allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
-files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-read_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
-read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
+read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
 # logger, running in ipsec_mgmt_t needs to use sockets
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
@@ -184,18 +184,18 @@ allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
-manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
-manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
-files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
+manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 # whack needs to connect to pluto
-stream_connect_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
+stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 can_exec(ipsec_mgmt_t, ipsec_exec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -282,17 +282,17 @@ allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
 # manage pid file
-manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-manage_sock_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
+manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
 allow racoon_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
-read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
@@ -338,8 +338,8 @@ allow setkey_t self:key_socket create_socket_perms;
 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
-read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index bab19d2..9012783 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -16,7 +16,7 @@ interface(`iptables_domtrans',`
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,iptables_exec_t,iptables_t)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
 ')
 ########################################
@@ -67,5 +67,5 @@ interface(`iptables_exec',`
 ')
 corecmd_search_bin($1)
- can_exec($1,iptables_exec_t)
+ can_exec($1, iptables_exec_t)
 ')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index ab529fb..68d022a 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -8,7 +8,7 @@ policy_module(iptables, 1.8.1)
 type iptables_t;
 type iptables_exec_t;
-init_system_domain(iptables_t,iptables_exec_t)
+init_system_domain(iptables_t, iptables_exec_t)
 role system_r types iptables_t;
 type iptables_tmp_t;
@@ -28,9 +28,9 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t,iptables_var_run_t,file)
+files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-can_exec(iptables_t,iptables_exec_t)
+can_exec(iptables_t, iptables_exec_t)
 allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
index b8e8f4a..6f0b206 100644
--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@@ -15,5 +15,5 @@ interface(`iscsid_domtrans',`
 type iscsid_t, iscsid_exec_t;
 ')
- domtrans_pattern($1,iscsid_exec_t,iscsid_t)
+ domtrans_pattern($1, iscsid_exec_t, iscsid_t)
 ')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index bfa8bbf..df83ad4 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -47,12 +47,12 @@ allow iscsid_t iscsi_tmp_t:file manage_file_perms;
 fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
 allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-read_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
-read_lnk_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
+read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
 files_search_var_lib(iscsid_t)
-manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
-files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
+manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 kernel_read_system_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1cfa7c1..f0ff86b 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -42,7 +42,7 @@ ifdef(`distro_redhat',`
 /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 /lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_debian',`
@@ -115,7 +115,7 @@ ifdef(`distro_redhat',`
 /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -259,7 +259,7 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_
 /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 7c9b27b..ab261be 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -16,7 +16,7 @@ interface(`libs_domtrans_ldconfig',`
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,ldconfig_exec_t,ldconfig_t)
+ domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
 ')
 ########################################
@@ -63,8 +63,8 @@ interface(`libs_use_ld_so',`
 files_list_etc($1)
 allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
- mmap_files_pattern($1,lib_t,ld_so_t)
+ read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
+ mmap_files_pattern($1, lib_t, ld_so_t)
 allow $1 ld_so_cache_t:file read_file_perms;
 ')
@@ -106,8 +106,8 @@ interface(`libs_exec_ld_so',`
 ')
 allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
- exec_files_pattern($1,lib_t,ld_so_t)
+ read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
+ exec_files_pattern($1, lib_t, ld_so_t)
 ')
 ########################################
@@ -127,7 +127,7 @@ interface(`libs_manage_ld_so',`
 type lib_t, ld_so_t;
 ')
- manage_files_pattern($1,lib_t,ld_so_t)
+ manage_files_pattern($1, lib_t, ld_so_t)
 ')
 ########################################
@@ -147,7 +147,7 @@ interface(`libs_relabel_ld_so',`
 type lib_t, ld_so_t;
 ')
- relabel_files_pattern($1,lib_t,ld_so_t)
+ relabel_files_pattern($1, lib_t, ld_so_t)
 ')
 ########################################
@@ -248,9 +248,9 @@ interface(`libs_read_lib_files',`
 ')
 files_search_usr($1)
- list_dirs_pattern($1,lib_t,lib_t)
- read_files_pattern($1,lib_t,lib_t)
- read_lnk_files_pattern($1,lib_t,lib_t)
+ list_dirs_pattern($1, lib_t, lib_t)
+ read_files_pattern($1, lib_t, lib_t)
+ read_lnk_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -270,8 +270,8 @@ interface(`libs_exec_lib_files',`
 files_search_usr($1)
 allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,lib_t)
- exec_files_pattern($1,lib_t,lib_t)
+ read_lnk_files_pattern($1, lib_t, lib_t)
+ exec_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -307,7 +307,7 @@ interface(`libs_manage_lib_files',`
 type lib_t;
 ')
- manage_files_pattern($1,lib_t,lib_t)
+ manage_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -325,7 +325,7 @@ interface(`libs_relabelto_lib_files',`
 type lib_t;
 ')
- relabelto_files_pattern($1,lib_t,lib_t)
+ relabelto_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -345,7 +345,7 @@ interface(`libs_relabel_lib_files',`
 type lib_t;
 ')
- relabel_files_pattern($1,lib_t,lib_t)
+ relabel_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -364,7 +364,7 @@ interface(`libs_delete_lib_symlinks',`
 type lib_t;
 ')
- delete_lnk_files_pattern($1,lib_t,lib_t)
+ delete_lnk_files_pattern($1, lib_t, lib_t)
 ')
 ########################################
@@ -383,7 +383,7 @@ interface(`libs_manage_shared_libs',`
 type lib_t, textrel_shlib_t;
 ')
- manage_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
+ manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
 ########################################
@@ -403,8 +403,8 @@ interface(`libs_use_shared_libs',`
 files_list_usr($1)
 allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
- mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
+ read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 allow $1 textrel_shlib_t:file execmod;
 ')
@@ -445,7 +445,7 @@ interface(`libs_relabel_shared_libs',`
 type lib_t, textrel_shlib_t;
 ')
- relabel_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
+ relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
 ########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 7416e51..185a7d1 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -20,7 +20,7 @@ files_type(ld_so_t)
 type ldconfig_t;
 type ldconfig_exec_t;
-init_system_domain(ldconfig_t,ldconfig_exec_t)
+init_system_domain(ldconfig_t, ldconfig_exec_t)
 role system_r types ldconfig_t;
 type ldconfig_cache_t;
@@ -57,14 +57,14 @@ allow ldconfig_t self:capability sys_chroot;
 manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
 allow ldconfig_t ld_so_cache_t:file manage_file_perms;
-files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
+files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
-manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
 files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
-manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
+manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
 kernel_read_system_state(ldconfig_t)
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 447fe0b..37292fd 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -15,10 +15,10 @@ interface(`locallogin_domtrans',`
 type local_login_t;
 ')
- auth_domtrans_login_program($1,local_login_t)
+ auth_domtrans_login_program($1, local_login_t)
 ifdef(`enable_mcs',`
- auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
+ auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
 ')
 ')
@@ -127,5 +127,5 @@ interface(`locallogin_domtrans_sulogin',`
 type sulogin_exec_t, sulogin_t;
 ')
- domtrans_pattern($1,sulogin_exec_t,sulogin_t)
+ domtrans_pattern($1, sulogin_exec_t, sulogin_t)
 ')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 6a9b414..1088951 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -24,8 +24,8 @@ domain_obj_id_change_exemption(sulogin_t)
 domain_subj_id_change_exemption(sulogin_t)
 domain_role_change_exemption(sulogin_t)
 domain_interactive_fd(sulogin_t)
-init_domain(sulogin_t,sulogin_exec_t)
-init_system_domain(sulogin_t,sulogin_exec_t)
+init_domain(sulogin_t, sulogin_exec_t)
+init_system_domain(sulogin_t, sulogin_exec_t)
 role system_r types sulogin_t;
 ########################################
@@ -50,7 +50,7 @@ allow local_login_t self:msg { send receive };
 allow local_login_t self:key { search write link };
 allow local_login_t local_login_lock_t:file manage_file_perms;
-files_lock_filetrans(local_login_t,local_login_lock_t,file)
+files_lock_filetrans(local_login_t, local_login_lock_t, file)
 allow local_login_t local_login_tmp_t:dir manage_dir_perms;
 allow local_login_t local_login_tmp_t:file manage_file_perms;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 59fa98b..e93c344 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -99,7 +99,7 @@ interface(`logging_read_audit_log',`
 ')
 files_search_var($1)
- read_files_pattern($1,auditd_log_t,auditd_log_t)
+ read_files_pattern($1, auditd_log_t, auditd_log_t)
 allow $1 auditd_log_t:dir list_dir_perms;
 ')
@@ -118,7 +118,7 @@ interface(`logging_domtrans_auditctl',`
 type auditctl_t, auditctl_exec_t;
 ')
- domtrans_pattern($1,auditctl_exec_t,auditctl_t)
+ domtrans_pattern($1, auditctl_exec_t, auditctl_t)
 ')
 ########################################
@@ -162,7 +162,7 @@ interface(`logging_domtrans_auditd',`
 type auditd_t, auditd_exec_t;
 ')
- domtrans_pattern($1,auditd_exec_t,auditd_t)
+ domtrans_pattern($1, auditd_exec_t, auditd_t)
 ')
 ########################################
@@ -311,7 +311,7 @@ interface(`logging_manage_audit_config',`
 ')
 files_search_etc($1)
- manage_files_pattern($1,auditd_etc_t,auditd_etc_t)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
 ')
 ########################################
@@ -331,8 +331,8 @@ interface(`logging_manage_audit_log',`
 ')
 files_search_var($1)
- manage_dirs_pattern($1,auditd_log_t,auditd_log_t)
- manage_files_pattern($1,auditd_log_t,auditd_log_t)
+ manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
+ manage_files_pattern($1, auditd_log_t, auditd_log_t)
 ')
 ########################################
@@ -351,7 +351,7 @@ interface(`logging_domtrans_klog',`
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,klogd_exec_t,klogd_t)
+ domtrans_pattern($1, klogd_exec_t, klogd_t)
 ')
 ########################################
@@ -390,7 +390,7 @@ interface(`logging_domtrans_syslog',`
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,syslogd_exec_t,syslogd_t)
+ domtrans_pattern($1, syslogd_exec_t, syslogd_t)
 ')
 ########################################
@@ -420,7 +420,7 @@ interface(`logging_log_filetrans',`
 ')
 files_search_var($1)
- filetrans_pattern($1,var_log_t,$2,$3)
+ filetrans_pattern($1, var_log_t, $2, $3)
 ')
 ########################################
@@ -468,7 +468,7 @@ interface(`logging_read_audit_config',`
 ')
 files_search_etc($1)
- read_files_pattern($1,auditd_etc_t,auditd_etc_t)
+ read_files_pattern($1, auditd_etc_t, auditd_etc_t)
 allow $1 auditd_etc_t:dir list_dir_perms;
 ')
@@ -666,7 +666,7 @@ interface(`logging_exec_all_logs',`
 files_search_var($1)
 allow $1 logfile:dir list_dir_perms;
- can_exec($1,logfile)
+ can_exec($1, logfile)
 ')
 ########################################
@@ -705,8 +705,8 @@ interface(`logging_manage_all_logs',`
 ')
 files_search_var($1)
- manage_files_pattern($1,logfile,logfile)
- read_lnk_files_pattern($1,logfile,logfile)
+ manage_files_pattern($1, logfile, logfile)
+ read_lnk_files_pattern($1, logfile, logfile)
 ')
 ########################################
@@ -727,7 +727,7 @@ interface(`logging_read_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
- read_files_pattern($1,var_log_t,var_log_t)
+ read_files_pattern($1, var_log_t, var_log_t)
 ')
 ########################################
@@ -747,7 +747,7 @@ interface(`logging_write_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
- write_files_pattern($1,var_log_t,var_log_t)
+ write_files_pattern($1, var_log_t, var_log_t)
 ')
 ########################################
@@ -785,7 +785,7 @@ interface(`logging_rw_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
- rw_files_pattern($1,var_log_t,var_log_t)
+ rw_files_pattern($1, var_log_t, var_log_t)
 ')
 ########################################
@@ -806,7 +806,7 @@ interface(`logging_manage_generic_logs',`
 ')
 files_search_var($1)
- manage_files_pattern($1,var_log_t,var_log_t)
+ manage_files_pattern($1, var_log_t, var_log_t)
 ')
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 20132d7..d2fe3b7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -10,7 +10,7 @@ attribute logfile;
 type auditctl_t;
 type auditctl_exec_t;
-init_system_domain(auditctl_t,auditctl_exec_t)
+init_system_domain(auditctl_t, auditctl_exec_t)
 role system_r types auditctl_t;
 type auditd_etc_t;
@@ -22,7 +22,7 @@ files_security_mountpoint(auditd_log_t)
 type auditd_t;
 type auditd_exec_t;
-init_daemon_domain(auditd_t,auditd_exec_t)
+init_daemon_domain(auditd_t, auditd_exec_t)
 type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
@@ -47,7 +47,7 @@ mls_trusted_object(devlog_t)
 type klogd_t;
 type klogd_exec_t;
-init_daemon_domain(klogd_t,klogd_exec_t)
+init_daemon_domain(klogd_t, klogd_exec_t)
 type klogd_tmp_t;
 files_tmp_file(klogd_tmp_t)
@@ -60,7 +60,7 @@ files_type(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
-init_daemon_domain(syslogd_t,syslogd_exec_t)
+init_daemon_domain(syslogd_t, syslogd_exec_t)
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
@@ -91,7 +91,7 @@ ifdef(`enable_mls',`
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
-read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
+read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 # Needed for adding watches
@@ -132,13 +132,13 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
-manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
-manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
+manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
-manage_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
-manage_sock_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
-files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
+manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
@@ -271,12 +271,12 @@ allow klogd_t self:capability sys_admin;
 dontaudit klogd_t self:capability { sys_resource sys_tty_config };
 allow klogd_t self:process signal_perms;
-manage_dirs_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
-manage_files_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
-files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
+manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
+manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
+files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
-manage_files_pattern(klogd_t,klogd_var_run_t,klogd_var_run_t)
-files_pid_filetrans(klogd_t,klogd_var_run_t,file)
+manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
+files_pid_filetrans(klogd_t, klogd_var_run_t, file)
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
@@ -345,29 +345,29 @@ allow syslogd_t syslog_conf_t:file read_file_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -files_pid_filetrans(syslogd_t,devlog_t,sock_file) +files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -manage_files_pattern(syslogd_t,var_log_t,var_log_t) -rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t) +manage_files_pattern(syslogd_t, var_log_t, var_log_t) +rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; # manage temporary files -manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) +manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) allow syslogd_t syslogd_var_run_t:file manage_file_perms; -files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) # manage pid file -manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t) -files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) kernel_read_system_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) @@ -403,7 +403,7 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) -dev_filetrans(syslogd_t,devlog_t,sock_file) +dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) domain_use_interactive_fds(syslogd_t) 
@@ -451,7 +451,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_suse',`
 # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
+ files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
 ')
 ifdef(`distro_ubuntu',`
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 224131e..5e6ef6d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -46,7 +46,7 @@ files_tmp_file(lvm_tmp_t)
 allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
 dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process { signal_perms setsched };
+allow clvmd_t self:process { signal_perms setsched };
 dontaudit clvmd_t self:process ptrace;
 allow clvmd_t self:socket create_socket_perms;
 allow clvmd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 5ef7e51..428ce71 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -17,8 +17,8 @@ interface(`miscfiles_read_certs',`
 ')
 allow $1 cert_t:dir list_dir_perms;
- read_files_pattern($1,cert_t,cert_t)
- read_lnk_files_pattern($1,cert_t,cert_t)
+ read_files_pattern($1, cert_t, cert_t)
+ read_lnk_files_pattern($1, cert_t, cert_t)
 ')
 ########################################
@@ -81,8 +81,8 @@ interface(`miscfiles_read_fonts',`
 libs_search_lib($1)
 allow $1 fonts_t:dir list_dir_perms;
- read_files_pattern($1,fonts_t,fonts_t)
- read_lnk_files_pattern($1,fonts_t,fonts_t)
+ read_files_pattern($1, fonts_t, fonts_t)
+ read_lnk_files_pattern($1, fonts_t, fonts_t)
 ')
 ########################################
@@ -125,9 +125,9 @@ interface(`miscfiles_manage_fonts',` files_search_usr($1) libs_search_lib($1) - manage_dirs_pattern($1,fonts_t,fonts_t) - manage_files_pattern($1,fonts_t,fonts_t) - manage_lnk_files_pattern($1,fonts_t,fonts_t) + manage_dirs_pattern($1, fonts_t, fonts_t) + manage_files_pattern($1, fonts_t, fonts_t) + manage_lnk_files_pattern($1, fonts_t, fonts_t) ') ######################################## @@ -146,8 +146,8 @@ interface(`miscfiles_read_hwdata',` ') allow $1 hwdata_t:dir list_dir_perms; - read_files_pattern($1,hwdata_t,hwdata_t) - read_lnk_files_pattern($1,hwdata_t,hwdata_t) + read_files_pattern($1, hwdata_t, hwdata_t) + read_lnk_files_pattern($1, hwdata_t, hwdata_t) ') ######################################## @@ -188,8 +188,8 @@ interface(`miscfiles_read_localization',` files_read_etc_symlinks($1) files_search_usr($1) allow $1 locale_t:dir list_dir_perms; - read_files_pattern($1,locale_t,locale_t) - read_lnk_files_pattern($1,locale_t,locale_t) + read_files_pattern($1, locale_t, locale_t) + read_lnk_files_pattern($1, locale_t, locale_t) # why? libs_read_lib_files($1) @@ -212,7 +212,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; - rw_files_pattern($1,locale_t,locale_t) + rw_files_pattern($1, locale_t, locale_t) ') ######################################## @@ -231,7 +231,7 @@ interface(`miscfiles_relabel_localization',` ') files_search_usr($1) - relabel_files_pattern($1,locale_t,locale_t) + relabel_files_pattern($1, locale_t, locale_t) ') ######################################## @@ -289,8 +289,8 @@ interface(`miscfiles_read_man_pages',` files_search_usr($1) allow $1 man_t:dir list_dir_perms; - read_files_pattern($1,man_t,man_t) - read_lnk_files_pattern($1,man_t,man_t) + read_files_pattern($1, man_t, man_t) + read_lnk_files_pattern($1, man_t, man_t) ') ######################################## 
@@ -314,9 +314,9 @@ interface(`miscfiles_delete_man_pages',` allow $1 man_t:dir setattr; # RH bug #309351 allow $1 man_t:dir list_dir_perms; - delete_dirs_pattern($1,man_t,man_t) - delete_files_pattern($1,man_t,man_t) - delete_lnk_files_pattern($1,man_t,man_t) + delete_dirs_pattern($1, man_t, man_t) + delete_files_pattern($1, man_t, man_t) + delete_lnk_files_pattern($1, man_t, man_t) ') ######################################## @@ -335,9 +335,9 @@ interface(`miscfiles_manage_man_pages',` ') files_search_usr($1) - manage_dirs_pattern($1,man_t,man_t) - manage_files_pattern($1,man_t,man_t) - read_lnk_files_pattern($1,man_t,man_t) + manage_dirs_pattern($1, man_t, man_t) + manage_files_pattern($1, man_t, man_t) + read_lnk_files_pattern($1, man_t, man_t) ') ######################################## @@ -379,9 +379,9 @@ interface(`miscfiles_manage_public_files',` type public_content_rw_t; ') - manage_dirs_pattern($1,public_content_rw_t,public_content_rw_t) - manage_files_pattern($1,public_content_rw_t,public_content_rw_t) - manage_lnk_files_pattern($1,public_content_rw_t,public_content_rw_t) + manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t) + manage_files_pattern($1, public_content_rw_t, public_content_rw_t) + manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) ') ######################################## @@ -404,8 +404,8 @@ interface(`miscfiles_read_tetex_data',` # cjp: TeX data can be in either of the above dirs allow $1 tetex_data_t:dir list_dir_perms; - read_files_pattern($1,tetex_data_t,tetex_data_t) - read_lnk_files_pattern($1,tetex_data_t,tetex_data_t) + read_files_pattern($1, tetex_data_t, tetex_data_t) + read_lnk_files_pattern($1, tetex_data_t, tetex_data_t) ') ######################################## 
@@ -429,7 +429,7 @@ interface(`miscfiles_exec_tetex_data',` # cjp: TeX data can be in either of the above dirs allow $1 tetex_data_t:dir list_dir_perms; - exec_files_pattern($1,tetex_data_t,tetex_data_t) + exec_files_pattern($1, tetex_data_t, tetex_data_t) ') ######################################## @@ -466,8 +466,8 @@ interface(`miscfiles_read_test_files',` type test_file_t; ') - read_files_pattern($1,test_file_t,test_file_t) - read_lnk_files_pattern($1,test_file_t,test_file_t) + read_files_pattern($1, test_file_t, test_file_t) + read_lnk_files_pattern($1, test_file_t, test_file_t) ') ######################################## @@ -485,8 +485,8 @@ interface(`miscfiles_exec_test_files',` type test_file_t; ') - exec_files_pattern($1,test_file_t,test_file_t) - read_lnk_files_pattern($1,test_file_t,test_file_t) + exec_files_pattern($1, test_file_t, test_file_t) + read_lnk_files_pattern($1, test_file_t, test_file_t) ') ######################################## @@ -524,8 +524,8 @@ interface(`miscfiles_manage_localization',` type locale_t; ') - manage_dirs_pattern($1,locale_t,locale_t) - manage_files_pattern($1,locale_t,locale_t) - manage_lnk_files_pattern($1,locale_t,locale_t) + manage_dirs_pattern($1, locale_t, locale_t) + manage_files_pattern($1, locale_t, locale_t) + manage_lnk_files_pattern($1, locale_t, locale_t) ') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 7250809..7a60d3c 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te 
@@ -20,18 +20,18 @@ files_type(modules_dep_t) type insmod_t; type insmod_exec_t; -application_domain(insmod_t,insmod_exec_t) +application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) role system_r types insmod_t; type depmod_t; type depmod_exec_t; -init_system_domain(depmod_t,depmod_exec_t) +init_system_domain(depmod_t, depmod_exec_t) role system_r types depmod_t; type update_modules_t; type update_modules_exec_t; -init_system_domain(update_modules_t,update_modules_exec_t) +init_system_domain(update_modules_t, update_modules_exec_t) role system_r types update_modules_t; type update_modules_tmp_t; @@ -118,7 +118,7 @@ ifdef(`distro_ubuntu',` ') if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t,insmod_exec_t) + kernel_domtrans_to(insmod_t, insmod_exec_t) } optional_policy(` @@ -178,7 +178,7 @@ can_exec(depmod_t, depmod_exec_t) allow depmod_t modules_conf_t:file read_file_perms; allow depmod_t modules_dep_t:file manage_file_perms; -files_kernel_modules_filetrans(depmod_t,modules_dep_t,file) +files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) kernel_read_system_state(depmod_t) @@ -231,8 +231,8 @@ can_exec(update_modules_t, update_modules_exec_t) # manage module loading configuration allow update_modules_t modules_conf_t:file manage_file_perms; -files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file) -files_etc_filetrans(update_modules_t,modules_conf_t,file) +files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) +files_etc_filetrans(update_modules_t, modules_conf_t, file) # transition to depmod domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) 
@@ -241,8 +241,8 @@ allow depmod_t update_modules_t:fd use; allow depmod_t update_modules_t:fifo_file rw_file_perms; allow depmod_t update_modules_t:process sigchld; -manage_dirs_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t) -manage_files_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t) +manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) +manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir }) kernel_read_kernel_sysctls(update_modules_t) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 805bef0..bb547ea 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -15,7 +15,7 @@ interface(`mount_domtrans',` type mount_t, mount_exec_t; ') - domtrans_pattern($1,mount_exec_t,mount_t) + domtrans_pattern($1, mount_exec_t, mount_t) ') ######################################## @@ -68,7 +68,7 @@ interface(`mount_exec',` allow $1 mount_exec_t:dir list_dir_perms; allow $1 mount_exec_t:lnk_file read_lnk_file_perms; - can_exec($1,mount_exec_t) + can_exec($1, mount_exec_t) ') ######################################## diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 5cf7a76..8d7d9fc 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -11,11 +11,11 @@ policy_module(mount, 1.10.0) ## Allow the mount command to mount any directory or file. ##

## -gen_tunable(allow_mount_anyfile,false) +gen_tunable(allow_mount_anyfile, false) type mount_t; type mount_exec_t; -init_system_domain(mount_t,mount_exec_t) +init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; type mount_loopback_t; # customizable @@ -28,7 +28,7 @@ files_tmp_file(mount_tmp_t) # this is optionally declared in monolithic # policy--duplicate type declaration type unconfined_mount_t; -application_domain(unconfined_mount_t,mount_exec_t) +application_domain(unconfined_mount_t, mount_exec_t) ######################################## # @@ -45,7 +45,7 @@ allow mount_t mount_tmp_t:dir manage_dir_perms; can_exec(mount_t, mount_exec_t) -files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) +files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) @@ -83,7 +83,7 @@ domain_use_interactive_fds(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) files_manage_etc_runtime_files(mount_t) -files_etc_filetrans_etc_runtime(mount_t,file) +files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -193,6 +193,6 @@ optional_policy(` # optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t,file) + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) unconfined_domain(unconfined_mount_t) ') diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if index 55b158b..b37cd5b 100644 --- a/policy/modules/system/netlabel.if +++ b/policy/modules/system/netlabel.if @@ -16,7 +16,7 @@ interface(`netlabel_domtrans_mgmt',` ') corecmd_search_bin($1) - domtrans_pattern($1,netlabel_mgmt_exec_t,netlabel_mgmt_t) + domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t) ') ######################################## 
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index 44470b3..e98925f 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -8,7 +8,7 @@ policy_module(netlabel, 1.3.0)
 type netlabel_mgmt_t;
 type netlabel_mgmt_exec_t;
-application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
 role system_r types netlabel_mgmt_t;
 ########################################
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 5f63c3a..ac2b18b 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -31,7 +31,7 @@ interface(`pcmcia_domtrans_cardmgr',`
 type cardmgr_t, cardmgr_exec_t;
 ')
- domtrans_pattern($1,cardmgr_exec_t,cardmgr_t)
+ domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
 ')
 ########################################
@@ -67,7 +67,7 @@ interface(`pcmcia_domtrans_cardctl',`
 type cardmgr_t, cardctl_exec_t;
 ')
- domtrans_pattern($1,cardctl_exec_t,cardmgr_t)
+ domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
 ')
 ########################################
@@ -112,7 +112,7 @@ interface(`pcmcia_read_pid',`
 ')
 files_search_pids($1)
- read_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
+ read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
 ')
 ########################################
@@ -132,7 +132,7 @@ interface(`pcmcia_manage_pid',`
 ')
 files_search_pids($1)
- manage_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
+ manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
 ')
 ########################################
@@ -152,5 +152,5 @@ interface(`pcmcia_manage_pid_chr_files',`
 ')
 files_search_pids($1)
- manage_chr_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
+ manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
 ')
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 5afa094..4f2324d 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te @@ -8,7 +8,7 @@ policy_module(pcmcia, 1.6.0) type cardmgr_t; type cardmgr_exec_t; -init_daemon_domain(cardmgr_t,cardmgr_exec_t) +init_daemon_domain(cardmgr_t, cardmgr_exec_t) # Create symbolic links in /dev. # cjp: this should probably be eliminated @@ -22,7 +22,7 @@ type cardmgr_var_run_t; files_pid_file(cardmgr_var_run_t) type cardctl_exec_t; -application_domain(cardmgr_t,cardctl_exec_t) +application_domain(cardmgr_t, cardctl_exec_t) ######################################## # @@ -38,14 +38,14 @@ allow cardmgr_t self:unix_dgram_socket create_socket_perms; allow cardmgr_t self:unix_stream_socket create_socket_perms; allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms; -dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file) +dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file) # Create stab file -manage_files_pattern(cardmgr_t,cardmgr_var_lib_t,cardmgr_var_lib_t) -files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file) +manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t) +files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file) allow cardmgr_t cardmgr_var_run_t:file manage_file_perms; -files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file) +files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file) kernel_read_system_state(cardmgr_t) kernel_read_kernel_sysctls(cardmgr_t) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if index 849f921..b3c7bfb 100644 --- a/policy/modules/system/raid.if +++ b/policy/modules/system/raid.if @@ -16,7 +16,7 @@ interface(`raid_domtrans_mdadm',` ') corecmd_search_bin($1) - domtrans_pattern($1,mdadm_exec_t,mdadm_t) + domtrans_pattern($1, mdadm_exec_t, mdadm_t) ') ######################################## diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index ea5b7be..91f1259 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te 
@@ -8,7 +8,7 @@ policy_module(raid, 1.8.1)
 type mdadm_t;
 type mdadm_exec_t;
-init_daemon_domain(mdadm_t,mdadm_exec_t)
+init_daemon_domain(mdadm_t, mdadm_exec_t)
 role system_r types mdadm_t;
 type mdadm_var_run_t;
@@ -24,8 +24,8 @@ dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
-manage_files_pattern(mdadm_t,mdadm_var_run_t,mdadm_var_run_t)
-files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
+manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
 kernel_read_system_state(mdadm_t)
 kernel_read_kernel_sysctls(mdadm_t)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index f8b5d9c..d01cffc 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -17,7 +17,7 @@ interface(`seutil_domtrans_checkpolicy',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
+ domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
 ')
 ########################################
@@ -65,7 +65,7 @@ interface(`seutil_exec_checkpolicy',`
 files_search_usr($1)
 corecmd_search_bin($1)
- can_exec($1,checkpolicy_exec_t)
+ can_exec($1, checkpolicy_exec_t)
 ')
 #######################################
@@ -84,7 +84,7 @@ interface(`seutil_domtrans_loadpolicy',`
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,load_policy_exec_t,load_policy_t)
+ domtrans_pattern($1, load_policy_exec_t, load_policy_t)
 ')
 ########################################
@@ -130,7 +130,7 @@ interface(`seutil_exec_loadpolicy',`
 ')
 corecmd_search_bin($1)
- can_exec($1,load_policy_exec_t)
+ can_exec($1, load_policy_exec_t)
 ')
 ########################################
@@ -169,7 +169,7 @@ interface(`seutil_domtrans_newrole',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domtrans_pattern($1,newrole_exec_t,newrole_t)
+ domtrans_pattern($1, newrole_exec_t, newrole_t)
 ')
 ########################################
@@ -218,7 +218,7 @@ interface(`seutil_exec_newrole',`
 files_search_usr($1)
 corecmd_search_bin($1)
- can_exec($1,newrole_exec_t)
+ can_exec($1, newrole_exec_t)
 ')
 ########################################
@@ -366,7 +366,7 @@ interface(`seutil_domtrans_runinit',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domtrans_pattern($1,run_init_exec_t,run_init_t)
+ domtrans_pattern($1, run_init_exec_t, run_init_t)
 ')
 ########################################
@@ -390,7 +390,7 @@ interface(`seutil_init_script_domtrans_runinit',`
 type run_init_t;
 ')
- init_script_file_domtrans($1,run_init_t)
+ init_script_file_domtrans($1, run_init_t)
 allow run_init_t $1:fd use;
 allow run_init_t $1:fifo_file rw_file_perms;
@@ -503,7 +503,7 @@ interface(`seutil_domtrans_setfiles',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domtrans_pattern($1,setfiles_exec_t,setfiles_t)
+ domtrans_pattern($1, setfiles_exec_t, setfiles_t)
 ')
 ########################################
@@ -550,7 +550,7 @@ interface(`seutil_exec_setfiles',`
 files_search_usr($1)
 corecmd_search_bin($1)
- can_exec($1,setfiles_exec_t)
+ can_exec($1, setfiles_exec_t)
 ')
 ########################################
@@ -610,8 +610,8 @@ interface(`seutil_read_config',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir list_dir_perms;
- read_files_pattern($1,selinux_config_t,selinux_config_t)
- read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
 ########################################
@@ -632,7 +632,7 @@ interface(`seutil_rw_config',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir list_dir_perms;
- rw_files_pattern($1,selinux_config_t,selinux_config_t)
+ rw_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
 #######################################
@@ -680,8 +680,8 @@ interface(`seutil_manage_config',`
 ')
 files_search_etc($1)
- manage_files_pattern($1,selinux_config_t,selinux_config_t)
- read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
+ manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
 #######################################
@@ -721,7 +721,7 @@ interface(`seutil_search_default_contexts',`
 ')
 files_search_etc($1)
- search_dirs_pattern($1,selinux_config_t,default_context_t)
+ search_dirs_pattern($1, selinux_config_t, default_context_t)
 ')
 ########################################
@@ -743,7 +743,7 @@ interface(`seutil_read_default_contexts',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
 allow $1 default_context_t:dir list_dir_perms;
- read_files_pattern($1,default_context_t,default_context_t)
+ read_files_pattern($1, default_context_t, default_context_t)
 ')
 ########################################
@@ -763,7 +763,7 @@ interface(`seutil_manage_default_contexts',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- manage_files_pattern($1,default_context_t,default_context_t)
+ manage_files_pattern($1, default_context_t, default_context_t)
 ')
 ########################################
@@ -784,7 +784,7 @@ interface(`seutil_read_file_contexts',`
 files_search_etc($1)
 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- read_files_pattern($1,file_context_t,file_context_t)
+ read_files_pattern($1, file_context_t, file_context_t)
 ')
 ########################################
@@ -824,7 +824,7 @@ interface(`seutil_rw_file_contexts',`
 files_search_etc($1)
 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- rw_files_pattern($1,file_context_t,file_context_t)
+ rw_files_pattern($1, file_context_t, file_context_t)
 ')
 ########################################
@@ -845,7 +845,7 @@ interface(`seutil_manage_file_contexts',`
 files_search_etc($1)
 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- manage_files_pattern($1,file_context_t,file_context_t)
+ manage_files_pattern($1, file_context_t, file_context_t)
 ')
 ########################################
@@ -865,7 +865,7 @@ interface(`seutil_read_bin_policy',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- read_files_pattern($1,policy_config_t,policy_config_t)
+ read_files_pattern($1, policy_config_t, policy_config_t)
 ')
 ########################################
@@ -886,8 +886,8 @@ interface(`seutil_create_bin_policy',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- create_files_pattern($1,policy_config_t,policy_config_t)
- write_files_pattern($1,policy_config_t,policy_config_t)
+ create_files_pattern($1, policy_config_t, policy_config_t)
+ write_files_pattern($1, policy_config_t, policy_config_t)
 # typeattribute $1 can_write_binary_policy;
 ')
@@ -930,7 +930,7 @@ interface(`seutil_manage_bin_policy',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- manage_files_pattern($1,policy_config_t,policy_config_t)
+ manage_files_pattern($1, policy_config_t, policy_config_t)
 typeattribute $1 can_write_binary_policy;
 ')
@@ -950,8 +950,8 @@ interface(`seutil_read_src_policy',`
 ')
 files_search_etc($1)
- list_dirs_pattern($1,selinux_config_t,policy_src_t)
- read_files_pattern($1,policy_src_t,policy_src_t)
+ list_dirs_pattern($1, selinux_config_t, policy_src_t)
+ read_files_pattern($1, policy_src_t, policy_src_t)
 ')
 ########################################
@@ -973,8 +973,8 @@ interface(`seutil_manage_src_policy',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- manage_dirs_pattern($1,policy_src_t,policy_src_t)
- manage_files_pattern($1,policy_src_t,policy_src_t)
+ manage_dirs_pattern($1, policy_src_t, policy_src_t)
+ manage_files_pattern($1, policy_src_t, policy_src_t)
 ')
 ########################################
@@ -994,7 +994,7 @@ interface(`seutil_domtrans_semanage',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domtrans_pattern($1,semanage_exec_t,semanage_t)
+ domtrans_pattern($1, semanage_exec_t, semanage_t)
 ')
 ########################################
@@ -1043,9 +1043,9 @@ interface(`seutil_manage_module_store',`
 ')
 files_search_etc($1)
- manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
- manage_files_pattern($1,semanage_store_t,semanage_store_t)
- filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
+ manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir)
 ')
 #######################################
@@ -1064,7 +1064,7 @@ interface(`seutil_get_semanage_read_lock',`
 ')
 files_search_etc($1)
- rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
+ rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
 ')
 #######################################
@@ -1083,7 +1083,7 @@ interface(`seutil_get_semanage_trans_lock',`
 ')
 files_search_etc($1)
- rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
+ rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t)
 ')
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 7815d4b..f706ef0 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -44,12 +44,12 @@ files_type(file_context_t)
 type load_policy_t;
 type load_policy_exec_t;
-application_domain(load_policy_t,load_policy_exec_t)
+application_domain(load_policy_t, load_policy_exec_t)
 role system_r types load_policy_t;
 type newrole_t;
 type newrole_exec_t;
-application_domain(newrole_t,newrole_exec_t)
+application_domain(newrole_t, newrole_exec_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
 domain_interactive_fd(newrole_t)
@@ -73,7 +73,7 @@ files_type(policy_src_t)
 type restorecond_t;
 type restorecond_exec_t;
-init_daemon_domain(restorecond_t,restorecond_exec_t)
+init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
 role system_r types restorecond_t;
@@ -82,13 +82,13 @@ files_pid_file(restorecond_var_run_t)
 type run_init_t;
 type run_init_exec_t;
-application_domain(run_init_t,run_init_exec_t)
+application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
 role system_r types run_init_t;
 type semanage_t;
 type semanage_exec_t;
-application_domain(semanage_t,semanage_exec_t)
+application_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 role system_r types semanage_t;
@@ -106,7 +106,7 @@ files_type(semanage_trans_lock_t)
 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 type setfiles_exec_t alias restorecon_exec_t;
-init_system_domain(setfiles_t,setfiles_exec_t)
+init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
 ########################################
@@ -117,14 +117,14 @@ domain_obj_id_change_exemption(setfiles_t)
 allow checkpolicy_t self:capability dac_override;
 # able to create and modify binary policy files
-manage_files_pattern(checkpolicy_t,policy_config_t,policy_config_t)
+manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
 # allow test policies to be created in src directories
-filetrans_add_pattern(checkpolicy_t,policy_src_t,policy_config_t,file)
+filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
 # only allow read of policy source files
-read_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
-read_lnk_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
+read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
 domain_use_interactive_fds(checkpolicy_t)
@@ -219,8 +219,8 @@ allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-read_files_pattern(newrole_t,default_context_t,default_context_t)
-read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
+read_files_pattern(newrole_t, default_context_t, default_context_t)
+read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
@@ -307,7 +307,7 @@ allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
-files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
+files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index b204eb8..dea7f55 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -18,6 +18,6 @@ interface(`setrans_translate_context',`
 allow $1 self:unix_stream_socket create_stream_socket_perms;
 allow $1 setrans_t:context translate;
- stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t)
+ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
 files_list_pids($1)
 ')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2ddabe1..e73af1d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -22,11 +22,11 @@ files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)
 ifdef(`enable_mcs',`
- init_ranged_daemon_domain(setrans_t, setrans_exec_t,s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
 ')
 ifdef(`enable_mls',`
- init_ranged_daemon_domain(setrans_t, setrans_exec_t,mls_systemhigh)
+ init_ranged_daemon_domain(setrans_t, setrans_exec_t, mls_systemhigh)
 ')
 ########################################
@@ -45,9 +45,9 @@ can_exec(setrans_t, setrans_exec_t)
 corecmd_search_bin(setrans_t)
 # create unix domain socket in /var
-manage_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t)
-manage_sock_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t)
-files_pid_filetrans(setrans_t,setrans_var_run_t,file)
+manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+files_pid_filetrans(setrans_t, setrans_var_run_t, file)
 kernel_read_kernel_sysctls(setrans_t)
 kernel_read_proc_symlinks(setrans_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index e2eb2fe..a0cd508 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -305,7 +305,7 @@ interface(`sysnet_etc_filetrans_config',`
 type net_conf_t;
 ')
- files_etc_filetrans($1,net_conf_t,file)
+ files_etc_filetrans($1, net_conf_t, file)
 ')
 #######################################
@@ -426,7 +426,7 @@ interface(`sysnet_exec_ifconfig',`
 ')
 corecmd_search_bin($1)
- can_exec($1,ifconfig_exec_t)
+ can_exec($1, ifconfig_exec_t)
 ')
 ########################################
@@ -464,7 +464,7 @@ interface(`sysnet_read_dhcp_config',`
 ')
 files_search_etc($1)
- read_files_pattern($1,dhcp_etc_t,dhcp_etc_t)
+ read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
 ')
 ########################################
@@ -522,7 +522,7 @@ interface(`sysnet_dhcp_state_filetrans',`
 ')
 files_search_var_lib($1)
- filetrans_pattern($1,dhcp_state_t,$2,$3)
+ filetrans_pattern($1, dhcp_state_t, $2, $3)
 ')
 ########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1fcc896..86a860f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -17,7 +17,7 @@ files_type(dhcp_state_t)
 type dhcpc_t;
 type dhcpc_exec_t;
-init_daemon_domain(dhcpc_t,dhcpc_exec_t)
+init_daemon_domain(dhcpc_t, dhcpc_exec_t)
 role system_r types dhcpc_t;
 type dhcpc_state_t;
@@ -53,24 +53,24 @@ allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
-read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
-exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
+read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
-filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
+manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
+filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 # create pid file
-manage_files_pattern(dhcpc_t,dhcpc_var_run_t,dhcpc_var_run_t)
-files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)
+manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
 allow dhcpc_t net_conf_t:file manage_file_perms;
-files_etc_filetrans(dhcpc_t,net_conf_t,file)
+files_etc_filetrans(dhcpc_t, net_conf_t, file)
 # create temp files
-manage_dirs_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
-manage_files_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
+manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 can_exec(dhcpc_t, dhcpc_exec_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 324001a..ba1536c 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -9,11 +9,11 @@ policy_module(udev, 1.10.2)
 type udev_t;
 type udev_exec_t;
 type udev_helper_exec_t;
-kernel_domtrans_to(udev_t,udev_exec_t)
+kernel_domtrans_to(udev_t, udev_exec_t)
 domain_obj_id_change_exemption(udev_t)
-domain_entry_file(udev_t,udev_helper_exec_t)
+domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
-init_daemon_domain(udev_t,udev_exec_t)
+init_daemon_domain(udev_t, udev_exec_t)
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
@@ -25,8 +25,8 @@ type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 ifdef(`enable_mcs',`
- kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh)
- init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh)
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
 ')
 ########################################
@@ -62,11 +62,11 @@ allow udev_t udev_etc_t:file read_file_perms;
 # create udev database in /dev/.udevdb
 allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t,udev_tbl_t,file)
+dev_filetrans(udev_t, udev_tbl_t, file)
-manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
-manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
-files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
+manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 kernel_read_system_state(udev_t)
 kernel_getattr_core_if(udev_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 2d4c440..5533ca1 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -188,7 +188,7 @@ interface(`unconfined_domtrans',`
 type unconfined_t, unconfined_exec_t;
 ')
- domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+ domtrans_pattern($1, unconfined_exec_t, unconfined_t)
 ')
 ########################################
@@ -230,7 +230,7 @@ interface(`unconfined_shell_domtrans',`
 type unconfined_t;
 ')
- corecmd_shell_domtrans($1,unconfined_t)
+ corecmd_shell_domtrans($1, unconfined_t)
 allow unconfined_t $1:fd use;
 allow unconfined_t $1:fifo_file rw_file_perms;
 allow unconfined_t $1:process sigchld;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 877ecb7..8634334 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2512,7 +2512,7 @@ interface(`userdom_spec_domtrans_all_users',`
 attribute userdomain;
 ')
- corecmd_shell_spec_domtrans($1,userdomain)
+ corecmd_shell_spec_domtrans($1, userdomain)
 allow userdomain $1:fd use;
 allow userdomain $1:fifo_file rw_file_perms;
 allow userdomain $1:process sigchld;
@@ -2535,7 +2535,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
 attribute userdomain;
 ')
- xserver_xsession_spec_domtrans($1,userdomain)
+ xserver_xsession_spec_domtrans($1, userdomain)
 allow userdomain $1:fd use;
 allow userdomain $1:fifo_file rw_file_perms;
 allow userdomain $1:process sigchld;
@@ -2558,7 +2558,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 attribute unpriv_userdomain;
 ')
- corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+ corecmd_shell_spec_domtrans($1, unpriv_userdomain)
 allow unpriv_userdomain $1:fd use;
 allow unpriv_userdomain $1:fifo_file rw_file_perms;
 allow unpriv_userdomain $1:process sigchld;
@@ -2581,7 +2581,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 attribute unpriv_userdomain;
 ')
- xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
 allow unpriv_userdomain $1:fd use;
 allow unpriv_userdomain $1:fifo_file rw_file_perms;
 allow unpriv_userdomain $1:process sigchld;
@@ -2641,7 +2641,7 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
 attribute unpriv_userdomain;
 ')
- corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+ corecmd_bin_spec_domtrans($1, unpriv_userdomain)
 allow unpriv_userdomain $1:fd use;
 allow unpriv_userdomain $1:fifo_file rw_file_perms;
 allow unpriv_userdomain $1:process sigchld;
@@ -2664,7 +2664,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 attribute unpriv_userdomain;
 ')
- domain_entry_file_spec_domtrans($1,unpriv_userdomain)
+ domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 allow unpriv_userdomain $1:fd use;
 allow unpriv_userdomain $1:fifo_file rw_file_perms;
 allow unpriv_userdomain $1:process sigchld;
@@ -2850,7 +2850,7 @@ interface(`userdom_read_all_users_state',`
 attribute userdomain;
 ')
- read_files_pattern($1,userdomain,userdomain)
+ read_files_pattern($1, userdomain, userdomain)
 kernel_search_proc($1)
 ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 504f26a..cb0d512 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -11,28 +11,28 @@ policy_module(userdomain, 4.1.3) ## Allow users to connect to mysql ##

## -gen_tunable(allow_user_mysql_connect,false) +gen_tunable(allow_user_mysql_connect, false) ## ##

## Allow users to connect to PostgreSQL ##

##
-gen_tunable(allow_user_postgresql_connect,false) +gen_tunable(allow_user_postgresql_connect, false) ## ##

## Allow regular users direct mouse access ##

##
-gen_tunable(user_direct_mouse,false) +gen_tunable(user_direct_mouse, false) ## ##

## Allow users to read system messages. ##

##
-gen_tunable(user_dmesg,false) +gen_tunable(user_dmesg, false) ## ##

@@ -40,14 +40,14 @@ gen_tunable(user_dmesg,false) ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

##
-gen_tunable(user_rw_noexattrfile,false) +gen_tunable(user_rw_noexattrfile, false) ## ##

## Allow w to display everyone ##

##
-gen_tunable(user_ttyfile_stat,false)
+gen_tunable(user_ttyfile_stat, false)
 # all user domains
 attribute userdomain;
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 6c8640e..0b1878c 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -15,7 +15,7 @@ interface(`xen_domtrans',`
 type xend_t, xend_exec_t;
 ')
- domtrans_pattern($1,xend_exec_t,xend_t)
+ domtrans_pattern($1, xend_exec_t, xend_t)
 ')
 ########################################
@@ -91,7 +91,7 @@ interface(`xen_append_log',`
 ')
 logging_search_logs($1)
- append_files_pattern($1,xend_var_log_t,xend_var_log_t)
+ append_files_pattern($1, xend_var_log_t, xend_var_log_t)
 dontaudit $1 xend_var_log_t:file write;
 ')
@@ -112,8 +112,8 @@ interface(`xen_manage_log',`
 ')
 logging_search_logs($1)
- manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t)
- manage_files_pattern($1,xend_var_log_t,xend_var_log_t)
+ manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
+ manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
 ')
 ########################################
@@ -133,7 +133,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
 type xend_t;
 ')
- dontaudit $1 xend_t:unix_stream_socket { read write };
+ dontaudit $1 xend_t:unix_stream_socket { read write };
 ')
 ########################################
@@ -152,7 +152,7 @@ interface(`xen_stream_connect_xenstore',`
 ')
 files_search_pids($1)
- stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
 ')
 ########################################
@@ -171,7 +171,7 @@ interface(`xen_stream_connect',`
 ')
 files_search_pids($1)
- stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
+ stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
 ')
 ########################################
@@ -189,5 +189,5 @@ interface(`xen_domtrans_xm',`
 type xm_t, xm_exec_t;
 ')
- domtrans_pattern($1,xm_exec_t,xm_t)
+ domtrans_pattern($1, xm_exec_t, xm_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 1de4131..155ef1b 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -46,7 +46,7 @@ files_pid_file(xend_var_run_t)
 type xenstored_t;
 type xenstored_exec_t;
 domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
+domain_entry_file(xenstored_t, xenstored_exec_t)
 role system_r types xenstored_t;
 # var/lib files
@@ -60,7 +60,7 @@ files_pid_file(xenstored_var_run_t)
 type xenconsoled_t;
 type xenconsoled_exec_t;
 domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+domain_entry_file(xenconsoled_t, xenconsoled_exec_t)
 role system_r types xenconsoled_t;
 # pid files
@@ -90,37 +90,37 @@ allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 allow xend_t xen_image_t:dir list_dir_perms;
-manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)
-manage_files_pattern(xend_t,xen_image_t,xen_image_t)
-read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
-rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
+manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+manage_files_pattern(xend_t, xen_image_t, xen_image_t)
+read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
+rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
 allow xend_t xenctl_t:fifo_file manage_file_perms;
 dev_filetrans(xend_t, xenctl_t, fifo_file)
-manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-manage_dirs_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
 files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
 # pid file
 allow xend_t xend_var_run_t:dir setattr;
-manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
+manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file })
 # log files
 allow xend_t xend_var_log_t:dir setattr;
-manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
-manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
-logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir })
 # var/lib files for xend
-manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
-manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
-manage_sock_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
-manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
-files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir })
 # transition to store
 domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
@@ -171,7 +171,7 @@ files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
 files_read_kernel_img(xend_t)
 files_manage_etc_runtime_files(xend_t)
-files_etc_filetrans_etc_runtime(xend_t,file)
+files_etc_filetrans_etc_runtime(xend_t, file)
 files_read_usr_files(xend_t)
 storage_raw_read_fixed_disk(xend_t)
@@ -223,9 +223,9 @@ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
 # pid file
-manage_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t)
-manage_sock_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t)
-files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
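Review bot: Three calls in xen.te still have no space before the brace set, so the comma normalisation applied everywhere else is incomplete: `logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir })` and `files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir })` in the `@@ -90,37` hunk, and `files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file })` in the later `@@ -261,15` hunk. They should end in `xend_var_log_t, { sock_file file dir })`, `xend_var_lib_t, { file dir })` and `xenstored_var_lib_t, { file dir sock_file })`, matching the neighbouring `files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })`. m4 discards unquoted leading whitespace in macro arguments, so the added spaces should not alter the expanded rules; for a sweep this wide over security policy, comparing the compiled policy before and after would confirm that.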
@@ -239,7 +239,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
-term_create_pty(xenconsoled_t,xen_devpts_t)
+term_create_pty(xenconsoled_t, xen_devpts_t)
 term_use_generic_ptys(xenconsoled_t)
 term_use_console(xenconsoled_t)
@@ -261,15 +261,15 @@ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 # pid file
-manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
-manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
-files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
+manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
 # var/lib files for xenstored
-manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
-manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
-manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
-files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file })
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
@@ -310,8 +310,8 @@ allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xm_t self:tcp_socket create_stream_socket_perms;
-manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
-manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 files_search_var_lib(xm_t)
 allow xm_t xen_image_t:dir rw_dir_perms;