diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index 33faf8b..b3a0541 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -100,7 +100,7 @@ allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
-allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 112dc77..8d7e14e 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 4aef864..dbfd0a6 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 1a65b5e..1c87fb3 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index ae2656a..bf47a16 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
policy_module(clamav, 1.8.1)
## <desc>
-## <p>
-## Allow clamd to use JIT compiler
-## </p>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
@@ -150,7 +150,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
allow clamscan_t self:process execmem;
-', `
+',`
dontaudit clamd_t self:process execmem;
dontaudit clamscan_t self:process execmem;
')
@@ -226,7 +226,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
-', `
+',`
dontaudit freshclam_t self:process execmem;
')
diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
index 6077339..b1edc92 100644
--- a/policy/modules/services/clogd.te
+++ b/policy/modules/services/clogd.te
@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
-
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
index bb7d429..9b581ae 100644
--- a/policy/modules/services/cmirrord.te
+++ b/policy/modules/services/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord,1.0.0)
+policy_module(cmirrord, 1.0.0)
########################################
#
@@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
allow cmirrord_t self:capability { net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process signal;
-
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
@@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t)
miscfiles_read_localization(cmirrord_t)
optional_policy(`
- corosync_stream_connect(cmirrord_t)
+ corosync_stream_connect(cmirrord_t)
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 6a6d7d7..c4d678b 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0)
#
## <desc>
-## <p>
-## Allow Cobbler to modify public files
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
-
+
## <desc>
-## <p>
-## Allow Cobbler to connect to the
-## network using TCP.
-## </p>
+## <p>
+## Allow Cobbler to connect to the
+## network using TCP.
+## </p>
## </desc>
gen_tunable(cobbler_can_network_connect, false)
## <desc>
-## <p>
-## Allow Cobbler to access cifs file systems.
-## </p>
+## <p>
+## Allow Cobbler to access cifs file systems.
+## </p>
## </desc>
gen_tunable(cobbler_use_cifs, false)
## <desc>
-## <p>
-## Allow Cobbler to access nfs file systems.
-## </p>
+## <p>
+## Allow Cobbler to access nfs file systems.
+## </p>
## </desc>
gen_tunable(cobbler_use_nfs, false)
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index cc2058b..16c0746 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -113,7 +113,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(consolekit_t)
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index eb079a2..6dfdc3f 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
#
## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
## </desc>
gen_tunable(fcron_crond, false)
@@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@@ -251,7 +251,7 @@ ifdef(`distro_debian',`
')
')
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@@ -268,8 +268,8 @@ optional_policy(`
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
@@ -287,7 +287,7 @@ optional_policy(`
mono_domtrans(crond_t)
')
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t system_cron_spool_t:file manage_file_perms;
')
@@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
allow crond_t system_cron_spool_t:file manage_file_perms;
@@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 6160cea..4dd87b8 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 9e8d14b..0216eb4 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
#
## <desc>
-## <p>
-## Allow cvs daemon to read shadow
-## </p>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow, false)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c725cae..d9416fc 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -152,7 +152,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index d53ee7e..b10da2c 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -77,5 +77,5 @@ optional_policy(`
')
optional_policy(`
- gnome_dontaudit_search_config(denyhosts_t)
+ gnome_dontaudit_search_config(denyhosts_t)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 6cee08f..58416a0 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -309,4 +309,3 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 64bc566..aff2296 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -164,8 +164,8 @@ optional_policy(`
')
optional_policy(`
- postfix_manage_private_sockets(dovecot_t)
- postfix_search_spool(dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
optional_policy(`
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 6c819a3..18c3c33 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
#
## <desc>
-## <p>
-## Allow exim to connect to databases (postgres, mysql)
-## </p>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
-## <p>
-## Allow exim to read unprivileged user files.
-## </p>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
-## <p>
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
-## </p>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
@@ -174,7 +174,7 @@ optional_policy(`
')
optional_policy(`
- nagios_search_spool(exim_t)
+ nagios_search_spool(exim_t)
')
optional_policy(`
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index e09b9df..7c5bf19 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -94,7 +94,7 @@ optional_policy(`
')
optional_policy(`
- gnome_dontaudit_search_config(fail2ban_t)
+ gnome_dontaudit_search_config(fail2ban_t)
')
optional_policy(`
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 6033c3b..37de4be 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
#
## <desc>
-## <p>
-## Allow ftp servers to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)
## <desc>
-## <p>
-## Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)
## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
-## <p>
-## Allow ftp servers to use connect to mysql database
-## </p>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
## <desc>
-## <p>
-## Allow anon internal-sftp to upload files, used for
-## public file transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
-## <p>
-## Allow sftp-internal to read and write files
-## in the user home directories
-## </p>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
-## <p>
-## Allow sftp-internal to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
## <desc>
-## <p>
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-## </p>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)
@@ -181,7 +181,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-', `
- # Needed for permissive mode, to make sure everything gets labeled correctly
- userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
- files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -400,6 +400,7 @@ userdom_use_user_terminals(ftpdctl_t)
#
# sftpd local policy
#
+
files_read_etc_files(sftpd_t)
# allow read access to /home by default
@@ -408,13 +409,13 @@ userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)
tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
+ ssh_manage_home_files(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs',`
@@ -424,9 +425,9 @@ tunable_policy(`sftpd_enable_homedirs',`
files_list_home(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_manage_user_home_content(sftpd_t)
-', `
- # Needed for permissive mode, to make sure everything gets labeled correctly
- userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index cf17085..cebb167 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,23 +1,23 @@
policy_module(git, 1.0.3)
## <desc>
-## <p>
-## Allow Git daemon system to search home directories.
-## </p>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)
## <desc>
-## <p>
-## Allow Git daemon system to access cifs file systems.
-## </p>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
## </desc>
gen_tunable(git_system_use_cifs, false)
## <desc>
-## <p>
-## Allow Git daemon system to access nfs file systems.
-## </p>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
## </desc>
gen_tunable(git_system_use_nfs, false)
@@ -51,10 +51,10 @@ typealias git_system_content_t alias git_data_t;
#
## <desc>
-## <p>
-## Allow Git daemon session to bind
-## tcp sockets to all unreserved ports.
-## </p>
+## <p>
+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.
+## </p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)
@@ -119,26 +119,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)
-tunable_policy(`git_system_enable_homedirs', `
+tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
')
-tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
-tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
-tunable_policy(`git_system_use_cifs', `
+tunable_policy(`git_system_use_cifs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
-tunable_policy(`git_system_use_nfs', `
+tunable_policy(`git_system_use_nfs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
@@ -156,17 +156,17 @@ userdom_search_user_home_dirs(git_session_t)
userdom_use_user_terminals(git_session_t)
-tunable_policy(`git_session_bind_all_unreserved_ports', `
+tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_sendrecv_generic_server_packets(git_session_t)
')
-tunable_policy(`use_nfs_home_dirs', `
+tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(git_session_t)
fs_read_nfs_files(git_session_t)
')
-tunable_policy(`use_samba_home_dirs', `
+tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(git_session_t)
fs_read_cifs_files(git_session_t)
')
@@ -189,4 +189,3 @@ optional_policy(`
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)
-
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index e72b063..b3fdcd5 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -316,7 +316,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(hald_t)
+ policykit_dbus_chat(hald_t)
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
@@ -333,7 +333,7 @@ optional_policy(`
optional_policy(`
shutdown_domtrans(hald_t)
-')
+')
optional_policy(`
udev_domtrans(hald_t)
@@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
optional_policy(`
- policykit_dbus_chat(hald_acl_t)
+ policykit_dbus_chat(hald_acl_t)
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
@@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
-# This is caused by a bug in hald and PolicyKit.
+# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
cron_read_system_job_lib_files(hald_t)
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index 267bb4c..1647fc4 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
-
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index 80befb0..6bf7cc3 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1)
#
## <desc>
-## <p>
-## Allow icecast to connect to all ports, not just
-## sound ports.
-## </p>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
## </desc>
gen_tunable(icecast_connect_any, false)
@@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 61ea05e..dc7dd01 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
#
# Declarations
#
+
type innd_t;
type innd_exec_t;
init_daemon_domain(innd_t, innd_exec_t)
@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
#
# Local policy
#
+
allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 975bbcd..5f8840f 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,4 +1,3 @@
-
policy_module(jabber, 1.8.0)
########################################
@@ -84,7 +83,7 @@ corenet_tcp_bind_jabber_router_port(jabberd_router_t)
corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
optional_policy(`
- kerberos_use(jabberd_router_t)
+ kerberos_use(jabberd_router_t)
')
########################################
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 4e39714..744e7d6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
#
## <desc>
-## <p>
-## Allow confined applications to run with kerberos.
-## </p>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
## </desc>
gen_tunable(allow_kerberos, false)
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index ffe035c..01adbed 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t)
term_use_all_terms(ksmtuned_t)
miscfiles_read_localization(ksmtuned_t)
-
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index ee5e345..10c2d54 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
-fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 2727020..1887c50 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
#
## <desc>
-## <p>
-## Use lpd server instead of cups
-## </p>
+## <p>
+## Use lpd server instead of cups
+## </p>
## </desc>
gen_tunable(use_lpd_server, false)
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 6ba48ff..f42a489 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -33,7 +33,6 @@ files_type(spamass_milter_state_t)
#
allow dkim_milter_t self:capability { kill setgid setuid };
-
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@@ -47,8 +46,8 @@ mta_read_config(dkim_milter_t)
########################################
#
# milter-greylist local policy
-# ensure smtp clients retry mail like real MTAs and not spamware
-# http://hcpnet.free.fr/milter-greylist/
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
# It removes any existing socket (not owned by root) whilst running as root,
@@ -76,8 +75,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
-# filter emails using regular expressions
-# http://www.benzedrine.cx/milter-regex.html
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
# It removes any existing socket (not owned by root) whilst running as root
@@ -96,8 +95,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
-# pipe emails through SpamAssassin
-# http://savannah.nongnu.org/projects/spamass-milt/
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
# The milter runs from /var/lib/spamass-milter
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
index 6f8fda5..b05a9cd 100644
--- a/policy/modules/services/mock.te
+++ b/policy/modules/services/mock.te
@@ -27,6 +27,7 @@ files_type(mock_var_lib_t)
#
# mock local policy
#
+
allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
dontaudit mock_t self:process { siginh noatsecure rlimitinh };
@@ -40,14 +41,14 @@ files_var_filetrans(mock_t, mock_cache_t, { dir file } )
manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
can_exec(mock_t, mock_tmp_t)
manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
can_exec(mock_t, mock_var_lib_t)
allow mock_t mock_var_lib_t:dir mounton;
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 71464f6..84bc8bb 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd,1.0.0)
+policy_module(mpd, 1.0.0)
########################################
#
@@ -41,7 +41,6 @@ files_type(mpd_var_lib_t)
#cjp: dac_override bug in mpd relating to mpd.log file
allow mpd_t self:capability { dac_override kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull };
-
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow mpd_t self:tcp_socket create_stream_socket_perms;
@@ -102,10 +101,10 @@ optional_policy(`
optional_policy(`
pulseaudio_exec(mpd_t)
- pulseaudio_stream_connect(mpd_t)
- pulseaudio_signull(mpd_t)
+ pulseaudio_stream_connect(mpd_t)
+ pulseaudio_signull(mpd_t)
')
optional_policy(`
- udev_read_db(mpd_t)
+ udev_read_db(mpd_t)
')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f99b9fc..36e64e9 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -93,7 +93,7 @@ optional_policy(`
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
')
')
@@ -194,7 +194,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
@@ -314,8 +314,6 @@ kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
-
-
optional_policy(`
# postfix needs this for newaliases
files_getattr_tmp_dirs(user_mail_domain)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 13d365d..6f8b0fd 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -193,7 +193,7 @@ optional_policy(`
# local policy for disk plugins
#
-allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5e96c0a..ac63be9 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
#
## <desc>
-## <p>
-## Allow mysqld to connect to all ports
-## </p>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
## </desc>
gen_tunable(mysql_connect_any, false)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 1029389..61a3920 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -141,6 +141,7 @@ optional_policy(`
#
# Nagios CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -268,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -321,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 6a174f5..6b54db7 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -5,9 +5,9 @@ gen_require(`
')
## <desc>
-## <p>
-## Allow confined applications to use nscd shared memory.
-## </p>
+## <p>
+## Allow confined applications to use nscd shared memory.
+## </p>
## </desc>
gen_tunable(nscd_use_shm, false)
@@ -146,6 +146,7 @@ optional_policy(`
samba_append_log(nscd_t)
samba_dontaudit_use_fds(nscd_t)
')
+
samba_read_config(nscd_t)
samba_read_var_files(nscd_t)
')