diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
index 7d6c5ec..2eee297 100644
--- a/policy/modules/services/ajaxterm.if
+++ b/policy/modules/services/ajaxterm.if
@@ -55,8 +55,7 @@ interface(`ajaxterm_initrc_domtrans',`
 #
 interface(`ajaxterm_admin',`
 gen_require(`
- type ajaxterm_t;
- type ajaxterm_initrc_exec_t;
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
 ')
 allow $1 ajaxterm_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 5509574..0a57cca 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,8 +13,7 @@
 #
 template(`apache_content_template',`
 gen_require(`
- attribute httpd_exec_scripts;
- attribute httpd_script_exec_type;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
 type httpd_t, httpd_suexec_t, httpd_log_t;
 type httpd_sys_content_t;
 ')
@@ -202,9 +201,8 @@ template(`apache_content_template',`
 interface(`apache_role',`
 gen_require(`
 attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
 ')
 role $1 types httpd_user_script_t;
@@ -985,8 +983,7 @@ interface(`apache_delete_sys_content_rw',`
 interface(`apache_domtrans_sys_script',`
 gen_require(`
 attribute httpdcontent;
- type httpd_sys_script_t;
- type httpd_sys_content_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
 ')
 tunable_policy(`httpd_enable_cgi',`
@@ -1318,14 +1315,11 @@ interface(`apache_cgi_domain',`
 #
 interface(`apache_admin',`
 gen_require(`
- attribute httpdcontent;
- attribute httpd_script_exec_type;
-
+ attribute httpdcontent, httpd_script_exec_type;
 type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t;
- type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
 type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t, httpd_bool_t;
 ')
 allow $1 httpd_t:process { getattr ptrace signal_perms };
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 00cc942..d3451b8 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
 #
 interface(`apcupsd_admin',`
 gen_require(`
- type apcupsd_t, apcupsd_tmp_t;
- type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t;
- type apcupsd_initrc_exec_t;
+ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
+ type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
 ')
 allow $1 apcupsd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index e51354d..11e1ba9 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -151,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
 #
 interface(`avahi_admin',`
 gen_require(`
- type avahi_t, avahi_var_run_t;
- type avahi_initrc_exec_t;
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
 ')
 allow $1 avahi_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 71f5514..b09ef44 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -380,10 +380,9 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 gen_require(`
 type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_run_t;
- type named_cache_t, named_zone_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
 type dnssec_t, ndc_t, named_keytab_t;
- type named_initrc_exec_t;
 ')
 allow $1 named_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 3ef711e..7c5d8c9 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -216,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 interface(`bluetooth_admin',`
 gen_require(`
 type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
 type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
 ')
 allow $1 bluetooth_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
index 2941673..fa9b95a 100644
--- a/policy/modules/services/boinc.if
+++ b/policy/modules/services/boinc.if
@@ -134,8 +134,7 @@ interface(`boinc_manage_var_lib',`
 #
 interface(`boinc_admin',`
 gen_require(`
- type boinc_t, boinc_initrc_exec_t;
- type boinc_var_lib_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
 ')
 allow $1 boinc_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
index 922c4ba..8280b28 100644
--- a/policy/modules/services/bugzilla.if
+++ b/policy/modules/services/bugzilla.if
@@ -57,10 +57,9 @@ interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
 #
 interface(`bugzilla_admin',`
 gen_require(`
- type httpd_bugzilla_script_t;
- type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
- type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
 ')
 allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index 535f3c8..2704e81 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 gen_require(`
 type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
 ')
 allow $1 certmaster_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 5a98145..49b5829 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -151,10 +151,9 @@ interface(`chronyd_append_keys',`
 #
 interface(`chronyd_admin',`
 gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_tmpfs_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t;
 ')
 allow $1 chronyd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 27061db..01b02f3 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -152,9 +152,8 @@ interface(`clamav_exec_clamscan',`
 interface(`clamav_admin',`
 gen_require(`
 type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
- type clamd_initrc_exec_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
 type freshclam_t, freshclam_var_log_t;
 ')
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
index 74ab2a1..f1bf7b1 100644
--- a/policy/modules/services/cmirrord.if
+++ b/policy/modules/services/cmirrord.if
@@ -67,8 +67,7 @@ interface(`cmirrord_read_pid_files',`
 #
 interface(`cmirrord_rw_shm',`
 gen_require(`
- type cmirrord_t;
- type cmirrord_tmpfs_t;
+ type cmirrord_t, cmirrord_tmpfs_t;
 ')
 allow $1 cmirrord_t:shm { rw_shm_perms destroy };
@@ -98,9 +97,7 @@ interface(`cmirrord_rw_shm',`
 #
 interface(`cmirrord_admin',`
 gen_require(`
- type cmirrord_t;
- type cmirrord_initrc_exec_t;
- type cmirrord_var_run_t;
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
 ')
 allow $1 cmirrord_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 3f74c12..7fcf2fb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -185,10 +185,8 @@ interface(`cobbler_dontaudit_rw_log',`
 interface(`cobblerd_admin',`
 gen_require(`
 type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
- type httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t;
- type httpd_cobbler_content_rw_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
 ')
 allow $1 cobblerd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 1fa68c0..3089b83 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -118,8 +118,7 @@ template(`cron_common_crontab_template',`
 interface(`cron_role',`
 gen_require(`
 type cronjob_t, crontab_t, crontab_exec_t;
- type user_cron_spool_t;
- type crond_t;
+ type user_cron_spool_t, crond_t;
 ')
 role $1 types { cronjob_t crontab_t };
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index fb3454a..777091a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -316,12 +316,10 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
 gen_require(`
 type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t;
- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
- type cupsd_var_run_t, ptal_etc_t;
- type ptal_var_run_t, hplip_var_run_t;
- type cupsd_initrc_exec_t;
- type hplip_etc_t;
+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
+ type ptal_var_run_t;
 ')
 allow $1 cupsd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index c43ff4c..5bf3e60 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -58,9 +58,8 @@ interface(`cvs_exec',`
 #
 interface(`cvs_admin',`
 gen_require(`
- type cvs_t, cvs_tmp_t;
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
 type cvs_data_t, cvs_var_run_t;
- type cvs_initrc_exec_t;
 ')
 allow $1 cvs_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index dd23fbd..8a75e58 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
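Review bot: In `cups_admin`, the regrouped `gen_require` block now puts types owned by different daemons on the same line (`type cupsd_etc_t, cupsd_log_t, hplip_etc_t;`) and ends with a lone `type ptal_var_run_t;`, which makes it harder to read off which domains' files this admin interface is allowed to manage. Declaration order inside `gen_require` should not affect the compiled policy, so this is a readability point for whoever audits the interface later. Grouping by owner, for example `type ptal_etc_t, ptal_var_run_t;` and `type hplip_etc_t, hplip_var_run_t;`, keeps the block about the same length. The body of `cups_admin` continues outside the hunk.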
@@ -41,9 +41,7 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 gen_require(`
 class dbus { send_msg acquire_svc };
-
- attribute dbusd_unconfined;
- attribute session_bus_type;
+ attribute dbusd_unconfined, session_bus_type;
 type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
 type $1_t;
 ')
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 0a1a61b..da508f4 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -64,8 +64,8 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 gen_require(`
 type ddclient_t, ddclient_etc_t, ddclient_log_t;
- type ddclient_var_t, ddclient_var_lib_t;
- type ddclient_var_run_t, ddclient_initrc_exec_t;
+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
+ type ddclient_var_run_t;
 ')
 allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index a40e01b..ee51a19 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -95,13 +95,9 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 interface(`dovecot_admin',`
 gen_require(`
 type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t, dovecot_tmp_t;
- type dovecot_var_log_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
- type dovecot_keytab_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
 ')
 allow $1 dovecot_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index e4261f5..38715b1 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
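Review bot: The `ddclient_admin` hunk does not shorten its `gen_require` block: it moves `ddclient_initrc_exec_t` up one line and leaves `type ddclient_var_run_t;` on its own, so the block is still three declaration lines and the change is churn with no consolidation. The `fail2ban_admin` hunk does the same with `fail2ban_initrc_exec_t`. Keeping the original `type ddclient_var_run_t, ddclient_initrc_exec_t;` (and `type fail2ban_var_run_t, fail2ban_initrc_exec_t;`) would shrink the diff that reviewers have to check for accidentally dropped types. Both interface bodies continue outside their hunks.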
@@ -175,8 +175,8 @@ interface(`fail2ban_dontaudit_leaks',`
 #
 interface(`fail2ban_admin',`
 gen_require(`
- type fail2ban_t, fail2ban_log_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t;
 ')
 allow $1 fail2ban_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 943219f..fa9251c 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -171,9 +171,8 @@ interface(`ftp_dyntrans_sftpd',`
 interface(`ftp_admin',`
 gen_require(`
 type ftpd_t, ftpdctl_t, ftpd_tmp_t;
- type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
 type ftpd_var_run_t, xferlog_t;
- type ftpd_initrc_exec_t;
 ')
 allow $1 ftpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 63742a3..c3d7d64 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -25,8 +25,7 @@
 #
 interface(`git_session_role',`
 gen_require(`
- type git_session_t, gitd_exec_t;
- type git_session_content_t;
+ type git_session_t, gitd_exec_t, git_session_content_t;
 ')
 ########################################
@@ -61,8 +60,7 @@ interface(`git_session_role',`
 template(`git_content_template',`
 gen_require(`
- attribute git_system_content;
- attribute git_content;
+ attribute git_system_content, git_content;
 ')
 ########################################