diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 2b55c85..26de57a 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -446,9 +446,7 @@ interface(`hal_manage_pid_files',` # interface(`hal_dontaudit_leaks',` gen_require(` - type hald_log_t; - type hald_t; - type hald_var_run_t; + type hald_log_t, hald_t, hald_var_run_t; ') dontaudit $1 hald_t:fd use; diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if index 684bb0a..7665429 100644 --- a/policy/modules/services/ifplugd.if +++ b/policy/modules/services/ifplugd.if @@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',` # interface(`ifplugd_admin',` gen_require(` - type ifplugd_t, ifplugd_etc_t; - type ifplugd_var_run_t, ifplugd_initrc_exec_t; + type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; + type ifplugd_initrc_exec_t; ') allow $1 ifplugd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index 31eb768..2f3d8dc 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -198,8 +198,8 @@ interface(`inn_domtrans',` interface(`inn_admin',` gen_require(` type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t; - type innd_var_run_t, innd_initrc_exec_t; + type news_spool_t, innd_var_lib_t, innd_var_run_t; + type innd_initrc_exec_t; ') allow $1 innd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if index cde3591..9167dc9 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if @@ -113,8 +113,7 @@ interface(`jabberd_manage_lib_files',` interface(`jabber_admin',` gen_require(` type jabberd_t, jabberd_log_t, jabberd_var_lib_t; - type jabberd_var_run_t, jabberd_initrc_exec_t; - type jabberd_router_t; + type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t; ') allow $1 jabberd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index f7d4b6d..8c72504 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',` # interface(`kerberos_use',` gen_require(` - type krb5_conf_t, krb5kdc_conf_t; - type krb5_host_rcache_t; + type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t; ') files_search_etc($1) @@ -338,9 +337,8 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t; + type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; type krb5kdc_var_run_t, krb5_host_rcache_t; - type kpropd_t; ') allow $1 kadmind_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if index 241f7e7..8fbac8d 100644 --- a/policy/modules/services/kerneloops.if +++ b/policy/modules/services/kerneloops.if @@ -12,8 +12,7 @@ # interface(`kerneloops_domtrans',` gen_require(` - type kerneloops_t; - type kerneloops_exec_t; + type kerneloops_t, kerneloops_exec_t; ') domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) @@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; + type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') allow $1 kerneloops_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if index 40a9405..b733e45 100644 --- a/policy/modules/services/ksmtuned.if +++ b/policy/modules/services/ksmtuned.if @@ -55,8 +55,7 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t; + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') allow $1 ksmtuned_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if index c0513fa..a296134 100644 --- a/policy/modules/services/lircd.if +++ b/policy/modules/services/lircd.if @@ -75,8 +75,8 @@ interface(`lircd_read_config',` # interface(`lircd_admin',` gen_require(` - type lircd_t, lircd_var_run_t; - type lircd_initrc_exec_t, lircd_etc_t; + type lircd_t, lircd_var_run_t, lircd_etc_t; + type lircd_initrc_exec_t; ') allow $1 lircd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index 513a070..d3f81b6 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -12,8 +12,7 @@ # interface(`memcached_domtrans',` gen_require(` - type memcached_t; - type memcached_exec_t; + type memcached_t, memcached_exec_t; ') domtrans_pattern($1, memcached_exec_t, memcached_t) @@ -57,9 +56,7 @@ interface(`memcached_read_pid_files',` # interface(`memcached_admin',` gen_require(` - type memcached_t; - type memcached_initrc_exec_t; - type memcached_var_run_t; + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') allow $1 memcached_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if index 4b0002a..5fe54b1 100644 --- a/policy/modules/services/mock.if +++ b/policy/modules/services/mock.if @@ -223,8 +223,7 @@ interface(`mock_signal',` # interface(`mock_admin',` gen_require(` - type mock_t; - type mock_var_lib_t; + type mock_t, mock_var_lib_t; ') allow $1 mock_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if index cf7968d..b8bf562 100644 --- a/policy/modules/services/mojomojo.if +++ b/policy/modules/services/mojomojo.if @@ -19,10 +19,9 @@ # interface(`mojomojo_admin',` gen_require(` - type httpd_mojomojo_script_t; - type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; - type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t; - type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; + type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; + type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; + type httpd_mojomojo_script_exec_t; ') allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 03ab1cd..62f2179 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -239,12 +239,8 @@ interface(`mpd_manage_lib_dirs',` # interface(`mpd_admin',` gen_require(` - type mpd_t; - type mpd_initrc_exec_t; - type mpd_etc_t; - type mpd_data_t; - type mpd_log_t; - type mpd_var_lib_t; + type mpd_t, mpd_initrc_exec_t, mpd_etc_t; + type mpd_data_t, mpd_log_t, mpd_var_lib_t; type mpd_tmpfs_t; ') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 4d1401d..02ba876 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -361,9 +361,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` - attribute mta_user_agent; + attribute mta_user_agent, mta_exec_type; type system_mail_t; - attribute mta_exec_type; ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if index 4d06f74..8b1dcf9 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -180,8 +180,7 @@ interface(`munin_admin',` gen_require(` type munin_t, munin_etc_t, munin_tmp_t; type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t; - type munin_initrc_exec_t; + type httpd_munin_content_t, munin_initrc_exec_t; ') allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index 6df118b..4d3b208 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -330,10 +330,9 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` - type mysqld_t, mysqld_var_run_t; - type mysqld_tmp_t, mysqld_db_t; - type mysqld_etc_t, mysqld_log_t; - type mysqld_initrc_exec_t; + type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_etc_t; ') allow $1 mysqld_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index d25b1b1..55e1f6b 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if @@ -13,8 +13,7 @@ # template(`nagios_plugin_template',` gen_require(` - type nagios_t, nrpe_t; - type nagios_log_t; + type nagios_t, nrpe_t, nagios_log_t; ') type nagios_$1_plugin_t; @@ -213,11 +212,9 @@ interface(`nagios_domtrans_nrpe',` # interface(`nagios_admin',` gen_require(` - type nagios_t, nrpe_t; - type nagios_tmp_t, nagios_log_t; - type nagios_etc_t, nrpe_etc_t; - type nagios_spool_t, nagios_var_run_t; - type nagios_initrc_exec_t; + type nagios_t, nrpe_t, nagios_initrc_exec_t; + type nagios_tmp_t, nagios_log_t, nagios_var_run_t; + type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if index d060ea7..995a6cb 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -335,10 +335,10 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; + type ypbind_t, yppasswdd_t, ypserv_t; type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ') allow $1 ypbind_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if index 2a55401..44c60ea 100644 --- a/policy/modules/services/nslcd.if +++ b/policy/modules/services/nslcd.if @@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',` # interface(`nslcd_admin',` gen_require(` - type nslcd_t, nslcd_initrc_exec_t; - type nslcd_conf_t, nslcd_var_run_t; + type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; + type nslcd_conf_t; ') ps_process_pattern($1, nslcd_t) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 6b240d9..694b002 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -140,8 +140,7 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_run_t; - type ntpd_initrc_exec_t; + type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; ') allow $1 ntpd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if index 5a14c62..52f47b4 100644 --- a/policy/modules/services/pads.if +++ b/policy/modules/services/pads.if @@ -27,8 +27,8 @@ # interface(`pads_admin',` gen_require(` - type pads_t, pads_config_t; - type pads_var_run_t, pads_initrc_exec_t; + type pads_t, pads_config_t, pads_initrc_exec_t; + type pads_var_run_t; ') allow $1 pads_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if index 7f2bbc6..9c4717b 100644 --- a/policy/modules/services/passenger.if +++ b/policy/modules/services/passenger.if @@ -12,8 +12,7 @@ # interface(`passenger_domtrans',` gen_require(` - type passenger_t; - type passenger_exec_t; + type passenger_t, passenger_exec_t; ') allow $1 self:capability { fowner fsetid }; diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if index 2e6ce68..1bfd8d2 100644 --- a/policy/modules/services/pingd.if +++ b/policy/modules/services/pingd.if @@ -76,8 +76,8 @@ interface(`pingd_manage_config',` # interface(`pingd_admin',` gen_require(` - type pingd_t, pingd_etc_t; - type pingd_initrc_exec_t, pingd_modules_t; + type pingd_t, pingd_etc_t, pingd_modules_t; + type pingd_initrc_exec_t; ') allow $1 pingd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if index d91c1f5..7f6e277 100644 --- a/policy/modules/services/portreserve.if +++ b/policy/modules/services/portreserve.if @@ -101,8 +101,8 @@ interface(`portreserve_manage_config',` # interface(`portreserve_admin', ` gen_require(` - type portreserve_t, portreserve_etc_t; - type portreserve_initrc_exec_t, portreserve_var_run_t; + type portreserve_t, portreserve_etc_t, portreserve_var_run_t; + type portreserve_initrc_exec_t; ') allow $1 portreserve_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index ea9aef2..b220a9c 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -680,16 +680,12 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin', ` gen_require(` + attribute postfix_spool_type; type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; - type postfix_smtpd_t; - - attribute postfix_spool_type; - type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; - type postfix_var_run_t; - type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + type postfix_smtpd_t, postfix_var_run_t; ') allow $1 postfix_bounce_t:process { ptrace signal_perms };