diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index 95c6dc3..b1446c9 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
#
##
-##
-## Allow varnishd to connect to all ports,
-## not just HTTP.
-##
+##
+## Allow varnishd to connect to all ports,
+## not just HTTP.
+##
##
gen_tunable(varnishd_connect_any, false)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index af8a03e..9930bcb 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,54 +4,55 @@ policy_module(virt, 1.4.0)
#
# Declarations
#
+
attribute virsh_transition_domain;
##
-##
-## Allow virt to use serial/parallell communication ports
-##
+##
+## Allow virt to use serial/parallell communication ports
+##
##
gen_tunable(virt_use_comm, false)
##
-##
-## Allow virt to read fuse files
-##
+##
+## Allow virt to read fuse files
+##
##
gen_tunable(virt_use_fusefs, false)
##
-##
-## Allow virt to manage nfs files
-##
+##
+## Allow virt to manage nfs files
+##
##
gen_tunable(virt_use_nfs, false)
##
-##
-## Allow virt to manage cifs files
-##
+##
+## Allow virt to manage cifs files
+##
##
gen_tunable(virt_use_samba, false)
##
-##
-## Allow virt to manage device configuration, (pci)
-##
+##
+## Allow virt to manage device configuration, (pci)
+##
##
gen_tunable(virt_use_sysfs, false)
##
-##
-## Allow virtual machine to interact with the xserver
-##
+##
+## Allow virtual machine to interact with the xserver
+##
##
gen_tunable(virt_use_xserver, false)
##
-##
-## Allow virt to use usb devices
-##
+##
+## Allow virt to use usb devices
+##
##
gen_tunable(virt_use_usb, true)
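Review bot: The tunable description re-indented in this hunk still reads `serial/parallell communication ports`; since the line is being rewritten anyway, it could become `## Allow virt to use serial/parallel communication ports`. The zebra.te hunk has the same kind of slip, where `Allow zebra daemon to write it configuration files` should read `its configuration files`. These descriptions are presumably what an administrator sees when listing the booleans, so the wording matters more than in an ordinary comment.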
@@ -205,7 +206,6 @@ optional_policy(`
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
-
allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -577,8 +577,6 @@ typealias virsh_exec_t alias xm_exec_t;
allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
allow virsh_t self:process { getcap getsched setcap signal };
-
-# internal communication is often done using fifo and unix sockets.
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow virsh_t self:tcp_socket create_stream_socket_perms;
@@ -646,7 +644,7 @@ optional_policy(`
optional_policy(`
vhostmd_rw_tmpfs_files(virsh_t)
- vhostmd_stream_connect(virsh_t)
+ vhostmd_stream_connect(virsh_t)
vhostmd_dontaudit_rw_stream_connect(virsh_t)
')
@@ -671,4 +669,3 @@ optional_policy(`
userdom_search_admin_dir(virsh_ssh_t)
')
-
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
index db526e6..d2bb9c8 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd,1.0.0)
+policy_module(vnstatd, 1.0.0)
########################################
#
@@ -24,13 +24,12 @@ cron_system_entry(vnstat_t, vnstat_exec_t)
# vnstatd local policy
#
allow vnstatd_t self:process { fork signal };
-
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
domain_use_interactive_fds(vnstatd_t)
@@ -45,13 +44,12 @@ miscfiles_read_localization(vnstatd_t)
# vnstat local policy
#
allow vnstat_t self:process { signal };
-
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
@@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t)
logging_send_syslog_msg(vnstat_t)
miscfiles_read_localization(vnstat_t)
-
-
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 29d5384..2c08270 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,44 +26,43 @@ gen_require(`
#
##
-##
-## Allows clients to write to the X server shared
-## memory segments.
-##
+##
+## Allows clients to write to the X server shared
+## memory segments.
+##
##
gen_tunable(allow_write_xshm, false)
##
-##
-## Allows XServer to execute writable memory
-##
+##
+## Allows XServer to execute writable memory
+##
##
gen_tunable(allow_xserver_execmem, false)
##
-##
-## Allow xdm logins as sysadm
-##
+##
+## Allow xdm logins as sysadm
+##
##
gen_tunable(xdm_sysadm_login, false)
##
-##
-## Support X userspace object manager
-##
+##
+## Support X userspace object manager
+##
##
gen_tunable(xserver_object_manager, false)
##
-##
-## Allow regular users direct dri device access
-##
+##
+## Allow regular users direct dri device access
+##
##
gen_tunable(user_direct_dri, false)
attribute xdmhomewriter;
attribute x_userdomain;
-
attribute x_domain;
# X Events
@@ -121,12 +120,12 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
type remote_t;
xserver_object_types_template(remote)
-xserver_common_x_domain_template(remote,remote_t)
+xserver_common_x_domain_template(remote, remote_t)
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
userdom_user_home_content(user_fonts_t)
type user_fonts_cache_t;
@@ -153,7 +152,7 @@ ubac_constrained(iceauth_t)
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-typealias iceauth_home_t alias { xguest_iceauth_home_t };
+typealias iceauth_home_t alias { xguest_iceauth_home_t };
files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)
@@ -292,13 +291,13 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
dev_dontaudit_read_urand(iceauth_t)
dev_dontaudit_rw_dri(iceauth_t)
dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
fs_dontaudit_list_inotifyfs(iceauth_t)
fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
- term_dontaudit_use_unallocated_ttys(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
userdom_dontaudit_read_user_home_content_files(iceauth_t)
userdom_dontaudit_write_user_home_content_files(iceauth_t)
@@ -362,13 +361,13 @@ userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
userdom_read_all_users_state(xauth_t)
-ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(xauth_t)
- fs_dontaudit_list_inotifyfs(xauth_t)
- userdom_manage_user_home_content_files(xauth_t)
- userdom_manage_user_tmp_files(xauth_t)
- dev_dontaudit_rw_generic_dev_nodes(xauth_t)
- miscfiles_read_fonts(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+ fs_dontaudit_list_inotifyfs(xauth_t)
+ userdom_manage_user_home_content_files(xauth_t)
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
')
xserver_rw_xdm_tmp_files(xauth_t)
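Review bot: The hide_broken_symptoms block for xauth_t that this hunk re-indents mixes grants with dontaudit rules: `userdom_manage_user_home_content_files(xauth_t)`, `userdom_manage_user_tmp_files(xauth_t)` and `miscfiles_read_fonts(xauth_t)` sit next to the `*_dontaudit_*` calls. Judging by the interface names, these three grant access rather than silence denials, so a build flag that reads as audit-noise suppression also widens what xauth_t may do with user home and tmp content. I would move the three calls out of the block, or behind a tunable if the access is not always needed, and leave a comment such as `# only dontaudit rules belong under hide_broken_symptoms`. The other hide_broken_symptoms blocks touched in this file (iceauth_t, and the second xauth_t block) contain only dontaudit calls.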
@@ -382,8 +381,8 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(xauth_t)
')
-ifdef(`hide_broken_symptoms', `
- term_dontaudit_use_unallocated_ttys(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
dev_dontaudit_rw_dri(xauth_t)
')
@@ -470,7 +469,7 @@ manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -728,10 +727,8 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(xdm_t)
')
-
')
-
optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
@@ -763,7 +760,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(xdm_t)
+ policykit_dbus_chat(xdm_t)
policykit_domtrans_auth(xdm_t)
policykit_read_lib(xdm_t)
policykit_read_reload(xdm_t)
@@ -822,13 +819,13 @@ optional_policy(`
unconfined_signal(xdm_t)
')
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
+ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+')
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
+ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+')
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
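Review bot: The two de-indented blocks grant `allow xdm_t self:process { execheap execmem };` with no comment saying which component needs an executable heap and executable anonymous memory, and every build that does not define distro_redhat gets the grant unconditionally. The file already declares `allow_xserver_execmem` (default false) for the X server in the tunables hunk above, so the xdm_t grant could follow the same pattern and sit behind a tunable. At minimum, add a comment such as `# TODO: identify what in xdm needs execheap/execmem; drop where not required`. The optional_policy blocks before and after these two blocks start and end outside the hunk.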
@@ -912,11 +909,11 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
-manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
-manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
index 3509088..b72ec20 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -47,7 +47,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
# zarafa_server local policy
#
-allow zarafa_server_t self:capability { chown kill net_bind_service};
+allow zarafa_server_t self:capability { chown kill net_bind_service };
allow zarafa_server_t self:process { setrlimit signal };
corenet_tcp_bind_zarafa_port(zarafa_server_t)
@@ -73,7 +73,7 @@ optional_policy(`
#
allow zarafa_spooler_t self:capability { chown kill };
-allow zarafa_spooler_t self:process { signal };
+allow zarafa_spooler_t self:process { signal };
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
@@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown;
# bad permission on /etc/zarafa
allow zarafa_domain self:capability { dac_override setgid setuid };
-
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c349adc..24b60e7 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -6,9 +6,9 @@ policy_module(zebra, 1.11.1)
#
##
-##
-## Allow zebra daemon to write it configuration files
-##
+##
+## Allow zebra daemon to write it configuration files
+##
##
#
gen_tunable(allow_zebra_write_config, false)