diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 630ca73..84f23dc 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
@@ -1,9 +1,7 @@
HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
-
-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
-
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 0eacdcb..95448d9 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -58,7 +58,7 @@ interface(`pulseaudio_domtrans',`
type pulseaudio_t, pulseaudio_exec_t;
')
- domtrans_pattern($1,pulseaudio_exec_t,pulseaudio_t)
+ domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')
########################################
@@ -88,7 +88,7 @@ interface(`pulseaudio_run',`
########################################
##
-## Execute a pulseaudio in the current domain
+## Execute a pulseaudio in the current domain.
##
##
##
@@ -101,13 +101,13 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
- can_exec($1,pulseaudio_exec_t)
+ can_exec($1, pulseaudio_exec_t)
')
-########################################
+#####################################
##
-## Send and receive messages from
-## pulseaudio over dbus.
+## Connect to pulseaudio over a unix domain
+## stream socket.
##
##
##
@@ -115,38 +115,41 @@ interface(`pulseaudio_exec',`
##
##
#
-interface(`pulseaudio_dbus_chat',`
+interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t;
- class dbus send_msg;
+ type pulseaudio_t, pulseaudio_var_run_t;
')
- allow $1 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $1:dbus send_msg;
+ files_search_pids($1)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
########################################
##
-## Read pulseaudio homedir files
+## Send and receive messages from
+## pulseaudio over dbus.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_read_home_files',`
+interface(`pulseaudio_dbus_chat',`
gen_require(`
- type pulseaudio_home_t;
+ type pulseaudio_t;
+ class dbus send_msg;
')
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ allow $1 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $1:dbus send_msg;
')
########################################
##
-## Manage pulseaudio homedir files
+## Set the attributes of the pulseaudio homedir.
##
##
##
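Review bot: The summary for `pulseaudio_stream_connect` (written in the preceding hunk) mentions only the unix stream socket, but the body at the top of this hunk also lets `$1` and `pulseaudio_t` send `signull` to each other. The reverse rule, `allow pulseaudio_t $1:process signull;`, gives the pulseaudio domain a permission over every caller, so anyone auditing users of the interface should be able to see it in the documentation. Extend the summary to something like `## Connect to pulseaudio over a unix domain stream socket and exchange signull with it.`, or add a short comment above the two `allow` lines saying why both directions are needed (presumably a liveness check; confirm).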
@@ -154,18 +157,17 @@ interface(`pulseaudio_read_home_files',`
##
##
#
-interface(`pulseaudio_manage_home_files',`
+interface(`pulseaudio_setattr_home_dir',`
gen_require(`
type pulseaudio_home_t;
')
- userdom_search_user_home_dirs($1)
- manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ allow $1 pulseaudio_home_t:dir setattr;
')
########################################
##
-## Allow domain to setattr on pulseaudio homedir
+## Read pulseaudio homedir files.
##
##
##
@@ -173,32 +175,31 @@ interface(`pulseaudio_manage_home_files',`
##
##
#
-interface(`pulseaudio_setattr_home_dir',`
+interface(`pulseaudio_read_home_files',`
gen_require(`
type pulseaudio_home_t;
')
- allow $1 pulseaudio_home_t:dir setattr;
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
-#####################################
+########################################
##
-## Connect to pulseaudio over a unix domain
-## stream socket.
+## Create, read, write, and delete pulseaudio
+## home directory files.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_stream_connect',`
+interface(`pulseaudio_manage_home_files',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_home_t;
')
- files_search_pids($1)
- allow $1 pulseaudio_t:process signull;
- allow pulseaudio_t $1:process signull;
- stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 48f7d91..a4aa82b 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -28,6 +28,7 @@ files_pid_file(pulseaudio_var_run_t)
#
# pulseaudio local policy
#
+
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
@@ -37,9 +38,9 @@ allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
-userdom_search_user_home_dirs(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
index 62c7274..67e9269 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
@@ -1,5 +1,4 @@
-
-## policy for Kernel Samepage Merging (KSM) Tuning Daemon
+## Kernel Samepage Merging (KSM) Tuning Daemon
########################################
##
@@ -19,7 +18,6 @@ interface(`ksmtuned_domtrans',`
domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
')
-
########################################
##
## Execute ksmtuned server in the ksmtuned domain.
@@ -40,7 +38,7 @@ interface(`ksmtuned_initrc_domtrans',`
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an ksmtuned environment
##
##
@@ -63,7 +61,7 @@ interface(`ksmtuned_admin',`
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern(ksmtumed_t)
-
+
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
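Review bot: `ps_process_pattern(ksmtumed_t)` in the context lines of this hunk misspells the type (`ksmtumed_t` for `ksmtuned_t`) and passes one argument where the pattern takes a source domain and a target domain. As written it cannot give the admin domain the intended view of the daemon's /proc entries, and it will likely break the build once the interface is actually called. The commit only changes the whitespace line below it; the call should read `ps_process_pattern($1, ksmtuned_t)`. `ksmtuned_admin` starts and ends outside the hunk, so its `gen_require` block is not visible here and should be checked for the same spelling.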
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index b59c36b..95dc691 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -1,4 +1,5 @@
-policy_module(ksmtuned,1.0.0)
+
+policy_module(ksmtuned, 1.0.0)
########################################
#
@@ -19,14 +20,9 @@ files_pid_file(ksmtuned_var_run_t)
#
# ksmtuned local policy
#
-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
-# Init script handling
-domain_use_interactive_fds(ksmtuned_t)
-
-# internal communication is often done using fifo and unix sockets.
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
allow ksmtuned_t self:fifo_file rw_file_perms;
-allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
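Review bot: Two rules are dropped in this hunk, `domain_use_interactive_fds(ksmtuned_t)` and `allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;`, along with the comments that explained them. That makes it a permission change inside what otherwise reads as a formatting cleanup. Tightening the domain is fine, but the commit record should say so, and the daemon and its init script should be run with the new policy while checking the audit log for new AVC denials. The retained `allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };` now has no rationale near it. `sys_ptrace` is a broad capability, so a one-line comment above it would help later reviewers, e.g. `# sys_ptrace: needed to inspect other processes via /proc (confirm)`.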
diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc
index c79e023..9ff2d99 100644
--- a/policy/modules/services/smokeping.fc
+++ b/policy/modules/services/smokeping.fc
@@ -7,5 +7,3 @@
/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
-
-
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 4e5e18b..6be6642 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -1,5 +1,4 @@
-
-## policy for smokeping
+## Smokeping network latency measurement.
########################################
##
@@ -129,12 +128,12 @@ interface(`smokeping_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
')
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## a smokeping environment
##
##
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index c311a16..ffb91bc 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -1,5 +1,5 @@
-policy_module(smokeping,1.0.0)
+policy_module(smokeping, 1.0.0)
########################################
#
@@ -28,12 +28,12 @@ allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:udp_socket create_socket_perms;
allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
-manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
-manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
-manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
corecmd_read_bin_symlinks(smokeping_t)
@@ -61,7 +61,7 @@ netutils_domtrans_ping(smokeping_t)
optional_policy(`
apache_content_template(smokeping_cgi)
-
+
allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)