diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8ad2aef..2aa3642 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Deprecate module name as first parameter of optional_policy()
+ now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 8716138..7d06f6b 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -77,8 +77,8 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(acct_t)
')
-optional_policy(`cron',`
- optional_policy(`authlogin',`
+optional_policy(`
+ optional_policy(`
# for monthly cron job
auth_log_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
@@ -87,15 +87,15 @@ optional_policy(`cron',`
cron_system_entry(acct_t,acct_exec_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(acct_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(acct_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(acct_t)
')
diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
index 32f2f8e..e93af95 100644
--- a/refpolicy/policy/modules/admin/alsa.te
+++ b/refpolicy/policy/modules/admin/alsa.te
@@ -46,6 +46,6 @@ miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(alsa_t)
')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index ac48efa..dab8194 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -77,7 +77,7 @@ role system_r types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
-optional_policy(`prelink',`
+optional_policy(`
prelink_object_file(amanda_usr_lib_t)
')
@@ -169,19 +169,19 @@ libs_use_shared_libs(amanda_t)
sysnet_read_config(amanda_t)
-optional_policy(`authlogin',`
+optional_policy(`
auth_read_shadow(amanda_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(amanda_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(amanda_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(amanda_t)
')
@@ -254,10 +254,10 @@ sysnet_read_config(amanda_recover_t)
userdom_search_sysadm_home_content_dirs(amanda_recover_t)
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(amanda_recover_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(amanda_recover_t)
')
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
index 0e963bb..9ec5e44 100644
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ b/refpolicy/policy/modules/admin/anaconda.te
@@ -31,28 +31,28 @@ ifdef(`distro_redhat',`
bootloader_create_runtime_file(anaconda_t)
')
-optional_policy(`dmesg',`
+optional_policy(`
dmesg_domtrans(anaconda_t)
')
-optional_policy(`kudzu',`
+optional_policy(`
kudzu_domtrans(anaconda_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_domtrans(anaconda_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_domtrans(anaconda_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
ifdef(`TODO',`
-optional_policy(`ssh',`
+optional_policy(`
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
diff --git a/refpolicy/policy/modules/admin/apt.te b/refpolicy/policy/modules/admin/apt.te
index 3a659b6..8797036 100644
--- a/refpolicy/policy/modules/admin/apt.te
+++ b/refpolicy/policy/modules/admin/apt.te
@@ -115,22 +115,22 @@ ifdef(`targeted_policy',`
')
# with boolean, for cron-apt and such?
-#optional_policy(`cron',`
+#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
#')
-optional_policy(`dpkg',`
+optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(apt_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index b13756c..304a39a 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -175,18 +175,18 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(bootloader_t)
')
-optional_policy(`fstools',`
+optional_policy(`
fstools_exec(bootloader_t)
')
-optional_policy(`lvm',`
+optional_policy(`
dev_rw_lvm_control(bootloader_t)
lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
-optional_policy(`modutils',`
+optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_read_module_deps(bootloader_t)
modutils_read_module_config(bootloader_t)
@@ -195,15 +195,15 @@ optional_policy(`modutils',`
modutils_exec_update_mods(bootloader_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(bootloader_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_rw_pipes(bootloader_t)
')
-optional_policy(`userdomain',`
+optional_policy(`
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
')
diff --git a/refpolicy/policy/modules/admin/certwatch.te b/refpolicy/policy/modules/admin/certwatch.te
index 8087765..daca9e1 100644
--- a/refpolicy/policy/modules/admin/certwatch.te
+++ b/refpolicy/policy/modules/admin/certwatch.te
@@ -29,6 +29,6 @@ miscfiles_read_localization(certwatch_t)
apache_exec_modules(certwatch_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(certwatch_t,certwatch_exec_t)
')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 7157fb4..e5df4c6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,60 +67,60 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
')
-optional_policy(`apm',`
+optional_policy(`
apm_use_fds(consoletype_t)
apm_write_pipes(consoletype_t)
')
-optional_policy(`authlogin', `
+optional_policy(`
auth_read_pam_pid(consoletype_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_read_pipes(consoletype_t)
cron_use_system_job_fds(consoletype_t)
')
-optional_policy(`firstboot',`
+optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_write_pipes(consoletype_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_dontaudit_use_fds(consoletype_t)
')
-optional_policy(`lpd',`
+optional_policy(`
lpd_read_config(consoletype_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(consoletype_t)
')
-optional_policy(`rpm',`
+optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(consoletype_t)
')
-optional_policy(`userdomain',`
+optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
')
ifdef(`TODO',`
-optional_policy(`xdm', `
+optional_policy(`
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
# this goes to xdm module
ifdef(`targeted_policy',`
- optional_policy(`consoletype',`
+ optional_policy(`
consoletype_domtrans(xdm_t)
')
')
-optional_policy(`lpd', `
+optional_policy(`
allow consoletype_t printconf_t:file r_file_perms;
')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 52413bd..150feec 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -64,11 +64,11 @@ ifdef(`strict_policy',`
userdom_use_sysadm_terms(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_sigchld_newrole(dmesg_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_read_db(dmesg_t)
')
')
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
index 14cc4be..220ed1c 100644
--- a/refpolicy/policy/modules/admin/dpkg.te
+++ b/refpolicy/policy/modules/admin/dpkg.te
@@ -180,15 +180,15 @@ ifdef(`targeted_policy',`
')
# TODO: allow?
-#optional_policy(`cron',`
+#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
#')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(dpkg_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dpkg_t)
')
@@ -204,10 +204,10 @@ modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_restorecon(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(dpkg_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_groupadd(dpkg_t)
usermanage_domtrans_useradd(dpkg_t)
')
@@ -325,7 +325,7 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy',`
unconfined_domain(dpkg_script_t)
',`
- optional_policy(`bootloader',`
+ optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
')
@@ -334,15 +334,15 @@ tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(dpkg_script_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t)
')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 85984d5..e8b10b1 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -111,15 +111,15 @@ ifdef(`targeted_policy',`
unconfined_domtrans(firstboot_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(firstboot_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_rw_config(firstboot_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 78589cd..303d6d1 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -135,34 +135,34 @@ ifdef(`targeted_policy',`
unconfined_domain(kudzu_t)
')
-optional_policy(`gpm',`
+optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(kudzu_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(kudzu_t)
')
ifdef(`TODO',`
allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`lpd',`
+optional_policy(`
allow kudzu_t printconf_t:file { getattr read };
')
-optional_policy(`xserver',`
+optional_policy(`
allow kudzu_t xserver_exec_t:file getattr;
')
-optional_policy(`rhgb',`
+optional_policy(`
allow kudzu_t rhgb_t:unix_stream_socket connectto;
')
-optional_policy(`userhelper',`
+optional_policy(`
role system_r types sysadm_userhelper_t;
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 61040ce..b312f66 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -135,59 +135,59 @@ ifdef(`targeted_policy',`
unconfined_domain(logrotate_t)
')
-optional_policy(`acct',`
+optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
')
-optional_policy(`apache',`
+optional_policy(`
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_exec(logrotate_t)
')
-optional_policy(`cups',`
+optional_policy(`
cups_domtrans(logrotate_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(logrotate_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_exec_log(logrotate_t)
')
-optional_policy(`mailman',`
+optional_policy(`
mailman_exec(logrotate_t)
mailman_search_data(logrotate_t)
mailman_manage_log(logrotate_t)
')
-optional_policy(`mysql',`
+optional_policy(`
mysql_read_config(logrotate_t)
mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(logrotate_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(logrotate_t)
')
-optional_policy(`slrnpull',`
+optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
-optional_policy(`squid',`
+optional_policy(`
# cjp: why?
squid_domtrans(logrotate_t)
')
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index ad4bf1e..669df86 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -78,35 +78,35 @@ userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
mta_send_mail(logwatch_t)
-optional_policy(`apache',`
+optional_policy(`
apache_read_log(logwatch_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_read_config(logwatch_t)
bind_read_zone(logwatch_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(logwatch_t, logwatch_exec_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_getattr_spool(logwatch_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(logwatch_t)
')
-optional_policy(`ntp',`
+optional_policy(`
ntp_domtrans(logwatch_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_read_log(logwatch_t)
')
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
index dcf042b..ad531e1 100644
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ b/refpolicy/policy/modules/admin/mrtg.te
@@ -131,36 +131,36 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(mrtg_t)
')
-optional_policy(`apache',`
+optional_policy(`
apache_manage_sys_content(mrtg_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(mrtg_t,mrtg_exec_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(mrtg_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(mrtg_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
-optional_policy(`quota',`
+optional_policy(`
quota_dontaudit_getattr_db(mrtg_t)
')
-optional_policy(`snmp',`
+optional_policy(`
snmp_udp_chat(mrtg_t)
snmp_read_snmp_var_lib_files(mrtg_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(mrtg_t)
')
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index aa1edd9..07d4544 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -83,7 +83,7 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(netutils_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(netutils_t)
')
@@ -146,19 +146,19 @@ ifdef(`targeted_policy',`
')
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ping_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ping_t)
')
-optional_policy(`pcmcia',`
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -228,11 +228,11 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(traceroute_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(traceroute_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(traceroute_t)
')
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 7b4229f..86f8567 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -201,7 +201,7 @@ template(`portage_compile_domain_template',`
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
- optional_policy(`xdm',`
+ optional_policy(`
allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index e83d18d..4f6adbc 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -85,17 +85,17 @@ init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
-optional_policy(`bootloader',`
+optional_policy(`
bootloader_domtrans(portage_t)
')
-optional_policy(`modutils',`
+optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index d50a943..267813e 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -78,6 +78,6 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index dcc02b2..4f188d2 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -67,11 +67,11 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(quota_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(quota_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(quota_t)
')
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 1bbcff8..7f91460 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -76,6 +76,6 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(readahead_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(readahead_t)
')
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index c83a0a9..502e1ed 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -187,15 +187,15 @@ ifdef(`targeted_policy',`
logging_log_filetrans(rpm_t,rpm_log_t,file)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(rpm_t,rpm_exec_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(rpm_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(rpm_t)
')
@@ -212,7 +212,7 @@ allow rpm_t mount_t:tcp_socket write;
allow rpm_t rpc_pipefs_t:dir search;
-optional_policy(`gnome-pty-helper',`
+optional_policy(`
allow rpm_t sysadm_gph_t:fd use;
')
') dnl endif TODO
@@ -337,13 +337,13 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy',`
unconfined_domain(rpm_script_t)
',`
- optional_policy(`bootloader',`
+ optional_policy(`
bootloader_domtrans(rpm_script_t)
')
')
ifdef(`distro_redhat',`
- optional_policy(`mta',`
+ optional_policy(`
mta_send_mail(rpm_script_t)
')
')
@@ -352,21 +352,21 @@ tunable_policy(`allow_execmem',`
allow rpm_script_t self:process execmem;
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(rpm_script_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
ifdef(`TODO',`
-optional_policy(`lpd',`
+optional_policy(`
can_exec(rpm_script_t,printconf_t)
')
-optional_policy(`cups',`
+optional_policy(`
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
allow cupsd_t rpm_var_lib_t:file r_file_perms;
allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
@@ -374,16 +374,16 @@ allow cupsd_t initrc_exec_t:file r_file_perms;
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
-optional_policy(`ssh-agent',`
+optional_policy(`
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
-optional_policy(`prelink',`
+optional_policy(`
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
')
ifdef(`hide_broken_symptoms', `
- optional_policy(`pamconsole',`
+ optional_policy(`
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
')
')
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 80f4d81..b248a9a 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -61,15 +61,15 @@ template(`su_restricted_domain_template', `
miscfiles_read_localization($1_su_t)
- optional_policy(`cron',`
+ optional_policy(`
cron_read_pipes($1_su_t)
')
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_su_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_su_t)
')
@@ -206,20 +206,20 @@ template(`su_per_userdomain_template',`
fs_search_cifs($1_su_t)
')
- optional_policy(`cron',`
+ optional_policy(`
cron_read_pipes($1_su_t)
')
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_su_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_su_t)
')
# Modify .Xauthority file (via xauth program).
- optional_policy(`xserver',`
+ optional_policy(`
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 73fa50e..0cf001e 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -129,11 +129,11 @@ template(`sudo_per_userdomain_template',`
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_sudo_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_sudo_t)
')
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
index 480aa04..ca46e5c 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -44,7 +44,7 @@ miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
-optional_policy(`lpd',`
+optional_policy(`
lpd_manage_spool(tmpreaper_t)
')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7a9fdc7..9bc2278 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -91,40 +91,40 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(updfstab_t)
')
-optional_policy(`authlogin',`
+optional_policy(`
auth_domtrans_pam_console(updfstab_t)
')
-optional_policy(`dbus',`
+optional_policy(`
init_dbus_chat_script(updfstab_t)
dbus_system_bus_client_template(updfstab,updfstab_t)
dbus_send_system_bus(updfstab_t)
')
-optional_policy(`fstools',`
+optional_policy(`
fstools_getattr_swap_files(updfstab_t)
')
-optional_policy(`hal',`
+optional_policy(`
hal_stream_connect(updfstab_t)
hal_dbus_chat(updfstab_t)
')
-optional_policy(`modutils',`
+optional_policy(`
modutils_read_module_config(updfstab_t)
modutils_exec_insmod(updfstab_t)
modutils_read_module_deps(updfstab_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(updfstab_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(updfstab_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(updfstab_t)
')
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
index 50a298d..76d5c5b 100644
--- a/refpolicy/policy/modules/admin/usbmodules.te
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -39,10 +39,10 @@ libs_use_shared_libs(usbmodules_t)
modutils_read_module_deps(usbmodules_t)
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_read_config(usbmodules_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(usbmodules_t)
')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 6d90b56..c66e420 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -132,11 +132,11 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(chfn_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(chfn_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(chfn_t)
')
@@ -178,7 +178,7 @@ logging_send_syslog_msg(crack_t)
userdom_dontaudit_search_sysadm_home_dirs(crack_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(crack_t,crack_exec_t)
')
@@ -248,20 +248,20 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
-optional_policy(`dpkg',`
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(groupadd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(groupadd_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
')
@@ -346,11 +346,11 @@ userdom_read_all_users_state(passwd_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(passwd_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(passwd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(passwd_t)
')
@@ -437,7 +437,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
# on user home dir
userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(sysadm_passwd_t)
')
@@ -516,20 +516,20 @@ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notd
mta_manage_spool(useradd_t)
-optional_policy(`dpkg',`
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(useradd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(useradd_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te
index 88456a7..bdeef88 100644
--- a/refpolicy/policy/modules/admin/vbetool.te
+++ b/refpolicy/policy/modules/admin/vbetool.te
@@ -30,6 +30,6 @@ libs_use_shared_libs(vbetool_t)
miscfiles_read_localization(vbetool_t)
-optional_policy(`hal',`
+optional_policy(`
hal_rw_pid_files(vbetool_t)
')
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index b82662a..865b0b2 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -106,22 +106,22 @@ sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_all_users_home_content(vpnc_t)
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(vpnc,vpnc_t)
dbus_send_system_bus(vpnc_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(vpnc_t)
')
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(vpnc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(vpnc_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(vpnc_t)
')
diff --git a/refpolicy/policy/modules/apps/calamaris.te b/refpolicy/policy/modules/apps/calamaris.te
index ab87bf2..b73221e 100644
--- a/refpolicy/policy/modules/apps/calamaris.te
+++ b/refpolicy/policy/modules/apps/calamaris.te
@@ -76,22 +76,22 @@ userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
squid_read_log(calamaris_t)
-optional_policy(`apache', `
+optional_policy(`
apache_search_sys_content(calamaris_t)
')
-optional_policy(`bind', `
+optional_policy(`
bind_udp_chat_named(calamaris_t)
')
-optional_policy(`cron', `
+optional_policy(`
cron_system_entry(calamaris_t,calamaris_exec_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(calamaris_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(calamaris_t)
')
diff --git a/refpolicy/policy/modules/apps/ethereal.if b/refpolicy/policy/modules/apps/ethereal.if
index 1d06a9b..6215059 100644
--- a/refpolicy/policy/modules/apps/ethereal.if
+++ b/refpolicy/policy/modules/apps/ethereal.if
@@ -143,24 +143,24 @@ template(`ethereal_per_userdomain_template',`
fs_manage_cifs_symlinks($1_ethereal_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_ethereal_t)
')
# Manual transition from userhelper
- optional_policy(`userhelper', `
+ optional_policy(`
userhelper_use_user_fd($1,$1_ethereal_t)
userhelper_sigchld_user($1,$1_ethereal_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
ifdef(`TODO',`
# Why does it write this?
- optional_policy(`snmpd.te', `
+ optional_policy(`
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
')
#TODO
diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te
index 5d9c713..8451069 100644
--- a/refpolicy/policy/modules/apps/ethereal.te
+++ b/refpolicy/policy/modules/apps/ethereal.te
@@ -52,6 +52,6 @@ seutil_use_newrole_fds(tethereal_t)
sysnet_dns_name_resolve(tethereal_t)
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(tethereal_t)
')
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
index 44d1418..497deb0 100644
--- a/refpolicy/policy/modules/apps/evolution.if
+++ b/refpolicy/policy/modules/apps/evolution.if
@@ -376,16 +376,16 @@ template(`evolution_per_userdomain_template',`
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
')
- optional_policy(`automount',`
+ optional_policy(`
automount_read_state($1_evolution_t)
')
# Allow printing the mail
- optional_policy(`cups',`
+ optional_policy(`
cups_read_rw_config($1_evolution_t)
')
- optional_policy(`dbus',`
+ optional_policy(`
dbus_system_bus_client_template($1_evolution,$1_evolution_t)
dbus_send_system_bus($1_evolution_t)
dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
@@ -393,26 +393,26 @@ template(`evolution_per_userdomain_template',`
')
# Encrypt mail
- optional_policy(`gpg',`
+ optional_policy(`
gpg_domtrans_user_gpg($1,$1_evolution_t)
gpg_signal_user_gpg($1,$1_evolution_t)
')
- optional_policy(`lpd',`
+ optional_policy(`
lpd_domtrans_user_lpr($1,$1_evolution_t)
')
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_evolution_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
### Junk mail filtering (start spamd)
- optional_policy(`spamassassin',`
+ optional_policy(`
spamassassin_exec_spamd($1_evolution_t)
spamassassin_domtrans_user_client($1,$1_evolution_t)
spamassassin_domtrans_user_local_client($1,$1_evolution_t)
@@ -509,7 +509,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_alarm_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_evolution_alarm_t)
')
@@ -590,7 +590,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
@@ -689,7 +689,7 @@ template(`evolution_per_userdomain_template',`
fs_manage_cifs_files($1_evolution_server_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_evolution_server_t)
')
@@ -740,7 +740,7 @@ template(`evolution_per_userdomain_template',`
xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_evolution_webcal_t)
')
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
index 03310d0..1e88bbd 100644
--- a/refpolicy/policy/modules/apps/games.if
+++ b/refpolicy/policy/modules/apps/games.if
@@ -148,11 +148,11 @@ template(`games_per_userdomain_template',`
allow $1_games_t self:process execmem;
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_games_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
@@ -167,7 +167,7 @@ template(`games_per_userdomain_template',`
allow $1_games_t $1_gnome_settings_t:file create_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
- optional_policy(`mozilla', `
+ optional_policy(`
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
')
diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
index d1a8a34..786c5d1 100644
--- a/refpolicy/policy/modules/apps/games.te
+++ b/refpolicy/policy/modules/apps/games.te
@@ -68,11 +68,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(games_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(games_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(games_t)
')
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 0d9786b..7732182 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -131,7 +131,7 @@ template(`gpg_per_userdomain_template',`
userdom_use_user_terminals($1,$1_gpg_t)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_gpg_t)
')
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 6dda6fd..67ab3ba 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -160,12 +160,12 @@ template(`irc_per_userdomain_template',`
fs_manage_cifs_symlinks($1_irc_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_irc_t)
')
ifdef(`TODO',`
- optional_policy(`ircd.te', `
+ optional_policy(`
allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1_irc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 015f28d..0c950ec 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -161,15 +161,15 @@ template(`java_per_userdomain_template',`
miscfiles_legacy_read_localization($1_javaplugin_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_javaplugin_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_javaplugin_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
')
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
index d0c4e73..ddf08c4 100644
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -81,7 +81,7 @@ template(`lockdev_per_userdomain_template',`
userdom_use_user_terminals($1, $1_lockdev_t)
- optional_policy(`logging',`
+ optional_policy(`
logging_send_syslog_msg($1_t)
')
')
diff --git a/refpolicy/policy/modules/apps/mozilla.if b/refpolicy/policy/modules/apps/mozilla.if
index 70f04e4..3fc2844 100644
--- a/refpolicy/policy/modules/apps/mozilla.if
+++ b/refpolicy/policy/modules/apps/mozilla.if
@@ -331,40 +331,40 @@ template(`mozilla_per_userdomain_template',`
')
- optional_policy(`apache',`
+ optional_policy(`
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
')
- optional_policy(`cups',`
+ optional_policy(`
cups_read_rw_config($1_mozilla_t)
')
- optional_policy(`dbus', `
+ optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
ifdef(`TODO',`
- optional_policy(`cups', `
+ optional_policy(`
allow cupsd_t $1_mozilla_t:dbus send_msg;
')
')
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_mozilla_t)
')
- optional_policy(`squid',`
+ optional_policy(`
squid_use($1_mozilla_t)
')
- optional_policy(`lpd',`
+ optional_policy(`
lpd_domtrans_user_lpr($1,$1_mozilla_t)
')
ifdef(`TODO',`
# Java plugin
- optional_policy(`java',`
+ optional_policy(`
#reh, these are hacked in types due to the use of the java_per_userdomain_template
type $1_mozilla_tmp_t;
files_tmp_file($1_mozilla_tmp_t)
@@ -381,7 +381,7 @@ template(`mozilla_per_userdomain_template',`
')
######### Launch mplayer
- optional_policy(`mplayer',`
+ optional_policy(`
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
@@ -404,7 +404,7 @@ template(`mozilla_per_userdomain_template',`
# support (is this possible?).
# GNOME integration
- optional_policy(`gnome',`
+ optional_policy(`
gnome_application($1_mozilla, $1)
gnome_file_dialog($1_mozilla, $1)
')
diff --git a/refpolicy/policy/modules/apps/mplayer.if b/refpolicy/policy/modules/apps/mplayer.if
index 6a41c55..5ebf68f 100644
--- a/refpolicy/policy/modules/apps/mplayer.if
+++ b/refpolicy/policy/modules/apps/mplayer.if
@@ -448,11 +448,11 @@ template(`mplayer_per_userdomain_template',`
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
')
- optional_policy(`alsa',`
+ optional_policy(`
alsa_read_rw_config($1_mplayer_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_mplayer_t)
')
')
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index 4478c4d..111b585 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@@ -186,17 +186,17 @@ template(`screen_per_userdomain_template',`
fs_read_nfs_symlinks($1_screen_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_screen_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_screen_t)
')
ifdef(`TODO',`
# Inherit and use descriptors from gnome-pty-helper.
- optional_policy(`gnome-pty-helper.te',`
+ optional_policy(`
allow $1_screen_t $1_gph_t:fd use;
')
') dnl TODO
diff --git a/refpolicy/policy/modules/apps/slocate.te b/refpolicy/policy/modules/apps/slocate.te
index 54894bd..f5f337d 100644
--- a/refpolicy/policy/modules/apps/slocate.te
+++ b/refpolicy/policy/modules/apps/slocate.te
@@ -51,6 +51,6 @@ libs_use_ld_so(locate_t)
miscfiles_read_localization(locate_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if
index b11bc8d..2d2080c 100644
--- a/refpolicy/policy/modules/apps/thunderbird.if
+++ b/refpolicy/policy/modules/apps/thunderbird.if
@@ -301,26 +301,26 @@ template(`thunderbird_per_userdomain_template',`
userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
')
- optional_policy(`dbus', `
+ optional_policy(`
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
dbus_send_user_bus($1,$1_thunderbird_t)
')
- optional_policy(`lpr',`
+ optional_policy(`
lpd_domtrans_user_lpr($1,$1_thunderbird_t)
')
- optional_policy(`cups',`
+ optional_policy(`
cups_read_rw_config($1_thunderbird_t)
')
- optional_policy(`gpg', `
+ optional_policy(`
gpg_domtrans_user_gpg($1,$1_thunderbird_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_thunderbird_t)
')
@@ -343,7 +343,7 @@ template(`thunderbird_per_userdomain_template',`
')
# GNOME support
- optional_policy(`gnome', `
+ optional_policy(`
gnome_application($1_thunderbird, $1)
gnome_file_dialog($1_thunderbird, $1)
allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
index 1bf5022..4a6899b 100644
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -142,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
fs_manage_cifs_symlinks($1_tvtime_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
')
')
diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if
index 3e2fbc1..caf26dd 100644
--- a/refpolicy/policy/modules/apps/uml.if
+++ b/refpolicy/policy/modules/apps/uml.if
@@ -187,24 +187,24 @@ template(`uml_per_userdomain_template',`
userdom_use_user_terminals($1,$1_uml_t)
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request($1_uml_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_uml_t)
')
- optional_policy(`ssh',`
+ optional_policy(`
ssh_tcp_connect($1_uml_t)
')
ifdef(`TODO',`
# for X
- optional_policy(`startx',`
+ optional_policy(`
ifelse($1, sysadm,`
',`
- optional_policy(`xdm',`
+ optional_policy(`
allow $1_uml_t xdm_xserver_tmp_t:dir search;
')
allow $1_uml_t $1_xserver_tmp_t:sock_file write;
@@ -212,7 +212,7 @@ template(`uml_per_userdomain_template',`
')
')
- optional_policy(`uml_net.te',`
+ optional_policy(`
# for uml_net
domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
allow uml_net_t $1_uml_t:unix_stream_socket { read write };
@@ -222,7 +222,7 @@ template(`uml_per_userdomain_template',`
dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
')
#TODO
- optional_policy(`xauth',`
+ optional_policy(`
allow $1_uml_t $1_xauth_home_t:file { getattr read };
')
')
diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te
index bd99059..e04c6b1 100644
--- a/refpolicy/policy/modules/apps/uml.te
+++ b/refpolicy/policy/modules/apps/uml.te
@@ -67,10 +67,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(uml_switch_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(uml_switch_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(uml_switch_t)
')
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index a8bda8c..7447019 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -161,7 +161,7 @@ template(`userhelper_per_userdomain_template',`
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
- optional_policy(`rpm',`
+ optional_policy(`
# Allow transitioning to rpm_t, for up2date
rpm_domtrans($1_userhelper_t)
')
@@ -174,19 +174,19 @@ template(`userhelper_per_userdomain_template',`
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
')
- optional_policy(`ethereal',`
+ optional_policy(`
ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
')
- optional_policy(`logging',`
+ optional_policy(`
logging_send_syslog_msg($1_userhelper_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_userhelper_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_userhelper_t)
')
@@ -195,14 +195,14 @@ template(`userhelper_per_userdomain_template',`
allow $1_userhelper_t xdm_var_run_t:dir search;
allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
- optional_policy(`gnome-pty-helper.te',`
+ optional_policy(`
allow $1_userhelper_t gphdomain:fd use;
')
- optional_policy(`xauth', `
+ optional_policy(`
domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
')
- optional_policy(`mozilla', `
+ optional_policy(`
domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
# for when the network connection is killed
diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if
index dc2ebb9..06d73e3 100644
--- a/refpolicy/policy/modules/apps/usernetctl.if
+++ b/refpolicy/policy/modules/apps/usernetctl.if
@@ -60,15 +60,15 @@ interface(`usernetctl_run',`
sysnet_run_ifconfig(usernetctl_t,$2,$3)
sysnet_run_dhcpc(usernetctl_t,$2,$3)
- optional_policy(`consoletype',`
+ optional_policy(`
consoletype_run(usernetctl_t,$2,$3)
')
- optional_policy(`iptables',`
+ optional_policy(`
iptables_run(usernetctl_t,$2,$3)
')
- optional_policy(`modutils',`
+ optional_policy(`
modutils_run_insmod(usernetctl_t,$2,$3)
')
')
diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te
index 6eb5ad7..8a51e3f 100644
--- a/refpolicy/policy/modules/apps/usernetctl.te
+++ b/refpolicy/policy/modules/apps/usernetctl.te
@@ -61,10 +61,10 @@ seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(usernetctl_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(usernetctl_t)
')
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index a0aab80..0800b1a 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -97,18 +97,18 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(webalizer_t)
')
-optional_policy(`ftp',`
+optional_policy(`
ftp_read_log(webalizer_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(webalizer_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(webalizer_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(webalizer_t,webalizer_exec_t)
')
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index e67dd9d..da70fa0 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -51,7 +51,7 @@ interface(`domain_type',`
')
# send init a sigchld and signull
- optional_policy(`init',`
+ optional_policy(`
init_sigchld($1)
init_signull($1)
')
@@ -59,20 +59,20 @@ interface(`domain_type',`
# these seem questionable:
# allow any domain to connect to the LDAP server
- optional_policy(`ldap',`
+ optional_policy(`
ldap_use($1)
')
- optional_policy(`rpm',`
+ optional_policy(`
rpm_use_fds($1)
rpm_read_pipes($1)
')
- optional_policy(`selinux',`
+ optional_policy(`
selinux_dontaudit_read_fs($1)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_dontaudit_read_config($1)
')
')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index eb63505..9474c11 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -411,7 +411,7 @@ interface(`files_read_all_files',`
allow $1 file_type:dir search;
allow $1 file_type:file r_file_perms;
- optional_policy(`authlogin',`
+ optional_policy(`
auth_read_shadow($1)
')
')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 58780de..5d9124f 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -247,32 +247,32 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(kernel_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_search_config(kernel_t)
')
-optional_policy(`init',`
+optional_policy(`
init_sigchld(kernel_t)
')
-optional_policy(`libraries',`
+optional_policy(`
libs_use_ld_so(kernel_t)
libs_use_shared_libs(kernel_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(kernel_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(kernel_t)
')
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_send(kernel_t)
')
-optional_policy(`rpc',`
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -317,7 +317,7 @@ optional_policy(`rpc',`
')
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
')
@@ -331,7 +331,7 @@ ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')
-optional_policy(`init',`
+optional_policy(`
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
# If you load an incompatible policy, you should probably reboot,
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
index 6455fd6..c084736 100644
--- a/refpolicy/policy/modules/services/amavis.te
+++ b/refpolicy/policy/modules/services/amavis.te
@@ -134,15 +134,15 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
-optional_policy(`clamav',`
+optional_policy(`
clamav_stream_connect(amavis_t)
')
-optional_policy(`ldap',`
+optional_policy(`
ldap_use(amavis_t)
')
-optional_policy(`spamassassin',`
+optional_policy(`
spamassassin_exec(amavis_t)
spamassassin_exec_client(amavis_t)
')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 8d07704..4fb4c86 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -217,24 +217,24 @@ template(`apache_content_template',`
sysnet_read_config(httpd_$1_script_t)
')
- optional_policy(`mount',`
+ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
mount_send_nfs_client_request(httpd_$1_script_t)
')
')
- optional_policy(`mta',`
+ optional_policy(`
mta_send_mail(httpd_$1_script_t)
')
- optional_policy(`nis',`
+ optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 1309042..d7b1cce 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
')
-optional_policy(`prelink',`
+optional_policy(`
prelink_object_file(httpd_modules_t)
')
@@ -396,19 +396,19 @@ tunable_policy(`httpd_tty_comm',`
userdom_dontaudit_use_sysadm_terms(httpd_t)
')
-optional_policy(`calamaris',`
+optional_policy(`
calamaris_read_www_files(httpd_t)
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(httpd_t)
')
-optional_policy(`mailman',`
+optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
@@ -416,25 +416,25 @@ optional_policy(`mailman',`
mailman_read_archive(httpd_t)
')
-optional_policy(`mysql',`
+optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(httpd_t)
')
-optional_policy(`postgresql',`
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
-optional_policy(`udev', `
+optional_policy(`
udev_read_db(httpd_t)
')
@@ -509,11 +509,11 @@ libs_use_shared_libs(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`mysql',`
+optional_policy(`
mysql_stream_connect(httpd_php_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(httpd_php_t)
')
@@ -632,28 +632,28 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_exec_cifs_files(httpd_suexec_t)
')
-optional_policy(`mailman',`
+optional_policy(`
mailman_domtrans_cgi(httpd_suexec_t)
')
-optional_policy(`mount',`
+optional_policy(`
tunable_policy(`httpd_can_network_connect',`
mount_send_nfs_client_request(httpd_suexec_t)
')
')
-optional_policy(`mta',`
+optional_policy(`
mta_stub(httpd_suexec_t)
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(httpd_suexec_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(httpd_suexec_t)
')
@@ -687,7 +687,7 @@ ifdef(`targeted_policy',`
')
')
-optional_policy(`mysql',`
+optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
')
@@ -699,10 +699,10 @@ optional_policy(`mysql',`
unconfined_domain(httpd_unconfined_script_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(httpd_unconfined_script_t)
')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 48761d2..c01e916 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -156,15 +156,15 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`sysnetwork',`
+ optional_policy(`
sysnet_domtrans_ifconfig(apmd_t)
')
- optional_policy(`iptables',`
+ optional_policy(`
iptables_domtrans(apmd_t)
')
- optional_policy(`netutils',`
+ optional_policy(`
netutils_domtrans(apmd_t)
')
@@ -186,50 +186,50 @@ ifdef(`targeted_policy',`
unconfined_domain(apmd_t)
')
-optional_policy(`automount',`
+optional_policy(`
automount_domtrans(apmd_t)
')
-optional_policy(`clock',`
+optional_policy(`
clock_domtrans(apmd_t)
clock_rw_adjtime(apmd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(apmd_t, apmd_exec_t)
cron_anacron_domtrans_system_job(apmd_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_stub(apmd_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(apmd_t)
')
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_use_fds(apmd_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(apmd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(apmd_t)
')
-optional_policy(`pcmcia',`
+optional_policy(`
pcmcia_domtrans_cardmgr(apmd_t)
pcmcia_domtrans_cardctl(apmd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(apmd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(apmd_t)
udev_read_state(apmd_t) #necessary?
')
@@ -237,7 +237,7 @@ optional_policy(`udev',`
ifdef(`TODO',`
allow apmd_t proc_t:file write;
allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
-optional_policy(`cron',`
+optional_policy(`
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index a53702c..f54f5f0 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -99,19 +99,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(arpwatch_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(arpwatch_t)
')
-optional_policy(`qmail',`
+optional_policy(`
corecmd_search_bin(arpwatch_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(arpwatch_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(arpwatch_t)
')
diff --git a/refpolicy/policy/modules/services/audioentropy.te b/refpolicy/policy/modules/services/audioentropy.te
index c01456c..17e3572 100644
--- a/refpolicy/policy/modules/services/audioentropy.te
+++ b/refpolicy/policy/modules/services/audioentropy.te
@@ -62,11 +62,11 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(entropyd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(entropyd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(entropyd_t)
')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 990cd01..c0dd711 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -140,30 +140,30 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(automount_t)
')
-optional_policy(`apm',`
+optional_policy(`
corecmd_exec_bin(automount_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_search_cache(automount_t)
')
-optional_policy(`fstools',`
+optional_policy(`
fstools_domtrans(automount_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(automount_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_search_nfs_state_data(automount_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(automount_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(automount_t)
')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 63623d4..876e499 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -88,20 +88,20 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(avahi_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(avahi_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(avahi_t)
')
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index c660545..2e26d01 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -157,7 +157,7 @@ tunable_policy(`named_write_master_zones',`
allow named_t named_zone_t:lnk_file create_lnk_perms;
')
-optional_policy(`dbus',`
+optional_policy(`
gen_require(`
class dbus send_msg;
')
@@ -172,16 +172,16 @@ optional_policy(`dbus',`
dbus_connect_system_bus(named_t)
dbus_send_system_bus(named_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(named_t)
')
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(named_t)
')
-optional_policy(`networkmanager',`
+optional_policy(`
# this seems like fds that arent being
# closed. these should probably be
# dontaudits instead.
@@ -190,19 +190,19 @@ optional_policy(`networkmanager',`
networkmanager_rw_routing_sockets(named_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(named_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(named_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(named_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(named_t)
')
@@ -280,14 +280,14 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(ndc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ndc_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ndc_t)
')
-optional_policy(`ppp',`
+optional_policy(`
ppp_dontaudit_use_fds(ndc_t)
')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 225b82a..6576760 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -144,21 +144,21 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(bluetooth_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
dbus_send_system_bus(bluetooth_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(bluetooth_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(bluetooth_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(bluetooth_t)
')
@@ -205,17 +205,17 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(bluetooth_helper_t)
')
-optional_policy(`xserver',`
+optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
@@ -235,7 +235,7 @@ ifdef(`targeted_policy',`
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
userdom_read_all_users_home_content_files(bluetooth_helper_t)
- optional_policy(`xserver',`
+ optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
')
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index acac47b..670e3d6 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -93,14 +93,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(canna_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(canna_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(canna_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(canna_t)
')
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
index b02af07..3c68646 100644
--- a/refpolicy/policy/modules/services/clamav.te
+++ b/refpolicy/policy/modules/services/clamav.te
@@ -121,7 +121,7 @@ cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
-optional_policy(`amavis',`
+optional_policy(`
amavis_read_lib_files(clamd_t)
')
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 77512c8..1445d07 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -80,15 +80,15 @@ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
mta_getattr_spool(comsat_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(comsat_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(comsat_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(comsat_t)
')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index adf69e3..d2891df 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -61,15 +61,15 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cpucontrol_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cpucontrol_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(cpucontrol_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cpucontrol_t)
')
@@ -115,14 +115,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cpuspeed_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cpuspeed_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(cpuspeed_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cpuspeed_t)
')
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index dd65944..e5825e0 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -154,12 +154,12 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_crond_t)
')
ifdef(`TODO',`
- optional_policy(`apache',`
+ optional_policy(`
create_dir_file($1_crond_t, httpd_$1_content_t)
')
allow $1_crond_t tmp_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f5d0c40..78acdb5 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -141,7 +141,7 @@ userdom_list_all_users_home_dirs(crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
- optional_policy(`rpm',`
+ optional_policy(`
rpm_manage_log(crond_t)
')
')
@@ -167,7 +167,7 @@ ifdef(`targeted_policy',`
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
- optional_policy(`mono',`
+ optional_policy(`
mono_domtrans(crond_t)
')
',`
@@ -182,33 +182,33 @@ tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
')
-optional_policy(`amavis',`
+optional_policy(`
amavis_search_lib(crond_t)
')
-optional_policy(`hal',`
+optional_policy(`
hal_dbus_send(crond_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(crond_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(crond_t)
')
-optional_policy(`rpm',`
+optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
-optional_policy(`postgresql',`
+optional_policy(`
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
postgresql_search_db(crond_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(crond_t)
')
@@ -217,7 +217,7 @@ optional_policy(`udev',`
# System cron process domain
#
-optional_policy(`squid',`
+optional_policy(`
# cjp: why?
squid_domtrans(system_crond_t)
')
@@ -348,7 +348,7 @@ ifdef(`targeted_policy',`
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
- optional_policy(`rpm',`
+ optional_policy(`
rpm_manage_log(system_crond_t)
')
')
@@ -365,7 +365,7 @@ ifdef(`targeted_policy',`
seutil_read_file_contexts(system_crond_t)
')
- optional_policy(`apache',`
+ optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
apache_read_config(system_crond_t)
@@ -373,57 +373,57 @@ ifdef(`targeted_policy',`
apache_read_sys_content(system_crond_t)
')
- optional_policy(`cyrus',`
+ optional_policy(`
cyrus_manage_data(system_crond_t)
')
- optional_policy(`ftp',`
+ optional_policy(`
ftp_read_log(system_crond_t)
')
- optional_policy(`inn',`
+ optional_policy(`
inn_manage_log(system_crond_t)
inn_manage_pid(system_crond_t)
inn_read_config(system_crond_t)
')
- optional_policy(`mrtg',`
+ optional_policy(`
mrtg_append_create_logs(system_crond_t)
')
- optional_policy(`mysql',`
+ optional_policy(`
mysql_read_config(system_crond_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind(system_crond_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use(system_crond_t)
')
- optional_policy(`postfix',`
+ optional_policy(`
postfix_read_config(system_crond_t)
')
- optional_policy(`prelink',`
+ optional_policy(`
prelink_read_cache(system_crond_t)
prelink_manage_log(system_crond_t)
prelink_delete_cache(system_crond_t)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_read_config(system_crond_t)
samba_read_log(system_crond_t)
#samba_read_secrets(system_crond_t)
')
- optional_policy(`slocate',`
+ optional_policy(`
slocate_create_append_log(system_crond_t)
')
- optional_policy(`sysstat',`
+ optional_policy(`
sysstat_manage_log(system_crond_t)
')
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 3b130c9..cc38a0c 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -203,51 +203,51 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cupsd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(cupsd_t, cupsd_exec_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
dbus_send_system_bus(cupsd_t)
userdom_dbus_send_all_users(cupsd_t)
- optional_policy(`hal',`
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(cupsd_t)
')
-optional_policy(`inetd',`
+optional_policy(`
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(cupsd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cupsd_t)
')
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_chat(cupsd_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_rw_var_files(cupsd_t)
# cjp: rw_dir_perms was here, but doesnt make sense
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(cupsd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cupsd_t)
')
@@ -355,11 +355,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(ptal_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(ptal_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(ptal_t)
')
@@ -456,15 +456,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(hplip_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(hplip_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(hplip_t)
')
@@ -572,7 +572,7 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t)
- optional_policy(`rpm',`
+ optional_policy(`
rpm_read_db(cupsd_config_t)
')
')
@@ -583,49 +583,49 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(cupsd_config_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
dbus_connect_system_bus(cupsd_config_t)
dbus_send_system_bus(cupsd_config_t)
- optional_policy(`hal',`
+ optional_policy(`
hal_dbus_chat(cupsd_config_t)
')
')
-optional_policy(`hal',`
+optional_policy(`
hal_domtrans(cupsd_config_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(cupsd_config_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_use_fds(cupsd_config_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(cupsd_config_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cupsd_config_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_read_db(cupsd_config_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(cupsd_config_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cupsd_config_t)
')
@@ -641,7 +641,7 @@ ifdef(`targeted_policy', `
unconfined_read_pipes(cupsd_t)
- optional_policy(`dbus',`
+ optional_policy(`
init_dbus_chat_script(cupsd_t)
unconfined_dbus_send(cupsd_t)
@@ -671,7 +671,7 @@ allow cupsd_lpd_t self:udp_socket create_socket_perms;
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t self:capability { setuid setgid };
files_search_home(cupsd_lpd_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(cupsd_lpd_t)
')
#end for identd
@@ -724,10 +724,10 @@ miscfiles_read_localization(cupsd_lpd_t)
sysnet_read_config(cupsd_lpd_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(cupsd_lpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cupsd_lpd_t)
')
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index 2519663..ef87fb9 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -92,17 +92,17 @@ tunable_policy(`allow_cvs_read_shadow',`
auth_tunable_read_shadow(cvs_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(cvs_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(cvs_t)
')
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 171a7e7..08ff84e 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -118,26 +118,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cyrus_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(cyrus_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(cyrus_t)
')
-optional_policy(`sasl',`
+optional_policy(`
sasl_connect(cyrus_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(cyrus_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cyrus_t)
')
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index 090a661..bb54982 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -32,7 +32,7 @@ allow dbskkd_t self:udp_socket create_socket_perms;
allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow dbskkd_t self:capability { setuid setgid };
files_search_home(dbskkd_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(dbskkd_t)
')
#end for identd
@@ -76,10 +76,10 @@ miscfiles_read_localization(dbskkd_t)
sysnet_read_config(dbskkd_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dbskkd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(dbskkd_t)
')
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index e376365..a0f6b56 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -164,11 +164,11 @@ template(`dbus_per_userdomain_template',`
files_read_default_pipes($1_dbusd_t)
')
- optional_policy(`authlogin',`
+ optional_policy(`
auth_read_pam_console_data($1_dbusd_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_dbusd_t)
')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 2d35030..07bd6fc 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -124,18 +124,18 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(system_dbusd_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_domtrans(system_dbusd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(system_dbusd_t)
')
-optional_policy(`sysnetwork',`
+optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(system_dbusd_t)
')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index d9e0cb9..72af5a9 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -115,27 +115,27 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dhcpd_t)
')
-optional_policy(`bind',`
+optional_policy(`
# used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(dhcpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dhcpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(dhcpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(dhcpd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(dhcpd_t)
')
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index f00e31d..362b4ba 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -87,18 +87,18 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dictd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dictd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(dictd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(dictd_t)
')
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 2a491e4..ec0a754 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -95,14 +95,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(distccd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(distccd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(distccd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(distccd_t)
')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 3eff293..b84404a 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -124,19 +124,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(dovecot_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(dovecot_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dovecot_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(dovecot_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(dovecot_t)
')
@@ -180,18 +180,18 @@ seutil_dontaudit_search_config(dovecot_auth_t)
sysnet_dns_name_resolve(dovecot_auth_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(dovecot_auth_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(dovecot_auth_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dovecot_auth_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(dovecot_auth_t)
')
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index cd16606..b4c2276 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -98,10 +98,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(fetchmail_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(fetchmail_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(fetchmail_t)
')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index fad79af..b6a591d 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -110,26 +110,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(fingerd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(fingerd_t,fingerd_exec_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_exec(fingerd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(fingerd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(fingerd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(fingerd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(fingerd_t)
')
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 252024e..169e8da 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -135,7 +135,7 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(ftpd_t)
term_dontaudit_use_unallocated_ttys(ftpd_t)
- optional_policy(`ftp',`
+ optional_policy(`
tunable_policy(`ftpd_is_daemon',`
userdom_manage_generic_user_home_content_files(ftpd_t)
userdom_manage_generic_user_home_content_symlinks(ftpd_t)
@@ -180,23 +180,23 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
fs_read_cifs_symlinks(ftpd_t)
')
-optional_policy(`cron',`
+optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
cron_system_entry(ftpd_t, ftpd_exec_t)
- optional_policy(`logrotate',`
+ optional_policy(`
logrotate_exec(ftpd_t)
')
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(ftpd_t, ftpd_exec_t)
')
-optional_policy(`inetd',`
+optional_policy(`
#reh: typeattributes not allowed in conditionals yet.
#tunable_policy(`! ftpd_is_daemon',`
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
@@ -204,25 +204,25 @@ optional_policy(`inetd',`
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
- optional_policy(`tcpd',`
+ optional_policy(`
tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t)
')
')
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(ftpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ftpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
-optional_policy(`udev', `
+optional_policy(`
udev_read_db(ftpd_t)
')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 4fae74d..faf01f4 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -84,11 +84,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(gpm_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(gpm_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(gpm_t)
')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8ef18ef..827f414 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -153,30 +153,30 @@ ifdef(`targeted_policy', `
files_dontaudit_getattr_home_dir(hald_t)
')
-optional_policy(`apm',`
+optional_policy(`
# For /usr/libexec/hald-addon-acpi
# writes to /var/run/acpid.socket
apm_stream_connect(hald_t)
')
-optional_policy(`automount', `
+optional_policy(`
automount_dontaudit_getattr_tmp_dirs(hald_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_search_cache(hald_t)
')
-optional_policy(`clock',`
+optional_policy(`
clock_domtrans(hald_t)
')
-optional_policy(`cups',`
+optional_policy(`
cups_domtrans_config(hald_t)
cups_signal_config(hald_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(hald,hald_t)
dbus_send_system_bus(hald_t)
dbus_connect_system_bus(hald_t)
@@ -184,58 +184,58 @@ optional_policy(`dbus',`
init_dbus_chat_script(hald_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(hald_t)
')
')
-optional_policy(`dmidecode',`
+optional_policy(`
# For /usr/libexec/hald-probe-smbios
dmidecode_domtrans(hald_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_read_config(hald_t)
')
-optional_policy(`lvm', `
+optional_policy(`
lvm_domtrans(hald_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_domtrans(hald_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(hald_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(hald_t)
')
-optional_policy(`pcmcia',`
+optional_policy(`
pcmcia_manage_pid(hald_t)
pcmcia_manage_pid_chr_files(hald_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_search_nfs_state_data(hald_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(hald_t)
')
-optional_policy(`udev', `
+optional_policy(`
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
-optional_policy(`updfstab',`
+optional_policy(`
updfstab_domtrans(hald_t)
')
-optional_policy(`vbetool',`
+optional_policy(`
vbetool_domtrans(hald_t)
')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index c174c49..64e7ec8 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -82,14 +82,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(howl_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(howl_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(howl_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(howl_t)
')
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index 76b204d..3be7c8f 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -102,22 +102,22 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(i18n_input_t)
')
-optional_policy(`canna',`
+optional_policy(`
canna_stream_connect(i18n_input_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(i18n_input_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(i18n_input_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(i18n_input_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(i18n_input_t)
')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 2df83f3..d92c91d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -127,31 +127,31 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(inetd_t)
')
-optional_policy(`amanda',`
+optional_policy(`
amanda_search_lib(inetd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(inetd_t)
')
# Communicate with the portmapper.
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_send(inetd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(inetd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(inetd_t)
')
ifdef(`targeted_policy',`
unconfined_domain(inetd_t)
',`
- optional_policy(`unconfined',`
+ optional_policy(`
unconfined_domtrans(inetd_t)
')
')
@@ -216,21 +216,21 @@ tunable_policy(`run_ssh_inetd',`
corenet_tcp_bind_ssh_port(inetd_t)
')
-optional_policy(`ftp',`
+optional_policy(`
tunable_policy(`ftpd_is_daemon',`
# Allows it to check exec privs on daemon
ftp_check_exec(inetd_t)
')
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(inetd_child_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(inetd_child_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(inetd_child_t)
')
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index a83d9d2..ec28063 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -122,26 +122,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(innd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(innd_t, innd_exec_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(innd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(innd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(innd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(innd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(innd_t)
')
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index f470ec4..25368c0 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -60,10 +60,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(irqbalance_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(irqbalance_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(irqbalance_t)
')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 2374b88..89e3d43 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -137,15 +137,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(kadmind_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(kadmind_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(kadmind_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(kadmind_t)
')
@@ -237,14 +237,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(krb5kdc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(krb5kdc_t)
')
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index d00edae..9f2cbb8 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -36,7 +36,7 @@ allow ktalkd_t self:capability { setuid setgid };
allow ktalkd_t self:dir search;
allow ktalkd_t self:{ lnk_file file } { getattr read };
files_search_home(ktalkd_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(ktalkd_t)
')
#end for identd
@@ -84,10 +84,10 @@ miscfiles_read_localization(ktalkd_t)
sysnet_read_config(ktalkd_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ktalkd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ktalkd_t)
')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 290da67..5cb2797 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -138,18 +138,18 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(slapd_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(slapd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(slapd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(slapd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(slapd_t)
')
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 3873992..b981547 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -184,27 +184,27 @@ template(`lpd_per_userdomain_template',`
fs_read_cifs_symlinks($1_lpr_t)
')
- optional_policy(`cups',`
+ optional_policy(`
cups_read_config($1_lpr_t)
cups_tcp_connect($1_lpr_t)
cups_read_config($2)
cups_tcp_connect($2)
')
- optional_policy(`logging',`
+ optional_policy(`
logging_send_syslog_msg($1_lpr_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_lpr_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_lpr_t)
')
ifdef(`TODO',`
- optional_policy(`xdm', `
+ optional_policy(`
allow $1_lpr_t xdm_t:fd use;
allow $1_lpr_t xdm_var_run_t:dir search;
allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index f3e7514..e9516cb 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -104,15 +104,15 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(checkpc_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(checkpc_t,checkpc_exec_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(checkpc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(checkpc_t)
')
@@ -223,19 +223,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(lpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(lpd_t)
nis_tcp_connect_ypbind(lpd_t)
')
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_send(lpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(lpd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(lpd_t)
')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index b398141..91e99dc 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -88,11 +88,11 @@ template(`mailman_domain_template', `
sysnet_read_config(mailman_$1_t)
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request(mailman_$1_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind(mailman_$1_t)
')
')
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 03228c9..742b23f 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -35,7 +35,7 @@ mailman_domain_template(queue)
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
-optional_policy(`apache',`
+optional_policy(`
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
@@ -64,7 +64,7 @@ allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
ifdef(`TODO',`
-optional_policy(`qmail',`
+optional_policy(`
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
@@ -105,10 +105,10 @@ mta_tcp_connect_all_mailservers(mailman_queue_t)
su_exec(mailman_queue_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(mailman_queue_t)
')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index ec6a483..3f76942 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -95,23 +95,23 @@ template(`mta_base_mail_template',`
sysnet_read_config($1_mail_t)
sysnet_dns_name_resolve($1_mail_t)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_mail_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_mail_t)
')
- optional_policy(`postfix',`
+ optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
- optional_policy(`procmail',`
+ optional_policy(`
procmail_exec($1_mail_t)
')
- optional_policy(`sendmail',`
+ optional_policy(`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
@@ -236,7 +236,7 @@ template(`mta_per_userdomain_template',`
fs_manage_cifs_symlinks($1_mail_t)
')
- optional_policy(`postfix',`
+ optional_policy(`
allow $1_mail_t self:capability dac_override;
# Read user temporary files.
@@ -282,7 +282,7 @@ template(`mta_admin_template',`
userdom_read_unpriv_users_home_content_files($1_mail_t)
')
- optional_policy(`postfix',`
+ optional_policy(`
gen_require(`
attribute mta_user_agent;
type etc_aliases_t;
@@ -409,11 +409,11 @@ interface(`mta_mailserver_delivery',`
allow $1 mail_spool_t:file { create ioctl read getattr lock append };
allow $1 mail_spool_t:lnk_file { create read getattr };
- optional_policy(`dovecot',`
+ optional_policy(`
dovecot_manage_spool($1)
')
- optional_policy(`mailman',`
+ optional_policy(`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib($1)
@@ -441,7 +441,7 @@ interface(`mta_mailserver_user_agent',`
typeattribute $1 mta_user_agent;
- optional_policy(`apache',`
+ optional_policy(`
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index c2fe2fc..534bddc 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -34,7 +34,7 @@ role system_r types system_mail_t;
# cjp: need to resolve this, but require{}
# does not work in the else part of the optional
#ifdef(`strict_policy',`
-# optional_policy(`sendmail',`',`
+# optional_policy(`',`
# init_system_domain(system_mail_t,sendmail_exec_t)
# ')
#')
@@ -85,7 +85,7 @@ ifdef(`targeted_policy',`
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
# cjp: another require-in-else to resolve
-# optional_policy(`postfix',`',`
+# optional_policy(`',`
corecmd_exec_bin(system_mail_t)
corecmd_exec_sbin(system_mail_t)
@@ -98,7 +98,7 @@ ifdef(`targeted_policy',`
# ')
')
-optional_policy(`apache',`
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
@@ -109,7 +109,7 @@ optional_policy(`apache',`
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
')
-optional_policy(`arpwatch',`
+optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
ifdef(`hide_broken_symptoms', `
@@ -117,24 +117,24 @@ optional_policy(`arpwatch',`
')
')
-optional_policy(`cron',`
+optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
')
-optional_policy(`cvs',`
+optional_policy(`
cvs_read_data(system_mail_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
-optional_policy(`logwatch',`
+optional_policy(`
logwatch_read_tmp_files(system_mail_t)
')
-optional_policy(`postfix',`
+optional_policy(`
allow system_mail_t etc_aliases_t:dir create_dir_perms;
allow system_mail_t etc_aliases_t:file create_file_perms;
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
@@ -156,33 +156,33 @@ optional_policy(`postfix',`
postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
- optional_policy(`cron',`
+ optional_policy(`
cron_rw_tcp_sockets(system_mail_t)
')
')
-optional_policy(`sendmail',`
+optional_policy(`
userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
- optional_policy(`cron',`
+ optional_policy(`
cron_dontaudit_append_system_job_tmp_files(system_mail_t)
')
')
-optional_policy(`smartmon',`
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
# should break this up among sections:
-optional_policy(`arpwatch',`
+optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
ifdef(`hide_broken_symptoms', `
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
- optional_policy(`cron',`
+ optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index af86f54..d4a30c2 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -121,26 +121,26 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(mysqld_t)
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(mysqld_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(mysqld_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(mysqld_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(mysqld_t)
')
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 7cd261a..8112eb5 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -115,21 +115,21 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(NetworkManager_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
bind_signal(NetworkManager_t)
')
-optional_policy(`bluetooth',`
+optional_policy(`
bluetooth_dontaudit_read_helper_files(NetworkManager_t)
')
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_exec(NetworkManager_t)
')
-optional_policy(`dbus',`
+optional_policy(`
gen_require(`
class dbus send_msg;
')
@@ -141,31 +141,31 @@ optional_policy(`dbus',`
dbus_send_system_bus(NetworkManager_t)
')
-optional_policy(`howl',`
+optional_policy(`
howl_signal(NetworkManager_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(NetworkManager_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(NetworkManager_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(NetworkManager_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(NetworkManager_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(NetworkManager_t)
')
-optional_policy(`vpn',`
+optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index f5b10e8..bae0653 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -114,7 +114,7 @@ interface(`nis_use_ypbind',`
dontaudit $1 var_yp_t:dir search;
')
- optional_policy(`mount',`
+ optional_policy(`
tunable_policy(`allow_ypbind',`
mount_send_nfs_client_request($1)
')
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index b11a6cb..137b5f1 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -127,15 +127,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(ypbind_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(ypbind_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(ypbind_t)
')
@@ -228,15 +228,15 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(yppasswdd_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(yppasswdd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(yppasswdd_t)
')
@@ -326,11 +326,11 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(ypserv_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(ypserv_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(ypserv_t)
')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index e4ae3dc..37802b0 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -122,14 +122,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(nscd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(nscd_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_stream_connect_winbind(nscd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(nscd_t)
')
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 7492501..39f0b90 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -122,40 +122,40 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(ntpd_t)
')
-optional_policy(`cron',`
+optional_policy(`
# for cron jobs
cron_system_entry(ntpd_t,ntpdate_exec_t)
')
-optional_policy(`firstboot',`
+optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_exec(ntpd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(ntpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ntpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ntpd_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_stream_connect_winbind(ntpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(ntpd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(ntpd_t)
')
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index b6ccdd8..3e55f55 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -62,10 +62,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(openct_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(openct_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(openct_t)
')
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 6c44a03..55a5075 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -117,19 +117,19 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(pegasus_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(pegasus_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(pegasus_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(pegasus_t)
')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index a76f2f2..113f921 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -103,32 +103,32 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(portmap_t)
')
-optional_policy(`inetd',`
+optional_policy(`
inetd_udp_send(portmap_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(portmap_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(portmap_t)
nis_udp_send_ypbind(portmap_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(portmap_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_udp_send_nfs(portmap_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(portmap_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(portmap_t)
')
@@ -202,10 +202,10 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(portmap_helper_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(portmap_helper_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(portmap_helper_t)
')
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 2202fc7..adde578 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -91,11 +91,11 @@ template(`postfix_domain_template',`
files_dontaudit_read_root_files(postfix_$1_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use(postfix_$1_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_read_db(postfix_$1_t)
')
')
@@ -129,7 +129,7 @@ template(`postfix_server_domain_template',`
sysnet_read_config(postfix_$1_t)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind(postfix_$1_t)
')
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 37e7cf7..cd496b0 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -174,11 +174,11 @@ sysnet_read_config(postfix_master_t)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(postfix_master_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(postfix_master_t)
')
@@ -280,7 +280,7 @@ mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
-optional_policy(`procmail',`
+optional_policy(`
procmail_domtrans(postfix_local_t)
')
@@ -360,7 +360,7 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(postfix_map_t)
')
-optional_policy(`locallogin',`
+optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -402,11 +402,11 @@ allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-optional_policy(`procmail',`
+optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-optional_policy(`mailman',`
+optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
')
@@ -441,14 +441,14 @@ ifdef(`targeted_policy', `
term_use_generic_ptys(postfix_postdrop_t)
')
-optional_policy(`crond',`
+optional_policy(`
cron_use_fds(postfix_postdrop_t)
cron_rw_pipes(postfix_postdrop_t)
cron_use_system_job_fds(postfix_postdrop_t)
cron_rw_system_job_pipes(postfix_postdrop_t)
')
-optional_policy(`ppp',`
+optional_policy(`
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
')
@@ -491,7 +491,7 @@ init_use_script_fds(postfix_postqueue_t)
sysnet_dontaudit_read_config(postfix_postqueue_t)
ifdef(`TODO',`
-optional_policy(`gnome-pty-helper', `allow postfix_postqueue_t user_gph_t:fd use;')
+optional_policy(`allow postfix_postqueue_t user_gph_t:fd use;')
')
########################################
@@ -584,6 +584,6 @@ allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
-optional_policy(`sasl',`
+optional_policy(`
sasl_connect(postfix_smtpd_t)
')
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index faf817a..d602f4d 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -152,36 +152,36 @@ tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_exec(postgresql_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_search_spool(postgresql_t)
cron_system_entry(postgresql_t,postgresql_exec_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(postgresql_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(postgresql_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(postgresql_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(postgresql_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(postgresql_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(postgresql_t)
')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 62f156d..6ec1539 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -181,7 +181,7 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(pppd_t)
files_dontaudit_read_root_files(pppd_t)
- optional_policy(`postfix',`
+ optional_policy(`
gen_require(`
bool postfix_disable_trans;
')
@@ -191,34 +191,34 @@ ifdef(`targeted_policy', `
}
')
',`
- optional_policy(`postfix',`
+ optional_policy(`
postfix_domtrans_master(pppd_t)
')
')
-optional_policy(`modutils',`
+optional_policy(`
tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
modutils_domtrans_insmod_uncond(pppd_t)
')
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(pppd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(pppd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(pppd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(pppd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(pppd_t)
')
@@ -302,23 +302,23 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(pptp_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(pptp_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(pptp_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(pptp_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(pptp_t)
')
-optional_policy(`postfix',`
+optional_policy(`
postfix_read_config(pppd_t)
')
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 8146e06..b4ba164 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -86,18 +86,18 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(privoxy_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(privoxy_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(privoxy_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(privoxy_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(privoxy_t)
')
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index a8366b0..e3a8433 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -79,27 +79,27 @@ ifdef(`targeted_policy', `
files_getattr_tmp_dirs(procmail_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(procmail_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(procmail_t)
')
-optional_policy(`postfix',`
+optional_policy(`
# for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
')
-optional_policy(`sendmail',`
+optional_policy(`
mta_read_config(procmail_t)
sendmail_rw_tcp_sockets(procmail_t)
sendmail_rw_unix_stream_sockets(procmail_t)
')
-optional_policy(`spamassassin',`
+optional_policy(`
corenet_udp_bind_generic_port(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
diff --git a/refpolicy/policy/modules/services/publicfile.te b/refpolicy/policy/modules/services/publicfile.te
index ceab2ae..7b91ac9 100644
--- a/refpolicy/policy/modules/services/publicfile.te
+++ b/refpolicy/policy/modules/services/publicfile.te
@@ -28,11 +28,11 @@ files_search_var(publicfile_t)
libs_use_ld_so(publicfile_t)
libs_use_shared_libs(publicfile_t)
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_ipc_domain(publicfile_t)
')
-optional_policy(`ucspitcp',`
+optional_policy(`
ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 5955b4d..9335bc9 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -109,26 +109,26 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(radiusd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(radiusd_t,radiusd_exec_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
logrotate_exec(radiusd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(radiusd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(radiusd_t)
')
-optional_policy(`snmp',`
+optional_policy(`
snmp_tcp_connect(radiusd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(radiusd_t)
')
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index ab311e8..5e2fb65 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -84,14 +84,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(radvd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(radvd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(radvd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(radvd_t)
')
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index 1a734f7..2226c7d 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -62,10 +62,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(rdisc_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(rdisc_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(rdisc_t)
')
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 8e96e51..18d90dc 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -153,18 +153,18 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(remote_login_t)
')
-optional_policy(`alsa',`
+optional_policy(`
alsa_domtrans(remote_login_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(remote_login_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(remote_login_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_read_crack_db(remote_login_t)
')
diff --git a/refpolicy/policy/modules/services/rhgb.te b/refpolicy/policy/modules/services/rhgb.te
index 99acd6b..a02aeb7 100644
--- a/refpolicy/policy/modules/services/rhgb.te
+++ b/refpolicy/policy/modules/services/rhgb.te
@@ -112,19 +112,19 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(rhgb_t)
')
-optional_policy(`firstboot',`
+optional_policy(`
firstboot_read_rw_files(rhgb_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(rhgb_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(rhgb_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(rhgb_t)
')
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 3c93e1a..028e5be 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -94,18 +94,18 @@ userdom_read_all_users_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_read_keytab(rlogind_t)
# for identd; cjp: this should probably only be inetd_child rules?
kerberos_use(rlogind_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(rlogind_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(rlogind_t)
')
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index d1ab3af..609ac11 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -94,19 +94,19 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(roundup_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(roundup_t)
')
-optional_policy(`mysql',`
+optional_policy(`
mysql_stream_connect(roundup_t)
mysql_search_db(roundup_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(roundup_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(roundup_t)
')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 6083364..bd069ad 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -101,19 +101,19 @@ template(`rpc_domain_template', `
files_dontaudit_read_root_files($1_t)
')
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request($1_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_t)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_sigchld_newrole($1_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_read_db($1_t)
')
')
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index abb9a7c..62e52cf 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -69,7 +69,7 @@ ifdef(`distro_redhat',`
allow rpcd_t self:capability { chown dac_override setgid setuid };
')
-optional_policy(`nis',`
+optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
@@ -153,7 +153,7 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_unpriv_users_tmp_symlinks(gssd_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(gssd_t)
kerberos_read_keytab(gssd_t)
')
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 0d78310..f432bb4 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -82,16 +82,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(rshd_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(rshd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(rshd_t)
')
ifdef(`TODO',`
-optional_policy(`rlogind',`
+optional_policy(`
allow rshd_t rlogind_tmp_t:file rw_file_perms;
')
')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 240ce5b..ae35a20 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -87,22 +87,22 @@ tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(rsync_t, rsync_exec_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(rsync_t)
')
-optional_policy(`inetd',`
+optional_policy(`
inetd_service_domain(rsync_t,rsync_exec_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(rsync_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(rsync_t)
')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index b04994e..ef4fa9e 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -146,11 +146,11 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(samba_net_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(samba_net_t)
')
-optional_policy(`ldap',`
+optional_policy(`
allow samba_net_t self:tcp_socket create_socket_perms;
corenet_tcp_sendrecv_all_if(samba_net_t)
corenet_raw_sendrecv_all_if(samba_net_t)
@@ -162,7 +162,7 @@ optional_policy(`ldap',`
sysnet_read_config(samba_net_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(samba_net_t)
')
@@ -298,27 +298,27 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
-optional_policy(`cups',`
+optional_policy(`
cups_read_rw_config(smbd_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(smbd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(smbd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(smbd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(smbd_t)
')
-optional_policy(`udev', `
+optional_policy(`
udev_read_db(smbd_t)
')
@@ -425,15 +425,15 @@ ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(nmbd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(nmbd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(nmbd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(nmbd_t)
')
@@ -515,11 +515,11 @@ sysnet_read_config(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
userdom_use_sysadm_ttys(smbmount_t)
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(smbmount_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(smbmount_t)
')
@@ -605,19 +605,19 @@ miscfiles_read_localization(swat_t)
sysnet_read_config(swat_t)
-optional_policy(`cups',`
+optional_policy(`
cups_read_rw_config(swat_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(swat_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(swat_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(swat_t)
')
@@ -717,23 +717,23 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(winbind_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(winbind_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(winbind_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(winbind_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(winbind_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(winbind_t)
')
@@ -771,11 +771,11 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(winbind_helper_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(winbind_helper_t)
')
-optional_policy(`squid',`
+optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 44719ba..5d0e609 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -93,15 +93,15 @@ tunable_policy(`allow_saslauthd_read_shadow',`
auth_tunable_read_shadow(saslauthd_t)
')
-optional_policy(`mysql',`
+optional_policy(`
mysql_search_db(saslauthd_t)
mysql_stream_connect(saslauthd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(saslauthd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(saslauthd_t)
')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 3ce5d74..1139497 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -116,29 +116,29 @@ ifdef(`targeted_policy',`
files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(sendmail_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(sendmail_t)
')
-optional_policy(`postfix',`
+optional_policy(`
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-optional_policy(`procmail',`
+optional_policy(`
procmail_domtrans(sendmail_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(sendmail_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(sendmail_t)
')
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index e25afb6..c7de93a 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -74,14 +74,14 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(slrnpull_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(slrnpull_t,slrnpull_exec_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(slrnpull_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(slrnpull_t)
')
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 5791d1e..876d839 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -94,14 +94,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(fsdaemon_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(fsdaemon_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(fsdaemon_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(fsdaemon_t)
')
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index d547023..df50f2f 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -117,7 +117,7 @@ userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
ifdef(`distro_redhat', `
- optional_policy(`rpm',`
+ optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
')
@@ -129,31 +129,31 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(snmpd_t)
')
-optional_policy(`amanda',`
+optional_policy(`
amanda_dontaudit_read_dumpdates(snmpd_t)
')
-optional_policy(`cups',`
+optional_policy(`
cups_read_rw_config(snmpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(snmpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(snmpd_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_search_nfs_state_data(snmpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(snmpd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(snmpd_t)
')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 060b714..f57fdca 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -161,24 +161,24 @@ template(`spamassassin_per_userdomain_template',`
files_read_default_pipes($1_spamc_t)
')
- optional_policy(`evolution',`
+ optional_policy(`
# Allow connection to spamd socket above
evolution_stream_connect($1,$1_spamc_t)
')
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request($1_spamc_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_spamc_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_spamc_t)
')
- optional_policy(`sendmail',`
+ optional_policy(`
mta_read_config($1_spamc_t)
sendmail_stub($1_spamc_t)
')
@@ -315,12 +315,12 @@ template(`spamassassin_per_userdomain_template',`
fs_manage_cifs_symlinks($1_spamassassin_t)
')
- optional_policy(`evolution',`
+ optional_policy(`
# Write pid file and socket in ~/.evolution/cache/tmp
evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
')
- optional_policy(`nis',`
+ optional_policy(`
# cjp: clearly some redundancy here
nis_use_ypbind($1_spamassassin_t)
@@ -330,7 +330,7 @@ template(`spamassassin_per_userdomain_template',`
')
')
- optional_policy(`sendmail',`
+ optional_policy(`
mta_read_config($1_spamassassin_t)
sendmail_stub($1_spamassassin_t)
')
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 31167a0..ed2062a 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -138,37 +138,37 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(spamd_t)
')
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(spamd_t,spamd_exec_t)
')
-optional_policy(`amavis',`
+optional_policy(`
amavis_manage_lib_files(spamd_t)
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(spamd_t,spamd_exec_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(spamd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(spamd_t)
')
-optional_policy(`sendmail',`
+optional_policy(`
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(spamd_t)
')
ifdef(`TODO',`
-optional_policy(`amavis', `
+optional_policy(`
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
allow spamd_t amavisd_lib_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 8037fc7..808b1fe 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -145,7 +145,7 @@ tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
')
-optional_policy(`logrotate',`
+optional_policy(`
allow squid_t self:capability kill;
cron_use_fds(squid_t)
cron_use_system_job_fds(squid_t)
@@ -153,27 +153,27 @@ optional_policy(`logrotate',`
cron_write_system_job_pipes(squid_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(squid_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(squid_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(squid_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_domtrans_winbind_helper(squid_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(squid_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(squid_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index a89a355..8d7a188 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -208,19 +208,19 @@ template(`ssh_per_userdomain_template',`
corenet_tcp_bind_ssh_port($1_ssh_t)
')
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_ssh_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_ssh_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_ssh_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
xserver_domtrans_user_xauth($1,$1_ssh_t)
')
@@ -348,11 +348,11 @@ template(`ssh_per_userdomain_template',`
fs_cifs_domtrans($1_ssh_agent_t, $1_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
')
-# optional_policy(`xdm',`
+# optional_policy(`
# # KDM:
# xdm_sigchld($1_ssh_agent_t)
# ')
@@ -394,7 +394,7 @@ template(`ssh_per_userdomain_template',`
# $1_ssh_keysign_t local policy
#
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_ssh_keysign_t)
')
')
@@ -530,7 +530,7 @@ template(`ssh_server_template', `
# cjp: commenting out until typeattribute works in conditional
# and require block in optional else is resolved
- #optional_policy(`inetd',`
+ #optional_policy(`
# tunable_policy(`run_ssh_inetd',`
# allow $1_t self:process signal;
# files_list_pids($1_t)
@@ -547,15 +547,15 @@ template(`ssh_server_template', `
init_use_script_ptys($1_t)
#')
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_t)
')
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request($1_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_t)
')
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index a320fca..546f8d7 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -52,7 +52,7 @@ ifdef(`targeted_policy',`
ssh_server_template(sshd_extern)
# cjp: commenting this out until typeattribute works in a conditional
-# optional_policy(`inetd',`
+# optional_policy(`
# tunable_policy(`run_ssh_inetd',`
# inetd_tcp_service_domain(sshd_t,sshd_exec_t)
# ',`
@@ -117,11 +117,11 @@ ifdef(`targeted_policy',`',`
userdom_use_unpriv_users_ptys(sshd_t)
')
- optional_policy(`daemontools',`
+ optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
- optional_policy(`rpm',`
+ optional_policy(`
rpm_use_script_fds(sshd_t)
')
@@ -133,11 +133,11 @@ ifdef(`targeted_policy',`',`
# some versions of sshd on the new SE Linux require setattr
allow sshd_t ptyfile:chr_file relabelto;
- optional_policy(`xauth',`
+ optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
',`
- optional_policy(`xauth',`
+ optional_policy(`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
# Relabel and access ptys created by sshd
@@ -176,7 +176,7 @@ ifdef(`targeted_policy',`',`
# is allocated
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
- optional_policy(`inetd',`
+ optional_policy(`
tunable_policy(`run_ssh_inetd',`
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
',`
@@ -258,11 +258,11 @@ ifdef(`targeted_policy',`',`
files_dontaudit_read_root_files(ssh_keygen_t)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_read_db(ssh_keygen_t)
')
')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 14e6a0f..88bda4a 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -103,19 +103,19 @@ ifdef(`distro_gentoo', `
files_dontaudit_read_root_files(stunnel_t)
')
- optional_policy(`daemontools',`
+ optional_policy(`
daemontools_service_domain(stunnel_t, stunnel_exec_t)
')
- optional_policy(`mount',`
+ optional_policy(`
mount_send_nfs_client_request(stunnel_t)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_sigchld_newrole(stunnel_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_read_db(stunnel_t)
')
',`
@@ -126,15 +126,15 @@ ifdef(`distro_gentoo', `
files_read_etc_files(stunnel_t)
files_search_home(stunnel_t)
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use(stunnel_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind(stunnel_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use(stunnel_t)
')
')
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index 620c380..21ac35a 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -61,10 +61,10 @@ miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
-optional_policy(`cron',`
+optional_policy(`
cron_system_entry(sysstat_t,sysstat_exec_t)
')
-optional_policy(`logging',`
+optional_policy(`
logging_send_syslog_msg(sysstat_t)
')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index dc6ec20..f80f307 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -52,22 +52,22 @@ sysnet_read_config(tcpd_t)
inetd_domtrans_child(tcpd_t)
-optional_policy(`finger',`
+optional_policy(`
finger_domtrans(tcpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(tcpd_t)
')
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_send(tcpd_t)
')
-optional_policy(`rlogin',`
+optional_policy(`
rlogin_domtrans(tcpd_t)
')
-optional_policy(`rshd',`
+optional_policy(`
rshd_domtrans(tcpd_t)
')
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index a36dfc7..3d4a2df 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -90,15 +90,15 @@ sysnet_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(telnetd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(telnetd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(telnetd_t)
')
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 3e1f202..9f3097c 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -90,18 +90,18 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(tftpd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(tftpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(tftpd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(tftpd_t)
')
-optional_policy(`udev', `
+optional_policy(`
udev_read_db(tftpd_t)
')
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index 50d4a38..cea6beb 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -91,10 +91,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(timidity_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(timidity_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(timidity_t)
')
diff --git a/refpolicy/policy/modules/services/tor.te b/refpolicy/policy/modules/services/tor.te
index 705272c..901cd08 100644
--- a/refpolicy/policy/modules/services/tor.te
+++ b/refpolicy/policy/modules/services/tor.te
@@ -92,6 +92,6 @@ miscfiles_read_localization(tor_t)
sysnet_dns_name_resolve(tor_t)
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(tor_t)
')
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
index cdaa0fb..81ee26c 100644
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -43,7 +43,7 @@ files_search_var(rblsmtpd_t)
libs_use_ld_so(rblsmtpd_t)
libs_use_shared_libs(rblsmtpd_t)
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_ipc_domain(rblsmtpd_t)
')
@@ -84,7 +84,7 @@ libs_use_shared_libs(ucspitcp_t)
sysnet_read_config(ucspitcp_t)
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
')
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 20d12d9..bd62422 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -98,14 +98,14 @@ miscfiles_read_localization(uucpd_t)
sysnet_read_config(uucpd_t)
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(uucpd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(uucpd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(uucpd_t)
')
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index d52a3ff..9cd8f96 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -79,14 +79,14 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(xfs_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(xfs_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(xfs_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(xfs_t)
')
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 6cf46cb..c928d83 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -159,19 +159,19 @@ template(`xserver_common_domain_template',`
sysnet_read_config($1_xserver_t)
- optional_policy(`authlogin',`
+ optional_policy(`
auth_search_pam_console_data($1_xserver_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_xserver_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_xserver_t)
')
- optional_policy(`xfs',`
+ optional_policy(`
xfs_stream_connect($1_xserver_t)
')
@@ -288,7 +288,7 @@ template(`xserver_per_userdomain_template',`
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
- optional_policy(`userhelper',`
+ optional_policy(`
userhelper_search_config($1_xserver_t)
')
@@ -371,11 +371,11 @@ template(`xserver_per_userdomain_template',`
fs_manage_cifs_files($1_xauth_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_xauth_t)
')
- optional_policy(`ssh',`
+ optional_policy(`
ssh_sigchld($1_xauth_t)
ssh_read_pipes($1_xauth_t)
ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
@@ -567,7 +567,7 @@ template(`xserver_user_client_template',`
')
# for X over a ssh tunnel
- optional_policy(`ssh',`
+ optional_policy(`
kernel_tcp_recvfrom($2)
ssh_tcp_connect($2)
')
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d362fda..ae96e2e 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -60,7 +60,7 @@ logging_log_file(xserver_log_t)
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
-optional_policy(`prelink',`
+optional_policy(`
prelink_object_file(xkb_var_lib_t)
')
@@ -290,7 +290,7 @@ ifdef(`strict_policy',`
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
')
- optional_policy(`alsa',`
+ optional_policy(`
alsa_domtrans(xdm_t)
')
')
@@ -315,50 +315,50 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
-optional_policy(`gpm',`
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(xdm_t)
')
-optional_policy(`loadkeys',`
+optional_policy(`
loadkeys_exec(xdm_t)
')
-optional_policy(`locallogin',`
+optional_policy(`
locallogin_signull(xdm_t)
')
-optional_policy(`mta',`
+optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(xdm_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(xdm_t)
')
-optional_policy(`userhelper',`
+optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_read_crack_db(xdm_t)
')
-optional_policy(`xfs',`
+optional_policy(`
xfs_stream_connect(xdm_t)
')
@@ -429,7 +429,7 @@ ifdef(`targeted_policy',`
unconfined_domtrans(xdm_xserver_t)
')
-optional_policy(`rhgb',`
+optional_policy(`
rhgb_rw_shm(xdm_xserver_t)
rhgb_rw_tmpfs_files(xdm_xserver_t)
')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 7002ab4..7124720 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -114,22 +114,22 @@ ifdef(`targeted_policy', `
unconfined_sigchld(zebra_t)
')
-optional_policy(`ldap',`
+optional_policy(`
ldap_use(zebra_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(zebra_t)
')
-optional_policy(`zebra',`
+optional_policy(`
rpm_read_pipes(zebra_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(zebra_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(zebra_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 9e864a3..dddd366 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -58,19 +58,19 @@ template(`authlogin_common_auth_domain_template',`
sysnet_dns_name_resolve($1_chkpwd_t)
sysnet_use_ldap($1_chkpwd_t)
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_chkpwd_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_chkpwd_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_chkpwd_t)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_stream_connect_winbind($1_chkpwd_t)
')
')
@@ -275,15 +275,15 @@ interface(`auth_domtrans_chk_passwd',`
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_stream_connect_winbind($1)
')
')
@@ -1154,11 +1154,11 @@ interface(`auth_use_nsswitch',`
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_stream_connect_winbind($1)
')
')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index fbb4652..11dddec 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -117,15 +117,15 @@ logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
-optional_policy(`locallogin',`
+optional_policy(`
locallogin_use_fds(pam_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(pam_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(pam_t)
')
@@ -223,25 +223,25 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(pam_console_t)
')
-optional_policy(`gpm',`
+optional_policy(`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_use_fds(pam_console_t)
hotplug_dontaudit_search_config(pam_console_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(pam_console_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(pam_console_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(pam_console_t)
')
@@ -301,12 +301,12 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_users_tmp_files(utempter_t)
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(utempter_t)
')
ifdef(`TODO',`
-optional_policy(`xdm',`
+optional_policy(`
can_pipe_xdm(utempter_t)
')
')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index eae12da..fa90fde 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -67,23 +67,23 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(hwclock_t)
')
-optional_policy(`apm',`
+optional_policy(`
apm_append_log(hwclock_t)
apm_rw_stream_sockets(hwclock_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(hwclock_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(hwclock_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(hwclock_t)
')
-optional_policy(`userdomain',`
+optional_policy(`
userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
')
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index cb4a266..ac64ff6 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -157,21 +157,21 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(fsadm_t)
')
-optional_policy(`amanda',`
+optional_policy(`
amanda_rw_dumpdates_files(fsadm_t)
amanda_append_log_files(fsadm_t)
')
-optional_policy(`cron',`
+optional_policy(`
# for smartctl cron jobs
cron_system_entry(fsadm_t,fsadm_exec_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(fsadm_t)
')
-optional_policy(`rhgb',`
+optional_policy(`
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 456e3b5..cea7642 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -107,14 +107,14 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(getty_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(getty_t)
')
-optional_policy(`ppp',`
+optional_policy(`
ppp_domtrans(getty_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(getty_t)
')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index e039a86..a71dfa6 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -126,7 +126,7 @@ userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
ifdef(`distro_redhat', `
- optional_policy(`netutils',`
+ optional_policy(`
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(hotplug_t)
fs_rw_tmpfs_chr_files(hotplug_t)
@@ -138,52 +138,52 @@ ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(hotplug_t)
term_dontaudit_use_generic_ptys(hotplug_t)
- optional_policy(`consoletype',`
+ optional_policy(`
consoletype_domtrans(hotplug_t)
')
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(hotplug,hotplug_t)
')
-optional_policy(`fstools',`
+optional_policy(`
fstools_domtrans(hotplug_t)
')
-optional_policy(`hal',`
+optional_policy(`
hal_dgram_send(hotplug_t)
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_exec(hotplug_t)
')
-optional_policy(`iptables',`
+optional_policy(`
iptables_domtrans(hotplug_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_domtrans(hotplug_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_send_mail(hotplug_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(hotplug_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(hotplug_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(hotplug_t)
')
-optional_policy(`sysnetwork',`
+optional_policy(`
sysnet_domtrans_dhcpc(hotplug_t)
sysnet_signal_dhcpc(hotplug_t)
sysnet_kill_dhcpc(hotplug_t)
@@ -195,16 +195,16 @@ optional_policy(`sysnetwork',`
sysnet_domtrans_ifconfig(hotplug_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_domtrans(hotplug_t)
udev_helper_domtrans(hotplug_t)
udev_read_db(hotplug_t)
')
-optional_policy(`updfstab',`
+optional_policy(`
updfstab_domtrans(hotplug_t)
')
-optional_policy(`usbmodules',`
+optional_policy(`
usbmodules_domtrans(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index dad3d96..819ff14 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -109,7 +109,7 @@ interface(`init_daemon_domain',`
allow $1 $2:file { rx_file_perms entrypoint };
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1)
')
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ab16f6b..9ab09cc 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -174,20 +174,20 @@ ifdef(`targeted_policy',`
unconfined_domain(init_t)
')
-optional_policy(`authlogin',`
+optional_policy(`
auth_rw_login_records(init_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(init_t)
')
-optional_policy(`portmap',`
+optional_policy(`
portmap_udp_send(init_t)
')
# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`userdomain',`
+optional_policy(`
userdom_shell_domtrans_sysadm(init_t)
')
@@ -402,11 +402,11 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo',`
- optional_policy(`arpwatch',`
+ optional_policy(`
arpwatch_manage_data_files(initrc_t)
')
- optional_policy(`dhcp',`
+ optional_policy(`
dhcpd_setattr_state_files(initrc_t)
')
')
@@ -453,27 +453,27 @@ ifdef(`distro_redhat',`
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
- optional_policy(`bind',`
+ optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
')
- optional_policy(`rpc',`
+ optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
')
- optional_policy(`sysnetwork',`
+ optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_delete_log(initrc_t)
')
')
ifdef(`distro_suse',`
- optional_policy(`xserver',`
+ optional_policy(`
# set permissions on /tmp/.X11-unix
xserver_setattr_xdm_tmp_dirs(initrc_t)
')
@@ -483,85 +483,85 @@ ifdef(`targeted_policy',`
domain_subj_id_change_exemption(initrc_t)
unconfined_domain(initrc_t)
- optional_policy(`mono',`
+ optional_policy(`
mono_domtrans(initrc_t)
')
',`
# cjp: require doesnt work in optionals :\
# this also would result in a type transition
# conflict if sendmail is enabled
-# optional_policy(`sendmail',`',`
+# optional_policy(`',`
# mta_send_mail(initrc_t)
# ')
')
-optional_policy(`amavis',`
+optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
-optional_policy(`apm',`
+optional_policy(`
dev_rw_apm_bios(initrc_t)
')
-optional_policy(`apache',`
+optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
')
-optional_policy(`automount',`
+optional_policy(`
automount_exec_config(initrc_t)
')
-optional_policy(`bind',`
+optional_policy(`
bind_read_config(initrc_t)
# for chmod in start script
bind_setattr_pid_dirs(initrc_t)
')
-optional_policy(`bluetooth',`
+optional_policy(`
dev_read_usbfs(initrc_t)
bluetooth_read_config(initrc_t)
')
-optional_policy(`clamav',`
+optional_policy(`
clamav_read_config(initrc_t)
')
-optional_policy(`cpucontrol',`
+optional_policy(`
cpucontrol_stub(initrc_t)
dev_getattr_cpu_dev(initrc_t)
')
-optional_policy(`cups',`
+optional_policy(`
cups_read_log(initrc_t)
')
-optional_policy(`daemontools',`
+optional_policy(`
daemontools_manage_svc(initrc_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_send_system_bus(initrc_t)
dbus_system_bus_client_template(initrc,initrc_t)
dbus_read_config(initrc_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(initrc_t)
')
')
-optional_policy(`ftp',`
+optional_policy(`
ftp_read_config(initrc_t)
')
-optional_policy(`gpm',`
+optional_policy(`
gpm_setattr_gpmctl(initrc_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
@@ -570,29 +570,29 @@ optional_policy(`hotplug',`
modutils_read_module_deps(initrc_t)
')
-optional_policy(`inn',`
+optional_policy(`
inn_exec_config(initrc_t)
')
-optional_policy(`ipsec',`
+optional_policy(`
ipsec_read_config(initrc_t)
ipsec_manage_pid(initrc_t)
')
-optional_policy(`kerberos',`
+optional_policy(`
kerberos_use(initrc_t)
')
-optional_policy(`ldap',`
+optional_policy(`
ldap_read_config(initrc_t)
ldap_list_db(initrc_t)
')
-optional_policy(`loadkeys',`
+optional_policy(`
loadkeys_exec(initrc_t)
')
-optional_policy(`lpd',`
+optional_policy(`
# This is needed to permit chown to read /var/spool/lpd/lp.
# This is opens up security more than necessary; this means that ANYTHING
# running in the initrc_t domain can read the printer spool directory.
@@ -603,7 +603,7 @@ optional_policy(`lpd',`
lpd_read_config(initrc_t)
')
-optional_policy(`lvm',`
+optional_policy(`
#allow initrc_t lvm_control_t:chr_file unlink;
dev_read_lvm_control(initrc_t)
@@ -612,17 +612,17 @@ optional_policy(`lvm',`
lvm_read_config(initrc_t)
')
-optional_policy(`mailman',`
+optional_policy(`
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
-optional_policy(`mta',`
+optional_policy(`
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-optional_policy(`mysql',`
+optional_policy(`
ifdef(`distro_redhat',`
mysql_manage_db_dirs(initrc_t)
')
@@ -631,38 +631,38 @@ optional_policy(`mysql',`
mysql_write_log(initrc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(initrc_t)
nis_udp_send_ypbind(initrc_t)
nis_list_var_yp(initrc_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(initrc_t)
')
-optional_policy(`raid',`
+optional_policy(`
raid_manage_mdadm_pid(initrc_t)
')
-optional_policy(`rpc',`
+optional_policy(`
rpc_read_exports(initrc_t)
')
-optional_policy(`postgresql',`
+optional_policy(`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-optional_policy(`postfix',`
+optional_policy(`
postfix_list_spool(initrc_t)
')
-optional_policy(`quota',`
+optional_policy(`
quota_manage_flags(initrc_t)
')
-optional_policy(`rhgb',`
+optional_policy(`
corecmd_shell_entry_type(initrc_t)
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -671,7 +671,7 @@ optional_policy(`rhgb',`
rhgb_stream_connect(initrc_t)
')
-optional_policy(`rpm',`
+optional_policy(`
# bash tries to access a block device in the initrd
kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
@@ -685,46 +685,46 @@ optional_policy(`rpm',`
rpm_manage_db(initrc_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_rw_config(initrc_t)
samba_read_winbind_pid(initrc_t)
')
-optional_policy(`squid',`
+optional_policy(`
squid_read_config(initrc_t)
squid_manage_logs(initrc_t)
')
-optional_policy(`ssh',`
+optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
')
# allow init scripts to su
-optional_policy(`su',`
+optional_policy(`
su_restricted_domain_template(initrc,initrc_t,system_r)
')
-optional_policy(`sysnetwork',`
+optional_policy(`
sysnet_read_dhcpc_state(initrc_t)
')
-optional_policy(`uml',`
+optional_policy(`
uml_setattr_util_sockets(initrc_t)
')
-optional_policy(`xfs',`
+optional_policy(`
miscfiles_manage_fonts(initrc_t)
# cjp: is this really needed?
xfs_read_sockets(initrc_t)
')
-optional_policy(`xserver',`
+optional_policy(`
# init s cript wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
-optional_policy(`zebra',`
+optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index dd4ee28..4b618ef 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -130,15 +130,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(ipsec_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ipsec_t)
')
-optional_policy(`selinuxutils',`
+optional_policy(`
seutil_sigchld_newrole(ipsec_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(ipsec_t)
')
@@ -255,11 +255,11 @@ sysnet_domtrans_ifconfig(ipsec_mgmt_t)
userdom_use_sysadm_terms(ipsec_mgmt_t)
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_exec(ipsec_mgmt_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(ipsec_mgmt_t)
')
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index d81e6f1..5098c76 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -81,24 +81,24 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(iptables_t)
')
-optional_policy(`firstboot',`
+optional_policy(`
firstboot_use_fds(iptables_t)
firstboot_write_pipes(iptables_t)
')
-optional_policy(`modutils',`
+optional_policy(`
modutils_domtrans_insmod(iptables_t)
')
-optional_policy(`nis',`
+optional_policy(`
# for iptables -L
nis_use_ypbind(iptables_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(iptables_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(iptables_t)
')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 8a2b5e0..8ed52a3 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -82,7 +82,7 @@ logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
ifdef(`hide_broken_symptoms',`
- optional_policy(`unconfined',`
+ optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
')
')
@@ -92,7 +92,7 @@ ifdef(`targeted_policy',`
unconfined_domain(ldconfig_t)
')
-optional_policy(`apache',`
+optional_policy(`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
apache_dontaudit_search_modules(ldconfig_t)
')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index f9be092..62e6690 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -196,24 +196,24 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
-optional_policy(`gpm',`
+optional_policy(`
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(local_login_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(local_login_t)
')
-optional_policy(`usermanage',`
+optional_policy(`
usermanage_read_crack_db(local_login_t)
')
-optional_policy(`alsa',`
+optional_policy(`
alsa_domtrans(local_login_t)
')
@@ -278,10 +278,10 @@ ifdef(`sulogin_no_pam', `
selinux_compute_user_contexts(sulogin_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(sulogin_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(sulogin_t)
')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 80e2252..2268747 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -180,11 +180,11 @@ ifdef(`targeted_policy',`
unconfined_dontaudit_read_pipes(auditd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(auditd_t)
')
@@ -242,7 +242,7 @@ mls_file_read_up(klogd_t)
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(klogd_t)
')
@@ -251,7 +251,7 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(klogd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(klogd_t)
')
@@ -364,23 +364,23 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(syslogd_t)
')
-optional_policy(`inn',`
+optional_policy(`
inn_manage_log(syslogd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(syslogd_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(syslogd_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(syslogd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(syslogd_t)
')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 1f9d055..1628962 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -110,15 +110,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(clvmd_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_send_nfs_client_request(clvmd_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(clvmd_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(clvmd_t)
')
@@ -258,14 +258,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(lvm_t)
')
-optional_policy(`bootloader',`
+optional_policy(`
bootloader_rw_tmp_files(lvm_t)
')
-optional_policy(`gpm',`
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(lvm_t)
')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 6d863ab..415ad30 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -127,23 +127,23 @@ ifdef(`targeted_policy',`
unconfined_domain(insmod_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_search_config(insmod_t)
')
-optional_policy(`mount',`
+optional_policy(`
mount_domtrans(insmod_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(insmod_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(insmod_t)
')
-optional_policy(`rhgb',`
+optional_policy(`
fs_manage_ramfs_files(insmod_t)
rhgb_use_fds(insmod_t)
@@ -153,13 +153,13 @@ optional_policy(`rhgb',`
')
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_rw_pipes(insmod_t)
')
ifdef(`TODO',`
allow insmod_t proc_t:file rw_file_perms;
-optional_policy(`xserver',`
+optional_policy(`
xserver_getattr_log(insmod_t)
allow insmod_t xserver_misc_device_t:chr_file { read write };
')
@@ -214,7 +214,7 @@ ifdef(`targeted_policy', `
term_use_generic_ptys(depmod_t)
')
-optional_policy(`rpm',`
+optional_policy(`
rpm_rw_pipes(depmod_t)
')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 9161405..08a5c9c 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -92,14 +92,14 @@ sysnet_use_portmap(mount_t)
userdom_use_all_users_fds(mount_t)
ifdef(`distro_redhat',`
- optional_policy(`authlogin',`
+ optional_policy(`
auth_read_pam_console_data(mount_t)
# mount config by default sets fscontext=removable_t
fs_relabelfrom_dos_fs(mount_t)
')
')
-optional_policy(`portmap',`
+optional_policy(`
# for nfs
corenet_non_ipsec_sendrecv(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
@@ -122,16 +122,16 @@ optional_policy(`portmap',`
portmap_udp_chat(mount_t)
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind(mount_t)
')
')
-optional_policy(`apm',`
+optional_policy(`
apm_use_fds(mount_t)
')
-optional_policy(`rhgb',`
+optional_policy(`
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -140,11 +140,11 @@ optional_policy(`rhgb',`
')
# for kernel package installation
-optional_policy(`rpm',`
+optional_policy(`
rpm_rw_pipes(mount_t)
')
-optional_policy(`samba',`
+optional_policy(`
samba_domtrans_smbmount(mount_t)
')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index df17b40..e857127 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -128,12 +128,12 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cardmgr_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
-optional_policy(`sysnetwork',`
+optional_policy(`
sysnet_domtrans_dhcpc(cardmgr_t)
sysnet_read_dhcpc_pid(cardmgr_t)
@@ -145,7 +145,7 @@ optional_policy(`sysnetwork',`
sysnet_sigstop_dhcpc(cardmgr_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(cardmgr_t)
')
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index f6ad01f..e34eb6c 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -75,11 +75,11 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_files(mdadm_t)
')
-optional_policy(`selinux',`
+optional_policy(`
seutil_sigchld_newrole(mdadm_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(mdadm_t)
')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 9b7f564..54a4013 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -208,7 +208,7 @@ userdom_use_all_users_fds(load_policy_t)
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
- optional_policy(`unconfined',`
+ optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
')
')
@@ -314,11 +314,11 @@ ifdef(`targeted_policy',`
}
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(newrole_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(newrole_t)
')
@@ -398,7 +398,7 @@ ifdef(`hide_broken_symptoms',`
udev_dontaudit_rw_dgram_sockets(restorecon_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_use_fds(restorecon_t)
')
@@ -474,11 +474,11 @@ ifdef(`targeted_policy',`',`
logging_send_syslog_msg(run_init_t)
- optional_policy(`daemontools',`
+ optional_policy(`
daemontools_domtrans_start(run_init_t)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use(run_init_t)
')
@@ -527,7 +527,7 @@ seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(semanage_t)
')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 50e4d0f..34c1841 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -157,11 +157,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_files(dhcpc_t)
')
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_domtrans(dhcpc_t)
')
-optional_policy(`dbus',`
+optional_policy(`
gen_require(`
class dbus send_msg;
')
@@ -174,7 +174,7 @@ optional_policy(`dbus',`
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
@@ -184,11 +184,11 @@ optional_policy(`dbus',`
')
')
-optional_policy(`hostname',`
+optional_policy(`
hostname_domtrans(dhcpc_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
@@ -198,7 +198,7 @@ optional_policy(`hotplug',`
')
# for the dhcp client to run ping to check IP addresses
-optional_policy(`netutils',`
+optional_policy(`
netutils_domtrans_ping(dhcpc_t)
netutils_domtrans(dhcpc_t)
',`
@@ -206,7 +206,7 @@ optional_policy(`netutils',`
allow dhcpc_t self:rawip_socket create_socket_perms;
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
nis_read_ypbind_pid(dhcpc_t)
@@ -217,36 +217,36 @@ optional_policy(`nis',`
nis_domtrans_ypbind(dhcpc_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_domtrans(dhcpc_t)
nscd_read_pid(dhcpc_t)
')
-optional_policy(`ntp',`
+optional_policy(`
# dhclient sometimes starts ntpd
init_exec_script_files(dhcpc_t)
ntp_domtrans(dhcpc_t)
')
-optional_policy(`pcmcia',`
+optional_policy(`
pcmcia_stub(dhcpc_t)
dev_rw_cardmgr(dhcpc_t)
')
-optional_policy(`selinuxutil',`
+optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
')
-optional_policy(`udev',`
+optional_policy(`
udev_read_db(dhcpc_t)
')
-optional_policy(`userdomain',`
+optional_policy(`
userdom_use_all_users_fds(dhcpc_t)
')
-optional_policy(`xen',`
+optional_policy(`
xen_append_log(dhcpc_t)
')
@@ -318,11 +318,11 @@ seutil_use_runinit_fds(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
ifdef(`hide_broken_symptoms',`
- optional_policy(`pcmcia',`
+ optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
- optional_policy(`udev',`
+ optional_policy(`
udev_dontaudit_rw_dgram_sockets(ifconfig_t)
')
')
@@ -332,18 +332,18 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(ifconfig_t)
')
-optional_policy(`netutils',`
+optional_policy(`
netutils_domtrans(dhcpc_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')
-optional_policy(`ppp',`
+optional_policy(`
ppp_use_fds(ifconfig_t)
')
-optional_policy(`xen',`
+optional_policy(`
xen_append_log(ifconfig_t)
')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index b5c67a4..7c32ad7 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -166,40 +166,40 @@ ifdef(`targeted_policy',`
unconfined_domain(udev_t)
')
-optional_policy(`authlogin',`
+optional_policy(`
auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
')
-optional_policy(`consoletype',`
+optional_policy(`
consoletype_exec(udev_t)
')
-optional_policy(`dbus',`
+optional_policy(`
dbus_system_bus_client_template(udev,udev_t)
')
-optional_policy(`hal',`
+optional_policy(`
hal_dgram_send(udev_t)
')
-optional_policy(`hotplug',`
+optional_policy(`
hotplug_read_config(udev_t)
')
-optional_policy(`nis',`
+optional_policy(`
nis_use_ypbind(udev_t)
')
-optional_policy(`nscd',`
+optional_policy(`
nscd_socket_use(udev_t)
')
-optional_policy(`sysnetwork',`
+optional_policy(`
sysnet_domtrans_dhcpc(udev_t)
')
-#optional_policy(`xdm',`
+#optional_policy(`
# xdm_read_pid(udev_t)
#')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 68a09fd..79d3af0 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -63,29 +63,29 @@ interface(`unconfined_domain_noaudit',`
')
- optional_policy(`authlogin',`
+ optional_policy(`
auth_unconfined($1)
')
- optional_policy(`dbus',`
+ optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
')
- optional_policy(`libraries',`
+ optional_policy(`
libs_use_shared_libs($1)
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_unconfined($1)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
- optional_policy(`storage',`
+ optional_policy(`
storage_unconfined($1)
')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 1d76b1c..d6da5b4 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -41,123 +41,123 @@ ifdef(`targeted_policy',`
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
- optional_policy(`amanda',`
+ optional_policy(`
amanda_domtrans_recover(unconfined_t)
')
- optional_policy(`apache',`
+ optional_policy(`
apache_domtrans_helper(unconfined_t)
')
- optional_policy(`bind',`
+ optional_policy(`
bind_domtrans_ndc(unconfined_t)
')
- optional_policy(`bluetooth',`
+ optional_policy(`
bluetooth_domtrans_helper(unconfined_t)
')
- optional_policy(`dbus',`
+ optional_policy(`
dbus_stub(unconfined_t)
- optional_policy(`avahi',`
+ optional_policy(`
avahi_dbus_chat(unconfined_t)
')
- optional_policy(`bluetooth',`
+ optional_policy(`
bluetooth_dbus_chat(unconfined_t)
')
- optional_policy(`cups',`
+ optional_policy(`
cups_dbus_chat_config(unconfined_t)
')
- optional_policy(`hal',`
+ optional_policy(`
hal_dbus_chat(unconfined_t)
')
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat(unconfined_t)
')
')
- optional_policy(`dmidecode',`
+ optional_policy(`
dmidecode_domtrans(unconfined_t)
')
- optional_policy(`firstboot',`
+ optional_policy(`
firstboot_domtrans(unconfined_t)
')
- optional_policy(`java',`
+ optional_policy(`
java_domtrans(unconfined_t)
')
- optional_policy(`lpd',`
+ optional_policy(`
lpd_domtrans_checkpc(unconfined_t)
')
- optional_policy(`modutils',`
+ optional_policy(`
modutils_domtrans_update_mods(unconfined_t)
')
- optional_policy(`mono',`
+ optional_policy(`
mono_domtrans(unconfined_t)
')
- optional_policy(`netutils',`
+ optional_policy(`
netutils_domtrans_ping(unconfined_t)
')
- optional_policy(`portmap',`
+ optional_policy(`
portmap_domtrans_helper(unconfined_t)
')
- optional_policy(`postfix',`
+ optional_policy(`
postfix_domtrans_map(unconfined_t)
# cjp: this should probably be removed:
postfix_domtrans_master(unconfined_t)
')
- optional_policy(`rpc',`
+ optional_policy(`
# cjp: this should probably be removed:
rpc_domtrans_nfsd(unconfined_t)
')
- optional_policy(`rpm',`
+ optional_policy(`
rpm_domtrans(unconfined_t)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_domtrans_net(unconfined_t)
samba_domtrans_winbind_helper(unconfined_t)
')
- optional_policy(`sendmail',`
+ optional_policy(`
sendmail_domtrans(unconfined_t)
')
- optional_policy(`sysnetwork',`
+ optional_policy(`
sysnet_domtrans_dhcpc(unconfined_t)
')
- optional_policy(`usermanage',`
+ optional_policy(`
usermanage_domtrans_admin_passwd(unconfined_t)
')
- optional_policy(`vpn',`
+ optional_policy(`
vpn_domtrans(unconfined_t)
')
- optional_policy(`webalizer',`
+ optional_policy(`
webalizer_domtrans(unconfined_t)
')
- optional_policy(`wine',`
+ optional_policy(`
wine_domtrans(unconfined_t)
')
- optional_policy(`xserver',`
+ optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 8bda242..eb07854 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -318,71 +318,71 @@ template(`base_user_template',`
term_getattr_all_user_ttys($1_t)
')
- optional_policy(`apm',`
+ optional_policy(`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
- optional_policy(`canna',`
+ optional_policy(`
canna_stream_connect($1_t)
')
- optional_policy(`cups',`
+ optional_policy(`
cups_stream_connect_ptal($1_t)
')
- optional_policy(`dbus',`
+ optional_policy(`
dbus_system_bus_client_template($1,$1_t)
- optional_policy(`cups',`
+ optional_policy(`
cups_dbus_chat_config($1_t)
')
- optional_policy(`hal',`
+ optional_policy(`
hal_dbus_chat($1_t)
')
- optional_policy(`networkmanager',`
+ optional_policy(`
networkmanager_dbus_chat($1_t)
')
')
- optional_policy(`dictd',`
+ optional_policy(`
dictd_tcp_connect($1_t)
')
- optional_policy(`ftp',`
+ optional_policy(`
tunable_policy(`ftpd_is_daemon',`
ftp_tcp_connect($1_t)
')
')
- optional_policy(`finger',`
+ optional_policy(`
finger_tcp_connect($1_t)
')
- optional_policy(`i18n_input',`
+ optional_policy(`
i18n_use($1_t)
')
- optional_policy(`inetd',`
+ optional_policy(`
inetd_tcp_connect($1_t)
inetd_udp_send($1_t)
inetd_use_fds($1_t)
inetd_rw_tcp_sockets($1_t)
')
- optional_policy(`inn',`
+ optional_policy(`
inn_read_config($1_t)
inn_read_news_lib($1_t)
inn_read_news_spool($1_t)
')
- optional_policy(`nis',`
+ optional_policy(`
nis_use_ypbind($1_t)
')
- optional_policy(`mysql',`
+ optional_policy(`
ifdef(`strict_policy',`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
@@ -390,57 +390,57 @@ template(`base_user_template',`
')
')
- optional_policy(`nscd',`
+ optional_policy(`
nscd_socket_use($1_t)
')
- optional_policy(`pcmcia',`
+ optional_policy(`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_t)
')
- optional_policy(`portmap',`
+ optional_policy(`
portmap_tcp_connect($1_t)
')
- optional_policy(`quota',`
+ optional_policy(`
quota_dontaudit_getattr_db($1_t)
')
- optional_policy(`rpc',`
+ optional_policy(`
rpc_dontaudit_getattr_exports($1_t)
rpc_manage_nfs_rw_content($1_t)
')
- optional_policy(`rpm',`
+ optional_policy(`
files_getattr_var_lib_dirs($1_t)
files_search_var_lib($1_t)
rpm_read_db($1_t)
rpm_dontaudit_manage_db($1_t)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_stream_connect_winbind($1_t)
')
- optional_policy(`slrnpull',`
+ optional_policy(`
slrnpull_search_spool($1_t)
')
- optional_policy(`squid',`
+ optional_policy(`
squid_use($1_t)
')
- optional_policy(`usermanage',`
+ optional_policy(`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
- optional_policy(`usernetctl',`
+ optional_policy(`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
- optional_policy(`xserver',`
+ optional_policy(`
dev_rw_xserver_misc($1_t)
xserver_user_client_template($1,$1_t,$1_tmpfs_t)
xserver_xsession_entry_type($1_t)
@@ -609,44 +609,44 @@ template(`unpriv_user_template', `
corenet_tcp_bind_generic_port($1_t)
')
- optional_policy(`dbus',`
+ optional_policy(`
dbus_stub($1_t)
- optional_policy(`bluetooth',`
+ optional_policy(`
bluetooth_dbus_chat($1_t)
')
')
- optional_policy(`kerberos',`
+ optional_policy(`
kerberos_use($1_t)
')
- optional_policy(`loadkeys',`
+ optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
# for running depmod as part of the kernel packaging process
- optional_policy(`modutils',`
+ optional_policy(`
modutils_read_module_config($1_t)
')
- optional_policy(`netutils',`
+ optional_policy(`
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
# Run pppd in pppd_t by default for user
- optional_policy(`ppp', `
+ optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
# for when the network connection is killed
seutil_dontaudit_signal_newrole($1_t)
')
# Need the following rule to allow users to run vpnc
- optional_policy(`xserver', `
+ optional_policy(`
corenet_tcp_bind_xserver_port($1_t)
')
@@ -890,19 +890,19 @@ template(`admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
- optional_policy(`cron',`
+ optional_policy(`
cron_admin_template($1,$1_t,$1_r)
')
- optional_policy(`ethereal',`
+ optional_policy(`
ethereal_admin_template($1,$1_t,$1_r)
')
- optional_policy(`lpd',`
+ optional_policy(`
lpr_admin_template($1,$1_t,$1_r)
')
- optional_policy(`mta',`
+ optional_policy(`
mta_admin_template($1,$1_t,$1_r)
')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d43a2a4..c28ad16 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -110,7 +110,7 @@ ifdef(`targeted_policy',`
allow staff_r secadm_r;
')
- optional_policy(`samba',`
+ optional_policy(`
samba_per_userdomain_template(user)
')
',`
@@ -160,12 +160,12 @@ ifdef(`targeted_policy',`
init_exec(sysadm_t)
ifdef(`direct_sysadm_daemon',`
- optional_policy(`init',`
+ optional_policy(`
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
')
',`
ifdef(`distro_gentoo',`
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
')
')
@@ -190,46 +190,46 @@ ifdef(`targeted_policy',`
domain_ptrace_all_domains(sysadm_t)
')
- optional_policy(`amanda',`
+ optional_policy(`
amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`apache',`
+ optional_policy(`
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
')
- optional_policy(`apm',`
+ optional_policy(`
# cjp: why is this not apm_run_client
apm_domtrans_client(sysadm_t)
')
- optional_policy(`apt',`
+ optional_policy(`
apt_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`bootloader',`
+ optional_policy(`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`bind',`
+ optional_policy(`
bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`bluetooth',`
+ optional_policy(`
bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`clock',`
+ optional_policy(`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`certwatch',`
+ optional_policy(`
certwatach_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`consoletype',`
+ optional_policy(`
consoletype_exec(sysadm_t)
ifdef(`enable_mls',`
@@ -237,11 +237,11 @@ ifdef(`targeted_policy',`
')
')
- optional_policy(`ddcprobe',`
+ optional_policy(`
ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`dmesg',`
+ optional_policy(`
dmesg_exec(sysadm_t)
ifdef(`enable_mls',`
@@ -249,31 +249,31 @@ ifdef(`targeted_policy',`
')
')
- optional_policy(`dmidecode',`
+ optional_policy(`
dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`dpkg',`
+ optional_policy(`
dpkg_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`ethereal',`
+ optional_policy(`
ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`firstboot',`
+ optional_policy(`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')
- optional_policy(`fstools',`
+ optional_policy(`
fstools_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`hostname',`
+ optional_policy(`
hostname_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`ipsec',`
+ optional_policy(`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
@@ -283,89 +283,89 @@ ifdef(`targeted_policy',`
ipsec_getattr_key_sockets(sysadm_t)
')
- optional_policy(`iptables',`
+ optional_policy(`
iptables_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`libraries',`
+ optional_policy(`
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`lvm',`
+ optional_policy(`
lvm_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`logrotate',`
+ optional_policy(`
logrotate_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`lpd',`
+ optional_policy(`
lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`kudzu',`
+ optional_policy(`
kudzu_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`modutils',`
+ optional_policy(`
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`mount',`
+ optional_policy(`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`mysql',`
+ optional_policy(`
mysql_stream_connect(sysadm_t)
')
- optional_policy(`netutils',`
+ optional_policy(`
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`rpc',`
+ optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
- optional_policy(`ntp',`
+ optional_policy(`
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
')
- optional_policy(`pcmcia',`
+ optional_policy(`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`portage',`
+ optional_policy(`
portage_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`portmap',`
+ optional_policy(`
portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`quota',`
+ optional_policy(`
quota_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`radius',`
+ optional_policy(`
radius_use(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`rpm',`
+ optional_policy(`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`samba',`
+ optional_policy(`
samba_run_net(sysadm_t,sysadm_r,admin_terminal)
samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`selinuxutil',`
+ optional_policy(`
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
@@ -393,30 +393,30 @@ ifdef(`targeted_policy',`
')
')
- optional_policy(`sysnetwork',`
+ optional_policy(`
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`unconfined',`
+ optional_policy(`
unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`usbmodules',`
+ optional_policy(`
usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`usermanage',`
+ optional_policy(`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`vpn',`
+ optional_policy(`
vpn_run(sysadm_t,sysadm_r,admin_terminal)
')
- optional_policy(`webalizer',`
+ optional_policy(`
webalizer_run(sysadm_t,sysadm_r,admin_terminal)
')
')
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 93b726a..efc9f6d 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -92,15 +92,28 @@ define(`policy_call_depth',0)
# Optional policy handling
#
define(`optional_policy',`
- optional {
- pushdef(`__in_optional_policy') dnl
- $2
- popdef(`__in_optional_policy') dnl
- ifelse(`$3',`',`',`
- } else {
- $3
+ ifelse(regexp(`$1',`\W'),`-1',`
+ errprint(__file__:__line__`: deprecated use of module name ($1) as first parameter of optional_policy() block.' __endline__)
+ optional {
+ pushdef(`__in_optional_policy') dnl
+ $2
+ popdef(`__in_optional_policy') dnl
+ ifelse(`$3',`',`',`
+ } else {
+ $3
+ ')
+ }
+ ',`
+ optional {
+ pushdef(`__in_optional_policy') dnl
+ $1
+ popdef(`__in_optional_policy') dnl
+ ifelse(`$2',`',`',`
+ } else {
+ $2
+ ')
+ }
')
- }
')
##############################