diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index d595020..5be7dc8 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -252,16 +252,15 @@ ifdef(`hide_broken_symptoms',` domain_dontaudit_leaks(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - - optional_policy(` - rpm_dontaudit_leaks(abrt_helper_t) - ') - dev_dontaudit_read_all_blk_files(abrt_helper_t) dev_dontaudit_read_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') ') ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index a9879a5..7e2cdf2 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te @@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) -ifdef(`hide_broken_symptoms',` - kernel_rw_unlabeled_files(afs_t) -') - corenet_all_recvfrom_unlabeled(afs_t) corenet_all_recvfrom_netlabel(afs_t) corenet_tcp_sendrecv_generic_if(afs_t) @@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t) sysnet_dns_name_resolve(afs_t) +ifdef(`hide_broken_symptoms',` + kernel_rw_unlabeled_files(afs_t) +') + ######################################## # # AFS bossserver local policy diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index bf47a16..f9af97c 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t) userdom_stream_connect(freshclam_t) -optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) -') - tunable_policy(`clamd_use_jit',` allow freshclam_t self:process execmem; ',` dontaudit freshclam_t self:process execmem; ') +optional_policy(` + cron_system_entry(freshclam_t, freshclam_exec_t) +') + ######################################## # # clamscam local policy diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 6dfdc3f..2a7f7f4 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t) type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) -ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -') - type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) @@ -122,6 +118,10 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; type system_cronjob_var_run_t; files_pid_file(system_cronjob_var_run_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) +') + ######################################## # # Admin crontab local policy @@ -263,6 +263,10 @@ tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all(crond_t) ') +tunable_policy(`fcron_crond',` + allow crond_t system_cron_spool_t:file manage_file_perms; +') + optional_policy(` apache_search_sys_content(crond_t) ') @@ -287,10 +291,6 @@ optional_policy(` mono_domtrans(crond_t) ') -tunable_policy(`fcron_crond',` - allow crond_t system_cron_spool_t:file manage_file_perms; -') - optional_policy(` amanda_search_var_lib(crond_t) ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 4dd87b8..b3ab30f 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t) lpd_manage_spool(cups_pdf_t) -optional_policy(` - gnome_read_config(cups_pdf_t) -') - tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) fs_manage_nfs_dirs(cups_pdf_t) @@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') +optional_policy(` + gnome_read_config(cups_pdf_t) +') + ######################################## # # HPLIP local policy