[selinux-policy: 3087/3172] Whitespace, newline and tab fixes.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:34:37 UTC 2010
commit 68ac47d8c50b1e60a19782d1cb7a93211d2702be
Author: Dominick Grift <domg472 at gmail.com>
Date: Wed Sep 22 12:07:37 2010 +0200
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
policy/modules/services/cachefilesd.te | 2 +-
policy/modules/services/ccs.te | 2 +-
policy/modules/services/certmaster.te | 4 +-
policy/modules/services/certmonger.te | 2 +-
policy/modules/services/clamav.te | 10 ++--
policy/modules/services/clogd.te | 1 -
policy/modules/services/cmirrord.te | 6 +-
policy/modules/services/cobbler.te | 30 +++++-----
policy/modules/services/consolekit.te | 2 +-
policy/modules/services/cron.te | 30 +++++-----
policy/modules/services/cups.te | 4 +-
policy/modules/services/cvs.te | 6 +-
policy/modules/services/dbus.te | 2 +-
policy/modules/services/denyhosts.te | 2 +-
policy/modules/services/devicekit.te | 1 -
policy/modules/services/dovecot.te | 4 +-
policy/modules/services/exim.te | 22 +++---
policy/modules/services/fail2ban.te | 2 +-
policy/modules/services/ftp.te | 105 ++++++++++++++++----------------
policy/modules/services/git.te | 43 ++++++-------
policy/modules/services/hal.te | 8 +-
policy/modules/services/hddtemp.te | 1 -
policy/modules/services/icecast.te | 10 ++--
policy/modules/services/inn.te | 2 +
policy/modules/services/jabber.te | 3 +-
policy/modules/services/kerberos.te | 6 +-
policy/modules/services/ksmtuned.te | 1 -
policy/modules/services/ldap.te | 2 +-
policy/modules/services/lpd.te | 6 +-
policy/modules/services/milter.te | 13 ++--
policy/modules/services/mock.te | 5 +-
policy/modules/services/mpd.te | 9 +--
policy/modules/services/mta.te | 6 +-
policy/modules/services/munin.te | 2 +-
policy/modules/services/mysql.te | 6 +-
policy/modules/services/nagios.te | 3 +-
policy/modules/services/nscd.te | 7 +-
37 files changed, 181 insertions(+), 189 deletions(-)
---
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index 33faf8b..b3a0541 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -100,7 +100,7 @@ allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
-allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 112dc77..8d7e14e 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 4aef864..dbfd0a6 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 1a65b5e..1c87fb3 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index ae2656a..bf47a16 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
policy_module(clamav, 1.8.1)
## <desc>
-## <p>
-## Allow clamd to use JIT compiler
-## </p>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
@@ -150,7 +150,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
allow clamscan_t self:process execmem;
-', `
+',`
dontaudit clamd_t self:process execmem;
dontaudit clamscan_t self:process execmem;
')
@@ -226,7 +226,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
-', `
+',`
dontaudit freshclam_t self:process execmem;
')
diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
index 6077339..b1edc92 100644
--- a/policy/modules/services/clogd.te
+++ b/policy/modules/services/clogd.te
@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
-
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
index bb7d429..9b581ae 100644
--- a/policy/modules/services/cmirrord.te
+++ b/policy/modules/services/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord,1.0.0)
+policy_module(cmirrord, 1.0.0)
########################################
#
@@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
allow cmirrord_t self:capability { net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process signal;
-
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
@@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t)
miscfiles_read_localization(cmirrord_t)
optional_policy(`
- corosync_stream_connect(cmirrord_t)
+ corosync_stream_connect(cmirrord_t)
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 6a6d7d7..c4d678b 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0)
#
## <desc>
-## <p>
-## Allow Cobbler to modify public files
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
-
+
## <desc>
-## <p>
-## Allow Cobbler to connect to the
-## network using TCP.
-## </p>
+## <p>
+## Allow Cobbler to connect to the
+## network using TCP.
+## </p>
## </desc>
gen_tunable(cobbler_can_network_connect, false)
## <desc>
-## <p>
-## Allow Cobbler to access cifs file systems.
-## </p>
+## <p>
+## Allow Cobbler to access cifs file systems.
+## </p>
## </desc>
gen_tunable(cobbler_use_cifs, false)
## <desc>
-## <p>
-## Allow Cobbler to access nfs file systems.
-## </p>
+## <p>
+## Allow Cobbler to access nfs file systems.
+## </p>
## </desc>
gen_tunable(cobbler_use_nfs, false)
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index cc2058b..16c0746 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -113,7 +113,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(consolekit_t)
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index eb079a2..6dfdc3f 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
#
## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
## </desc>
gen_tunable(fcron_crond, false)
@@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@@ -251,7 +251,7 @@ ifdef(`distro_debian',`
')
')
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@@ -268,8 +268,8 @@ optional_policy(`
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
@@ -287,7 +287,7 @@ optional_policy(`
mono_domtrans(crond_t)
')
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t system_cron_spool_t:file manage_file_perms;
')
@@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
allow crond_t system_cron_spool_t:file manage_file_perms;
@@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 6160cea..4dd87b8 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 9e8d14b..0216eb4 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
#
## <desc>
-## <p>
-## Allow cvs daemon to read shadow
-## </p>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow, false)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c725cae..d9416fc 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -152,7 +152,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index d53ee7e..b10da2c 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -77,5 +77,5 @@ optional_policy(`
')
optional_policy(`
- gnome_dontaudit_search_config(denyhosts_t)
+ gnome_dontaudit_search_config(denyhosts_t)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 6cee08f..58416a0 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -309,4 +309,3 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 64bc566..aff2296 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -164,8 +164,8 @@ optional_policy(`
')
optional_policy(`
- postfix_manage_private_sockets(dovecot_t)
- postfix_search_spool(dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
optional_policy(`
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 6c819a3..18c3c33 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
#
## <desc>
-## <p>
-## Allow exim to connect to databases (postgres, mysql)
-## </p>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
-## <p>
-## Allow exim to read unprivileged user files.
-## </p>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
-## <p>
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
-## </p>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
@@ -174,7 +174,7 @@ optional_policy(`
')
optional_policy(`
- nagios_search_spool(exim_t)
+ nagios_search_spool(exim_t)
')
optional_policy(`
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index e09b9df..7c5bf19 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -94,7 +94,7 @@ optional_policy(`
')
optional_policy(`
- gnome_dontaudit_search_config(fail2ban_t)
+ gnome_dontaudit_search_config(fail2ban_t)
')
optional_policy(`
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 6033c3b..37de4be 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
#
## <desc>
-## <p>
-## Allow ftp servers to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)
## <desc>
-## <p>
-## Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)
## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
-## <p>
-## Allow ftp servers to use connect to mysql database
-## </p>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
## <desc>
-## <p>
-## Allow anon internal-sftp to upload files, used for
-## public file transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
-## <p>
-## Allow sftp-internal to read and write files
-## in the user home directories
-## </p>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
-## <p>
-## Allow sftp-internal to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
## <desc>
-## <p>
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-## </p>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)
@@ -181,7 +181,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-', `
- # Needed for permissive mode, to make sure everything gets labeled correctly
- userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
- files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -400,6 +400,7 @@ userdom_use_user_terminals(ftpdctl_t)
#
# sftpd local policy
#
+
files_read_etc_files(sftpd_t)
# allow read access to /home by default
@@ -408,13 +409,13 @@ userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)
tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
+ ssh_manage_home_files(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs',`
@@ -424,9 +425,9 @@ tunable_policy(`sftpd_enable_homedirs',`
files_list_home(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_manage_user_home_content(sftpd_t)
-', `
- # Needed for permissive mode, to make sure everything gets labeled correctly
- userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index cf17085..cebb167 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,23 +1,23 @@
policy_module(git, 1.0.3)
## <desc>
-## <p>
-## Allow Git daemon system to search home directories.
-## </p>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)
## <desc>
-## <p>
-## Allow Git daemon system to access cifs file systems.
-## </p>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
## </desc>
gen_tunable(git_system_use_cifs, false)
## <desc>
-## <p>
-## Allow Git daemon system to access nfs file systems.
-## </p>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
## </desc>
gen_tunable(git_system_use_nfs, false)
@@ -51,10 +51,10 @@ typealias git_system_content_t alias git_data_t;
#
## <desc>
-## <p>
-## Allow Git daemon session to bind
-## tcp sockets to all unreserved ports.
-## </p>
+## <p>
+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.
+## </p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)
@@ -119,26 +119,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)
-tunable_policy(`git_system_enable_homedirs', `
+tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
')
-tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
-tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
-tunable_policy(`git_system_use_cifs', `
+tunable_policy(`git_system_use_cifs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
-tunable_policy(`git_system_use_nfs', `
+tunable_policy(`git_system_use_nfs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
@@ -156,17 +156,17 @@ userdom_search_user_home_dirs(git_session_t)
userdom_use_user_terminals(git_session_t)
-tunable_policy(`git_session_bind_all_unreserved_ports', `
+tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_sendrecv_generic_server_packets(git_session_t)
')
-tunable_policy(`use_nfs_home_dirs', `
+tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(git_session_t)
fs_read_nfs_files(git_session_t)
')
-tunable_policy(`use_samba_home_dirs', `
+tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(git_session_t)
fs_read_cifs_files(git_session_t)
')
@@ -189,4 +189,3 @@ optional_policy(`
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)
-
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index e72b063..b3fdcd5 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -316,7 +316,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(hald_t)
+ policykit_dbus_chat(hald_t)
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
@@ -333,7 +333,7 @@ optional_policy(`
optional_policy(`
shutdown_domtrans(hald_t)
-')
+')
optional_policy(`
udev_domtrans(hald_t)
@@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
optional_policy(`
- policykit_dbus_chat(hald_acl_t)
+ policykit_dbus_chat(hald_acl_t)
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
@@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
-# This is caused by a bug in hald and PolicyKit.
+# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
cron_read_system_job_lib_files(hald_t)
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index 267bb4c..1647fc4 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
-
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index 80befb0..6bf7cc3 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1)
#
## <desc>
-## <p>
-## Allow icecast to connect to all ports, not just
-## sound ports.
-## </p>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
## </desc>
gen_tunable(icecast_connect_any, false)
@@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 61ea05e..dc7dd01 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
#
# Declarations
#
+
type innd_t;
type innd_exec_t;
init_daemon_domain(innd_t, innd_exec_t)
@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
#
# Local policy
#
+
allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 975bbcd..5f8840f 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,4 +1,3 @@
-
policy_module(jabber, 1.8.0)
########################################
@@ -84,7 +83,7 @@ corenet_tcp_bind_jabber_router_port(jabberd_router_t)
corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
optional_policy(`
- kerberos_use(jabberd_router_t)
+ kerberos_use(jabberd_router_t)
')
########################################
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 4e39714..744e7d6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
#
## <desc>
-## <p>
-## Allow confined applications to run with kerberos.
-## </p>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
## </desc>
gen_tunable(allow_kerberos, false)
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index ffe035c..01adbed 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t)
term_use_all_terms(ksmtuned_t)
miscfiles_read_localization(ksmtuned_t)
-
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index ee5e345..10c2d54 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
-fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 2727020..1887c50 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
#
## <desc>
-## <p>
-## Use lpd server instead of cups
-## </p>
+## <p>
+## Use lpd server instead of cups
+## </p>
## </desc>
gen_tunable(use_lpd_server, false)
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 6ba48ff..f42a489 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -33,7 +33,6 @@ files_type(spamass_milter_state_t)
#
allow dkim_milter_t self:capability { kill setgid setuid };
-
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@@ -47,8 +46,8 @@ mta_read_config(dkim_milter_t)
########################################
#
# milter-greylist local policy
-# ensure smtp clients retry mail like real MTAs and not spamware
-# http://hcpnet.free.fr/milter-greylist/
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
# It removes any existing socket (not owned by root) whilst running as root,
@@ -76,8 +75,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
-# filter emails using regular expressions
-# http://www.benzedrine.cx/milter-regex.html
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
# It removes any existing socket (not owned by root) whilst running as root
@@ -96,8 +95,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
-# pipe emails through SpamAssassin
-# http://savannah.nongnu.org/projects/spamass-milt/
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
# The milter runs from /var/lib/spamass-milter
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
index 6f8fda5..b05a9cd 100644
--- a/policy/modules/services/mock.te
+++ b/policy/modules/services/mock.te
@@ -27,6 +27,7 @@ files_type(mock_var_lib_t)
#
# mock local policy
#
+
allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
dontaudit mock_t self:process { siginh noatsecure rlimitinh };
@@ -40,14 +41,14 @@ files_var_filetrans(mock_t, mock_cache_t, { dir file } )
manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
can_exec(mock_t, mock_tmp_t)
manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
can_exec(mock_t, mock_var_lib_t)
allow mock_t mock_var_lib_t:dir mounton;
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 71464f6..84bc8bb 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd,1.0.0)
+policy_module(mpd, 1.0.0)
########################################
#
@@ -41,7 +41,6 @@ files_type(mpd_var_lib_t)
#cjp: dac_override bug in mpd relating to mpd.log file
allow mpd_t self:capability { dac_override kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull };
-
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow mpd_t self:tcp_socket create_stream_socket_perms;
@@ -102,10 +101,10 @@ optional_policy(`
optional_policy(`
pulseaudio_exec(mpd_t)
- pulseaudio_stream_connect(mpd_t)
- pulseaudio_signull(mpd_t)
+ pulseaudio_stream_connect(mpd_t)
+ pulseaudio_signull(mpd_t)
')
optional_policy(`
- udev_read_db(mpd_t)
+ udev_read_db(mpd_t)
')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f99b9fc..36e64e9 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -93,7 +93,7 @@ optional_policy(`
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
')
')
@@ -194,7 +194,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
@@ -314,8 +314,6 @@ kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
-
-
optional_policy(`
# postfix needs this for newaliases
files_getattr_tmp_dirs(user_mail_domain)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 13d365d..6f8b0fd 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -193,7 +193,7 @@ optional_policy(`
# local policy for disk plugins
#
-allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5e96c0a..ac63be9 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
#
## <desc>
-## <p>
-## Allow mysqld to connect to all ports
-## </p>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
## </desc>
gen_tunable(mysql_connect_any, false)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 1029389..61a3920 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -141,6 +141,7 @@ optional_policy(`
#
# Nagios CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -268,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -321,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 6a174f5..6b54db7 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -5,9 +5,9 @@ gen_require(`
')
## <desc>
-## <p>
-## Allow confined applications to use nscd shared memory.
-## </p>
+## <p>
+## Allow confined applications to use nscd shared memory.
+## </p>
## </desc>
gen_tunable(nscd_use_shm, false)
@@ -146,6 +146,7 @@ optional_policy(`
samba_append_log(nscd_t)
samba_dontaudit_use_fds(nscd_t)
')
+
samba_read_config(nscd_t)
samba_read_var_files(nscd_t)
')
More information about the scm-commits
mailing list