[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     b833293ccac6e1bbb679f5ec28c6e321e1cf09d4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 18:55:15 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 18:55:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b833293c

rsync: syntax error in rsync_admin interface

---
 policy/modules/contrib/rsync.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 431471b..e916de8 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -257,7 +257,7 @@ interface(`rsync_etc_filetrans_config',`
 interface(`rsync_admin',`
 	gen_require(`
 		type rsync_t, rsync_etc_t, rsync_data_t;
-		type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+		type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
 	')
 
 	allow $1 rsync_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     e30a8c762fd4750dc53a9db1bb5b4730cbe7657d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:09:30 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:09:30 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e30a8c76

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     a77c0e7238df249f89bef6d82a14198111a8dee8
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:40:10 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:40:10 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a77c0e72

syntax errors in ccs_admin interface

---
 policy/modules/contrib/ccs.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t;
+		type ccs_var_lib_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     35090387bc1524af4521330b61f972f5b840e0fd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:40:10 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:49:01 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=35090387

ccs: syntax errors in ccs_admin interface

---
 policy/modules/contrib/ccs.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t;
+		type ccs_var_lib_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     a845481a68abc4bc5391c3b5190a5c9189ee24e1
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 18:55:15 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:49:00 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a845481a

rsync: syntax error in rsync_admin interface

---
 policy/modules/contrib/rsync.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 431471b..e916de8 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -257,7 +257,7 @@ interface(`rsync_etc_filetrans_config',`
 interface(`rsync_admin',`
 	gen_require(`
 		type rsync_t, rsync_etc_t, rsync_data_t;
-		type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+		type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
 	')
 
 	allow $1 rsync_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     b55fb167646606852cc2b65cfee2102e77e0424f
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:09:30 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:49:01 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b55fb167

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     27a58a987755c49f761f7ba2094019134c89fe0a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:55:02 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:55:02 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=27a58a98

condor: fix syntax in condor_admin

---
 policy/modules/contrib/condor.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 881d92f..c80aaf5 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
 interface(`condor_admin',`
 	gen_require(`
 		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
+		type condor_initrc_exec_t, condor_log_t;
 		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
 		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     83c60c386b1a8829bc1fbc7a8374b1026cd6e3ff
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:58:57 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 19:58:57 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83c60c38

distcc: syntax error in distcc_admin

---
 policy/modules/contrib/distcc.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 24d8c74..473823d 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -20,7 +20,7 @@
 interface(`distcc_admin',`
 	gen_require(`
 		type distccd_t, distccd_t, distccd_log_t;
-		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+		type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
 	allow $1 distccd_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     f49a5bfa7d2c454247e1dca331b35d702ace25a7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:09:28 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:09:28 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f49a5bfa

ftp: syntax error in ftp_admin

---
 policy/modules/contrib/ftp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 4498143..65adda9 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     f659d7a06b408e7d6755c83a8bed13580321302e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:16:59 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:16:59 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f659d7a0

kerberos: syntax error in kerberos_admin

---
 policy/modules/contrib/kerberos.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f6c00d8..9d898c9 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -490,7 +490,7 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
+	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     20e30b96e2b4b61f8b8baba4e87be6012c9c865e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:16:59 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:23:56 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=20e30b96

kerberos: syntax error in kerberos_admin

---
 policy/modules/contrib/kerberos.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f6c00d8..77a5c49 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     bbe9d2ea126659ff346ddcc9ac0bedae6557a3ef
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:28:25 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:28:25 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bbe9d2ea

kismet: syntax error in kismet_admin

---
 policy/modules/contrib/kismet.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index aa2a337..f20de6e 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
 interface(`kismet_admin',`
 	gen_require(`
 		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
-		type kismet_log_t, kismet_tmp_t;
+		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
 	init_labeled_script_domtrans($1, kismet_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     10aa5f14bdf46ec1ce88634a6d6a10cf58827b8a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:31:52 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:31:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=10aa5f14

nut: syntax error in nut_admin

---
 policy/modules/contrib/nut.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index 57c0161..c606ae6 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
 	')
 
 	allow $1 nut_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, nut_domain_t)
+	ps_process_pattern($1, nut_domain)
 
 	init_labeled_script_domtrans($1, nut_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     eb7c115f852535aa0fa8c80d3fc2ec86569a0963
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:35:53 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:35:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb7c115f

prelude: syntax error in prelude_admin

---
 policy/modules/contrib/prelude.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index c83a838..db8f510 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
 		type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
 		type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_correlator_t;
 	')
 
 	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     c3fed11dfdfdde6e2e29330986c226062229e6e4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:40:36 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:40:36 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c3fed11d

psad: syntax error in psad_admin

---
 policy/modules/contrib/psad.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index d4dcf78..cdc83d2 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
 		type psad_initrc_exec_t, psad_var_lib_t;
-		type psad_tmp_t;
+		type psad_tmp_t, psad_etc_t;
 	')
 
 	allow $1 psad_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     21f81bf6342d022a6882ea495b717652a9df9211
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:28:25 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=21f81bf6

kismet: syntax error in kismet_admin

---
 policy/modules/contrib/kismet.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index aa2a337..f20de6e 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
 interface(`kismet_admin',`
 	gen_require(`
 		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
-		type kismet_log_t, kismet_tmp_t;
+		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
 	init_labeled_script_domtrans($1, kismet_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     8d9a34ffb6fd2703925e149218959e57576a344c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:35:53 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8d9a34ff

prelude: syntax error in prelude_admin

---
 policy/modules/contrib/prelude.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index c83a838..db8f510 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
 		type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
 		type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_correlator_t;
 	')
 
 	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     e5e4aae28e2810b8aa5327e047062ee53601fbab
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:55:02 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5e4aae2

condor: fix syntax in condor_admin

---
 policy/modules/contrib/condor.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 881d92f..c80aaf5 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
 interface(`condor_admin',`
 	gen_require(`
 		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
+		type condor_initrc_exec_t, condor_log_t;
 		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
 		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     b561776384d2605df7b23e28451b95e926791a7b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:16:59 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5617763

kerberos: syntax error in kerberos_admin

---
 policy/modules/contrib/kerberos.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f6c00d8..77a5c49 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     8ac49205bc253606632ac09766932ec01e8596ca
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:09:30 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ac49205

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     9e65ab369352163081c9ea86cac45e4305318b3b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:40:10 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9e65ab36

ccs: syntax errors in ccs_admin interface

---
 policy/modules/contrib/ccs.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t;
+		type ccs_var_lib_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     d2d4a1b280906dd00a21c4887437c44a855d48c5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:09:28 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d2d4a1b2

ftp: syntax error in ftp_admin

---
 policy/modules/contrib/ftp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 4498143..65adda9 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     862e75c27df537e60b7a41bf607b64ca92346b6e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:31:52 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=862e75c2

nut: syntax error in nut_admin

---
 policy/modules/contrib/nut.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index 57c0161..c606ae6 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
 	')
 
 	allow $1 nut_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, nut_domain_t)
+	ps_process_pattern($1, nut_domain)
 
 	init_labeled_script_domtrans($1, nut_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     d7d421c7a94fd7cb13db97f2c014aaa76ba10471
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 19:58:57 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d7d421c7

distcc: syntax error in distcc_admin

---
 policy/modules/contrib/distcc.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 24d8c74..473823d 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -20,7 +20,7 @@
 interface(`distcc_admin',`
 	gen_require(`
 		type distccd_t, distccd_t, distccd_log_t;
-		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+		type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
 	allow $1 distccd_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     6e4028838250c5dd397cc036f9e26b591b65a5b3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 18:55:15 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:51 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6e402883

rsync: syntax error in rsync_admin interface

---
 policy/modules/contrib/rsync.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 431471b..e916de8 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -257,7 +257,7 @@ interface(`rsync_etc_filetrans_config',`
 interface(`rsync_admin',`
 	gen_require(`
 		type rsync_t, rsync_etc_t, rsync_data_t;
-		type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+		type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
 	')
 
 	allow $1 rsync_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     027f6d5b1edc3ff7ef67a3fb4981863764fc0aa0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:40:36 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:48:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=027f6d5b

psad: syntax error in psad_admin

---
 policy/modules/contrib/psad.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index d4dcf78..cdc83d2 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
 		type psad_initrc_exec_t, psad_var_lib_t;
-		type psad_tmp_t;
+		type psad_tmp_t, psad_etc_t;
 	')
 
 	allow $1 psad_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     fae9e3e65e96422c41c75be98fc76f7815873b5e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:53:09 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:53:09 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fae9e3e6

quota: syntax error in quota_admin

---
 policy/modules/contrib/quota.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index da64218..68611e3 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -190,7 +190,7 @@ interface(`quota_admin',`
 	allow $2 system_r;
 
 	files_list_all($1)
-	admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+	admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
 
 	quota_run($1, $2)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     756f05ce025be70d1034b088b2136c6c34d9e805
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:56:20 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 20:56:20 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=756f05ce

rpcbind: syntax error in rpcbind_admin

---
 policy/modules/contrib/rpcbind.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index 3b5e9ee..1a1cb99 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,7 +160,7 @@ interface(`rpcbind_admin',`
 	allow $1 rpcbind_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rpcbind_t)
 
-	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     9b748095c0d218b29da1436cf3c30f758a241f32
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:00:39 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:00:39 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b748095

rpm: syntax error in rpm_admin

---
 policy/modules/contrib/rpm.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index ef3b225..5f6c499 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -626,7 +626,7 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
 		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     fd01e13998cd15c42eb2fc021ace1c711b8a8d04
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:00:39 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:03:06 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fd01e139

rpm: syntax error in rpm_admin

---
 policy/modules/contrib/rpm.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index ef3b225..fc9c8d8 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
-		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     5ab4b8ce6a835fc34165892e19ec1e8748bac5ea
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:07:53 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:07:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5ab4b8ce

remove spamassassin_role from spamassassin_admin

---
 policy/modules/contrib/spamassassin.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 1499b0b..ed5c827 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -404,5 +404,5 @@ interface(`spamassassin_admin',`
 	files_list_pids($1)
 	admin_pattern($1, spamd_var_run_t)
 
-	spamassassin_role($2, $1)
+	#spamassassin_role($2, $1)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     cefd5e37d13bd652c0275088978b9fd47520a203
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:11:34 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:11:34 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cefd5e37

systemtap: syntax error in stapserver_admin

---
 policy/modules/contrib/systemtap.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index c755e2d..d60a21e 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -20,7 +20,7 @@
 interface(`stapserver_admin',`
 	gen_require(`
 		type stapserver_t, stapserver_conf_t, stapserver_log_t;
-		type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+		type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
 	')
 
 	allow $1 stapserver_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     d3cc51cb79883e69e1e75343a253f2f69cd5ed06
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:17:51 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:17:51 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d3cc51cb

svnserve: syntax error in svnserve_admin

---
 policy/modules/contrib/svnserve.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 2ac91b6..5cd46e9 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -31,5 +31,5 @@ interface(`svnserve_admin',`
 	allow $2 system_r;
 
 	files_search_pids($1)
-	admin_pattern($1, httpd_var_run_t)
+	admin_pattern($1, svnserve_var_run_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     279c33e1da588f06248aea7b40321a8cfa8d50f7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:23:05 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:23:05 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=279c33e1

zabbix: syntax error in zabbix_admin

---
 policy/modules/contrib/zabbix.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index dd63de0..2c55b97 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -138,7 +138,7 @@ interface(`zabbix_agent_tcp_connect',`
 #
 interface(`zabbix_admin',`
 	gen_require(`
-		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+		type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
 		type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
 		type zabbit_tmpfs_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     88ca8170d5289454399fd107bd170e8392663f61
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 21:23:05 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Nov 25 21:25:59 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88ca8170

zabbix: syntax error in zabbix_admin

---
 policy/modules/contrib/zabbix.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index dd63de0..29d87d7 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -138,9 +138,9 @@ interface(`zabbix_agent_tcp_connect',`
 #
 interface(`zabbix_admin',`
 	gen_require(`
-		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
-		type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
-		type zabbit_tmpfs_t;
+		type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+		type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+		type zabbix_tmpfs_t;
 	')
 
 	allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

[Jason Zaman]

commit:     30451cc4ca123da3b5066e7387717e9163b319ad
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:13 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30451cc4

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:userroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     30451cc4ca123da3b5066e7387717e9163b319ad
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:13 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30451cc4

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     30451cc4ca123da3b5066e7387717e9163b319ad
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:13 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30451cc4

uptime: syntax error in uptime_admin

---
 policy/modules/contrib/uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     c0443c2bf50696969c5534eab62caf5c3fd2d4cd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:01 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0443c2b

distcc: syntax error in distcc_admin

---
 policy/modules/contrib/distcc.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 24d8c74..473823d 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -20,7 +20,7 @@
 interface(`distcc_admin',`
 	gen_require(`
 		type distccd_t, distccd_t, distccd_log_t;
-		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+		type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
 	allow $1 distccd_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     817c2b06a9056545eb11ff3d6f247c4d52913fdc
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:04 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=817c2b06

kismet: syntax error in kismet_admin

---
 policy/modules/contrib/kismet.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index aa2a337..f20de6e 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
 interface(`kismet_admin',`
 	gen_require(`
 		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
-		type kismet_log_t, kismet_tmp_t;
+		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
 	init_labeled_script_domtrans($1, kismet_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     73ef58b0056f5406b4a8911385b2b8beb35c7f92
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:00 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73ef58b0

condor: syntax error in condor_admin

---
 policy/modules/contrib/condor.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 881d92f..c80aaf5 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
 interface(`condor_admin',`
 	gen_require(`
 		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
+		type condor_initrc_exec_t, condor_log_t;
 		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
 		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     3dc49e7336ef420697a7fa36661518c47e4f4356
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:05 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3dc49e73

nut: syntax error in nut_admin

---
 policy/modules/contrib/nut.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index 57c0161..c606ae6 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
 	')
 
 	allow $1 nut_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, nut_domain_t)
+	ps_process_pattern($1, nut_domain)
 
 	init_labeled_script_domtrans($1, nut_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     c178e55dd18e808d161bf03084c768a3fe069427
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:10 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c178e55d

rpm: syntax error in rpm_admin

---
 policy/modules/contrib/rpm.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index ef3b225..fc9c8d8 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
-		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     cf39871364351cf39081d785e73b26131b8221db
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:38:59 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:00 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf398713

ccs: syntax errors in ccs_admin interface

---
 policy/modules/contrib/ccs.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t;
+		type ccs_var_lib_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     ba2ce29976d91e58d6cf6912552ca6ec0f563f9b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:06 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba2ce299

prelude: syntax error in prelude_admin

---
 policy/modules/contrib/prelude.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index c83a838..db8f510 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
 		type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
 		type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_correlator_t;
 	')
 
 	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     c4c6cf58cad3174b2cd02b7a2734a06901f45007
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:07 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c4c6cf58

psad: syntax error in psad_admin

---
 policy/modules/contrib/psad.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index d4dcf78..cdc83d2 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
 		type psad_initrc_exec_t, psad_var_lib_t;
-		type psad_tmp_t;
+		type psad_tmp_t, psad_etc_t;
 	')
 
 	allow $1 psad_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     830ec3e6758f5d6887a9f681a871caf0b293eabc
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:12 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=830ec3e6

svnserve: syntax error in svnserve_admin

---
 policy/modules/contrib/svnserve.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 2ac91b6..5cd46e9 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -31,5 +31,5 @@ interface(`svnserve_admin',`
 	allow $2 system_r;
 
 	files_search_pids($1)
-	admin_pattern($1, httpd_var_run_t)
+	admin_pattern($1, svnserve_var_run_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     70d7fd9925e72bb51c0fa62de900238385e28781
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:11 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=70d7fd99

systemtap: syntax error in stapserver_admin

---
 policy/modules/contrib/systemtap.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index c755e2d..d60a21e 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -20,7 +20,7 @@
 interface(`stapserver_admin',`
 	gen_require(`
 		type stapserver_t, stapserver_conf_t, stapserver_log_t;
-		type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+		type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
 	')
 
 	allow $1 stapserver_t:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     5bbf23fc711e26d7c7073567e105313fadcd6c3c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:02 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5bbf23fc

ftp: syntax error in ftp_admin

---
 policy/modules/contrib/ftp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 4498143..65adda9 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     1a6ba9f4ab6c255289c3a43d6ba130101b1aed4b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:09 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1a6ba9f4

rpcbind: syntax error in rpcbind_admin

---
 policy/modules/contrib/rpcbind.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index 3b5e9ee..1a1cb99 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,7 +160,7 @@ interface(`rpcbind_admin',`
 	allow $1 rpcbind_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rpcbind_t)
 
-	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     89e9586e05e56f7e16e58f39e2b8f62dbeae4772
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:08 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89e9586e

quota: syntax error in quota_admin

---
 policy/modules/contrib/quota.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index da64218..68611e3 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -190,7 +190,7 @@ interface(`quota_admin',`
 	allow $2 system_r;
 
 	files_list_all($1)
-	admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+	admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
 
 	quota_run($1, $2)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     7e0d04ce8a6717c305f2811ac84d6f1e0f25fc53
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:03 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e0d04ce

kerberos: syntax error in kerberos_admin

---
 policy/modules/contrib/kerberos.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f6c00d8..77a5c49 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
 	domain_system_change_exemption($1)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     60135df3a91152af95bdab0fb136da7d5a3523e1
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:16 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=60135df3

remove spamassassin_role() from spamassassin_admin()

spamassassin_role contains some named filetrans's which can not be
applied twice. The roles already contain spamassassin_role which makes
adding spamassassin_admin impossible. This removes the role so they can
both be applied.

---
 policy/modules/contrib/spamassassin.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 1499b0b..7f5a1cc 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -404,5 +404,6 @@ interface(`spamassassin_admin',`
 	files_list_pids($1)
 	admin_pattern($1, spamd_var_run_t)
 
-	spamassassin_role($2, $1)
+	# This makes it impossible to apply _admin if _role has already been applied
+	#spamassassin_role($2, $1)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     023ffc02b383f6e2a7c1c7a4fb0ecf032bde1014
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:14 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=023ffc02

zabbix: syntax error in zabbix_admin

---
 policy/modules/contrib/zabbix.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index dd63de0..29d87d7 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -138,9 +138,9 @@ interface(`zabbix_agent_tcp_connect',`
 #
 interface(`zabbix_admin',`
 	gen_require(`
-		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
-		type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
-		type zabbit_tmpfs_t;
+		type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+		type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+		type zabbix_tmpfs_t;
 	')
 
 	allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     46d4ce5719f6e53d1aa290d714581f80753b5a20
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  2 15:30:48 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d4ce57

Module version bump for _admin fixes from Jason Zaman.

---
 policy/modules/contrib/ccs.te          | 2 +-
 policy/modules/contrib/condor.te       | 2 +-
 policy/modules/contrib/distcc.te       | 2 +-
 policy/modules/contrib/ftp.te          | 2 +-
 policy/modules/contrib/kerberos.te     | 2 +-
 policy/modules/contrib/kismet.te       | 2 +-
 policy/modules/contrib/nut.te          | 2 +-
 policy/modules/contrib/prelude.te      | 2 +-
 policy/modules/contrib/psad.te         | 2 +-
 policy/modules/contrib/pyzor.te        | 2 +-
 policy/modules/contrib/quota.te        | 2 +-
 policy/modules/contrib/rpcbind.te      | 2 +-
 policy/modules/contrib/rpm.te          | 2 +-
 policy/modules/contrib/spamassassin.te | 2 +-
 policy/modules/contrib/svnserve.te     | 2 +-
 policy/modules/contrib/systemtap.te    | 2 +-
 policy/modules/contrib/uptime.te       | 2 +-
 policy/modules/contrib/zabbix.te       | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 849873d..b6f7ae6 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.7.0)
+policy_module(ccs, 1.7.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 3787034..81fb9ae 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.1.0)
+policy_module(condor, 1.1.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 898b2f4..284b070 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.9.0)
+policy_module(distcc, 1.9.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index b59e761..7681fec 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.16.1)
+policy_module(ftp, 1.16.2)
 
 ########################################
 #

diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 8833d59..976a98d 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.12.0)
+policy_module(kerberos, 1.12.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 8ad0d4d..d4f318b 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.7.0)
+policy_module(kismet, 1.7.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index ab8b8da..78b7eda 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.3.1)
+policy_module(nut, 1.3.2)
 
 ########################################
 #

diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 8f44609..e21e13c 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.4.0)
+policy_module(prelude, 1.4.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index b5d717b..4124deb 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.1.0)
+policy_module(psad, 1.1.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 2439d13..464007e 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.3.0)
+policy_module(pyzor, 2.3.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index f47c8e8..69c08f8 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.6.0)
+policy_module(quota, 1.6.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index eefc5df..86ddde4 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.7.1)
+policy_module(rpcbind, 1.7.2)
 
 ########################################
 #

diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 8d44a78..3354cd1 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.16.0)
+policy_module(rpm, 1.16.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 35053ab..e8e2174 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.7.0)
+policy_module(spamassassin, 2.7.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 49d688d..57c9df5 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.1.0)
+policy_module(svnserve, 1.1.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index ffde368..cdc4e70 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(systemtap, 1.1.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 58397dc..8d5e69a 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.5.0)
+policy_module(uptime, 1.5.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 6ea314a..d61d657 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.7.0)
+policy_module(zabbix, 1.7.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     b6fc3fcdd166ae3851c52e32a1f8f50c4b4d047e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:15 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 08:43:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6fc3fcd

remove pyzor_role() from pyzor_admin()

pyzor_role contains some named filetrans's which can not be applied
twice. The roles already contain pyzor_role which makes adding
pyzor_admin impossible. This removes the role so they can both be
applied.

---
 policy/modules/contrib/pyzor.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index 593c03d..c05a504 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -132,5 +132,6 @@ interface(`pyzor_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, pyzor_var_lib_t)
 
-	pyzor_role($2, $1)
+	# This makes it impossible to apply _admin if _role has already been applied
+	#pyzor_role($2, $1)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     5544629a0aa065819ff40dfefef33f70218b0cab
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb  3 13:48:40 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 17:17:24 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5544629a

add fcontext for openntpd drift file

---
 policy/modules/contrib/ntp.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
 
 ifdef(`distro_gentoo',`
 /usr/bin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift	--	gen_context(system_u:object_r:ntp_drift_t,s0)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     b649a2b3c92b17613faaf013a03357399095059e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 17:17:40 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 17:17:40 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b649a2b3

salt: allow salt to ps all processes

Salt needs to be able to list all processes to check if services
are running

---
 policy/modules/contrib/salt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
 dev_read_sysfs(salt_minion_t)
 
 domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
 
 files_manage_all_non_security_file_types(salt_minion_t)
 

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     105c5c80ee234d6bed09a47fa36746382e3830f7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:25:06 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:25:06 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=105c5c80

postmap is a user command

When a postfix admin updates a postfix database, he has to call
"postmap hash:/etc/postfix/databasename" in order to regenerate the
database (in case of a hash database in the example).

To allow postmap to give feedback on errors, grant it access to the user
terminals and private file descriptors of the admin.

 policy/modules/contrib/postfix.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index afc1fde..1c0a34c 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,6 +500,8 @@ corecmd_read_bin_files(postfix_map_t)
 corecmd_read_bin_pipes(postfix_map_t)
 corecmd_read_bin_sockets(postfix_map_t)
 
+domain_use_interactive_fds(postfix_map_t)
+
 files_list_home(postfix_map_t)
 files_read_usr_files(postfix_map_t)
 files_read_etc_runtime_files(postfix_map_t)
@@ -511,6 +513,8 @@ logging_send_syslog_msg(postfix_map_t)
 
 miscfiles_read_localization(postfix_map_t)
 
+userdom_use_user_terminals(postfix_map_t)
+
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     7f4df16703908b51f8a290532f1902a5981134ce
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:28:36 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:28:36 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f4df167

Move specifics to ifdef distro_gentoo

 policy/modules/contrib/postfix.te | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1c0a34c..47cfeb0 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,8 +500,6 @@ corecmd_read_bin_files(postfix_map_t)
 corecmd_read_bin_pipes(postfix_map_t)
 corecmd_read_bin_sockets(postfix_map_t)
 
-domain_use_interactive_fds(postfix_map_t)
-
 files_list_home(postfix_map_t)
 files_read_usr_files(postfix_map_t)
 files_read_etc_runtime_files(postfix_map_t)
@@ -513,8 +511,6 @@ logging_send_syslog_msg(postfix_map_t)
 
 miscfiles_read_localization(postfix_map_t)
 
-userdom_use_user_terminals(postfix_map_t)
-
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@@ -815,4 +811,12 @@ ifdef(`distro_gentoo',`
 	#
 
 	rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+	#####################################
+	#
+	# Local postmap policy
+	#
+	
+	domain_use_interactive_fds(postfix_map_t)
+	userdom_use_user_terminals(postfix_map_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     115949be334ab475bf97fa29ad8dc2bc88b71c4c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:46:27 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:46:27 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=115949be

Add bugfix number to policy change for tracking

 policy/modules/contrib/postfix.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 47cfeb0..738ce6f 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -816,7 +816,8 @@ ifdef(`distro_gentoo',`
 	#
 	# Local postmap policy
 	#
-	
+
+	# Bug #549566
 	domain_use_interactive_fds(postfix_map_t)
 	userdom_use_user_terminals(postfix_map_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     4181d381fa9d12a6c7836c6acbc06ccc8b26e6b6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:21:49 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:21:49 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4181d381

Remove catch-all for postfix libraries

The postfix libraries in /usr/lib/postfix were by default marked as
postfix_exec_t. This however is a design mistake. Libraries should be
of a library type (of which lib_t is a default) so that applications
that use it have the proper read/execute rights without needing those on
the *real* executable types of an application.

 policy/modules/contrib/postfix.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index da1791b..b71d844 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,7 +4,8 @@
 
 /etc/rc\.d/init\.d/postfix	--	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 
-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+# Remove catch-all so that .so files remain lib_t
+#/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 /usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     ed321efa9ab9fe5c813e35546e662e8675916d6f
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 17:22:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:13:01 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed321efa

use init_manage_service_template in _admin interfaces N-Z

Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with a template which
can easily be changed for other init systems.

make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n

This patch is for files starting with N-Z.

 policy/modules/contrib/nagios.if         |  5 +----
 policy/modules/contrib/nessus.if         |  5 +----
 policy/modules/contrib/networkmanager.if |  5 +----
 policy/modules/contrib/nis.if            |  7 ++-----
 policy/modules/contrib/nscd.if           |  5 +----
 policy/modules/contrib/nsd.if            |  5 +----
 policy/modules/contrib/nslcd.if          |  5 +----
 policy/modules/contrib/ntop.if           |  5 +----
 policy/modules/contrib/ntp.if            |  5 +----
 policy/modules/contrib/numad.if          |  5 +----
 policy/modules/contrib/nut.if            |  5 +----
 policy/modules/contrib/oident.if         |  5 +----
 policy/modules/contrib/openct.if         |  5 +----
 policy/modules/contrib/openhpi.if        |  5 +----
 policy/modules/contrib/openvpn.if        |  5 +----
 policy/modules/contrib/openvswitch.if    |  5 +----
 policy/modules/contrib/pacemaker.if      |  5 +----
 policy/modules/contrib/pads.if           |  5 +----
 policy/modules/contrib/pcscd.if          |  5 +----
 policy/modules/contrib/pegasus.if        |  5 +----
 policy/modules/contrib/perdition.if      |  5 +----
 policy/modules/contrib/pingd.if          |  5 +----
 policy/modules/contrib/pkcs.if           |  5 +----
 policy/modules/contrib/polipo.if         |  5 +----
 policy/modules/contrib/portmap.if        |  5 +----
 policy/modules/contrib/portreserve.if    |  5 +----
 policy/modules/contrib/postfix.if        |  5 +----
 policy/modules/contrib/postfixpolicyd.if |  5 +----
 policy/modules/contrib/postgrey.if       |  5 +----
 policy/modules/contrib/ppp.if            |  5 +----
 policy/modules/contrib/prelude.if        |  5 +----
 policy/modules/contrib/privoxy.if        |  5 +----
 policy/modules/contrib/psad.if           |  5 +----
 policy/modules/contrib/puppet.if         |  6 ++----
 policy/modules/contrib/pxe.if            |  5 +----
 policy/modules/contrib/pyicqt.if         |  5 +----
 policy/modules/contrib/pyzor.if          |  5 +----
 policy/modules/contrib/qpid.if           |  5 +----
 policy/modules/contrib/quantum.if        |  5 +----
 policy/modules/contrib/quota.if          |  5 +----
 policy/modules/contrib/rabbitmq.if       |  5 +----
 policy/modules/contrib/radius.if         |  5 +----
 policy/modules/contrib/radvd.if          |  5 +----
 policy/modules/contrib/raid.if           |  5 +----
 policy/modules/contrib/redis.if          |  5 +----
 policy/modules/contrib/resmgr.if         |  5 +----
 policy/modules/contrib/rgmanager.if      |  5 +----
 policy/modules/contrib/rhcs.if           |  7 +++----
 policy/modules/contrib/rhsmcertd.if      |  5 +----
 policy/modules/contrib/ricci.if          |  5 +----
 policy/modules/contrib/rngd.if           |  5 +----
 policy/modules/contrib/roundup.if        |  5 +----
 policy/modules/contrib/rpc.if            |  7 +++----
 policy/modules/contrib/rpcbind.if        |  5 +----
 policy/modules/contrib/rpm.if            |  5 +----
 policy/modules/contrib/rtkit.if          |  5 +----
 policy/modules/contrib/rwho.if           |  5 +----
 policy/modules/contrib/samba.if          |  5 +----
 policy/modules/contrib/samhain.if        |  5 +----
 policy/modules/contrib/sanlock.if        |  5 +----
 policy/modules/contrib/sasl.if           |  5 +----
 policy/modules/contrib/sblim.if          |  5 +----
 policy/modules/contrib/sendmail.if       |  4 +---
 policy/modules/contrib/sensord.if        |  5 +----
 policy/modules/contrib/shorewall.if      |  5 +----
 policy/modules/contrib/slpd.if           |  5 +----
 policy/modules/contrib/smartmon.if       |  5 +----
 policy/modules/contrib/smokeping.if      |  5 +----
 policy/modules/contrib/smstools.if       |  5 +----
 policy/modules/contrib/snmp.if           |  5 +----
 policy/modules/contrib/snort.if          |  5 +----
 policy/modules/contrib/soundserver.if    |  5 +----
 policy/modules/contrib/spamassassin.if   |  5 +----
 policy/modules/contrib/squid.if          |  5 +----
 policy/modules/contrib/sssd.if           |  5 +----
 policy/modules/contrib/svnserve.if       |  5 +----
 policy/modules/contrib/sysstat.if        |  5 +----
 policy/modules/contrib/systemtap.if      |  5 +----
 policy/modules/contrib/tcsd.if           |  5 +----
 policy/modules/contrib/tgtd.if           |  5 +----
 policy/modules/contrib/tor.if            |  5 +----
 policy/modules/contrib/transproxy.if     |  5 +----
 policy/modules/contrib/tuned.if          |  5 +----
 policy/modules/contrib/ulogd.if          |  5 +----
 policy/modules/contrib/uptime.if         |  5 +----
 policy/modules/contrib/uucp.if           |  5 +----
 policy/modules/contrib/uuidd.if          |  5 +----
 policy/modules/contrib/varnishd.if       | 10 ++--------
 policy/modules/contrib/vdagent.if        |  5 +----
 policy/modules/contrib/vhostmd.if        |  5 +----
 policy/modules/contrib/virt.if           |  5 +----
 policy/modules/contrib/vnstatd.if        |  5 +----
 policy/modules/contrib/watchdog.if       |  5 +----
 policy/modules/contrib/wdmd.if           |  5 +----
 policy/modules/contrib/xfs.if            |  5 +----
 policy/modules/contrib/zabbix.if         |  6 ++----
 policy/modules/contrib/zarafa.if         |  5 +----
 policy/modules/contrib/zebra.if          |  5 +----
 98 files changed, 106 insertions(+), 396 deletions(-)

diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..93f07fd 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,7 @@ interface(`nagios_admin',`
 	allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
 	ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
 
-	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nagios_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nagios_t, nagios_initrc_exec_t)
 
 	files_search_tmp($1)
 	admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })

diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..b1defe3 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,7 @@ interface(`nessus_admin',`
 	allow $1 nessusd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nessusd_t)
 
-	init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nessusd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nessusd_t, nessusd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, nessusd_log_t)

diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..9d63750 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,7 @@ interface(`networkmanager_admin',`
 	allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
 
-	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 NetworkManager_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })

diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..f7cb0a6 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,8 @@ interface(`nis_admin',`
 	allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
 
-	nis_initrc_domtrans($1)
-	nis_initrc_domtrans_ypbind($1)
-	domain_system_change_exemption($1)
-	role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ypbind_t, ypbind_initrc_exec_t)
+	init_manage_service_template($1, $2, ypserv_t, nis_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })

diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..e92e2d0 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,7 @@ interface(`nscd_admin',`
 	allow $1 nscd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nscd_t)
 
-	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nscd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nscd_t, nscd_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, nscd_log_t)

diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..208cc12 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,7 @@ interface(`nsd_admin',`
 	allow $1 nsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nsd_t)
 
-	init_labeled_script_domtrans($1, nsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nsd_t, nsd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { nsd_conf_t nsd_db_t })

diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..86bc919 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,7 @@ interface(`nslcd_admin',`
 	allow $1 nslcd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nslcd_t)
 
-	nslcd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 nslcd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nslcd_t, nslcd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, nslcd_conf_t)

diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..4ffb735 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,7 @@ interface(`ntop_admin',`
 	allow $1 ntop_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntop_t)
 
-	init_labeled_script_domtrans($1, ntop_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ntop_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ntop_t, ntop_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, ntop_etc_t)

diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..f31c689 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,7 @@ interface(`ntp_admin',`
 	allow $1 ntpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntpd_t)
 
-	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ntpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ntpd_t, ntpd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { ntpd_key_t ntp_conf_t })

diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..77cd980 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,7 @@ interface(`numad_admin',`
 	allow $1 numad_t:process { ptrace signal_perms };
 	ps_process_pattern($1, numad_t)
 
-	init_labeled_script_domtrans($1, numad_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 numad_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, numad_t, numad_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, numad_log_t)

diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..7e27efe 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,7 @@ interface(`nut_admin',`
 	allow $1 nut_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, nut_domain)
 
-	init_labeled_script_domtrans($1, nut_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nut_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, nut_domain, nut_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, nut_conf_t)

diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..0bce8c7 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,7 @@ interface(`oident_admin',`
 	allow $1 oidentd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, oidentd_t)
 
-	init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 oidentd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, oidentd_t, oidentd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, oidentd_config_t)

diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..fbb910f 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,7 @@ interface(`openct_admin',`
 	allow $1 openct_t:process { ptrace signal_perms };
 	ps_process_pattern($1, openct_t)
 
-	init_labeled_script_domtrans($1, openct_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 openct_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, openct_t, openct_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, openct_var_run_t)

diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..a167d25 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,7 @@ interface(`openhpi_admin',`
 	allow $1 openhpid_t:process { ptrace signal_perms };
 	ps_process_pattern($1, openhpid_t)
 
-	init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 openhpid_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, openhpid_t, openhpid_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, openhpid_var_lib_t)

diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..ca3e2f2 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,7 @@ interface(`openvpn_admin',`
 	allow $1 openvpn_t:process { ptrace signal_perms };
 	ps_process_pattern($1, openvpn_t)
 
-	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 openvpn_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, openvpn_t, openvpn_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })

diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..cf9e657 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,7 @@ interface(`openvswitch_admin',`
 	allow $1 openvswitch_t:process { ptrace signal_perms };
 	ps_process_pattern($1, openvswitch_t)
 
-	init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 openvswitch_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, openvswitch_t, openvswitch_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, openvswitch_conf_t)

diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..2202234 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,7 @@ interface(`pacemaker_admin',`
 	allow $1 pacemaker_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pacemaker_t)
 
-	init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pacemaker_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pacemaker_t, pacemaker_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, pacemaker_var_lib_t)

diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..544169e 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,7 @@ interface(`pads_admin', `
 	allow $1 pads_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pads_t)
 
-	init_labeled_script_domtrans($1, pads_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pads_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pads_t, pads_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, pads_var_run_t)

diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..e858008 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,7 @@ interface(`pcscd_admin',`
 	allow $1 pcscd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pcscd_t)
 
-	init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pcscd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pcscd_t, pcscd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, pcscd_var_run_t)

diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..ed2f077 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,7 @@ interface(`pegasus_admin',`
 	allow $1 pegasus_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pegasus_t)
 
-	init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pegasus_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pegasus_t, pegasus_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, pegasus_conf_t)

diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..debfd38 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,7 @@ interface(`perdition_admin',`
 	allow $1 perdition_t:process { ptrace signal_perms };
 	ps_process_pattern($1, perdition_t)
 
-	init_labeled_script_domtrans($1, perdition_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 perdition_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, perdition_t, perdition_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, perdition_etc_t)

diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..30d36fe 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,7 @@ interface(`pingd_admin',`
 	allow $1 pingd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pingd_t)
 
-	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pingd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pingd_t, pingd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, pingd_etc_t)

diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..d21ba76 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,7 @@ interface(`pkcs_admin_slotd',`
 	allow $1 pkcs_slotd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pkcs_slotd_t)
 
-	init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pkcs_slotd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pkcs_slotd_t, pkcs_slotd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, pkcs_slotd_var_lib_t)

diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..b523ccc 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,7 @@ interface(`polipo_admin',`
 	allow $1 polipo_system_t:process { ptrace signal_perms };
 	ps_process_pattern($1, polipo_system_t)
 
-	polipo_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 polipo_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, polipo_t, polipo_initrc_exec_t)
 
 	files_search_var($1)
 	admin_pattern($1, polipo_cache_t)

diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..ee8cd17 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,7 @@ interface(`portmap_admin',`
 	allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { portmap_t portmap_helper_t })
 
-	init_labeled_script_domtrans($1, portmap_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 portmap_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, portmap_t, portmap_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, portmap_var_run_t)

diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..0401fd2 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,7 @@ interface(`portreserve_admin',`
 	allow $1 portreserve_t:process { ptrace signal_perms };
 	ps_process_pattern($1, portreserve_t)
 
-	portreserve_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 portreserve_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, portreserve_t, portreserve_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, portreserve_etc_t)

diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..40e6bf2 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,7 @@ interface(`postfix_admin',`
 	allow $1 postfix_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, postfix_domain)
 
-	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 postfix_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, postfix_t, postfix_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })

diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..3d925b7 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,7 @@ interface(`postfixpolicyd_admin',`
 	allow $1 postfix_policyd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postfix_policyd_t)
 
-	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 postfix_policyd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, postfix_policyd_t, postfix_policyd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, postfix_policyd_conf_t)

diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..50b620d 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,7 @@ interface(`postgrey_admin',`
 	allow $1 postgrey_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postgrey_t)
 
-	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 postgrey_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, postgrey_t, postgrey_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, postgrey_etc_t)

diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..52c2acf 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,7 @@ interface(`ppp_admin',`
 	allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { pptp_t pppd_t })
 
-	ppp_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 pppd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pppd_t, pppd_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, pppd_tmp_t)

diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..406d8ac 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,7 @@ interface(`prelude_admin',`
 	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
 
-	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 prelude_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, prelude_t, prelude_initrc_exec_t)
 
 	files_search_spool($1)
 	admin_pattern($1, prelude_spool_t)

diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..30a6e1f 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,7 @@ interface(`privoxy_admin',`
 	allow $1 privoxy_t:process { ptrace signal_perms };
 	ps_process_pattern($1, privoxy_t)
 
-	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 privoxy_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, privoxy_t, privoxy_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, privoxy_log_t)

diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..645dca6 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,7 @@ interface(`psad_admin',`
 	allow $1 psad_t:process { ptrace signal_perms };
 	ps_process_pattern($1, psad_t)
 
-	init_labeled_script_domtrans($1, psad_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 psad_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, psad_t, psad_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, psad_etc_t)

diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..79ef096 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,8 @@ interface(`puppet_admin',`
 	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
 
-	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, puppet_t, puppet_initrc_exec_t)
+	init_manage_service_template($1, $2, puppetmaster_t, puppetmaster_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, puppet_etc_t)

diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..7924c86 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,7 @@ interface(`pxe_admin',`
 	allow $1 pxe_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pxe_t)
 
-	init_labeled_script_domtrans($1, pxe_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pxe_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pxe_t, pxe_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, pxe_log_t)

diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..89fcf94 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,7 @@ interface(`pyicqt_admin',`
 	allow $1 pyicqt_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pyicqt_t)
 
-	init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pyicqt_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, pyicqt_conf_t)

diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..127cfb8 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,7 @@ interface(`pyzor_admin',`
 	allow $1 pyzord_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pyzord_t)
 
-	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pyzord_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, pyzord_t, pyzord_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, pyzor_etc_t)

diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..457b143 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,7 @@ interface(`qpidd_admin',`
 	allow $1 qpidd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, qpidd_t)
 
-	qpidd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 qpidd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, qpidd_t, qpidd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, qpidd_var_lib_t)

diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..b158c7e 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,7 @@ interface(`quantum_admin',`
 	allow $1 quantum_t:process { ptrace signal_perms };
 	ps_process_pattern($1, quantum_t)
 
-	init_labeled_script_domtrans($1, quantum_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 quantum_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, quantum_t, quantum_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, quantum_log_t)

diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..3fbb18e 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,7 @@ interface(`quota_admin',`
 	allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { quota_nld_t quota_t })
 
-	init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 quota_nld_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, quota_nld_t, quota_nld_initrc_exec_t)
 
 	files_list_all($1)
 	admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })

diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..71f30bb 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,7 @@ interface(`rabbitmq_admin',`
 	allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
 
-	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rabbitmq_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, { rabbitmq_epmd_t rabbitmq_beam_t }, rabbitmq_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, rabbitmq_var_log_t)

diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..b0a7db0 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,7 @@ interface(`radius_admin',`
 	allow $1 radiusd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, radiusd_t)
 
-	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 radiusd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, radiusd_t, radiusd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })

diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..a9a77f5 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,7 @@ interface(`radvd_admin',`
 	allow $1 radvd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, radvd_t)
 
-	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 radvd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, radvd_t, radvd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, radvd_etc_t)

diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..60198cf 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,7 @@ interface(`raid_admin_mdadm',`
 	allow $1 mdadm_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mdadm_t)
 
-	init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mdadm_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mdadm_t, mdadm_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, mdadm_var_run_t)

diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..0c0d62d 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,7 @@ interface(`redis_admin',`
 	allow $1 redis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, redis_t)
 
-	init_labeled_script_domtrans($1, redis_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 redis_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, redis_t, redis_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, redis_log_t)

diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..30312f5 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,7 @@ interface(`resmgr_admin',`
 	allow $1 resmgrd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, resmgrd_t)
 
-	init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 resmgrd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, resmgrd_t, resmgrd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, resmgrd_etc_t)

diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..a1be103 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,7 @@ interface(`rgmanager_admin',`
 	allow $1 rgmanager_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rgmanager_t)
 
-	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rgmanager_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, rgmanager_tmp_t)

diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..fa4c5d9 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -467,15 +467,14 @@ interface(`rhcs_admin',`
 		attribute cluster_log;
 		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
 		type fenced_tmp_t, qdiskd_var_lib_t;
+		type dlm_controld_t, foghorn_t;
 	')
 
 	allow $1 cluster_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, cluster_domain)
 
-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
+	init_manage_service_template($1, $2, foghorn_t, foghorn_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, cluster_pid)

diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..019f668 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,7 @@ interface(`rhsmcertd_admin',`
 	allow $1 rhsmcertd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rhsmcertd_t)
 
-	rhsmcertd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 rhsmcertd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rhsmcertd_t, rhsmcertd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, rhsmcertd_log_t)

diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..05015c8 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,7 @@ interface(`ricci_admin',`
 	allow $1 ricci_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ricci_t)
 
-	init_labeled_script_domtrans($1, ricci_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ricci_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ricci_t, ricci_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, ricci_tmp_t)

diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..51397eb 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,7 @@ interface(`rngd_admin',`
 	allow $1 rngd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rngd_t)
 
-	init_labeled_script_domtrans($1, rngd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rngd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rngd_t, rngd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, rngd_var_run_t)

diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..0a351b5 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,7 @@ interface(`roundup_admin',`
 	allow $1 roundup_t:process { ptrace signal_perms };
 	ps_process_pattern($1, roundup_t)
 
-	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 roundup_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, roundup_t, roundup_initrc_exec_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, roundup_var_lib_t)

diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..2ac2914 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -395,15 +395,14 @@ interface(`rpc_admin',`
 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+		type nfsd_t, rpcd_t;
 	')
 
 	allow $1 rpc_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, rpc_domain)
 
-	init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- 	domain_system_change_exemption($1)
- 	role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- 	allow $2 system_r;
+	init_manage_service_template($1, $2, nfsd_t, nfsd_initrc_exec_t)
+	init_manage_service_template($1, $2, rpcd_t, rpcd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { gssd_keytab_t exports_t })

diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..da34256 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,7 @@ interface(`rpcbind_admin',`
 	allow $1 rpcbind_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rpcbind_t)
 
-	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rpcbind_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rpcbind_t, rpcbind_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, rpcbind_var_run_t)

diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..554536f 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,7 @@ interface(`rpm_admin',`
 	allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { rpm_t rpm_script_t })
 
-	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rpm_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rpm_t, rpm_initrc_exec_t)
 
 	admin_pattern($1, rpm_file_t)
 

diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..39e82ad 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,5 @@ interface(`rtkit_admin',`
 	allow $1 rtkit_daemon_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rtkit_daemon_t)
 
-	init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rtkit_daemon_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rtkit_daemon_t, rtkit_daemon_initrc_exec_t)
 ')

diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..b07754b 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,7 @@ interface(`rwho_admin',`
 	allow $1 rwho_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rwho_t)
 
-	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rwho_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, rwho_t, rwho_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, rwho_log_t)

diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..a9b0c3a 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,7 @@ interface(`samba_admin',`
 	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { nmbd_t smbd_t })
 
-	init_labeled_script_domtrans($1, samba_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 samba_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, samba_t, samba_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { samba_etc_t smbd_keytab_t })

diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index b1ebcee..053e454 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -221,10 +221,7 @@ interface(`samhain_admin',`
 	ps_process_pattern($1, samhain_domain)
 
 	# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
-	# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
-	# domain_system_change_exemption($1)
-	# role_transition $2 samhain_initrc_exec_t system_r;
-	# allow $2 system_r;
+	# init_manage_service_template($1, $2, samhain_domain, samhain_initrc_exec_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, samhain_db_t)

diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..2c4feed 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,7 @@ interface(`sanlock_admin',`
 	allow $1 sanlock_t:process { ptrace signal_perms };
 	ps_process_pattern($1, sanlock_t)
 
-	sanlock_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 sanlock_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, sanlock_t, sanlock_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, sanlock_var_run_t)

diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..3bbf29b 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,7 @@ interface(`sasl_admin',`
 	allow $1 saslauthd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, saslauthd_t)
 
-	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 saslauthd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, saslauthd_t, saslauthd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, saslauthd_keytab_t)

diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..f3c6717 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,7 @@ interface(`sblim_admin',`
 	allow $1 sblim_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, sblim_domain)
 
-	init_labeled_script_domtrans($1, sblim_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sblim_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, sblim_domain, sblim_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)

diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..761fd1c 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,7 @@ interface(`sendmail_admin',`
 	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
 
-	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sendmail_initrc_exec_t system_r;
+	init_manage_service_template($1, $2, sendmail_t, sendmail_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, sendmail_keytab_t)

diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..a1d174b 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,7 @@ interface(`sensord_admin',`
 	allow $1 sensord_t:process { ptrace signal_perms };
 	ps_process_pattern($1, sensord_t)
 
-	init_labeled_script_domtrans($1, sensord_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sensord_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, sensord_t, sensord_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, sensord_var_run_t)

diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..5eaff00 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,7 @@ interface(`shorewall_admin',`
 	allow $1 shorewall_t:process { ptrace signal_perms };
 	ps_process_pattern($1, shorewall_t)
 
-	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 shorewall_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, shorewall_t, shorewall_initrc_exec_t)
 
 	can_exec($1, shorewall_exec_t)
 

diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..25b1386 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,7 @@ interface(`slpd_admin',`
 	allow $1 slpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, slpd_t)
 
-	init_labeled_script_domtrans($1, slpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 slpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, slpd_t, slpd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, slpd_log_t)

diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..1b80197 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,7 @@ interface(`smartmon_admin',`
 	allow $1 fsdaemon_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fsdaemon_t)
 
-	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 fsdaemon_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, fsdaemon_t, fsdaemon_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, fsdaemon_tmp_t)

diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..fe1459e 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,7 @@ interface(`smokeping_admin',`
 	allow $1 smokeping_t:process { ptrace signal_perms };
 	ps_process_pattern($1, smokeping_t)
 
-	smokeping_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 smokeping_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, smokeping_t, smokeping_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, smokeping_var_lib_t)

diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..7253219 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,7 @@ interface(`smstools_admin',`
 	allow $1 smsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, smsd_t)
 
-	init_labeled_script_domtrans($1, smsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 smsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, smsd_t, smsd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, smsd_conf_t)

diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..1bb9c25 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,7 @@ interface(`snmp_admin',`
 	allow $1 snmpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, snmpd_t)
 
-	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 snmpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, snmpd_t, snmpd_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, snmpd_log_t)

diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..3ac3e94 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,7 @@ interface(`snort_admin',`
 	allow $1 snort_t:process { ptrace signal_perms };
 	ps_process_pattern($1, snort_t)
 
-	init_labeled_script_domtrans($1, snort_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 snort_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, snort_t, snort_initrc_exec_t)
 
 	admin_pattern($1, snort_etc_t)
 	files_search_etc($1)

diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..622083e 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,7 @@ interface(`soundserver_admin',`
 	allow $1 soundd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, soundd_t)
 
-	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 soundd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, soundd_t, soundd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, soundd_etc_t)

diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..9505db9 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,7 @@ interface(`spamassassin_admin',`
 	allow $1 spamd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, spamd_t)
 
-	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 spamd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, spamd_t, spamd_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, spamd_tmp_t)

diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..22a9cf4 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,7 @@ interface(`squid_admin',`
 	allow $1 squid_t:process { ptrace signal_perms };
 	ps_process_pattern($1, squid_t)
 
-	init_labeled_script_domtrans($1, squid_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 squid_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, squid_t, squid_initrc_exec_t)
 
 	files_list_var($1)
 	admin_pattern($1, squid_cache_t)

diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..33a8245 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,7 @@ interface(`sssd_admin',`
 	allow $1 sssd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, sssd_t)
 
-	sssd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 sssd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, sssd_t, sssd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, sssd_conf_t)

diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..c1deaa4 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,7 @@ interface(`svnserve_admin',`
 	allow $1 svnserve_t:process { ptrace signal_perms };
 	ps_process_pattern($1, svnserve_t)
 
-	init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 svnserve_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, svnserve_t, svnserve_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, svnserve_var_run_t)

diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..ab84adf 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,7 @@ interface(`sysstat_admin',`
 	allow $1 sysstat_t:process { ptrace signal_perms };
 	ps_process_pattern($1, sysstat_t)
 
-	init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sysstat_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, sysstat_t, sysstat_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, sysstat_log_t)

diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..417ab39 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,7 @@ interface(`stapserver_admin',`
 	allow $1 stapserver_t:process { ptrace signal_perms };
 	ps_process_pattern($1, stapserver_t)
 
-	init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 stapserver_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, stapserver_t, stapserver_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, stapserver_conf_t)

diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..bbcfe28 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,7 @@ interface(`tcsd_admin',`
 	allow $1 tcsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tcsd_t)
 
-	tcsd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 tcsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, tcsd_t, tcsd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, tcsd_var_lib_t)

diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..348ba3c 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,7 @@ interface(`tgtd_admin',`
 	allow $1 tgtd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tgtd_t)
 
-	init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 tgtd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, tgtd_t, tgtd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, tgtd_var_lib_t)

diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..0e937e3 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,7 @@ interface(`tor_admin',`
 	allow $1 tor_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tor_t)
 
-	init_labeled_script_domtrans($1, tor_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 tor_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, tor_t, tor_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, tor_etc_t)

diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..da66c3e 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,7 @@ interface(`transproxy_admin',`
 	allow $1 transproxy_t:process { ptrace signal_perms };
 	ps_process_pattern($1, transproxy_t)
 
-	init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 transproxy_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, transproxy_t, transproxy_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, transproxy_var_run_t)

diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..8bff06c 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,7 @@ interface(`tuned_admin',`
 	allow $1 tuned_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tuned_t)
 
-	tuned_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 tuned_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, tuned_t, tuned_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })

diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..66f375b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,7 @@ interface(`ulogd_admin',`
 	allow $1 ulogd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ulogd_t)
 
-	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ulogd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ulogd_t, ulogd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, ulogd_etc_t)

diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..b5afd2a 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,7 @@ interface(`uptime_admin',`
 	allow $1 uptimed_t:process { ptrace signal_perms };
 	ps_process_pattern($1, uptimed_t)
 
-	init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 uptimed_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, uptimed_t, uptimed_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, uptimed_etc_t)

diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..dc16612 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,7 @@ interface(`uucp_admin',`
 		type uucpd_var_run_t, uucpd_initrc_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 uucpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, uucpd_t, uucpd_initrc_exec_t)
 
 	allow $1 uucpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, uucpd_t)

diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..a576a6e 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,7 @@ interface(`uuidd_admin',`
 	allow $1 uuidd_t:process signal_perms;
 	ps_process_pattern($1, uuidd_t)
 
-	uuidd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 uuidd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, uuidd_t, uuidd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, uuidd_var_lib_t)

diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..fa2ccbf 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,7 @@ interface(`varnishd_admin_varnishlog',`
 	allow $1 varnishlog_t:process { ptrace signal_perms };
 	ps_process_pattern($1, varnishlog_t)
 
-	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 varnishlog_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, varnishlog_t, varnishlog_initrc_exec_t)
 
 	files_list_pids($1)
 	admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +196,7 @@ interface(`varnishd_admin',`
 	allow $1 varnishd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, varnishd_t)
 
-	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 varnishd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, varnishd_t, varnishd_initrc_exec_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, varnishd_var_lib_t)

diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..6957e8a 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,7 @@ interface(`vdagent_admin',`
 	allow $1 vdagent_t:process signal_perms;
 	ps_process_pattern($1, vdagent_t)
 
-	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 vdagentd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, vdagentd_t, vdagentd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, vdagent_log_t)

diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..d7cff66 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,7 @@ interface(`vhostmd_admin',`
 	allow $1 vhostmd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, vhostmd_t)
 
-	vhostmd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 vhostmd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, vhostmd_t, vhostmd_initrc_exec_t)
 
 	fs_search_tmpfs($1)
 	admin_pattern($1, vhostmd_tmpfs_t)

diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..13023a1 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,7 @@ interface(`virt_admin',`
 	ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
 	ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
 
-	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 virtd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, virtd_t, virtd_initrc_exec_t)
 
 	fs_search_tmpfs($1)
 	admin_pattern($1, virt_tmpfs_type)

diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..2a711fa 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,7 @@ interface(`vnstatd_admin',`
 	allow $1 vnstatd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, vnstatd_t)
 
-	init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 vnstatd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, vnstatd_t, vnstatd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, vnstatd_var_run_t)

diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..c2b2dd4 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,7 @@ interface(`watchdog_admin',`
 	allow $1 watchdog_t:process { ptrace signal_perms };
 	ps_process_pattern($1, watchdog_t)
 
-	init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 watchdog_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, watchdog_t, watchdog_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, watchdog_log_t)

diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..f76d6e6 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,7 @@ interface(`wdmd_admin',`
 	allow $1 wdmd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, wdmd_t)
 
-	init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 wdmd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, wdmd_t, wdmd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, wdmd_var_run_t)

diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..609b464 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,7 @@ interface(`xfs_admin',`
 	allow $1 xfs_t:process { ptrace signal_perms };
 	ps_process_pattern($1, xfs_t)
 
-	init_labeled_script_domtrans($1, xfs_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 xfs_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, xfs_t, xfs_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, xfs_var_run_t)

diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..5932ce4 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,8 @@ interface(`zabbix_admin',`
 	allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { zabbix_t zabbix_agent_t })
 
-	init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, zabbix_t, zabbix_initrc_exec_t)
+	init_manage_service_template($1, $2, zabbix_agent_t, zabbix_agent_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, zabbix_log_t)

diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..240d160 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,7 @@ interface(`zarafa_admin',`
 	allow $1 zarafa_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, zarafa_domain)
 
-	init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 zarafa_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, zarafa_t, zarafa_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, zarafa_etc_t)

diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..a011864 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,7 @@ interface(`zebra_admin',`
 	allow $1 zebra_t:process { ptrace signal_perms };
 	ps_process_pattern($1, zebra_t)
 
-	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 zebra_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, zebra_t, zebra_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, zebra_conf_t)

[gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/

[Jason Zaman]

commit:     985425010d0e2cf547ad2f00b1b39d8863ca07b1
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 17:21:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:13:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98542501

use init_manage_service_template in _admin interfaces A-M

Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with a template which
can easily be changed for other init systems.

make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n

This patch is for files starting with A-M.

 policy/modules/contrib/abrt.if          | 5 +----
 policy/modules/contrib/acct.if          | 5 +----
 policy/modules/contrib/afs.if           | 5 +----
 policy/modules/contrib/aiccu.if         | 5 +----
 policy/modules/contrib/aisexec.if       | 5 +----
 policy/modules/contrib/amavis.if        | 5 +----
 policy/modules/contrib/amtu.if          | 5 +----
 policy/modules/contrib/apache.if        | 5 +----
 policy/modules/contrib/apcupsd.if       | 5 +----
 policy/modules/contrib/apm.if           | 5 +----
 policy/modules/contrib/arpwatch.if      | 5 +----
 policy/modules/contrib/asterisk.if      | 5 +----
 policy/modules/contrib/automount.if     | 5 +----
 policy/modules/contrib/avahi.if         | 5 +----
 policy/modules/contrib/bacula.if        | 5 +----
 policy/modules/contrib/bcfg2.if         | 5 +----
 policy/modules/contrib/bind.if          | 5 +----
 policy/modules/contrib/bird.if          | 5 +----
 policy/modules/contrib/bitlbee.if       | 5 +----
 policy/modules/contrib/bluetooth.if     | 5 +----
 policy/modules/contrib/boinc.if         | 5 +----
 policy/modules/contrib/cachefilesd.if   | 5 +----
 policy/modules/contrib/callweaver.if    | 5 +----
 policy/modules/contrib/canna.if         | 5 +----
 policy/modules/contrib/ccs.if           | 5 +----
 policy/modules/contrib/certmaster.if    | 5 +----
 policy/modules/contrib/certmonger.if    | 5 +----
 policy/modules/contrib/cfengine.if      | 5 +----
 policy/modules/contrib/cgroup.if        | 7 ++-----
 policy/modules/contrib/chronyd.if       | 5 +----
 policy/modules/contrib/cipe.if          | 5 +----
 policy/modules/contrib/clamav.if        | 5 +----
 policy/modules/contrib/cmirrord.if      | 5 +----
 policy/modules/contrib/cobbler.if       | 5 +----
 policy/modules/contrib/collectd.if      | 5 +----
 policy/modules/contrib/condor.if        | 5 +----
 policy/modules/contrib/corosync.if      | 5 +----
 policy/modules/contrib/couchdb.if       | 5 +----
 policy/modules/contrib/ctdb.if          | 5 +----
 policy/modules/contrib/cups.if          | 5 +----
 policy/modules/contrib/cvs.if           | 5 +----
 policy/modules/contrib/cyphesis.if      | 5 +----
 policy/modules/contrib/cyrus.if         | 5 +----
 policy/modules/contrib/dante.if         | 5 +----
 policy/modules/contrib/ddclient.if      | 5 +----
 policy/modules/contrib/denyhosts.if     | 5 +----
 policy/modules/contrib/dhcp.if          | 5 +----
 policy/modules/contrib/dictd.if         | 5 +----
 policy/modules/contrib/dirmngr.if       | 5 +----
 policy/modules/contrib/distcc.if        | 5 +----
 policy/modules/contrib/dkim.if          | 5 +----
 policy/modules/contrib/dnsmasq.if       | 5 +----
 policy/modules/contrib/dnssectrigger.if | 5 +----
 policy/modules/contrib/dovecot.if       | 5 +----
 policy/modules/contrib/drbd.if          | 5 +----
 policy/modules/contrib/dspam.if         | 5 +----
 policy/modules/contrib/entropyd.if      | 5 +----
 policy/modules/contrib/exim.if          | 5 +----
 policy/modules/contrib/fail2ban.if      | 5 +----
 policy/modules/contrib/fcoe.if          | 5 +----
 policy/modules/contrib/fetchmail.if     | 5 +----
 policy/modules/contrib/firewalld.if     | 5 +----
 policy/modules/contrib/ftp.if           | 5 +----
 policy/modules/contrib/gatekeeper.if    | 5 +----
 policy/modules/contrib/gdomap.if        | 5 +----
 policy/modules/contrib/glance.if        | 6 ++----
 policy/modules/contrib/glusterfs.if     | 5 +----
 policy/modules/contrib/gpm.if           | 5 +----
 policy/modules/contrib/gpsd.if          | 5 +----
 policy/modules/contrib/hadoop.if        | 5 +----
 policy/modules/contrib/hddtemp.if       | 5 +----
 policy/modules/contrib/howl.if          | 5 +----
 policy/modules/contrib/hypervkvp.if     | 5 +----
 policy/modules/contrib/i18n_input.if    | 5 +----
 policy/modules/contrib/icecast.if       | 5 +----
 policy/modules/contrib/ifplugd.if       | 5 +----
 policy/modules/contrib/inn.if           | 5 +----
 policy/modules/contrib/iodine.if        | 5 +----
 policy/modules/contrib/ircd.if          | 5 +----
 policy/modules/contrib/irqbalance.if    | 5 +----
 policy/modules/contrib/iscsi.if         | 5 +----
 policy/modules/contrib/isns.if          | 5 +----
 policy/modules/contrib/jabber.if        | 5 +----
 policy/modules/contrib/kdump.if         | 5 +----
 policy/modules/contrib/kerberos.if      | 5 +----
 policy/modules/contrib/kerneloops.if    | 5 +----
 policy/modules/contrib/keystone.if      | 5 +----
 policy/modules/contrib/kismet.if        | 5 +----
 policy/modules/contrib/ksmtuned.if      | 5 +----
 policy/modules/contrib/kudzu.if         | 5 +----
 policy/modules/contrib/l2tp.if          | 5 +----
 policy/modules/contrib/ldap.if          | 5 +----
 policy/modules/contrib/likewise.if      | 5 +----
 policy/modules/contrib/lircd.if         | 5 +----
 policy/modules/contrib/lldpad.if        | 5 +----
 policy/modules/contrib/mailscanner.if   | 5 +----
 policy/modules/contrib/mcelog.if        | 5 +----
 policy/modules/contrib/memcached.if     | 5 +----
 policy/modules/contrib/minidlna.if      | 5 +----
 policy/modules/contrib/minissdpd.if     | 5 +----
 policy/modules/contrib/mongodb.if       | 5 +----
 policy/modules/contrib/monop.if         | 5 +----
 policy/modules/contrib/mpd.if           | 5 +----
 policy/modules/contrib/mrtg.if          | 5 +----
 policy/modules/contrib/munin.if         | 5 +----
 policy/modules/contrib/mysql.if         | 6 ++----
 106 files changed, 109 insertions(+), 425 deletions(-)

diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..22e4ad7 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,7 @@ interface(`abrt_admin',`
 	allow $1 abrt_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, abrt_domain)
 
-	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 abrt_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, abrt_t, abrt_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, abrt_etc_t)

diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..d1f8699 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,7 @@ interface(`acct_admin',`
 	allow $1 acct_t:process { ptrace signal_perms };
 	ps_process_pattern($1, acct_t)
 
-	init_labeled_script_domtrans($1, acct_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 acct_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, acct_t, acct_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, acct_data_t)

diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..4b243ec 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,7 @@ interface(`afs_admin',`
 	allow $1 afs_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, afs_domain)
 
-	afs_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 afs_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, afs_domain, afs_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, afs_config_t)

diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..55238af 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,7 @@ interface(`aiccu_admin',`
 	allow $1 aiccu_t:process { ptrace signal_perms };
 	ps_process_pattern($1, aiccu_t)
 
-	aiccu_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 aiccu_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, aiccu_t, aiccu_initrc_exec_t)
 
 	admin_pattern($1, aiccu_etc_t)
 	files_list_etc($1)

diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..2b168f7 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,7 @@ interface(`aisexecd_admin',`
 	allow $1 aisexec_t:process { ptrace signal_perms };
 	ps_process_pattern($1, aisexec_t)
 
-	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 aisexec_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, aisexec_t, aisexec_initrc_exec_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, aisexec_var_lib_t)

diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..a7770bc 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,7 @@ interface(`amavis_admin',`
 	allow $1 amavis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, amavis_t)
 
-	amavis_initrc_domtrans($1)
- 	domain_system_change_exemption($1)
- 	role_transition $2 amavis_initrc_exec_t system_r;
- 	allow $2 system_r;
+	init_manage_service_template($1, $2, amavis_t, amavis_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, amavis_etc_t)

diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..903e81e 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,5 @@ interface(`amtu_admin',`
 	allow $1 amtu_t:process { ptrace signal_perms };
 	ps_process_pattern($1, amtu_t)
 
-	init_labeled_script_domtrans($1, amtu_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 amtu_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, amtu_t, amtu_initrc_exec_t)
 ')

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..944cfe8 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,7 @@ interface(`apache_admin',`
 	ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
 	ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
 
-	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 httpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, httpd_t, httpd_initrc_exec_t)
 
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)

diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..d824aa9 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,7 @@ interface(`apcupsd_admin',`
 	allow $1 apcupsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, apcupsd_t)
 
-	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 apcupsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, apcupsd_t, apcupsd_initrc_exec_t)
 
 	files_list_var($1)
 	admin_pattern($1, apcupsd_lock_t)

diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..bd802ef 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,7 @@ interface(`apm_admin',`
 	allow $1 apmd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, apmd_t)
 
-	init_labeled_script_domtrans($1, apmd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 apmd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, apmd_t, apmd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, apmd_log_t)

diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..b7e293c 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,7 @@ interface(`arpwatch_admin',`
 	allow $1 arpwatch_t:process { ptrace signal_perms };
 	ps_process_pattern($1, arpwatch_t)
 
-	arpwatch_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 arpwatch_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, arpwatch_tmp_t)

diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..6099c72 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,7 @@ interface(`asterisk_admin',`
 	allow $1 asterisk_t:process { ptrace signal_perms };
 	ps_process_pattern($1, asterisk_t)
 
-	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 asterisk_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, asterisk_t, asterisk_initrc_exec_t)
 
 	asterisk_exec($1)
 

diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..d430f2d 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,7 @@ interface(`automount_admin',`
 	allow $1 automount_t:process { ptrace signal_perms };
 	ps_process_pattern($1, automount_t)
 
-	init_labeled_script_domtrans($1, automount_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 automount_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, automount_t, automount_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, automount_keytab_t)

diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..1fd5f7b 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,7 @@ interface(`avahi_admin',`
 	allow $1 avahi_t:process { ptrace signal_perms };
 	ps_process_pattern($1, avahi_t)
 
-	avahi_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 avahi_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, avahi_t, avahi_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, avahi_var_run_t)

diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..eebcc36 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,7 @@ interface(`bacula_admin',`
 	allow $1 bacula_t:process { ptrace signal_perms };
 	ps_process_pattern($1, bacula_t)
 
-	init_labeled_script_domtrans($1, bacula_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 bacula_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, bacula_t, bacula_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, bacula_etc_t)

diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..5dbbbf6 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,7 @@ interface(`bcfg2_admin',`
 	allow $1 bcfg2_t:process { ptrace signal_perms };
 	ps_process_pattern($1, bcfg2_t)
 
-	bcfg2_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 bcfg2_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, bcfg2_var_run_t)

diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..35b6677 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,7 @@ interface(`bind_admin',`
 	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { named_t ndc_t })
 
-	init_labeled_script_domtrans($1, named_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 named_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, named_t, named_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, named_tmp_t)

diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..e67c27c 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,7 @@ interface(`bird_admin',`
 	allow $1 bird_t:process { ptrace signal_perms };
 	ps_process_pattern($1, bird_t)
 
-	init_labeled_script_domtrans($1, bird_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 bird_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, bird_t, bird_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, bird_etc_t)

diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..fd46d30 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,7 @@ interface(`bitlbee_admin',`
 	allow $1 bitlbee_t:process { ptrace signal_perms };
 	ps_process_pattern($1, bitlbee_t)
 
-	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 bitlbee_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, bitlbee_t, bitlbee_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, bitlbee_conf_t)

diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..756b596 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,7 @@ interface(`bluetooth_admin',`
 	allow $1 bluetooth_t:process { ptrace signal_perms };
 	ps_process_pattern($1, bluetooth_t)
 
-	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 bluetooth_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, bluetooth_tmp_t)

diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..fe241e7 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,7 @@ interface(`boinc_admin',`
 	allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { boinc_t boinc_project_t })
 
-	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 boinc_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, boinc_t, boinc_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, boinc_log_t)

diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..efe2a89 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,7 @@ interface(`cachefilesd_admin',`
 	allow $1 cachefilesd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cachefilesd_t)
 
-	init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cachefilesd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t)
 
 	files_search_var($1)
 	admin_pattern($1, cachefilesd_cache_t)

diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..e88350c 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,7 @@ interface(`callweaver_admin',`
 	allow $1 callweaver_t:process { ptrace signal_perms };
 	ps_process_pattern($1, callweaver_t)
 
-	init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 callweaver_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, callweaver_t, callweaver_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, callweaver_log_t)

diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..079b09e 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,7 @@ interface(`canna_admin',`
 	allow $1 canna_t:process { ptrace signal_perms };
 	ps_process_pattern($1, canna_t)
 
-	init_labeled_script_domtrans($1, canna_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 canna_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, canna_t, canna_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, canna_log_t)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..834cc04 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,7 @@ interface(`ccs_admin',`
 	allow $1 ccs_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ccs_t)
 
-	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ccs_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ccs_t, ccs_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, ccs_conf_t)

diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..25939b6 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,7 @@ interface(`certmaster_admin',`
 	allow $1 certmaster_t:process { ptrace signal_perms };
 	ps_process_pattern($1, certmaster_t)
 
-	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 certmaster_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, certmaster_t, certmaster_initrc_exec_t)
 
 	files_list_etc($1)
 	miscfiles_manage_generic_cert_dirs($1)

diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..a52667d 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,7 @@ interface(`certmonger_admin',`
 	ps_process_pattern($1, certmonger_t)
 	allow $1 certmonger_t:process { ptrace signal_perms };
 
-	certmonger_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 certmonger_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, certmonger_t, certmonger_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)

diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..a7e3641 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,7 @@ interface(`cfengine_admin',`
 	allow $1 cfengine_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, cfengine_domain)
 
-	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cfengine_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cfengine_domain, cfengine_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })

diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..6653c55 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,8 @@ interface(`cgroup_admin',`
 	admin_pattern($1, cgred_var_run_t)
 	files_list_pids($1)
 
-	cgroup_initrc_domtrans_cgconfig($1)
-	cgroup_initrc_domtrans_cgred($1)
-	domain_system_change_exemption($1)
-	role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cgred_t, cgred_initrc_exec_t)
+	init_manage_service_template($1, $2, cgconfig_t, cgconfig_initrc_exec_t)
 
 	cgroup_run_cgclear($1, $2)
 ')

diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..6a121a3 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,7 @@ interface(`chronyd_admin',`
 	allow $1 chronyd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, chronyd_t)
 
-	chronyd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 chronyd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, chronyd_t, chronyd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, chronyd_keys_t)

diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..c590aa2 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,5 @@ interface(`cipe_admin',`
 	allow $1 ciped_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ciped_t)
 
-	init_labeled_script_domtrans($1, ciped_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ciped_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ciped_t, ciped_initrc_exec_t)
 ')

diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..7dc1af4 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,7 @@ interface(`clamav_admin',`
 	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
 
-	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 clamd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, clamd_t, clamd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, clamd_etc_t)

diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..4dc9905 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,7 @@ interface(`cmirrord_admin',`
 	allow $1 cmirrord_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cmirrord_t)
 
-	cmirrord_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 cmirrord_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
 
 	files_list_pids($1)
 	admin_pattern($1, cmirrord_var_run_t)

diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..38bc9cc 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,7 @@ interface(`cobbler_admin',`
 	allow $1 cobblerd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cobblerd_t)
 
-	cobblerd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 cobblerd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cobblerd_t, cobblerd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, cobbler_etc_t)

diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..c5233c8 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,7 @@ interface(`collectd_admin',`
 	allow $1 collectd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, collectd_t)
 
-	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 collectd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, collectd_t, collectd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, collectd_var_run_t)

diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..21af45f 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,7 @@ interface(`condor_admin',`
 	allow $1 condor_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, condor_domain)
 
-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 condor_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, condor_domain, condor_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, condor_conf_t)

diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..c2b378a 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,7 @@ interface(`corosync_admin',`
 	allow $1 corosync_t:process { ptrace signal_perms };
 	ps_process_pattern($1, corosync_t)
 
-	corosync_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 corosync_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, corosync_t, corosync_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, corosync_tmp_t)

diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..d53f86a 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,7 @@ interface(`couchdb_admin',`
 	allow $1 couchdb_t:process { ptrace signal_perms };
 	ps_process_pattern($1, couchdb_t)
 
-	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 couchdb_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, couchdb_t, couchdb_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, couchdb_conf_t)

diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..83e224b 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,7 @@ interface(`ctdb_admin',`
 	allow $1 ctdbd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ctdbd_t)
 
-	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ctdbd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ctdbd_t, ctdbd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, ctdbd_log_t)

diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..6025300 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,7 @@ interface(`cups_admin',`
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
 	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
 
-	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cupsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cupsd_t, cupsd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })

diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..01cce48 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,7 @@ interface(`cvs_admin',`
 	allow $1 cvs_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cvs_t)
 
-	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cvs_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cvs_t, cvs_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, cvs_keytab_t)

diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..d929015 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,7 @@ interface(`cyphesis_admin',`
 	allow $1 cyphesis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cyphesis_t)
 
-	init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cyphesis_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cyphesis_t, cyphesis_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, cyphesis_log_t)

diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..b85d8be 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,7 @@ interface(`cyrus_admin',`
 	allow $1 cyrus_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cyrus_t)
 
-	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cyrus_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, cyrus_t, cyrus_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, cyrus_keytab_t)

diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..85e12ff 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,7 @@ interface(`dante_admin',`
 	allow $1 dante_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dante_t)
 
-	init_labeled_script_domtrans($1, dante_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dante_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dante_t, dante_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, dante_conf_t)

diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..ff557b3 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,7 @@ interface(`ddclient_admin',`
 	allow $1 ddclient_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ddclient_t)
 
-	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ddclient_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ddclient_t, ddclient_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, ddclient_etc_t)

diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..822264f 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,7 @@ interface(`denyhosts_admin',`
 	allow $1 denyhosts_t:process { ptrace signal_perms };
 	ps_process_pattern($1, denyhosts_t)
 
-	denyhosts_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 denyhosts_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)

diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..c6c9861 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,7 @@ interface(`dhcpd_admin',`
 	allow $1 dhcpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dhcpd_t)
 
-	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dhcpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dhcpd_t, dhcpd_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, dhcpd_tmp_t)

diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..2b08886 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,7 @@ interface(`dictd_admin',`
 	allow $1 dictd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dictd_t)
 
-	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dictd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dictd_t, dictd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, dictd_etc_t)

diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..68c8c5d 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,7 @@ interface(`dirmngr_admin',`
 	allow $1 dirmngr_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dirmngr_t)
 
-	init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dirmngr_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dirmngr_t, dirmngr_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, dirmngr_conf_t)

diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..4490ec0 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,7 @@ interface(`distcc_admin',`
 	allow $1 distccd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, distccd_t)
 
-	init_labeled_script_domtrans($1, distccd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 distccd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, distccd_t, distccd_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, distccd_log_t)

diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..26655cc 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,7 @@ interface(`dkim_admin',`
 	allow $1 dkim_milter_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dkim_milter_t)
 
-	init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dkim_milter_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, dkim_milter_private_key_t)

diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..10ff51a 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,7 @@ interface(`dnsmasq_admin',`
 	allow $1 dnsmasq_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dnsmasq_t)
 
-	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dnsmasq_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, dnsmasq_lease_t)

diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..880a3fd 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,7 @@ interface(`dnssectrigger_admin',`
 	allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dnssec_triggerd_t)
 
-	init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, dnssec_trigger_conf_t)

diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..4308ca8 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,7 @@ interface(`dovecot_admin',`
 	allow $1 dovecot_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dovecot_t)
 
-	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dovecot_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dovecot_t, dovecot_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })

diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..9084ecf 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,7 @@ interface(`drbd_admin',`
 	allow $1 drbd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, drbd_t)
 
-	init_labeled_script_domtrans($1, drbd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 drbd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, drbd_t, drbd_initrc_exec_t)
 
 	files_search_locks($1)
 	admin_pattern($1, drbd_lock_t)

diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..c0e8192 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,7 @@ interface(`dspam_admin',`
 	allow $1 dspam_t:process { ptrace signal_perms };
 	ps_process_pattern($1, dspam_t)
 
-	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 dspam_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, dspam_t, dspam_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, dspam_log_t)

diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..776a5c9 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,7 @@ interface(`entropyd_admin',`
 	allow $1 entropyd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, entropyd_t)
 
-	init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 entropyd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, entropyd_t, entropyd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, entropyd_var_run_t)

diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..7ba1907 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,7 @@ interface(`exim_admin',`
 	allow $1 exim_t:process { ptrace signal_perms };
 	ps_process_pattern($1, exim_t)
 
-	init_labeled_script_domtrans($1, exim_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 exim_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, exim_t, exim_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, exim_keytab_t)

diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..0571b2a 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,7 @@ interface(`fail2ban_admin',`
 	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 
-	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 fail2ban_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, fail2ban_t, fail2ban_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, fail2ban_log_t)

diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..f241160 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,7 @@ interface(`fcoe_admin',`
 	allow $1 fcoemon_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fcoemon_t)
 
-	init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 fcoemon_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, fcoemon_t, fcoemon_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, fcoemon_var_run_t)

diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..06f3ebb 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,7 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 	')
 
-	init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 fetchmail_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, fetchmail_t, fetchmail_initrc_exec_t)
 
 	allow $1 fetchmail_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fetchmail_t)

diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..70c1229 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,7 @@ interface(`firewalld_admin',`
 	allow $1 firewalld_t:process { ptrace signal_perms };
 	ps_process_pattern($1, firewalld_t)
 
-	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 firewalld_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, firewalld_t, firewalld_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, firewalld_var_run_t)

diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..12b1b3c 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,7 @@ interface(`ftp_admin',`
 	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
 
-	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ftpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ftpd_t, ftpd_initrc_exec_t)
 
 	miscfiles_manage_public_files($1)
 

diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..c4bc44c 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,7 @@ interface(`gatekeeper_admin',`
 	allow $1 gatekeeper_t:process { ptrace signal_perms };
 	ps_process_pattern($1, gatekeeper_t)
 
-	init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 gatekeeper_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, gatekeeper_etc_t)

diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..5ecf51d 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,7 @@ interface(`gdomap_admin',`
 	allow $1 gdomap_t:process { ptrace signal_perms };
 	ps_process_pattern($1, gdomap_t)
 
-	init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 gdomap_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, gdomap_t, gdomap_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, gdomap_conf_t)

diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..a7725ea 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,8 @@ interface(`glance_admin',`
 	allow $1 { glance_api_t glance_registry_t }:process signal_perms;
 	ps_process_pattern($1, { glance_api_t glance_registry_t })
 
-	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, glance_api_t, glance_api_initrc_exec_t)
+	init_manage_service_template($1, $2, glance_registry_t, glance_registry_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, glance_log_t)

diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..a3f095d 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,7 @@ interface(`glusterfs_admin',`
 		type glusterd_var_run_t;
 	')
 
-	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 glusterd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, glusterd_t, glusterd_initrc_exec_t)
 
 	allow $1 glusterd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, glusterd_t)

diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..d7de36a 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,7 @@ interface(`gpm_admin',`
 	allow $1 gpm_t:process { ptrace signal_perms };
 	ps_process_pattern($1, gpm_t)
 
-	init_labeled_script_domtrans($1, gpm_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 gpm_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, gpm_t, gpm_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, gpm_conf_t)

diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..196e0f6 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,7 @@ interface(`gpsd_admin',`
 	allow $1 gpsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, gpsd_t)
 
-	init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 gpsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, gpsd_t, gpsd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, gpsd_var_run_t)

diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..5d417b4 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,7 @@ interface(`hadoop_admin',`
 	allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
 
-	init_labeled_script_domtrans($1, hadoop_init_script_file)
-	domain_system_change_exemption($1)
-	role_transition $2 hadoop_init_script_file system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, hadoop_domain, hadoop_init_script_file)
 
 	files_search_etc($1)
 	admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })

diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..99acdc8 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,7 @@ interface(`hddtemp_admin',`
 	allow $1 hddtemp_t:process { ptrace signal_perms };
 	ps_process_pattern($1, hddtemp_t)
 
-	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 hddtemp_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, hddtemp_t, hddtemp_initrc_exec_t)
 
 	admin_pattern($1, hddtemp_etc_t)
 	files_search_etc($1)

diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..b89f82e 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,7 @@ interface(`howl_admin',`
 	allow $1 howl_t:process { ptrace signal_perms };
 	ps_process_pattern($1, howl_t)
 
-	init_labeled_script_domtrans($1, howl_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 howl_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, howl_t, howl_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, howl_var_run_t)

diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..9775774 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,5 @@ interface(`hypervkvp_admin',`
 	allow $1 hypervkvpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, hypervkvpd_t)
 
-	init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 hypervkvpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t)
 ')

diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..37ff663 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,7 @@ interface(`i18n_input_admin',`
 	allow $1 i18n_input_t:process { ptrace signal_perms };
 	ps_process_pattern($1, i18n_input_t)
 
-	init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 i18n_input_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, i18n_input_t, i18n_input_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, i18n_input_var_run_t)

diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..2d32ce6 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,7 @@ interface(`icecast_admin',`
 		type icecast_var_run_t;
 	')
 
-	icecast_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 icecast_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, icecast_t, icecast_initrc_exec_t)
 
 	allow $1 icecast_t:process { ptrace signal_perms };
 	ps_process_pattern($1, icecast_t)

diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..2aacc4e 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,7 @@ interface(`ifplugd_admin',`
 	allow $1 ifplugd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ifplugd_t)
 
-	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ifplugd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ifplugd_t, ifplugd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, ifplugd_etc_t)

diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..7eff1ab 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,7 @@ interface(`inn_admin',`
 		type innd_var_run_t, innd_initrc_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, innd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 innd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, innd_t, innd_initrc_exec_t)
 
 	allow $1 innd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, innd_t)

diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..e813a57 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,5 @@ interface(`iodine_admin',`
 	allow $1 iodined_t:process { ptrace signal_perms };
 	ps_process_pattern($1, iodined_t)
 
-	init_labeled_script_domtrans($1, iodined_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 iodined_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, iodined_t, iodined_initrc_exec_t)
 ')

diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..3a6c3af 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,7 @@ interface(`ircd_admin',`
 		type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
 	')
 
-	init_labeled_script_domtrans($1, ircd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 ircd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ircd_t, ircd_initrc_exec_t)
 
 	allow $1 ircd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ircd_t)

diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..19b7b16 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,7 @@ interface(`irqbalance_admin',`
 	allow $1 irqbalance_t:process { ptrace signal_perms };
 	ps_process_pattern($1, irqbalance_t)
 
-	init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 irqbalance_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, irqbalance_t, irqbalance_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, irqbalance_var_run_t)

diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..ce0df75 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,7 @@ interface(`iscsi_admin',`
 	allow $1 iscsid_t:process { ptrace signal_perms };
 	ps_process_pattern($1, iscsid_t)
 
-	init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 iscsi_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, iscsi_t, iscsi_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, iscsi_log_t)

diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..c5b8a34 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,7 @@ interface(`isnsd_admin',`
 	allow $1 isnsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, isnsd_t)
 
-	init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 isnsd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, isnsd_t, isnsd_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, isnsd_var_lib_t)

diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..40ae8d2 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,7 @@ interface(`jabber_admin',`
 	allow $1 jabberd_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, jabberd_domain)
 
-	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 jabberd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, jabberd_domain, jabberd_initrc_exec_t)
 
 	files_search_locks($1)
 	admin_pattern($1, jabberd_lock_t)

diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..94f78c0 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,7 @@ interface(`kdump_admin',`
 	allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { kdump_t kdumpctl_t })
 
-	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kdump_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, kdump_t, kdump_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, kdump_etc_t)

diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..97fc16c 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,7 @@ interface(`kerberos_admin',`
 	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
 
-	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kerberos_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, kadmind_log_t)

diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..5077ce5 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,7 @@ interface(`kerneloops_admin',`
 	allow $1 kerneloops_t:process { ptrace signal_perms };
 	ps_process_pattern($1, kerneloops_t)
 
-	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kerneloops_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, kerneloops_t, kerneloops_initrc_exec_t)
 
 	files_search_tmp($1)
 	admin_pattern($1, kerneloops_tmp_t)

diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..44aba27 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,7 @@ interface(`keystone_admin',`
 	allow $1 keystone_t:process { ptrace signal_perms };
 	ps_process_pattern($1, keystone_t)
 
-	init_labeled_script_domtrans($1, keystone_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 keystone_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, keystone_t, keystone_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, keystone_log_t)

diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..9ef087d 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,7 @@ interface(`kismet_admin',`
 		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, kismet_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kismet_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, kismet_t, kismet_initrc_exec_t)
 
 	ps_process_pattern($1, kismet_t)
 	allow $1 kismet_t:process { ptrace signal_perms };

diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..cc0227e 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,7 @@ interface(`ksmtuned_admin',`
 		type ksmtuned_initrc_exec_t, ksmtuned_log_t;
 	')
 
-	ksmtuned_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 ksmtuned_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t)
 
 	allow $1 ksmtuned_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ksmtuned_t)

diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..4b9caf4 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,7 @@ interface(`kudzu_admin',`
 	allow $1 kudzu_t:process { ptrace signal_perms };
 	ps_process_pattern($1, kudzu_t)
 
-	init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kudzu_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, kudzu_t, kudzu_initrc_exec_t)
 
 	files_search_tmp($1)
 	admin_pattern($1, kudzu_tmp_t)

diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..f981467 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,7 @@ interface(`l2tp_admin',`
 	allow $1 l2tpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, l2tpd_t)
 
-	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 l2tpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, l2tpd_t, l2tpd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, l2tp_conf_t)

diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..8738743 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,7 @@ interface(`ldap_admin',`
 	allow $1 slapd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, slapd_t)
 
-	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 slapd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, slapd_t, slapd_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })

diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..0dedf0a 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,7 @@ interface(`likewise_admin',`
 	allow $1 likewise_domains:process { ptrace signal_perms };
 	ps_process_pattern($1, likewise_domains)
 
-	init_labeled_script_domtrans($1, likewise_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 likewise_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, likewise_domains, likewise_initrc_exec_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })

diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..4eda783 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,7 @@ interface(`lircd_admin',`
 	allow $1 lircd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, lircd_t)
 
-	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 lircd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, lircd_t, lircd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, lircd_etc_t)

diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..0e7d6b7 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,7 @@ interface(`lldpad_admin',`
 	allow $1 lldpad_t:process { ptrace signal_perms };
 	ps_process_pattern($1, lldpad_t)
 
-	init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 lldpad_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, lldpad_t, lldpad_initrc_exec_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, lldpad_var_lib_t)

diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..05767bd 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,7 @@ interface(`mscan_admin',`
 	allow $1 mscan_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mscan_t)
 
-	init_labeled_script_domtrans($1, mscan_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mscan_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mscan_t, mscan_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, mscan_etc_t)

diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..bdcf3e2 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,7 @@ interface(`mcelog_admin',`
 	allow $1 mcelog_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mcelog_t)
 
-	init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mcelog_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mcelog_t, mcelog_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, mcelog_etc_t)

diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..9449397 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,7 @@ interface(`memcached_admin',`
 	allow $1 memcached_t:process { ptrace signal_perms };
 	ps_process_pattern($1, memcached_t)
 
-	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 memcached_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, memcached_t, memcached_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, memcached_var_run_t)

diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..cc883c0 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,7 @@ interface(`minidlna_admin',`
 	allow $1 minidlna_t:process { ptrace signal_perms };
 	ps_process_pattern($1, minidlna_t)
 
-	minidlna_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 minidlna_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, minidlna_t, minidlna_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, minidlna_conf_t)

diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..56d3a93 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,7 @@ interface(`minissdpd_admin',`
 	allow $1 minissdpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, minissdpd_t)
 
-	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 minissdpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, minissdpd_t, minissdpd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, minissdpd_conf_t)

diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..7e28134 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,7 @@ interface(`mongodb_admin',`
 	allow $1 mongod_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mongod_t)
 
-	init_labeled_script_domtrans($1, mongod_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mongod_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mongod_t, mongod_initrc_exec_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, mongod_log_t)

diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..18a9bac 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,7 @@ interface(`monop_admin',`
 	allow $1 monopd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, monopd_t)
 
-	init_labeled_script_domtrans($1, monopd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 monopd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, monopd_t, monopd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, monopd_etc_t)

diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..affd9c8 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,7 @@ interface(`mpd_admin',`
 	allow $1 mpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mpd_t)
 
-	mpd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 mpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mpd_t, mpd_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, mpd_etc_t)

diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..edafa6b 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,7 @@ interface(`mrtg_admin',`
 	allow $1 mrtg_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mrtg_t)
 
-	init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mrtg_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mrtg_t, mrtg_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, mrtg_etc_t)

diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..06af328 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,7 @@ interface(`munin_admin',`
 	allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { munin_plugin_domain munin_t })
 
-	init_labeled_script_domtrans($1, munin_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 munin_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, munin_t, munin_initrc_exec_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })

diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..f93cbfb 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,8 @@ interface(`mysql_admin',`
 	allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
 
-	init_labeled_script_domtrans($1, {  mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
-	allow $2 system_r;
+	init_manage_service_template($1, $2, mysqld_t, mysqld_initrc_exec_t)
+	init_manage_service_template($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
 
 	files_search_pids($1)
 	admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })