From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 956DF138CCF for ; Mon, 11 May 2015 22:57:31 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E7DF5E0877; Mon, 11 May 2015 22:57:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 21488E0877 for ; Mon, 11 May 2015 22:57:28 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B3648340AD9 for ; Mon, 11 May 2015 22:57:26 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 6FEBA9C8 for ; Mon, 11 May 2015 22:57:25 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1431384823.0e73c60284ee74368c9742064fe937620b15f8d4.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/abrt.if policy/modules/contrib/acct.if policy/modules/contrib/afs.if policy/modules/contrib/aiccu.if policy/modules/contrib/aisexec.if policy/modules/contrib/amavis.if policy/modules/contrib/amtu.if policy/modules/contrib/apache.if policy/modules/contrib/apcupsd.if policy/modules/contrib/apm.if policy/modules/contrib/arpwatch.if policy/modules/contrib/asterisk.if policy/modules/contrib/automount.if policy/modules/contrib/avahi.if policy/modules/contrib/bacula.if policy/modules/contrib/bcfg2.if policy/modules/contrib/bind.if policy/modules/contrib/bird.if policy/modules/contrib/bitcoin.if policy/modules/contrib/bitlbee.if policy/modules/contrib/bluetooth.if policy/modules/contrib/boinc.if policy/modules/contrib/cachefilesd.if policy/modules/contrib/callweaver.if policy/modules/contrib/canna.if policy/modules/contrib/ccs.if policy/modules/contrib/certmaster.if policy/modules/contrib/certmonger.if policy/modules/contrib/cfengine.if policy/modules/cont rib/cgroup.if policy/modules/contrib/chronyd.if policy/modules/contrib/cipe.if policy/modules/contrib/clamav.if policy/modules/contrib/cmirrord.if policy/modules/contrib/cobbler.if policy/modules/contrib/collectd.if policy/modules/contrib/condor.if policy/modules/contrib/corosync.if policy/modules/contrib/couchdb.if policy/modules/contrib/ctdb.if policy/modules/contrib/cups.if policy/modules/contrib/cvs.if policy/modules/contrib/cyphesis.if policy/modules/contrib/cyrus.if policy/modules/contrib/dante.if policy/modules/contrib/ddclient.if policy/modules/contrib/denyhosts.if 
policy/modules/contrib/dhcp.if policy/modules/contrib/dictd.if policy/modules/contrib/dirmngr.if policy/modules/contrib/distcc.if policy/modules/contrib/dkim.if policy/modules/contrib/dnsmasq.if policy/modules/contrib/dnssectrigger.if policy/modules/contrib/dovecot.if policy/modules/contrib/drbd.if policy/modules/contrib/dspam.if policy/modules/contrib/entropyd.if policy/modules/contrib/exim.if policy/modules/cont rib/fail2ban.if policy/modules/contrib/fcoe.if policy/modules/contrib/fetchmail.if policy/modules/contrib/firewalld.if policy/modules/contrib/ftp.if policy/modules/contrib/gatekeeper.if policy/modules/contrib/gdomap.if policy/modules/contrib/glance.if policy/modules/contrib/glusterfs.if policy/modules/contrib/gpm.if policy/modules/contrib/gpsd.if policy/modules/contrib/hadoop.if policy/modules/contrib/hddtemp.if policy/modules/contrib/howl.if policy/modules/contrib/hypervkvp.if policy/modules/contrib/i18n_input.if policy/modules/contrib/icecast.if policy/modules/contrib/ifplugd.if policy/modules/contrib/inn.if policy/modules/contrib/iodine.if policy/modules/contrib/ircd.if policy/modules/contrib/irqbalance.if policy/modules/contrib/iscsi.if policy/modules/contrib/isns.if policy/modules/contrib/jabber.if policy/modules/contrib/kdump.if policy/modules/contrib/kerberos.if policy/modules/contrib/kerneloops.if policy/modules/contrib/keystone.if policy/modules/contrib/kismet.if policy/mod ules/contrib/ksmtuned.if policy/modules/contrib/kudzu.if policy/modules/contrib/l2tp.if policy/modules/contrib/ldap.if policy/modules/contrib/likewise.if policy/modules/contrib/lircd.if policy/modules/contrib/lldpad.if policy/modules/contrib/mailscanner.if policy/modules/contrib/mcelog.if policy/modules/contrib/memcached.if policy/modules/contrib/minidlna.if policy/modules/contrib/minissdpd.if policy/modules/contrib/mongodb.if policy/modules/contrib/monop.if policy/modules/contrib/mpd.if policy/modules/contrib/mrtg.if policy/modules/contrib/munin.if 
policy/modules/contrib/mysql.if policy/modules/contrib/nagios.if policy/modules/contrib/nessus.if policy/modules/contrib/networkmanager.if policy/modules/contrib/nis.if policy/modules/contrib/nscd.if policy/modules/contrib/nsd.if policy/modules/contrib/nslcd.if policy/modules/contrib/ntop.if policy/modules/contrib/ntp.if policy/modules/contrib/numad.if policy/modules/contrib/nut.if policy/modules/contrib/oident.if policy/modules/contrib/ openct.if policy/modules/contrib/openhpi.if policy/modules/contrib/openvpn.if policy/modules/contrib/openvswitch.if policy/modules/contrib/pacemaker.if policy/modules/contrib/pads.if policy/modules/contrib/pcscd.if policy/modules/contrib/pegasus.if policy/modules/contrib/perdition.if policy/modules/contrib/pingd.if policy/modules/contrib/pkcs.if policy/modules/contrib/polipo.if policy/modules/contrib/portmap.if policy/modules/contrib/portreserve.if policy/modules/contrib/postfix.if policy/modules/contrib/postfixpolicyd.if policy/modules/contrib/postgrey.if policy/modules/contrib/ppp.if policy/modules/contrib/prelude.if policy/modules/contrib/privoxy.if policy/modules/contrib/psad.if policy/modules/contrib/puppet.if policy/modules/contrib/pxe.if policy/modules/contrib/pyicqt.if policy/modules/contrib/pyzor.if policy/modules/contrib/qpid.if policy/modules/contrib/quantum.if policy/modules/contrib/quota.if policy/modules/contrib/rabbitmq.if policy/modules/contrib/radius.if policy/modul es/contrib/radvd.if policy/modules/contrib/raid.if policy/modules/contrib/redis.if policy/modules/contrib/resmgr.if policy/modules/contrib/rgmanager.if policy/modules/contrib/rhcs.if policy/modules/contrib/rhsmcertd.if policy/modules/contrib/ricci.if policy/modules/contrib/rngd.if policy/modules/contrib/roundup.if policy/modules/contrib/rpc.if policy/modules/contrib/rpcbind.if policy/modules/contrib/rpm.if policy/modules/contrib/rtkit.if policy/modules/contrib/rwho.if policy/modules/contrib/salt.if policy/modules/contrib/samba.if 
policy/modules/contrib/sanlock.if policy/modules/contrib/sasl.if policy/modules/contrib/sblim.if policy/modules/contrib/sendmail.if policy/modules/contrib/sensord.if policy/modules/contrib/shorewall.if policy/modules/contrib/slpd.if policy/modules/contrib/smartmon.if policy/modules/contrib/smokeping.if policy/modules/contrib/smstools.if policy/modules/contrib/snmp.if policy/modules/contrib/snort.if policy/modules/contrib/soundserver.if policy/modules/contri b/spamassassin.if policy/modules/contrib/squid.if policy/modules/contrib/sssd.if policy/modules/contrib/svnserve.if policy/modules/contrib/sysstat.if policy/modules/contrib/systemtap.if policy/modules/contrib/tcsd.if policy/modules/contrib/tgtd.if policy/modules/contrib/tor.if policy/modules/contrib/transproxy.if policy/modules/contrib/tuned.if policy/modules/contrib/ulogd.if policy/modules/contrib/uptime.if policy/modules/contrib/uucp.if policy/modules/contrib/uuidd.if policy/modules/contrib/varnishd.if policy/modules/contrib/vdagent.if policy/modules/contrib/vhostmd.if policy/modules/contrib/virt.if policy/modules/contrib/vnstatd.if policy/modules/contrib/watchdog.if policy/modules/contrib/wdmd.if policy/modules/contrib/xfs.if policy/modules/contrib/zabbix.if policy/modules/contrib/zarafa.if policy/modules/contrib/zebra.if X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 0e73c60284ee74368c9742064fe937620b15f8d4 X-VCS-Branch: next Date: Mon, 11 May 2015 22:57:25 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 51468fba-b4bd-4aac-be5e-0ed1ec322064 X-Archives-Hash: 137bbbbce329b6cd0c07c54f3aa8c056 commit: 0e73c60284ee74368c9742064fe937620b15f8d4 Author: Jason Zaman perfinion com> AuthorDate: Mon May 11 20:25:10 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon May 11 22:53:43 2015 +0000 URL: 
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e73c602 remove initrc_exec_t transitions from contrib _admin interfaces The _admin interfaces have a transition from sysadm_t to initrc_t for the init scripts. These interfere with the run_init integration in openrc, so they need to be removed. policy/modules/contrib/abrt.if | 8 ++++---- policy/modules/contrib/acct.if | 8 ++++---- policy/modules/contrib/afs.if | 8 ++++---- policy/modules/contrib/aiccu.if | 8 ++++---- policy/modules/contrib/aisexec.if | 8 ++++---- policy/modules/contrib/amavis.if | 8 ++++---- policy/modules/contrib/amtu.if | 8 ++++---- policy/modules/contrib/apache.if | 8 ++++---- policy/modules/contrib/apcupsd.if | 8 ++++---- policy/modules/contrib/apm.if | 8 ++++---- policy/modules/contrib/arpwatch.if | 8 ++++---- policy/modules/contrib/asterisk.if | 8 ++++---- policy/modules/contrib/automount.if | 8 ++++---- policy/modules/contrib/avahi.if | 8 ++++---- policy/modules/contrib/bacula.if | 8 ++++---- policy/modules/contrib/bcfg2.if | 8 ++++---- policy/modules/contrib/bind.if | 8 ++++---- policy/modules/contrib/bird.if | 8 ++++---- policy/modules/contrib/bitcoin.if | 8 ++++---- policy/modules/contrib/bitlbee.if | 8 ++++---- policy/modules/contrib/bluetooth.if | 8 ++++---- policy/modules/contrib/boinc.if | 8 ++++---- policy/modules/contrib/cachefilesd.if | 8 ++++---- policy/modules/contrib/callweaver.if | 8 ++++---- policy/modules/contrib/canna.if | 8 ++++---- policy/modules/contrib/ccs.if | 8 ++++---- policy/modules/contrib/certmaster.if | 8 ++++---- policy/modules/contrib/certmonger.if | 8 ++++---- policy/modules/contrib/cfengine.if | 8 ++++---- policy/modules/contrib/cgroup.if | 10 +++++----- policy/modules/contrib/chronyd.if | 8 ++++---- policy/modules/contrib/cipe.if | 8 ++++---- policy/modules/contrib/clamav.if | 8 ++++---- policy/modules/contrib/cmirrord.if | 8 ++++---- policy/modules/contrib/cobbler.if | 8 ++++---- policy/modules/contrib/collectd.if | 8 ++++---- 
policy/modules/contrib/condor.if | 8 ++++---- policy/modules/contrib/corosync.if | 8 ++++---- policy/modules/contrib/couchdb.if | 8 ++++---- policy/modules/contrib/ctdb.if | 8 ++++---- policy/modules/contrib/cups.if | 8 ++++---- policy/modules/contrib/cvs.if | 8 ++++---- policy/modules/contrib/cyphesis.if | 8 ++++---- policy/modules/contrib/cyrus.if | 8 ++++---- policy/modules/contrib/dante.if | 8 ++++---- policy/modules/contrib/ddclient.if | 8 ++++---- policy/modules/contrib/denyhosts.if | 8 ++++---- policy/modules/contrib/dhcp.if | 8 ++++---- policy/modules/contrib/dictd.if | 8 ++++---- policy/modules/contrib/dirmngr.if | 8 ++++---- policy/modules/contrib/distcc.if | 8 ++++---- policy/modules/contrib/dkim.if | 8 ++++---- policy/modules/contrib/dnsmasq.if | 8 ++++---- policy/modules/contrib/dnssectrigger.if | 8 ++++---- policy/modules/contrib/dovecot.if | 8 ++++---- policy/modules/contrib/drbd.if | 8 ++++---- policy/modules/contrib/dspam.if | 8 ++++---- policy/modules/contrib/entropyd.if | 8 ++++---- policy/modules/contrib/exim.if | 8 ++++---- policy/modules/contrib/fail2ban.if | 8 ++++---- policy/modules/contrib/fcoe.if | 8 ++++---- policy/modules/contrib/fetchmail.if | 8 ++++---- policy/modules/contrib/firewalld.if | 8 ++++---- policy/modules/contrib/ftp.if | 8 ++++---- policy/modules/contrib/gatekeeper.if | 8 ++++---- policy/modules/contrib/gdomap.if | 8 ++++---- policy/modules/contrib/glance.if | 8 ++++---- policy/modules/contrib/glusterfs.if | 8 ++++---- policy/modules/contrib/gpm.if | 8 ++++---- policy/modules/contrib/gpsd.if | 8 ++++---- policy/modules/contrib/hadoop.if | 8 ++++---- policy/modules/contrib/hddtemp.if | 8 ++++---- policy/modules/contrib/howl.if | 8 ++++---- policy/modules/contrib/hypervkvp.if | 8 ++++---- policy/modules/contrib/i18n_input.if | 8 ++++---- policy/modules/contrib/icecast.if | 8 ++++---- policy/modules/contrib/ifplugd.if | 8 ++++---- policy/modules/contrib/inn.if | 8 ++++---- policy/modules/contrib/iodine.if | 8 ++++---- 
policy/modules/contrib/ircd.if | 8 ++++---- policy/modules/contrib/irqbalance.if | 8 ++++---- policy/modules/contrib/iscsi.if | 8 ++++---- policy/modules/contrib/isns.if | 8 ++++---- policy/modules/contrib/jabber.if | 8 ++++---- policy/modules/contrib/kdump.if | 8 ++++---- policy/modules/contrib/kerberos.if | 8 ++++---- policy/modules/contrib/kerneloops.if | 8 ++++---- policy/modules/contrib/keystone.if | 8 ++++---- policy/modules/contrib/kismet.if | 8 ++++---- policy/modules/contrib/ksmtuned.if | 8 ++++---- policy/modules/contrib/kudzu.if | 8 ++++---- policy/modules/contrib/l2tp.if | 8 ++++---- policy/modules/contrib/ldap.if | 8 ++++---- policy/modules/contrib/likewise.if | 8 ++++---- policy/modules/contrib/lircd.if | 8 ++++---- policy/modules/contrib/lldpad.if | 8 ++++---- policy/modules/contrib/mailscanner.if | 8 ++++---- policy/modules/contrib/mcelog.if | 8 ++++---- policy/modules/contrib/memcached.if | 8 ++++---- policy/modules/contrib/minidlna.if | 8 ++++---- policy/modules/contrib/minissdpd.if | 8 ++++---- policy/modules/contrib/mongodb.if | 8 ++++---- policy/modules/contrib/monop.if | 8 ++++---- policy/modules/contrib/mpd.if | 8 ++++---- policy/modules/contrib/mrtg.if | 8 ++++---- policy/modules/contrib/munin.if | 8 ++++---- policy/modules/contrib/mysql.if | 8 ++++---- policy/modules/contrib/nagios.if | 8 ++++---- policy/modules/contrib/nessus.if | 8 ++++---- policy/modules/contrib/networkmanager.if | 8 ++++---- policy/modules/contrib/nis.if | 10 +++++----- policy/modules/contrib/nscd.if | 8 ++++---- policy/modules/contrib/nsd.if | 8 ++++---- policy/modules/contrib/nslcd.if | 8 ++++---- policy/modules/contrib/ntop.if | 8 ++++---- policy/modules/contrib/ntp.if | 8 ++++---- policy/modules/contrib/numad.if | 8 ++++---- policy/modules/contrib/nut.if | 8 ++++---- policy/modules/contrib/oident.if | 8 ++++---- policy/modules/contrib/openct.if | 8 ++++---- policy/modules/contrib/openhpi.if | 8 ++++---- policy/modules/contrib/openvpn.if | 8 ++++---- 
policy/modules/contrib/openvswitch.if | 8 ++++---- policy/modules/contrib/pacemaker.if | 8 ++++---- policy/modules/contrib/pads.if | 8 ++++---- policy/modules/contrib/pcscd.if | 8 ++++---- policy/modules/contrib/pegasus.if | 8 ++++---- policy/modules/contrib/perdition.if | 8 ++++---- policy/modules/contrib/pingd.if | 8 ++++---- policy/modules/contrib/pkcs.if | 8 ++++---- policy/modules/contrib/polipo.if | 8 ++++---- policy/modules/contrib/portmap.if | 8 ++++---- policy/modules/contrib/portreserve.if | 8 ++++---- policy/modules/contrib/postfix.if | 8 ++++---- policy/modules/contrib/postfixpolicyd.if | 8 ++++---- policy/modules/contrib/postgrey.if | 8 ++++---- policy/modules/contrib/ppp.if | 8 ++++---- policy/modules/contrib/prelude.if | 8 ++++---- policy/modules/contrib/privoxy.if | 8 ++++---- policy/modules/contrib/psad.if | 8 ++++---- policy/modules/contrib/puppet.if | 8 ++++---- policy/modules/contrib/pxe.if | 8 ++++---- policy/modules/contrib/pyicqt.if | 8 ++++---- policy/modules/contrib/pyzor.if | 8 ++++---- policy/modules/contrib/qpid.if | 8 ++++---- policy/modules/contrib/quantum.if | 8 ++++---- policy/modules/contrib/quota.if | 8 ++++---- policy/modules/contrib/rabbitmq.if | 8 ++++---- policy/modules/contrib/radius.if | 8 ++++---- policy/modules/contrib/radvd.if | 8 ++++---- policy/modules/contrib/raid.if | 8 ++++---- policy/modules/contrib/redis.if | 8 ++++---- policy/modules/contrib/resmgr.if | 8 ++++---- policy/modules/contrib/rgmanager.if | 8 ++++---- policy/modules/contrib/rhcs.if | 8 ++++---- policy/modules/contrib/rhsmcertd.if | 8 ++++---- policy/modules/contrib/ricci.if | 8 ++++---- policy/modules/contrib/rngd.if | 8 ++++---- policy/modules/contrib/roundup.if | 8 ++++---- policy/modules/contrib/rpc.if | 8 ++++---- policy/modules/contrib/rpcbind.if | 8 ++++---- policy/modules/contrib/rpm.if | 8 ++++---- policy/modules/contrib/rtkit.if | 8 ++++---- policy/modules/contrib/rwho.if | 8 ++++---- policy/modules/contrib/salt.if | 16 ++++++++-------- 
policy/modules/contrib/samba.if | 8 ++++---- policy/modules/contrib/sanlock.if | 8 ++++---- policy/modules/contrib/sasl.if | 8 ++++---- policy/modules/contrib/sblim.if | 8 ++++---- policy/modules/contrib/sendmail.if | 6 +++--- policy/modules/contrib/sensord.if | 8 ++++---- policy/modules/contrib/shorewall.if | 8 ++++---- policy/modules/contrib/slpd.if | 8 ++++---- policy/modules/contrib/smartmon.if | 8 ++++---- policy/modules/contrib/smokeping.if | 8 ++++---- policy/modules/contrib/smstools.if | 8 ++++---- policy/modules/contrib/snmp.if | 8 ++++---- policy/modules/contrib/snort.if | 8 ++++---- policy/modules/contrib/soundserver.if | 8 ++++---- policy/modules/contrib/spamassassin.if | 8 ++++---- policy/modules/contrib/squid.if | 8 ++++---- policy/modules/contrib/sssd.if | 8 ++++---- policy/modules/contrib/svnserve.if | 8 ++++---- policy/modules/contrib/sysstat.if | 8 ++++---- policy/modules/contrib/systemtap.if | 8 ++++---- policy/modules/contrib/tcsd.if | 8 ++++---- policy/modules/contrib/tgtd.if | 8 ++++---- policy/modules/contrib/tor.if | 8 ++++---- policy/modules/contrib/transproxy.if | 8 ++++---- policy/modules/contrib/tuned.if | 8 ++++---- policy/modules/contrib/ulogd.if | 8 ++++---- policy/modules/contrib/uptime.if | 8 ++++---- policy/modules/contrib/uucp.if | 8 ++++---- policy/modules/contrib/uuidd.if | 8 ++++---- policy/modules/contrib/varnishd.if | 16 ++++++++-------- policy/modules/contrib/vdagent.if | 8 ++++---- policy/modules/contrib/vhostmd.if | 8 ++++---- policy/modules/contrib/virt.if | 8 ++++---- policy/modules/contrib/vnstatd.if | 8 ++++---- policy/modules/contrib/watchdog.if | 8 ++++---- policy/modules/contrib/wdmd.if | 8 ++++---- policy/modules/contrib/xfs.if | 8 ++++---- policy/modules/contrib/zabbix.if | 8 ++++---- policy/modules/contrib/zarafa.if | 8 ++++---- policy/modules/contrib/zebra.if | 8 ++++---- 205 files changed, 829 insertions(+), 829 deletions(-) 
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if index 058d908..6195190 100644 --- a/policy/modules/contrib/abrt.if +++ b/policy/modules/contrib/abrt.if @@ -304,10 +304,10 @@ interface(`abrt_admin',` allow $1 abrt_domain:process { ptrace signal_perms }; ps_process_pattern($1, abrt_domain) - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, abrt_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 abrt_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, abrt_etc_t) diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if index 81280d0..a49181a 100644 --- a/policy/modules/contrib/acct.if +++ b/policy/modules/contrib/acct.if @@ -106,10 +106,10 @@ interface(`acct_admin',` allow $1 acct_t:process { ptrace signal_perms }; ps_process_pattern($1, acct_t) - init_labeled_script_domtrans($1, acct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 acct_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, acct_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 acct_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, acct_data_t) diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if index 3b41be6..04f8f03 100644 --- a/policy/modules/contrib/afs.if +++ b/policy/modules/contrib/afs.if 
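Review bot: The four transition rules in abrt_admin are disabled with a leading `#` and nothing in the file records why, so a later merge from upstream refpolicy will conflict here with no hint of the intent; the same pattern repeats in every other `_admin` hunk of this patch (acct, afs, aiccu, aisexec and the rest). Either delete the lines outright or put one comment above them, for example `# Gentoo: no initrc_t transition here, it conflicts with the run_init integration in openrc`. If other distributions should keep the upstream behaviour, wrapping the four rules in an ifndef on distro_gentoo would keep the deviation explicit instead of leaving dead text. With the domain and role transition gone, it is worth confirming that run_init is the only remaining path by which `$1` can start the service, and that the init script cannot simply be executed in the caller's own domain. The `gen_require` block of each interface lies outside the hunk, so whether `abrt_initrc_exec_t` is still needed there cannot be judged from here.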
@@ -103,10 +103,10 @@ interface(`afs_admin',` allow $1 afs_domain:process { ptrace signal_perms }; ps_process_pattern($1, afs_domain) - afs_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 afs_initrc_exec_t system_r; - allow $2 system_r; + #afs_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 afs_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, afs_config_t) diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if index 3b5dcb9..cd049ac 100644 --- a/policy/modules/contrib/aiccu.if +++ b/policy/modules/contrib/aiccu.if @@ -82,10 +82,10 @@ interface(`aiccu_admin',` allow $1 aiccu_t:process { ptrace signal_perms }; ps_process_pattern($1, aiccu_t) - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; - allow $2 system_r; + #aiccu_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 aiccu_initrc_exec_t system_r; + #allow $2 system_r; admin_pattern($1, aiccu_etc_t) files_list_etc($1) diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if index a2997fa..1bc0fcf 100644 --- a/policy/modules/contrib/aisexec.if +++ b/policy/modules/contrib/aisexec.if @@ -86,10 +86,10 @@ interface(`aisexecd_admin',` allow $1 aisexec_t:process { ptrace signal_perms }; ps_process_pattern($1, aisexec_t) - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 aisexec_initrc_exec_t system_r; + #allow $2 system_r; files_list_var_lib($1) admin_pattern($1, aisexec_var_lib_t) diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if index 60d4f8c..9b6f2b2 100644 --- a/policy/modules/contrib/amavis.if 
+++ b/policy/modules/contrib/amavis.if @@ -237,10 +237,10 @@ interface(`amavis_admin',` allow $1 amavis_t:process { ptrace signal_perms }; ps_process_pattern($1, amavis_t) - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; - allow $2 system_r; + #amavis_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 amavis_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, amavis_etc_t) diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if index 884b23b..fa319c7 100644 --- a/policy/modules/contrib/amtu.if +++ b/policy/modules/contrib/amtu.if @@ -70,8 +70,8 @@ interface(`amtu_admin',` allow $1 amtu_t:process { ptrace signal_perms }; ps_process_pattern($1, amtu_t) - init_labeled_script_domtrans($1, amtu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 amtu_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, amtu_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 amtu_initrc_exec_t system_r; + #allow $2 system_r; ') diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 717c6f7..b148da6 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if @@ -1318,10 +1318,10 @@ interface(`apache_admin',` ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, httpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 httpd_initrc_exec_t system_r; + #allow $2 system_r; apache_manage_all_content($1) miscfiles_manage_public_files($1) 
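Review bot: In amtu_admin the closing `')` follows the disabled block directly, so in the visible part of the body `$2` is no longer referenced and the role argument has no effect. Keeping the parameter is reasonable for caller compatibility, but the role parameter's summary in the interface header (above the hunk, not visible here) should gain a sentence saying the role is currently unused, so that nobody assumes passing a role still confines the init script to system_r. A `gen_require` entry for `amtu_initrc_exec_t` is presumably left without a user as well; verify that outside the hunk.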
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if index f3c0aba..2e2b50c 100644 --- a/policy/modules/contrib/apcupsd.if +++ b/policy/modules/contrib/apcupsd.if @@ -149,10 +149,10 @@ interface(`apcupsd_admin',` allow $1 apcupsd_t:process { ptrace signal_perms }; ps_process_pattern($1, apcupsd_t) - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; + #apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 apcupsd_initrc_exec_t system_r; + #allow $2 system_r; files_list_var($1) admin_pattern($1, apcupsd_lock_t) diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if index 1a7a97e..f5219a2 100644 --- a/policy/modules/contrib/apm.if +++ b/policy/modules/contrib/apm.if @@ -166,10 +166,10 @@ interface(`apm_admin',` allow $1 apmd_t:process { ptrace signal_perms }; ps_process_pattern($1, apmd_t) - init_labeled_script_domtrans($1, apmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apmd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, apmd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 apmd_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, apmd_log_t) diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if index 50c9b9c..7296bdf 100644 --- a/policy/modules/contrib/arpwatch.if +++ b/policy/modules/contrib/arpwatch.if 
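Review bot: The disabled line `#apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` keeps a second argument that the other `*_initrc_domtrans($1)` calls touched by this patch (afs, aiccu, amavis, arpwatch) do not pass. Since the line is being edited anyway, either delete it or keep it as `#apcupsd_initrc_domtrans($1)`, so that a later re-enable does not carry the inconsistency forward. The definition of apcupsd_initrc_domtrans is not part of this patch, so whether the extra argument is simply ignored is an assumption.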
@@ -143,10 +143,10 @@ interface(`arpwatch_admin',` allow $1 arpwatch_t:process { ptrace signal_perms }; ps_process_pattern($1, arpwatch_t) - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; + #arpwatch_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 arpwatch_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, arpwatch_tmp_t) diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if index 2077053..46ef939 100644 --- a/policy/modules/contrib/asterisk.if +++ b/policy/modules/contrib/asterisk.if @@ -127,10 +127,10 @@ interface(`asterisk_admin',` allow $1 asterisk_t:process { ptrace signal_perms }; ps_process_pattern($1, asterisk_t) - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, asterisk_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 asterisk_initrc_exec_t system_r; + #allow $2 system_r; asterisk_exec($1) diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if index f24e369..82c1ea5 100644 --- a/policy/modules/contrib/automount.if +++ b/policy/modules/contrib/automount.if @@ -159,10 +159,10 @@ interface(`automount_admin',` allow $1 automount_t:process { ptrace signal_perms }; ps_process_pattern($1, automount_t) - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, automount_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 automount_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, automount_keytab_t) 
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if index 9078c3d..b490161 100644 --- a/policy/modules/contrib/avahi.if +++ b/policy/modules/contrib/avahi.if @@ -264,10 +264,10 @@ interface(`avahi_admin',` allow $1 avahi_t:process { ptrace signal_perms }; ps_process_pattern($1, avahi_t) - avahi_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; + #avahi_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 avahi_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, avahi_var_run_t) diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if index dcd774e..fdfef80 100644 --- a/policy/modules/contrib/bacula.if +++ b/policy/modules/contrib/bacula.if @@ -74,10 +74,10 @@ interface(`bacula_admin',` allow $1 bacula_t:process { ptrace signal_perms }; ps_process_pattern($1, bacula_t) - init_labeled_script_domtrans($1, bacula_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bacula_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, bacula_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 bacula_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, bacula_etc_t) diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if index ec95d36..311ab75 100644 --- a/policy/modules/contrib/bcfg2.if +++ b/policy/modules/contrib/bcfg2.if 
@@ -141,10 +141,10 @@ interface(`bcfg2_admin',` allow $1 bcfg2_t:process { ptrace signal_perms }; ps_process_pattern($1, bcfg2_t) - bcfg2_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 bcfg2_initrc_exec_t system_r; - allow $2 system_r; + #bcfg2_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 bcfg2_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, bcfg2_var_run_t) diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if index 531a8f2..835b9c0 100644 --- a/policy/modules/contrib/bind.if +++ b/policy/modules/contrib/bind.if @@ -370,10 +370,10 @@ interface(`bind_admin',` allow $1 { named_t ndc_t }:process { ptrace signal_perms }; ps_process_pattern($1, { named_t ndc_t }) - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, named_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 named_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, named_tmp_t) diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if index 85c035f..01278df 100644 --- a/policy/modules/contrib/bird.if +++ b/policy/modules/contrib/bird.if @@ -26,10 +26,10 @@ interface(`bird_admin',` allow $1 bird_t:process { ptrace signal_perms }; ps_process_pattern($1, bird_t) - init_labeled_script_domtrans($1, bird_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bird_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, bird_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 bird_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, bird_etc_t) diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if index 922bc7c..a6d9018 100644 
--- a/policy/modules/contrib/bitcoin.if +++ b/policy/modules/contrib/bitcoin.if @@ -26,10 +26,10 @@ interface(`bitcoin_admin',` allow $1 bitcoin_t:process { ptrace signal_perms }; ps_process_pattern($1, bitcoin_t) - init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitcoin_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 bitcoin_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, bitcoin_tmp_t) diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if index e73fb79..bc326c9 100644 --- a/policy/modules/contrib/bitlbee.if +++ b/policy/modules/contrib/bitlbee.if @@ -47,10 +47,10 @@ interface(`bitlbee_admin',` allow $1 bitlbee_t:process { ptrace signal_perms }; ps_process_pattern($1, bitlbee_t) - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 bitlbee_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, bitlbee_conf_t) diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if index c723a0a..8e2eff5 100644 --- a/policy/modules/contrib/bluetooth.if +++ b/policy/modules/contrib/bluetooth.if 
@@ -216,10 +216,10 @@ interface(`bluetooth_admin',`
 allow $1 bluetooth_t:process { ptrace signal_perms };
 ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 bluetooth_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..3a66e75 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,10 @@ interface(`boinc_admin',`
 allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 boinc_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..4c68242 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,10 @@ interface(`cachefilesd_admin',`
 allow $1 cachefilesd_t:process { ptrace signal_perms };
 ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cachefilesd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var($1)
 admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..ad4dee3 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,10 @@ interface(`callweaver_admin',`
 allow $1 callweaver_t:process { ptrace signal_perms };
 ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 callweaver_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..98a34d7 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,10 @@ interface(`canna_admin',`
 allow $1 canna_t:process { ptrace signal_perms };
 ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 canna_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_list_logs($1)
 admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..80ef99e 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,10 @@ interface(`ccs_admin',`
 allow $1 ccs_t:process { ptrace signal_perms };
 ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ccs_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..ad86de9 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,10 @@ interface(`certmaster_admin',`
 allow $1 certmaster_t:process { ptrace signal_perms };
 ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmaster_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..bed2a59 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,10 @@ interface(`certmonger_admin',`
 ps_process_pattern($1, certmonger_t)
 allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ #certmonger_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 certmonger_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, certmonger_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..d47ea2a 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,10 @@ interface(`cfengine_admin',`
 allow $1 cfengine_domain:process { ptrace signal_perms };
 ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cfengine_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..c136d2f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,11 @@ interface(`cgroup_admin',`
 admin_pattern($1, cgred_var_run_t)
 files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ #cgroup_initrc_domtrans_cgconfig($1)
+ #cgroup_initrc_domtrans_cgred($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
+ #allow $2 system_r;
 cgroup_run_cgclear($1, $2)
 ')
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..f504b7b 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,10 @@ interface(`chronyd_admin',`
 allow $1 chronyd_t:process { ptrace signal_perms };
 ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #chronyd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 chronyd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ff777 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,8 @@ interface(`cipe_admin',`
 allow $1 ciped_t:process { ptrace signal_perms };
 ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ciped_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ciped_initrc_exec_t system_r;
+ #allow $2 system_r;
 ')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..e194bb7 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,10 @@ interface(`clamav_admin',`
 allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 clamd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, clamd_etc_t)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..242bbc3 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,10 @@ interface(`cmirrord_admin',`
 allow $1 cmirrord_t:process { ptrace signal_perms };
 ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ #cmirrord_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cmirrord_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_pids($1)
 admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..8392d01 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,10 @@ interface(`cobbler_admin',`
 allow $1 cobblerd_t:process { ptrace signal_perms };
 ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #cobblerd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cobblerd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..9bb2db5 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,10 @@ interface(`collectd_admin',`
 allow $1 collectd_t:process { ptrace signal_perms };
 ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 collectd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b350506 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,10 @@ interface(`condor_admin',`
 allow $1 condor_domain:process { ptrace signal_perms };
 ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 condor_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..2e5c8e0 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,10 @@ interface(`corosync_admin',`
 allow $1 corosync_t:process { ptrace signal_perms };
 ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ #corosync_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 corosync_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..654e58a 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,10 @@ interface(`couchdb_admin',`
 allow $1 couchdb_t:process { ptrace signal_perms };
 ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 couchdb_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..bb9daea 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,10 @@ interface(`ctdb_admin',`
 allow $1 ctdbd_t:process { ptrace signal_perms };
 ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ctdbd_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..f5e5fcb 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,10 @@ interface(`cups_admin',`
 ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
 ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cupsd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..276840c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,10 @@ interface(`cvs_admin',`
 allow $1 cvs_t:process { ptrace signal_perms };
 ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cvs_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..86c1316 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,10 @@ interface(`cyphesis_admin',`
 allow $1 cyphesis_t:process { ptrace signal_perms };
 ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyphesis_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..069eec7 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,10 @@ interface(`cyrus_admin',`
 allow $1 cyrus_t:process { ptrace signal_perms };
 ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 cyrus_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8e26fd8 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,10 @@ interface(`dante_admin',`
 allow $1 dante_t:process { ptrace signal_perms };
 ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dante_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dante_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..790ed46 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,10 @@ interface(`ddclient_admin',`
 allow $1 ddclient_t:process { ptrace signal_perms };
 ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ddclient_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..ee887da 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,10 @@ interface(`denyhosts_admin',`
 allow $1 denyhosts_t:process { ptrace signal_perms };
 ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ #denyhosts_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 denyhosts_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..fe3f70a 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,10 @@ interface(`dhcpd_admin',`
 allow $1 dhcpd_t:process { ptrace signal_perms };
 ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dhcpd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..5946e57 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,10 @@ interface(`dictd_admin',`
 allow $1 dictd_t:process { ptrace signal_perms };
 ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dictd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..e41f285 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,10 @@ interface(`dirmngr_admin',`
 allow $1 dirmngr_t:process { ptrace signal_perms };
 ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dirmngr_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..28a4164 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,10 @@ interface(`distcc_admin',`
 allow $1 distccd_t:process { ptrace signal_perms };
 ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, distccd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 distccd_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..7999295 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,10 @@ interface(`dkim_admin',`
 allow $1 dkim_milter_t:process { ptrace signal_perms };
 ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dkim_milter_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..0ea06df 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,10 @@ interface(`dnsmasq_admin',`
 allow $1 dnsmasq_t:process { ptrace signal_perms };
 ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnsmasq_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_var_lib($1)
 admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..2e1bd25 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,10 @@ interface(`dnssectrigger_admin',`
 allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
 ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..294d61e 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,10 @@ interface(`dovecot_admin',`
 allow $1 dovecot_t:process { ptrace signal_perms };
 ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dovecot_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..18dbd73 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,10 @@ interface(`drbd_admin',`
 allow $1 drbd_t:process { ptrace signal_perms };
 ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, drbd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 drbd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_locks($1)
 admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..b16cb67 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,10 @@ interface(`dspam_admin',`
 allow $1 dspam_t:process { ptrace signal_perms };
 ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 dspam_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..1fc147c 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,10 @@ interface(`entropyd_admin',`
 allow $1 entropyd_t:process { ptrace signal_perms };
 ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 entropyd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..16d2922 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,10 @@ interface(`exim_admin',`
 allow $1 exim_t:process { ptrace signal_perms };
 ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 exim_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..0d23647 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,10 @@ interface(`fail2ban_admin',`
 allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fail2ban_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_list_logs($1)
 admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..e8b2446 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,10 @@ interface(`fcoe_admin',`
 allow $1 fcoemon_t:process { ptrace signal_perms };
 ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fcoemon_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..8823986 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,10 @@ interface(`fetchmail_admin',`
 type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 ')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 fetchmail_initrc_exec_t system_r;
+ #allow $2 system_r;
 allow $1 fetchmail_t:process { ptrace signal_perms };
 ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..cbe9016 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,10 @@ interface(`firewalld_admin',`
 allow $1 firewalld_t:process { ptrace signal_perms };
 ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 firewalld_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..5d7a53f 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
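Review bot: The `gen_require` list at the top of the `fetchmail_admin` hunk still names `fetchmail_initrc_exec_t`, although the only visible statements that use the type are the ones this hunk comments out. If nothing further down the interface references it, the requirement should shrink to `type fetchmail_var_run_t, fetchmail_log_t;` so the interface does not depend on a type it no longer touches. The interface body continues past the end of the hunk, so this needs checking against the full file.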
@@ -182,10 +182,10 @@ interface(`ftp_admin',`
 allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ftpd_initrc_exec_t system_r;
+ #allow $2 system_r;
 miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..879de37 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,10 @@ interface(`gatekeeper_admin',`
 allow $1 gatekeeper_t:process { ptrace signal_perms };
 ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 gatekeeper_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..b4ebe6c 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,10 @@ interface(`gdomap_admin',` allow $1 gdomap_t:process { ptrace signal_perms }; ps_process_pattern($1, gdomap_t) - init_labeled_script_domtrans($1, gdomap_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gdomap_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, gdomap_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 gdomap_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, gdomap_conf_t) diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if index 9eacb2c..6966abb 100644 --- a/policy/modules/contrib/glance.if +++ b/policy/modules/contrib/glance.if @@ -245,10 +245,10 @@ interface(`glance_admin',` allow $1 { glance_api_t glance_registry_t }:process signal_perms; ps_process_pattern($1, { glance_api_t glance_registry_t }) - init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) + #domain_system_change_exemption($1) + #role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, glance_log_t) diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if index 05233c8..c121fda 100644 --- a/policy/modules/contrib/glusterfs.if +++ b/policy/modules/contrib/glusterfs.if 
@@ -46,10 +46,10 @@ interface(`glusterfs_admin',` type glusterd_var_run_t; ') - init_labeled_script_domtrans($1, glusterd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 glusterd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, glusterd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 glusterd_initrc_exec_t system_r; + #allow $2 system_r; allow $1 glusterd_t:process { ptrace signal_perms }; ps_process_pattern($1, glusterd_t) diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if index f1528c9..65818dc 100644 --- a/policy/modules/contrib/gpm.if +++ b/policy/modules/contrib/gpm.if @@ -106,10 +106,10 @@ interface(`gpm_admin',` allow $1 gpm_t:process { ptrace signal_perms }; ps_process_pattern($1, gpm_t) - init_labeled_script_domtrans($1, gpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpm_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, gpm_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 gpm_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, gpm_conf_t) diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if index 92eb564..6d077a4 100644 --- a/policy/modules/contrib/gpsd.if +++ b/policy/modules/contrib/gpsd.if @@ -91,10 +91,10 @@ interface(`gpsd_admin',` allow $1 gpsd_t:process { ptrace signal_perms }; ps_process_pattern($1, gpsd_t) - init_labeled_script_domtrans($1, gpsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpsd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, gpsd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 gpsd_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, gpsd_var_run_t) diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if index 2b0d488..48f93d3 100644 
--- a/policy/modules/contrib/hadoop.if +++ b/policy/modules/contrib/hadoop.if @@ -441,10 +441,10 @@ interface(`hadoop_admin',` allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) - init_labeled_script_domtrans($1, hadoop_init_script_file) - domain_system_change_exemption($1) - role_transition $2 hadoop_init_script_file system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, hadoop_init_script_file) + #domain_system_change_exemption($1) + #role_transition $2 hadoop_init_script_file system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if index 1728071..718fc12 100644 --- a/policy/modules/contrib/hddtemp.if +++ b/policy/modules/contrib/hddtemp.if @@ -63,10 +63,10 @@ interface(`hddtemp_admin',` allow $1 hddtemp_t:process { ptrace signal_perms }; ps_process_pattern($1, hddtemp_t) - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 hddtemp_initrc_exec_t system_r; + #allow $2 system_r; admin_pattern($1, hddtemp_etc_t) files_search_etc($1) diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if index dc609f0..d67eac5 100644 --- a/policy/modules/contrib/howl.if +++ b/policy/modules/contrib/howl.if 
@@ -43,10 +43,10 @@ interface(`howl_admin',` allow $1 howl_t:process { ptrace signal_perms }; ps_process_pattern($1, howl_t) - init_labeled_script_domtrans($1, howl_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 howl_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, howl_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 howl_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, howl_var_run_t) diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if index 6517fad..d483ebe 100644 --- a/policy/modules/contrib/hypervkvp.if +++ b/policy/modules/contrib/hypervkvp.if @@ -25,8 +25,8 @@ interface(`hypervkvp_admin',` allow $1 hypervkvpd_t:process { ptrace signal_perms }; ps_process_pattern($1, hypervkvpd_t) - init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hypervkvpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 hypervkvpd_initrc_exec_t system_r; + #allow $2 system_r; ') diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if index 5eab254..dd6c6a9 100644 --- a/policy/modules/contrib/i18n_input.if +++ b/policy/modules/contrib/i18n_input.if @@ -40,10 +40,10 @@ interface(`i18n_input_admin',` allow $1 i18n_input_t:process { ptrace signal_perms }; ps_process_pattern($1, i18n_input_t) - init_labeled_script_domtrans($1, i18n_input_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 i18n_input_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, i18n_input_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 i18n_input_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, i18n_input_var_run_t) 
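Review bot: In `hypervkvp_admin` the commented-out `role_transition` and `allow $2 system_r;` lines were the only visible uses of the role argument `$2`, and the hunk runs to the closing `')`, so the interface now appears to ignore its second parameter. Callers will still pass a role and get no role-related access from it, which should be stated in the interface's parameter documentation, for example by adding `Currently unused.` to the role summary. The start of the interface is outside the hunk, so this is inferred from the visible lines only. `iodine_admin` in iodine.if ends the same way.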
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if index 580b533..0235592 100644 --- a/policy/modules/contrib/icecast.if +++ b/policy/modules/contrib/icecast.if @@ -176,10 +176,10 @@ interface(`icecast_admin',` type icecast_var_run_t; ') - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; - allow $2 system_r; + #icecast_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 icecast_initrc_exec_t system_r; + #allow $2 system_r; allow $1 icecast_t:process { ptrace signal_perms }; ps_process_pattern($1, icecast_t) diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if index 8999899..bc3884d 100644 --- a/policy/modules/contrib/ifplugd.if +++ b/policy/modules/contrib/ifplugd.if @@ -122,10 +122,10 @@ interface(`ifplugd_admin',` allow $1 ifplugd_t:process { ptrace signal_perms }; ps_process_pattern($1, ifplugd_t) - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ifplugd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 ifplugd_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, ifplugd_etc_t) diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if index eb87f23..91b81e9 100644 --- a/policy/modules/contrib/inn.if +++ b/policy/modules/contrib/inn.if 
@@ -230,10 +230,10 @@ interface(`inn_admin',` type innd_var_run_t, innd_initrc_exec_t; ') - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 innd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, innd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 innd_initrc_exec_t system_r; + #allow $2 system_r; allow $1 innd_t:process { ptrace signal_perms }; ps_process_pattern($1, innd_t) diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if index a0bfbd0..f034884 100644 --- a/policy/modules/contrib/iodine.if +++ b/policy/modules/contrib/iodine.if @@ -47,8 +47,8 @@ interface(`iodine_admin',` allow $1 iodined_t:process { ptrace signal_perms }; ps_process_pattern($1, iodined_t) - init_labeled_script_domtrans($1, iodined_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iodined_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, iodined_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 iodined_initrc_exec_t system_r; + #allow $2 system_r; ') diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if index 1a88664..6d057fd 100644 --- a/policy/modules/contrib/ircd.if +++ b/policy/modules/contrib/ircd.if @@ -23,10 +23,10 @@ interface(`ircd_admin',` type ircd_log_t, ircd_var_lib_t, ircd_var_run_t; ') - init_labeled_script_domtrans($1, ircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ircd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, ircd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 ircd_initrc_exec_t system_r; + #allow $2 system_r; allow $1 ircd_t:process { ptrace signal_perms }; ps_process_pattern($1, ircd_t) diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if index d7113e7..5f97e41 100644 
--- a/policy/modules/contrib/irqbalance.if +++ b/policy/modules/contrib/irqbalance.if @@ -25,10 +25,10 @@ interface(`irqbalance_admin',` allow $1 irqbalance_t:process { ptrace signal_perms }; ps_process_pattern($1, irqbalance_t) - init_labeled_script_domtrans($1, irqbalance_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 irqbalance_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, irqbalance_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 irqbalance_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, irqbalance_var_run_t) diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if index 1a35420..9e73947 100644 --- a/policy/modules/contrib/iscsi.if +++ b/policy/modules/contrib/iscsi.if @@ -105,10 +105,10 @@ interface(`iscsi_admin',` allow $1 iscsid_t:process { ptrace signal_perms }; ps_process_pattern($1, iscsid_t) - init_labeled_script_domtrans($1, iscsi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iscsi_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, iscsi_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 iscsi_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if index da7e970..baf3539 100644 --- a/policy/modules/contrib/isns.if +++ b/policy/modules/contrib/isns.if 
@@ -26,10 +26,10 @@ interface(`isnsd_admin',` allow $1 isnsd_t:process { ptrace signal_perms }; ps_process_pattern($1, isnsd_t) - init_labeled_script_domtrans($1, isnsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 isnsd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, isnsd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 isnsd_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, isnsd_var_lib_t) diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if index 7eb3811..dda272b 100644 --- a/policy/modules/contrib/jabber.if +++ b/policy/modules/contrib/jabber.if @@ -81,10 +81,10 @@ interface(`jabber_admin',` allow $1 jabberd_domain:process { ptrace signal_perms }; ps_process_pattern($1, jabberd_domain) - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 jabberd_initrc_exec_t system_r; + #allow $2 system_r; files_search_locks($1) admin_pattern($1, jabberd_lock_t) diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if index 3a00b3a..804c498 100644 --- a/policy/modules/contrib/kdump.if +++ b/policy/modules/contrib/kdump.if @@ -102,10 +102,10 @@ interface(`kdump_admin',` allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; ps_process_pattern($1, { kdump_t kdumpctl_t }) - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kdump_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, kdump_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 kdump_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, kdump_etc_t) 
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 77a5c49..ab3f24e 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if @@ -493,10 +493,10 @@ interface(`kerberos_admin',` allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t }) - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerberos_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, kerberos_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 kerberos_initrc_exec_t system_r; + #allow $2 system_r; logging_list_logs($1) admin_pattern($1, kadmind_log_t) diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if index 714448f..7e50bdd 100644 --- a/policy/modules/contrib/kerneloops.if +++ b/policy/modules/contrib/kerneloops.if @@ -108,10 +108,10 @@ interface(`kerneloops_admin',` allow $1 kerneloops_t:process { ptrace signal_perms }; ps_process_pattern($1, kerneloops_t) - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 kerneloops_initrc_exec_t system_r; + #allow $2 system_r; files_search_tmp($1) admin_pattern($1, kerneloops_tmp_t) diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if index e88fb16..7407597 100644 --- a/policy/modules/contrib/keystone.if +++ b/policy/modules/contrib/keystone.if 
@@ -26,10 +26,10 @@ interface(`keystone_admin',` allow $1 keystone_t:process { ptrace signal_perms }; ps_process_pattern($1, keystone_t) - init_labeled_script_domtrans($1, keystone_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 keystone_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, keystone_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 keystone_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, keystone_log_t) diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if index f20de6e..1a3bc7d 100644 --- a/policy/modules/contrib/kismet.if +++ b/policy/modules/contrib/kismet.if @@ -286,10 +286,10 @@ interface(`kismet_admin',` type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; ') - init_labeled_script_domtrans($1, kismet_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kismet_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, kismet_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 kismet_initrc_exec_t system_r; + #allow $2 system_r; ps_process_pattern($1, kismet_t) allow $1 kismet_t:process { ptrace signal_perms }; diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if index 93a64bc..663a091 100644 --- a/policy/modules/contrib/ksmtuned.if +++ b/policy/modules/contrib/ksmtuned.if @@ -61,10 +61,10 @@ interface(`ksmtuned_admin',` type ksmtuned_initrc_exec_t, ksmtuned_log_t; ') - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; + #ksmtuned_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 ksmtuned_initrc_exec_t system_r; + #allow $2 system_r; allow $1 ksmtuned_t:process { ptrace signal_perms }; ps_process_pattern($1, ksmtuned_t) 
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if index 5297064..db57d00 100644 --- a/policy/modules/contrib/kudzu.if +++ b/policy/modules/contrib/kudzu.if @@ -89,10 +89,10 @@ interface(`kudzu_admin',` allow $1 kudzu_t:process { ptrace signal_perms }; ps_process_pattern($1, kudzu_t) - init_labeled_script_domtrans($1, kudzu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kudzu_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, kudzu_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 kudzu_initrc_exec_t system_r; + #allow $2 system_r; files_search_tmp($1) admin_pattern($1, kudzu_tmp_t) diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if index 73e2803..5f364d2 100644 --- a/policy/modules/contrib/l2tp.if +++ b/policy/modules/contrib/l2tp.if @@ -86,10 +86,10 @@ interface(`l2tp_admin',` allow $1 l2tpd_t:process { ptrace signal_perms }; ps_process_pattern($1, l2tpd_t) - init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 l2tpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 l2tpd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, l2tp_conf_t) diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if index 7f09b4a..bb0ca32 100644 --- a/policy/modules/contrib/ldap.if +++ b/policy/modules/contrib/ldap.if 
@@ -122,10 +122,10 @@ interface(`ldap_admin',` allow $1 slapd_t:process { ptrace signal_perms }; ps_process_pattern($1, slapd_t) - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, slapd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 slapd_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if index bd20e8c..3813742 100644 --- a/policy/modules/contrib/likewise.if +++ b/policy/modules/contrib/likewise.if @@ -110,10 +110,10 @@ interface(`likewise_admin',` allow $1 likewise_domains:process { ptrace signal_perms }; ps_process_pattern($1, likewise_domains) - init_labeled_script_domtrans($1, likewise_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 likewise_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, likewise_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 likewise_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if index dff21a7..50996eb 100644 --- a/policy/modules/contrib/lircd.if +++ b/policy/modules/contrib/lircd.if 
@@ -84,10 +84,10 @@ interface(`lircd_admin',` allow $1 lircd_t:process { ptrace signal_perms }; ps_process_pattern($1, lircd_t) - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lircd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, lircd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 lircd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, lircd_etc_t) diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if index d18c960..612d86f 100644 --- a/policy/modules/contrib/lldpad.if +++ b/policy/modules/contrib/lldpad.if @@ -45,10 +45,10 @@ interface(`lldpad_admin',` allow $1 lldpad_t:process { ptrace signal_perms }; ps_process_pattern($1, lldpad_t) - init_labeled_script_domtrans($1, lldpad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lldpad_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, lldpad_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 lldpad_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, lldpad_var_lib_t) diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if index 214cb44..d3bd6c5 100644 --- a/policy/modules/contrib/mailscanner.if +++ b/policy/modules/contrib/mailscanner.if @@ -47,10 +47,10 @@ interface(`mscan_admin',` allow $1 mscan_t:process { ptrace signal_perms }; ps_process_pattern($1, mscan_t) - init_labeled_script_domtrans($1, mscan_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, mscan_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 mscan_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, mscan_etc_t) 
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if index f89651e..82b0846 100644 --- a/policy/modules/contrib/mcelog.if +++ b/policy/modules/contrib/mcelog.if @@ -45,10 +45,10 @@ interface(`mcelog_admin',` allow $1 mcelog_t:process { ptrace signal_perms }; ps_process_pattern($1, mcelog_t) - init_labeled_script_domtrans($1, mcelog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mcelog_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, mcelog_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 mcelog_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, mcelog_etc_t) diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if index 1d4eb19..6b3c3dc 100644 --- a/policy/modules/contrib/memcached.if +++ b/policy/modules/contrib/memcached.if @@ -124,10 +124,10 @@ interface(`memcached_admin',` allow $1 memcached_t:process { ptrace signal_perms }; ps_process_pattern($1, memcached_t) - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, memcached_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 memcached_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, memcached_var_run_t) diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if index 358917a..e58f50a 100644 --- a/policy/modules/contrib/minidlna.if +++ b/policy/modules/contrib/minidlna.if 
@@ -26,10 +26,10 @@ interface(`minidlna_admin',` allow $1 minidlna_t:process { ptrace signal_perms }; ps_process_pattern($1, minidlna_t) - minidlna_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 minidlna_initrc_exec_t system_r; - allow $2 system_r; + #minidlna_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 minidlna_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, minidlna_conf_t) diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if index f37a116..3121ce0 100644 --- a/policy/modules/contrib/minissdpd.if +++ b/policy/modules/contrib/minissdpd.if @@ -45,10 +45,10 @@ interface(`minissdpd_admin',` allow $1 minissdpd_t:process { ptrace signal_perms }; ps_process_pattern($1, minissdpd_t) - init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 minissdpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 minissdpd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, minissdpd_conf_t) diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if index b247d25..80ba75c 100644 --- a/policy/modules/contrib/mongodb.if +++ b/policy/modules/contrib/mongodb.if @@ -26,10 +26,10 @@ interface(`mongodb_admin',` allow $1 mongod_t:process { ptrace signal_perms }; ps_process_pattern($1, mongod_t) - init_labeled_script_domtrans($1, mongod_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mongod_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, mongod_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 mongod_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, mongod_log_t) 
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if index a6ec137..a798087 100644 --- a/policy/modules/contrib/monop.if +++ b/policy/modules/contrib/monop.if @@ -26,10 +26,10 @@ interface(`monop_admin',` allow $1 monopd_t:process { ptrace signal_perms }; ps_process_pattern($1, monopd_t) - init_labeled_script_domtrans($1, monopd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 monopd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, monopd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 monopd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, monopd_etc_t) diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if index 5fa77c7..9be1aa8 100644 --- a/policy/modules/contrib/mpd.if +++ b/policy/modules/contrib/mpd.if @@ -347,10 +347,10 @@ interface(`mpd_admin',` allow $1 mpd_t:process { ptrace signal_perms }; ps_process_pattern($1, mpd_t) - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; - allow $2 system_r; + #mpd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 mpd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, mpd_etc_t) diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if index c595094..aeac4b2 100644 --- a/policy/modules/contrib/mrtg.if +++ b/policy/modules/contrib/mrtg.if 
@@ -47,10 +47,10 @@ interface(`mrtg_admin',` allow $1 mrtg_t:process { ptrace signal_perms }; ps_process_pattern($1, mrtg_t) - init_labeled_script_domtrans($1, mrtg_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mrtg_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, mrtg_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 mrtg_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, mrtg_etc_t) diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if index b744fe3..b540634 100644 --- a/policy/modules/contrib/munin.if +++ b/policy/modules/contrib/munin.if @@ -173,10 +173,10 @@ interface(`munin_admin',` allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; ps_process_pattern($1, { munin_plugin_domain munin_t }) - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 munin_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, munin_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 munin_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content }) diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if index 590748a..5535d22 100644 --- a/policy/modules/contrib/mysql.if +++ b/policy/modules/contrib/mysql.if 
@@ -450,10 +450,10 @@ interface(`mysql_admin',` allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) + #domain_system_change_exemption($1) + #role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if index 0641e97..8289ecb 100644 --- a/policy/modules/contrib/nagios.if +++ b/policy/modules/contrib/nagios.if @@ -204,10 +204,10 @@ interface(`nagios_admin',` allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, nagios_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 nagios_initrc_exec_t system_r; + #allow $2 system_r; files_search_tmp($1) admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if index 42e9ed4..5fa68ad 100644 --- a/policy/modules/contrib/nessus.if +++ b/policy/modules/contrib/nessus.if 
@@ -40,10 +40,10 @@ interface(`nessus_admin',` allow $1 nessusd_t:process { ptrace signal_perms }; ps_process_pattern($1, nessusd_t) - init_labeled_script_domtrans($1, nessusd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nessusd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, nessusd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 nessusd_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, nessusd_log_t) diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if index b512ce0..7e1b861 100644 --- a/policy/modules/contrib/networkmanager.if +++ b/policy/modules/contrib/networkmanager.if @@ -297,10 +297,10 @@ interface(`networkmanager_admin',` allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 NetworkManager_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 NetworkManager_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if index 46e55c3..8000aa6 100644 --- a/policy/modules/contrib/nis.if +++ b/policy/modules/contrib/nis.if 
@@ -381,11 +381,11 @@ interface(`nis_admin',`
 allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ #nis_initrc_domtrans($1)
+ #nis_initrc_domtrans_ypbind($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..7d046d2 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,10 @@ interface(`nscd_admin',`
 allow $1 nscd_t:process { ptrace signal_perms };
 ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nscd_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_list_logs($1)
 admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..6b42add 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,10 @@ interface(`nsd_admin',`
 allow $1 nsd_t:process { ptrace signal_perms };
 ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nsd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nsd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..4c7aee8 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,10 @@ interface(`nslcd_admin',`
 allow $1 nslcd_t:process { ptrace signal_perms };
 ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ #nslcd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nslcd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..756b0cc 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,10 @@ interface(`ntop_admin',`
 allow $1 ntop_t:process { ptrace signal_perms };
 ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntop_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntop_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..02e6320 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,10 @@ interface(`ntp_admin',`
 allow $1 ntpd_t:process { ptrace signal_perms };
 ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 ntpd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d5c4a6d 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,10 @@ interface(`numad_admin',`
 allow $1 numad_t:process { ptrace signal_perms };
 ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, numad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 numad_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..f0f6b74 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,10 @@ interface(`nut_admin',`
 allow $1 nut_domain:process { ptrace signal_perms };
 ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, nut_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 nut_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c4d4419 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,10 @@ interface(`oident_admin',`
 allow $1 oidentd_t:process { ptrace signal_perms };
 ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 oidentd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..4fe22f9 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,10 @@ interface(`openct_admin',`
 allow $1 openct_t:process { ptrace signal_perms };
 ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openct_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openct_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..141f3c8 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,10 @@ interface(`openhpi_admin',`
 allow $1 openhpid_t:process { ptrace signal_perms };
 ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openhpid_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..7efa5a5 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,10 @@ interface(`openvpn_admin',`
 allow $1 openvpn_t:process { ptrace signal_perms };
 ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvpn_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..131e6dc 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,10 @@ interface(`openvswitch_admin',`
 allow $1 openvswitch_t:process { ptrace signal_perms };
 ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 openvswitch_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..3ae9dcf 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,10 @@ interface(`pacemaker_admin',`
 allow $1 pacemaker_t:process { ptrace signal_perms };
 ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pacemaker_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..e9fa6d2 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,10 @@ interface(`pads_admin', `
 allow $1 pads_t:process { ptrace signal_perms };
 ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pads_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..aa414bd 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,10 @@ interface(`pcscd_admin',`
 allow $1 pcscd_t:process { ptrace signal_perms };
 ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pcscd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..3b509a4 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,10 @@ interface(`pegasus_admin',`
 allow $1 pegasus_t:process { ptrace signal_perms };
 ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pegasus_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..ffe3965 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,10 @@ interface(`perdition_admin',`
 allow $1 perdition_t:process { ptrace signal_perms };
 ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, perdition_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 perdition_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..4194b84 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,10 @@ interface(`pingd_admin',`
 allow $1 pingd_t:process { ptrace signal_perms };
 ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pingd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..c3b3223 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,10 @@ interface(`pkcs_admin_slotd',`
 allow $1 pkcs_slotd_t:process { ptrace signal_perms };
 ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..c6c431e 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,10 @@ interface(`polipo_admin',`
 allow $1 polipo_system_t:process { ptrace signal_perms };
 ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ #polipo_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 polipo_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var($1)
 admin_pattern($1, polipo_cache_t)
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..7cc0695 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,10 @@ interface(`portmap_admin',`
 allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, portmap_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portmap_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..ecffbfc 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,10 @@ interface(`portreserve_admin',`
 allow $1 portreserve_t:process { ptrace signal_perms };
 ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ #portreserve_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 portreserve_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..603f2e3 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,10 @@ interface(`postfix_admin',`
 allow $1 postfix_domain:process { ptrace signal_perms };
 ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..d74f378 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,10 @@ interface(`postfixpolicyd_admin',`
 allow $1 postfix_policyd_t:process { ptrace signal_perms };
 ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..05a4cd4 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,10 @@ interface(`postgrey_admin',`
 allow $1 postgrey_t:process { ptrace signal_perms };
 ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 postgrey_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..71455d1 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,10 @@ interface(`ppp_admin',`
 allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ #ppp_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pppd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..573fac7 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,10 @@ interface(`prelude_admin',`
 allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 prelude_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_spool($1)
 admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..182267b 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,10 @@ interface(`privoxy_admin',`
 allow $1 privoxy_t:process { ptrace signal_perms };
 ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 privoxy_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_list_logs($1)
 admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..a04483a 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,10 @@ interface(`psad_admin',`
 allow $1 psad_t:process { ptrace signal_perms };
 ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 psad_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..9d0c95c 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,10 @@ interface(`puppet_admin',`
 allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..3a60f9b 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,10 @@ interface(`pxe_admin',`
 allow $1 pxe_t:process { ptrace signal_perms };
 ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pxe_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pxe_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..683d0ee 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,10 @@ interface(`pyicqt_admin',`
 allow $1 pyicqt_t:process { ptrace signal_perms };
 ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyicqt_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..664b594 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,10 @@ interface(`pyzor_admin',`
 allow $1 pyzord_t:process { ptrace signal_perms };
 ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 pyzord_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..307b419 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,10 @@ interface(`qpidd_admin',`
 allow $1 qpidd_t:process { ptrace signal_perms };
 ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ #qpidd_initrc_domtrans($1)
+ #domain_system_change_exemption($1)
+ #role_transition $2 qpidd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_var_lib($1)
 admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..2d9ec09 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,10 @@ interface(`quantum_admin',`
 allow $1 quantum_t:process { ptrace signal_perms };
 ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quantum_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..6af6364 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,10 @@ interface(`quota_admin',`
 allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 quota_nld_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_all($1)
 admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..64bd4db 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,10 @@ interface(`rabbitmq_admin',`
 allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rabbitmq_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, rabbitmq_var_log_t)
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..785c40a 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,10 @@ interface(`radius_admin',`
 allow $1 radiusd_t:process { ptrace signal_perms };
 ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radiusd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..33a3f31 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,10 @@ interface(`radvd_admin',`
 allow $1 radvd_t:process { ptrace signal_perms };
 ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 radvd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..f865481 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,10 @@ interface(`raid_admin_mdadm',`
 allow $1 mdadm_t:process { ptrace signal_perms };
 ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 mdadm_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..13812be 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,10 @@ interface(`redis_admin',`
 allow $1 redis_t:process { ptrace signal_perms };
 ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, redis_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 redis_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..b6a5cec 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,10 @@ interface(`resmgr_admin',`
 allow $1 resmgrd_t:process { ptrace signal_perms };
 ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 resmgrd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..5ab664c 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,10 @@ interface(`rgmanager_admin',`
 allow $1 rgmanager_t:process { ptrace signal_perms };
 ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 rgmanager_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_tmp($1)
 admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..10828e8 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -472,10 +472,10 @@ interface(`rhcs_admin',`
 allow $1 cluster_domain:process { ptrace signal_perms };
 ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..98574fe 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,10 @@ interface(`rhsmcertd_admin',` allow $1 rhsmcertd_t:process { ptrace signal_perms }; ps_process_pattern($1, rhsmcertd_t) - rhsmcertd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 rhsmcertd_initrc_exec_t system_r; - allow $2 system_r; + #rhsmcertd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 rhsmcertd_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, rhsmcertd_log_t) diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if index 2ab3ed1..3290abc 100644 --- a/policy/modules/contrib/ricci.if +++ b/policy/modules/contrib/ricci.if @@ -203,10 +203,10 @@ interface(`ricci_admin',` allow $1 ricci_t:process { ptrace signal_perms }; ps_process_pattern($1, ricci_t) - init_labeled_script_domtrans($1, ricci_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ricci_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, ricci_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 ricci_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, ricci_tmp_t) diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if index 13f788f..d182588 100644 --- a/policy/modules/contrib/rngd.if +++ b/policy/modules/contrib/rngd.if @@ -25,10 +25,10 @@ interface(`rngd_admin',` allow $1 rngd_t:process { ptrace signal_perms }; ps_process_pattern($1, rngd_t) - init_labeled_script_domtrans($1, rngd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rngd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, rngd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 rngd_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, rngd_var_run_t) diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if index 975bb6a..f540ee7 100644 
--- a/policy/modules/contrib/roundup.if +++ b/policy/modules/contrib/roundup.if @@ -26,10 +26,10 @@ interface(`roundup_admin',` allow $1 roundup_t:process { ptrace signal_perms }; ps_process_pattern($1, roundup_t) - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 roundup_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, roundup_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 roundup_initrc_exec_t system_r; + #allow $2 system_r; files_list_var_lib($1) admin_pattern($1, roundup_var_lib_t) diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if index 157afd9..baf9509 100644 --- a/policy/modules/contrib/rpc.if +++ b/policy/modules/contrib/rpc.if @@ -400,10 +400,10 @@ interface(`rpc_admin',` allow $1 rpc_domain:process { ptrace signal_perms }; ps_process_pattern($1, rpc_domain) - init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) + #domain_system_change_exemption($1) + #role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, { gssd_keytab_t exports_t }) diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if index f78fef0..bfee269 100644 --- a/policy/modules/contrib/rpcbind.if +++ b/policy/modules/contrib/rpcbind.if 
@@ -160,10 +160,10 @@ interface(`rpcbind_admin',` allow $1 rpcbind_t:process { ptrace signal_perms }; ps_process_pattern($1, rpcbind_t) - init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 rpcbind_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, rpcbind_var_run_t) diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if index fc9c8d8..4b1a6b3 100644 --- a/policy/modules/contrib/rpm.if +++ b/policy/modules/contrib/rpm.if @@ -634,10 +634,10 @@ interface(`rpm_admin',` allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; ps_process_pattern($1, { rpm_t rpm_script_t }) - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, rpm_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 rpm_initrc_exec_t system_r; + #allow $2 system_r; admin_pattern($1, rpm_file_t) diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if index e904ec4..37daa13 100644 --- a/policy/modules/contrib/rtkit.if +++ b/policy/modules/contrib/rtkit.if @@ -90,8 +90,8 @@ interface(`rtkit_admin',` allow $1 rtkit_daemon_t:process { ptrace signal_perms }; ps_process_pattern($1, rtkit_daemon_t) - init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rtkit_daemon_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 rtkit_daemon_initrc_exec_t system_r; + #allow $2 system_r; ') 
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if index 0360ff0..01b5928 100644 --- a/policy/modules/contrib/rwho.if +++ b/policy/modules/contrib/rwho.if @@ -142,10 +142,10 @@ interface(`rwho_admin',` allow $1 rwho_t:process { ptrace signal_perms }; ps_process_pattern($1, rwho_t) - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rwho_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, rwho_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 rwho_initrc_exec_t system_r; + #allow $2 system_r; logging_list_logs($1) admin_pattern($1, rwho_log_t) diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if index 7ab9e6b..c8e33a5 100644 --- a/policy/modules/contrib/salt.if +++ b/policy/modules/contrib/salt.if @@ -29,12 +29,12 @@ interface(`salt_admin_master',` allow $1 salt_master_t:process { ptrace signal_perms }; ps_process_pattern($1, salt_master_t) - init_labeled_script_domtrans($1, salt_master_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 salt_master_initrc_exec_t system_r; + #init_labeled_script_domtrans($1, salt_master_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 salt_master_initrc_exec_t system_r; # for debugging? - role_transition $2 salt_master_exec_t system_r; + #role_transition $2 salt_master_exec_t system_r; domtrans_pattern($1, salt_master_exec_t, salt_master_t) roleattribute $2 salt_master_roles; 
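Review bot: In `salt_admin_master` the existing `# for debugging?` comment now sits above a disabled `role_transition $2 salt_master_exec_t system_r;`, while `domtrans_pattern($1, salt_master_exec_t, salt_master_t)` and `roleattribute $2 salt_master_roles;` stay active. It is therefore unclear whether direct execution of the master executable by the admin domain is still an intended path. If it is, the resulting process presumably keeps role `$2` instead of moving to `system_r`, which is worth stating. Replace the stale comment with something like `# admin runs the master executable in its own role; no transition to system_r`. `salt_admin_minion` in the next hunk has the same shape, and both interface bodies extend beyond the hunks.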
@@ -73,12 +73,12 @@ interface(`salt_admin_minion',` allow $1 salt_minion_t:process { ptrace signal_perms }; ps_process_pattern($1, salt_minion_t) - init_labeled_script_domtrans($1, salt_minion_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 salt_minion_initrc_exec_t system_r; + #init_labeled_script_domtrans($1, salt_minion_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 salt_minion_initrc_exec_t system_r; # for debugging - role_transition $2 salt_minion_exec_t system_r; + #role_transition $2 salt_minion_exec_t system_r; domtrans_pattern($1, salt_minion_exec_t, salt_minion_t) roleattribute $2 salt_minion_roles; diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if index 50d07fb..51e6858 100644 --- a/policy/modules/contrib/samba.if +++ b/policy/modules/contrib/samba.if @@ -695,10 +695,10 @@ interface(`samba_admin',` allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { nmbd_t smbd_t }) - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 samba_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, samba_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 samba_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, { samba_etc_t smbd_keytab_t }) diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if index cd6c213..98b2950 100644 --- a/policy/modules/contrib/sanlock.if +++ b/policy/modules/contrib/sanlock.if 
@@ -104,10 +104,10 @@ interface(`sanlock_admin',` allow $1 sanlock_t:process { ptrace signal_perms }; ps_process_pattern($1, sanlock_t) - sanlock_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sanlock_initrc_exec_t system_r; - allow $2 system_r; + #sanlock_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 sanlock_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, sanlock_var_run_t) diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if index 8c3c151..7da737b 100644 --- a/policy/modules/contrib/sasl.if +++ b/policy/modules/contrib/sasl.if @@ -45,10 +45,10 @@ interface(`sasl_admin',` allow $1 saslauthd_t:process { ptrace signal_perms }; ps_process_pattern($1, saslauthd_t) - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 saslauthd_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, saslauthd_keytab_t) diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if index 98c9e0a..25d94a4 100644 --- a/policy/modules/contrib/sblim.if +++ b/policy/modules/contrib/sblim.if @@ -64,10 +64,10 @@ interface(`sblim_admin',` allow $1 sblim_domain:process { ptrace signal_perms }; ps_process_pattern($1, sblim_domain) - init_labeled_script_domtrans($1, sblim_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sblim_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, sblim_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 sblim_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, sblim_var_run_t) 
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if index 35ad2a7..7a95364 100644 --- a/policy/modules/contrib/sendmail.if +++ b/policy/modules/contrib/sendmail.if @@ -360,9 +360,9 @@ interface(`sendmail_admin',` allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sendmail_initrc_exec_t system_r; + #init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 sendmail_initrc_exec_t system_r; files_list_etc($1) admin_pattern($1, sendmail_keytab_t) diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if index d204752..ec77409 100644 --- a/policy/modules/contrib/sensord.if +++ b/policy/modules/contrib/sensord.if @@ -25,10 +25,10 @@ interface(`sensord_admin',` allow $1 sensord_t:process { ptrace signal_perms }; ps_process_pattern($1, sensord_t) - init_labeled_script_domtrans($1, sensord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sensord_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, sensord_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 sensord_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, sensord_var_run_t) diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if index 1aeef8a..abcfdf5 100644 --- a/policy/modules/contrib/shorewall.if +++ b/policy/modules/contrib/shorewall.if 
@@ -179,10 +179,10 @@ interface(`shorewall_admin',` allow $1 shorewall_t:process { ptrace signal_perms }; ps_process_pattern($1, shorewall_t) - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 shorewall_initrc_exec_t system_r; + #allow $2 system_r; can_exec($1, shorewall_exec_t) diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if index ca32e89..c13e32c 100644 --- a/policy/modules/contrib/slpd.if +++ b/policy/modules/contrib/slpd.if @@ -26,10 +26,10 @@ interface(`slpd_admin',` allow $1 slpd_t:process { ptrace signal_perms }; ps_process_pattern($1, slpd_t) - init_labeled_script_domtrans($1, slpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, slpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 slpd_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, slpd_log_t) diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if index e0644b5..b0660d6 100644 --- a/policy/modules/contrib/smartmon.if +++ b/policy/modules/contrib/smartmon.if @@ -45,10 +45,10 @@ interface(`smartmon_admin',` allow $1 fsdaemon_t:process { ptrace signal_perms }; ps_process_pattern($1, fsdaemon_t) - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 fsdaemon_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, fsdaemon_tmp_t) 
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if index 1fa51c1..8c0eefe 100644 --- a/policy/modules/contrib/smokeping.if +++ b/policy/modules/contrib/smokeping.if @@ -161,10 +161,10 @@ interface(`smokeping_admin',` allow $1 smokeping_t:process { ptrace signal_perms }; ps_process_pattern($1, smokeping_t) - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 smokeping_initrc_exec_t system_r; - allow $2 system_r; + #smokeping_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 smokeping_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, smokeping_var_lib_t) diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if index 81136f0..2b49829 100644 --- a/policy/modules/contrib/smstools.if +++ b/policy/modules/contrib/smstools.if @@ -27,10 +27,10 @@ interface(`smstools_admin',` allow $1 smsd_t:process { ptrace signal_perms }; ps_process_pattern($1, smsd_t) - init_labeled_script_domtrans($1, smsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 smsd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, smsd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 smsd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, smsd_conf_t) diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if index bf78fa9..0da50f0 100644 --- a/policy/modules/contrib/snmp.if +++ b/policy/modules/contrib/snmp.if 
@@ -182,10 +182,10 @@ interface(`snmp_admin',` allow $1 snmpd_t:process { ptrace signal_perms }; ps_process_pattern($1, snmpd_t) - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snmpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 snmpd_initrc_exec_t system_r; + #allow $2 system_r; logging_list_logs($1) admin_pattern($1, snmpd_log_t) diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if index 7d86b34..910ffb9 100644 --- a/policy/modules/contrib/snort.if +++ b/policy/modules/contrib/snort.if @@ -45,10 +45,10 @@ interface(`snort_admin',` allow $1 snort_t:process { ptrace signal_perms }; ps_process_pattern($1, snort_t) - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snort_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, snort_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 snort_initrc_exec_t system_r; + #allow $2 system_r; admin_pattern($1, snort_etc_t) files_search_etc($1) diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if index a5abc5a..c6d0368 100644 --- a/policy/modules/contrib/soundserver.if +++ b/policy/modules/contrib/soundserver.if @@ -41,10 +41,10 @@ interface(`soundserver_admin',` allow $1 soundd_t:process { ptrace signal_perms }; ps_process_pattern($1, soundd_t) - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, soundd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 soundd_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, soundd_etc_t) 
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if index 7f5a1cc..f697f7b 100644 --- a/policy/modules/contrib/spamassassin.if +++ b/policy/modules/contrib/spamassassin.if @@ -384,10 +384,10 @@ interface(`spamassassin_admin',` allow $1 spamd_t:process { ptrace signal_perms }; ps_process_pattern($1, spamd_t) - init_labeled_script_domtrans($1, spamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 spamd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, spamd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 spamd_initrc_exec_t system_r; + #allow $2 system_r; files_list_tmp($1) admin_pattern($1, spamd_tmp_t) diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if index 5e1f053..0d43504 100644 --- a/policy/modules/contrib/squid.if +++ b/policy/modules/contrib/squid.if @@ -216,10 +216,10 @@ interface(`squid_admin',` allow $1 squid_t:process { ptrace signal_perms }; ps_process_pattern($1, squid_t) - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, squid_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 squid_initrc_exec_t system_r; + #allow $2 system_r; files_list_var($1) admin_pattern($1, squid_cache_t) diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if index a240455..4ba98cc 100644 --- a/policy/modules/contrib/sssd.if +++ b/policy/modules/contrib/sssd.if 
@@ -342,10 +342,10 @@ interface(`sssd_admin',` allow $1 sssd_t:process { ptrace signal_perms }; ps_process_pattern($1, sssd_t) - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; + #sssd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 sssd_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, sssd_conf_t) diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if index 5cd46e9..043ade5 100644 --- a/policy/modules/contrib/svnserve.if +++ b/policy/modules/contrib/svnserve.if @@ -25,10 +25,10 @@ interface(`svnserve_admin',` allow $1 svnserve_t:process { ptrace signal_perms }; ps_process_pattern($1, svnserve_t) - init_labeled_script_domtrans($1, svnserve_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 svnserve_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, svnserve_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 svnserve_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, svnserve_var_run_t) diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if index 14ae3f2..46e08d3 100644 --- a/policy/modules/contrib/sysstat.if +++ b/policy/modules/contrib/sysstat.if @@ -46,10 +46,10 @@ interface(`sysstat_admin',` allow $1 sysstat_t:process { ptrace signal_perms }; ps_process_pattern($1, sysstat_t) - init_labeled_script_domtrans($1, sysstat_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sysstat_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, sysstat_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 sysstat_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, sysstat_log_t) 
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if index d60a21e..4718ca2 100644 --- a/policy/modules/contrib/systemtap.if +++ b/policy/modules/contrib/systemtap.if @@ -26,10 +26,10 @@ interface(`stapserver_admin',` allow $1 stapserver_t:process { ptrace signal_perms }; ps_process_pattern($1, stapserver_t) - init_labeled_script_domtrans($1, stapserver_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 stapserver_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, stapserver_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 stapserver_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, stapserver_conf_t) diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if index b42ec1d..d4b8da8 100644 --- a/policy/modules/contrib/tcsd.if +++ b/policy/modules/contrib/tcsd.if @@ -141,10 +141,10 @@ interface(`tcsd_admin',` allow $1 tcsd_t:process { ptrace signal_perms }; ps_process_pattern($1, tcsd_t) - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tcsd_initrc_exec_t system_r; - allow $2 system_r; + #tcsd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 tcsd_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, tcsd_var_lib_t) diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if index dc5b46e..bde65e4 100644 --- a/policy/modules/contrib/tgtd.if +++ b/policy/modules/contrib/tgtd.if 
@@ -83,10 +83,10 @@ interface(`tgtd_admin',` allow $1 tgtd_t:process { ptrace signal_perms }; ps_process_pattern($1, tgtd_t) - init_labeled_script_domtrans($1, tgtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tgtd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, tgtd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 tgtd_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, tgtd_var_lib_t) diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if index 61c2e07..6ab1023 100644 --- a/policy/modules/contrib/tor.if +++ b/policy/modules/contrib/tor.if @@ -45,10 +45,10 @@ interface(`tor_admin',` allow $1 tor_t:process { ptrace signal_perms }; ps_process_pattern($1, tor_t) - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, tor_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 tor_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, tor_etc_t) diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if index 81a8351..20102c2 100644 --- a/policy/modules/contrib/transproxy.if +++ b/policy/modules/contrib/transproxy.if @@ -25,10 +25,10 @@ interface(`transproxy_admin',` allow $1 transproxy_t:process { ptrace signal_perms }; ps_process_pattern($1, transproxy_t) - init_labeled_script_domtrans($1, transproxy_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 transproxy_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, transproxy_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 transproxy_initrc_exec_t system_r; + #allow $2 system_r; files_search_pids($1) admin_pattern($1, transproxy_var_run_t) 
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if index e29db63..9829bad 100644 --- a/policy/modules/contrib/tuned.if +++ b/policy/modules/contrib/tuned.if @@ -122,10 +122,10 @@ interface(`tuned_admin',` allow $1 tuned_t:process { ptrace signal_perms }; ps_process_pattern($1, tuned_t) - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; - allow $2 system_r; + #tuned_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 tuned_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, { tuned_etc_t tuned_rw_etc_t }) diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if index 9b95c3e..43bfd7b 100644 --- a/policy/modules/contrib/ulogd.if +++ b/policy/modules/contrib/ulogd.if @@ -126,10 +126,10 @@ interface(`ulogd_admin',` allow $1 ulogd_t:process { ptrace signal_perms }; ps_process_pattern($1, ulogd_t) - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ulogd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 ulogd_initrc_exec_t system_r; + #allow $2 system_r; files_list_etc($1) admin_pattern($1, ulogd_etc_t) diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if index 19f4724..b9f36e4 100644 --- a/policy/modules/contrib/uptime.if +++ b/policy/modules/contrib/uptime.if 
@@ -26,10 +26,10 @@ interface(`uptime_admin',` allow $1 uptimed_t:process { ptrace signal_perms }; ps_process_pattern($1, uptimed_t) - init_labeled_script_domtrans($1, uptimed_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 uptimed_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, uptimed_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 uptimed_initrc_exec_t system_r; + #allow $2 system_r; files_search_etc($1) admin_pattern($1, uptimed_etc_t) diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if index af9acc0..bf7df04 100644 --- a/policy/modules/contrib/uucp.if +++ b/policy/modules/contrib/uucp.if @@ -104,10 +104,10 @@ interface(`uucp_admin',` type uucpd_var_run_t, uucpd_initrc_exec_t; ') - init_labeled_script_domtrans($1, uucpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 uucpd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, uucpd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 uucpd_initrc_exec_t system_r; + #allow $2 system_r; allow $1 uucpd_t:process { ptrace signal_perms }; ps_process_pattern($1, uucpd_t) diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if index 6e48653..e33ec25 100644 --- a/policy/modules/contrib/uuidd.if +++ b/policy/modules/contrib/uuidd.if @@ -181,10 +181,10 @@ interface(`uuidd_admin',` allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) - uuidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 uuidd_initrc_exec_t system_r; - allow $2 system_r; + #uuidd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 uuidd_initrc_exec_t system_r; + #allow $2 system_r; files_search_var_lib($1) admin_pattern($1, uuidd_var_lib_t) diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if index 1c35171..636c20d 100644 
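Review bot: In `uucp_admin` the `gen_require` line shown as context still declares `uucpd_initrc_exec_t` (`type uucpd_var_run_t, uucpd_initrc_exec_t;`), but every statement in the hunk that used that type is now commented out. If nothing else in the interface references it (the body continues outside the hunk), the require only keeps a dependency on a type the interface no longer needs, and the line can become `type uucpd_var_run_t;`. The other `*_admin` interfaces in this commit probably carry the same leftover require, but their `gen_require` blocks are outside the visible hunks.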
--- a/policy/modules/contrib/varnishd.if +++ b/policy/modules/contrib/varnishd.if @@ -160,10 +160,10 @@ interface(`varnishd_admin_varnishlog',` allow $1 varnishlog_t:process { ptrace signal_perms }; ps_process_pattern($1, varnishlog_t) - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishlog_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 varnishlog_initrc_exec_t system_r; + #allow $2 system_r; files_list_pids($1) admin_pattern($1, varnishlog_var_run_t) @@ -199,10 +199,10 @@ interface(`varnishd_admin',` allow $1 varnishd_t:process { ptrace signal_perms }; ps_process_pattern($1, varnishd_t) - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 varnishd_initrc_exec_t system_r; + #allow $2 system_r; files_list_var_lib($1) admin_pattern($1, varnishd_var_lib_t) diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if index 31c752e..5d3b76c 100644 --- a/policy/modules/contrib/vdagent.if +++ b/policy/modules/contrib/vdagent.if @@ -121,10 +121,10 @@ interface(`vdagent_admin',` allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) - init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 vdagentd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 vdagentd_initrc_exec_t system_r; + #allow $2 system_r; logging_search_logs($1) admin_pattern($1, vdagent_log_t) 
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if index 22edd58..0055667 100644 --- a/policy/modules/contrib/vhostmd.if +++ b/policy/modules/contrib/vhostmd.if @@ -219,10 +219,10 @@ interface(`vhostmd_admin',` allow $1 vhostmd_t:process { ptrace signal_perms }; ps_process_pattern($1, vhostmd_t) - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; - allow $2 system_r; + #vhostmd_initrc_domtrans($1) + #domain_system_change_exemption($1) + #role_transition $2 vhostmd_initrc_exec_t system_r; + #allow $2 system_r; fs_search_tmpfs($1) admin_pattern($1, vhostmd_tmpfs_t) diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if index 7c97c87..4f531b9 100644 --- a/policy/modules/contrib/virt.if +++ b/policy/modules/contrib/virt.if @@ -1176,10 +1176,10 @@ interface(`virt_admin',` ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; + #init_labeled_script_domtrans($1, virtd_initrc_exec_t) + #domain_system_change_exemption($1) + #role_transition $2 virtd_initrc_exec_t system_r; + #allow $2 system_r; fs_search_tmpfs($1) admin_pattern($1, virt_tmpfs_type) diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if index 137ac44..99bddf4 100644 --- a/policy/modules/contrib/vnstatd.if +++ b/policy/modules/contrib/vnstatd.if 
@@ -168,10 +168,10 @@ interface(`vnstatd_admin',`
 allow $1 vnstatd_t:process { ptrace signal_perms };
 ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 vnstatd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..44a1a7c 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,10 @@ interface(`watchdog_admin',`
 allow $1 watchdog_t:process { ptrace signal_perms };
 ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 watchdog_initrc_exec_t system_r;
+ #allow $2 system_r;
 logging_search_logs($1)
 admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..553b69a 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,10 @@ interface(`wdmd_admin',`
 allow $1 wdmd_t:process { ptrace signal_perms };
 ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 wdmd_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..3318873 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,10 @@ interface(`xfs_admin',`
 allow $1 xfs_t:process { ptrace signal_perms };
 ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, xfs_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 xfs_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_pids($1)
 admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..0a75b8a 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,10 @@ interface(`zabbix_admin',`
 allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+ #domain_system_change_exemption($1)
+ #role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+ #allow $2 system_r;
 logging_list_logs($1)
 admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..d2245ae 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,10 @@ interface(`zarafa_admin',`
 allow $1 zarafa_domain:process { ptrace signal_perms };
 ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zarafa_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_search_etc($1)
 admin_pattern($1, zarafa_etc_t)
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..33aa2ed 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,10 @@ interface(`zebra_admin',`
 allow $1 zebra_t:process { ptrace signal_perms };
 ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ #init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ #domain_system_change_exemption($1)
+ #role_transition $2 zebra_initrc_exec_t system_r;
+ #allow $2 system_r;
 files_list_etc($1)
 admin_pattern($1, zebra_conf_t)