* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, doc/, policy/flask/, support/, policy/support/, ...
From: Jason Zaman @ 2016-12-08 4:47 UTC
To: gentoo-commits
commit: 51d3e4cfd0b1b294cac9b2aeef4691bd22eb0bf7
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Dec 6 12:28:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:43:12 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51d3e4cf
remove trailing whitespaces
README | 2 +-
config/appconfig-mcs/staff_u_default_contexts | 2 +-
config/appconfig-mls/staff_u_default_contexts | 2 +-
config/appconfig-standard/staff_u_default_contexts | 2 +-
config/file_contexts.subs_dist | 14 +++++-
config/local.users | 4 +-
doc/policy.dtd | 6 +--
doc/templates/module.html | 2 +-
doc/templates/style.css | 12 ++---
man/man8/ftpd_selinux.8 | 2 +-
man/man8/git_selinux.8 | 20 ++++----
man/man8/httpd_selinux.8 | 30 ++++++------
man/man8/kerberos_selinux.8 | 4 +-
man/man8/named_selinux.8 | 6 +--
man/man8/nfs_selinux.8 | 4 +-
man/man8/rsync_selinux.8 | 10 ++--
man/man8/samba_selinux.8 | 22 ++++-----
man/man8/ypbind_selinux.8 | 4 +-
policy/constraints | 12 ++---
policy/flask/access_vectors | 10 ++--
policy/flask/initial_sids | 2 +-
policy/flask/security_classes | 4 +-
policy/mcs | 2 +-
policy/mls | 14 +++---
policy/modules/admin/sudo.if | 2 +-
policy/modules/kernel/corenetwork.if.m4 | 6 +--
policy/modules/kernel/domain.if | 2 +-
policy/modules/kernel/mcs.if | 2 +-
policy/modules/kernel/mls.if | 6 +--
policy/modules/kernel/mls.te | 2 +-
policy/modules/kernel/selinux.te | 2 +-
policy/modules/services/xserver.if | 8 ++--
policy/modules/system/libraries.te | 4 +-
policy/modules/system/logging.if | 2 +-
policy/modules/system/mount.if | 2 +-
policy/modules/system/unconfined.if | 2 +-
policy/support/misc_macros.spt | 2 +-
support/Makefile.devel | 2 +-
support/genclassperms.py | 2 +-
support/genhomedircon | 16 +++----
support/gennetfilter.py | 2 +-
support/pyplate.py | 8 ++--
support/sedoctool.py | 54 +++++++++++-----------
support/segenxml.py | 4 +-
support/selinux-policy-refpolicy.spec | 2 +-
support/selinux-refpolicy-sources.spec.skel | 2 +-
support/set_bools_tuns.awk | 2 +-
47 files changed, 169 insertions(+), 159 deletions(-)
diff --git a/README b/README
index 3f15043..1f803c2 100644
--- a/README
+++ b/README
@@ -233,7 +233,7 @@ install-headers target from the full Reference Policy sources.
To set up a directory to build a local module, one must simply place a .te
file in a directory. A sample Makefile to use in the directory is the
Makefile.example in the doc directory. This may be installed in
-/usr/share/doc, under the directory for the distribution's policy.
+/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 5606c4e..daefcf7 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 5606c4e..daefcf7 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index 300694c..382fe33 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t staff_r:staff_t staff_r:cronjob_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
-sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 84d8ada..32ac91f 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -1,3 +1,13 @@
+# This file can is used to configure base path aliases as in:
+#
+# /aliased_path /original_path_as_configured_in_file_contexts
+#
+# where original_path_as_configured_in_file_contexts is a base
+# path being used in the main file_contexts configuration file.
+#
+# It does not perform substitutions as done by sed(1), for
+# example, but aliasing.
+#
/etc/init.d /etc/rc.d/init.d
/lib/systemd /usr/lib/systemd
/lib32 /lib
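Review bot: The first added comment line reads "This file can is used to configure base path aliases"; drop the stray "can" so it reads "This file is used to configure ...". These ten added lines are new documentation rather than whitespace removal, so the commit message "remove trailing whitespaces" should mention them, or they should go in a separate commit.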
@@ -6,8 +16,8 @@
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
-/usr/local/lib/ /usr/lib/
+/usr/local/lib64 /usr/lib
+/usr/local/lib /usr/lib
/var/lib/krb5kdc /var/kerberos/krb5kdc
/var/run/lock /var/lock
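Review bot: The changed entries at the end of this hunk are not whitespace cleanup: "/usr/local/lib/ /usr/lib/" becomes "/usr/local/lib /usr/lib" with the trailing slashes dropped on both sides, and the "/usr/local/lib64 /usr/lib" line moves below "/usr/local/lib32 /usr/lib". Per the header comment added in the previous hunk, these entries alias base paths used in file_contexts, so this change can affect which labels apply under /usr/local/lib. It belongs in its own commit with a message stating the intended labeling effect, and it is worth comparing the resulting labels before and after (for example with matchpathcon or restorecon -n -v) to confirm nothing is relabeled unexpectedly.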
diff --git a/config/local.users b/config/local.users
index 7e2bf7a..3f5dd1f 100644
--- a/config/local.users
+++ b/config/local.users
@@ -11,11 +11,11 @@
#
# user username roles role_set [ level default_level range allowed_range ];
#
-# The MLS default level and allowed range should only be specified if
+# The MLS default level and allowed range should only be specified if
# MLS was enabled in the policy.
# sample for administrative user
# user jadmin roles { staff_r sysadm_r };
# sample for regular user
-#user jdoe roles { user_r };
+#user jdoe roles { user_r };
diff --git a/doc/policy.dtd b/doc/policy.dtd
index b797f71..5282985 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -5,7 +5,7 @@
<!ATTLIST layer
name CDATA #REQUIRED>
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
-<!ATTLIST module
+<!ATTLIST module
name CDATA #REQUIRED
filename CDATA #REQUIRED>
<!ELEMENT required (#PCDATA)>
@@ -26,12 +26,12 @@
<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
<!ELEMENT desc (#PCDATA|%inline.class;)*>
<!ELEMENT param (summary)>
-<!ATTLIST param
+<!ATTLIST param
name CDATA #REQUIRED
optional (true|false) "false"
unused (true|false) "false">
<!ELEMENT infoflow EMPTY>
-<!ATTLIST infoflow
+<!ATTLIST infoflow
type CDATA #REQUIRED
weight CDATA #IMPLIED>
<!ELEMENT rolebase EMPTY>
diff --git a/doc/templates/module.html b/doc/templates/module.html
index a8d008a..87f3522 100644
--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@@ -14,7 +14,7 @@
<a href=#templates>Templates</a>
[[end]]
<h3>Description:</h3>
-[[if mod_desc]]
+[[if mod_desc]]
<p>[[mod_desc]]</p>
[[else]]
<p>[[mod_summary]]</p>
diff --git a/doc/templates/style.css b/doc/templates/style.css
index 9bac0d9..0f06d5c 100644
--- a/doc/templates/style.css
+++ b/doc/templates/style.css
@@ -46,12 +46,12 @@ p {
margin:0px 0px 0px 10px;
padding:0px;
}
-
+
tt {
/* inline code */
font-family: monospace;
}
-
+
table {
background-color:#efefef;
/*background-color: white;*/
@@ -74,7 +74,7 @@ th {
td.header {
font-weight: bold;
}
-
+
#Content>p {margin:0px;}
#Content>p+p {text-indent:30px;}
a {
@@ -123,7 +123,7 @@ a:hover {background-color:#eee;}
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
-}
+}
#Template {
margin:5px 0px 25px 5px;
padding:5px 0px 5px 5px;
@@ -147,7 +147,7 @@ a:hover {background-color:#eee;}
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
-}
+}
#Description {
margin:0px 0px 0px 5px;
padding:0px 0px 0px 5px;
@@ -204,7 +204,7 @@ body>#Header {height:14px;}
background-color:#eee;
border:1px solid #aaa;
line-height:17px;
- text-align:left;
+ text-align:left;
voice-family: "\"}\"";
voice-family:inherit;
width:160px;
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
index 5bebd82..985a6e6 100644
--- a/man/man8/ftpd_selinux.8
+++ b/man/man8/ftpd_selinux.8
@@ -55,7 +55,7 @@ Allow ftp servers to use nfs for public file transfer services.
setsebool -P allow_ftpd_use_nfs on
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
.PP
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
index c2142e0..ed8bb76 100644
--- a/man/man8/git_selinux.8
+++ b/man/man8/git_selinux.8
@@ -13,23 +13,23 @@ git_selinux \- Security Enhanced Linux Policy for the Git daemon.
Security-Enhanced Linux secures the Git server via flexible mandatory access
control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP
+.PP
The following file contexts types are by default defined for Git:
.EX
-git_system_content_t
-.EE
+git_system_content_t
+.EE
- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
.EX
-git_session_content_t
-.EE
+git_session_content_t
+.EE
- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
.SH BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
.PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
@@ -90,7 +90,7 @@ sudo restorecon -R -v /srv/git/project1
.EE
To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
.EX
-policy_module(project1user, 1.0.0)
+policy_module(project1user, 1.0.0)
git_role_template(project1user)
git_content_delegation(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
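Review bot: The unchanged context line just above the touched "policy_module(project1user, 1.0.0)" line still says "the Git systemm content type"; since this pass already edits the page, correct it to "system" in the same change or a follow-up.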
@@ -103,7 +103,7 @@ sudo useradd -Z project1user_u jane
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dominick Grift <domg472@gmail.com>.
.SH "SEE ALSO"
selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 93c4a0a..d5500dd 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -12,32 +12,32 @@ httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the httpd server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP
+.PP
The following file contexts types are defined for httpd:
.EX
-httpd_sys_content_t
-.EE
+httpd_sys_content_t
+.EE
- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
.EX
-httpd_sys_script_exec_t
-.EE
+httpd_sys_script_exec_t
+.EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX
-httpd_sys_content_rw_t
+httpd_sys_content_rw_t
.EE
- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
-httpd_sys_content_ra_t
+httpd_sys_content_ra_t
.EE
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
.EX
-httpd_unconfined_script_exec_t
-.EE
+httpd_unconfined_script_exec_t
+.EE
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
.SH NOTE
@@ -50,7 +50,7 @@ If you want to share files with multiple domains (Apache, FTP, rsync, Samba), yo
setsebool -P allow_httpd_anon_write=1
.EE
-or
+or
.EX
setsebool -P allow_httpd_sys_script_anon_write=1
@@ -102,7 +102,7 @@ setsebool -P httpd_builtin_scripting 0
.PP
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
-This would prevent a hacker from breaking into you httpd server and attacking
+This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
.EX
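Review bot: The rewritten line "This would prevent a hacker from breaking into you httpd server and attacking" keeps the typo "you httpd server"; correct it to "your httpd server" while the line is being touched anyway.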
@@ -111,7 +111,7 @@ setsebool -P httpd_can_network_connect 1
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
index a8f81c8..f14276c 100644
--- a/man/man8/kerberos_selinux.8
+++ b/man/man8/kerberos_selinux.8
@@ -12,7 +12,7 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
@@ -21,7 +21,7 @@ setsebool -P allow_kerberos 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
index fce0b48..38b7635 100644
--- a/man/man8/named_selinux.8
+++ b/man/man8/named_selinux.8
@@ -12,16 +12,16 @@ named_selinux \- Security Enhanced Linux Policy for the Internet Name server (na
.SH "DESCRIPTION"
Security-Enhanced Linux secures the named server via flexible mandatory access
-control.
+control.
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
+SELinux policy is customizable based on least access required. So by
default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
.EX
setsebool -P named_write_master_zones 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
index 8e30c4c..17018c2 100644
--- a/man/man8/nfs_selinux.8
+++ b/man/man8/nfs_selinux.8
@@ -4,7 +4,7 @@ nfs_selinux \- Security Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
Security Enhanced Linux secures the NFS server via flexible mandatory access
-control.
+control.
.SH BOOLEANS
SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
@@ -24,7 +24,7 @@ If you want to use a remote NFS server for the home directories on this machine,
setsebool -P use_nfs_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
index ad9ccf5..8cc3827 100644
--- a/man/man8/rsync_selinux.8
+++ b/man/man8/rsync_selinux.8
@@ -12,11 +12,11 @@ rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the rsync server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
-If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
would need to label the directory with the chcon tool.
.TP
chcon -t public_content_t /var/rsync
@@ -45,7 +45,7 @@ setsebool -P allow_rsync_anon_write=1
.SH BOOLEANS
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
index ca702c7..e5de421 100644
--- a/man/man8/samba_selinux.8
+++ b/man/man8/samba_selinux.8
@@ -4,12 +4,12 @@ samba_selinux \- Security Enhanced Linux Policy for Samba
.SH "DESCRIPTION"
Security-Enhanced Linux secures the Samba server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
-If you want to share files other than home directories, those files must be
-labeled samba_share_t. So if you created a special directory /var/eng, you
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files other than home directories, those files must be
+labeled samba_share_t. So if you created a special directory /var/eng, you
would need to label the directory with the chcon tool.
.TP
chcon -t samba_share_t /var/eng
@@ -32,24 +32,24 @@ If you want to share files with multiple domains (Apache, FTP, rsync, Samba), yo
setsebool -P allow_smbd_anon_write=1
.SH BOOLEANS
-.br
-SELinux policy is customizable based on least access required. So by
-default SELinux policy turns off SELinux sharing of home directories and
+.br
+SELinux policy is customizable based on least access required. So by
+default SELinux policy turns off SELinux sharing of home directories and
the use of Samba shares from a remote machine as a home directory.
.TP
-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
+If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
.br
setsebool -P samba_enable_home_dirs 1
.TP
If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
-.br
+.br
setsebool -P use_samba_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
index 5061a5f..8e45055 100644
--- a/man/man8/ypbind_selinux.8
+++ b/man/man8/ypbind_selinux.8
@@ -4,7 +4,7 @@ ypbind_selinux \- Security Enhanced Linux Policy for NIS.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
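Review bot: The rewritten DESCRIPTION line still reads "SELinux can be setup deny NIS from working", which is missing a word; "can be set up to deny NIS from working" would fix it in the same touch.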
@@ -12,7 +12,7 @@ You must set the allow_ypbind boolean to allow your system to work properly in a
setsebool -P allow_ypbind 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/policy/constraints b/policy/constraints
index f7a40cc..90a794b 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -4,7 +4,7 @@
#
# constrain class_set perm_set expression ;
#
-# expression : ( expression )
+# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
@@ -18,11 +18,11 @@
# | t1 op names
# | t2 op names
#
-# op : == | !=
+# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
-# name_list : name | name_list name
+# name_list : name | name_list name
#
define(`basic_ubac_conditions',`
@@ -68,7 +68,7 @@ exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)
# SELinux object identity change constraint:
-constrain dir_file_class_set { create relabelto relabelfrom }
+constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
@@ -98,7 +98,7 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
constrain process { transition dyntransition noatsecure siginh rlimitinh }
(
- r1 == r2
+ r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
@@ -159,7 +159,7 @@ exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
-constrain socket_class_set { create relabelto relabelfrom }
+constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 77cbf1f..168022f 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -60,7 +60,7 @@ common socket
recv_msg
send_msg
name_bind
-}
+}
#
# Define a common prefix for ipc access vectors.
@@ -298,7 +298,7 @@ inherits socket
node_bind
}
-class node
+class node
{
tcp_recv
tcp_send
@@ -416,7 +416,7 @@ inherits ipc
#
-# Define the access vector interpretation for the security server.
+# Define the access vector interpretation for the security server.
#
class security
@@ -444,7 +444,7 @@ class security
class system
{
ipc_info
- syslog_read
+ syslog_read
syslog_mod
syslog_console
module_request
@@ -857,7 +857,7 @@ class x_application_data
class kernel_service
{
use_as_override
- create_files_as
+ create_files_as
}
class tun_socket
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
index 95894eb..91ac816 100644
--- a/policy/flask/initial_sids
+++ b/policy/flask/initial_sids
@@ -1,7 +1,7 @@
# FLASK
#
-# Define initial security identifiers
+# Define initial security identifiers
#
sid kernel
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 16768c2..fc5505d 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -1,7 +1,7 @@
# FLASK
#
-# Define the security object classes
+# Define the security object classes
#
# Classes marked as userspace are classes
@@ -119,7 +119,7 @@ class x_synthetic_event # userspace
class x_application_data # userspace
# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
+class kernel_service
class tun_socket
diff --git a/policy/mcs b/policy/mcs
index 216b3d1..4d03011 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,6 +1,6 @@
ifdef(`enable_mcs',`
#
-# Define sensitivities
+# Define sensitivities
#
# MCS is single-sensitivity.
diff --git a/policy/mls b/policy/mls
index db3ed90..69ca726 100644
--- a/policy/mls
+++ b/policy/mls
@@ -1,6 +1,6 @@
ifdef(`enable_mls',`
#
-# Define sensitivities
+# Define sensitivities
#
# Domination of sensitivities is in increasin
# numerical order, with s0 being the lowest
@@ -194,7 +194,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
@@ -207,7 +207,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
@@ -215,7 +215,7 @@ mlsconstrain unix_stream_socket connectto
( t2 == mlstrustedsocket ));
mlsconstrain unix_dgram_socket sendto
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
@@ -288,9 +288,9 @@ mlsconstrain msg send
#
# No sharing of open file descriptors between levels unless
-# the process type is authorized to use fds created by
+# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
-# shared among levels (mlsfdshare).
+# shared among levels (mlsfdshare).
mlsconstrain fd use (
l1 eq l2
or t1 == mlsfduse
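Review bot: In the comment above "mlsconstrain fd use", the two touched lines leave the sentence as "the fd type is authorized to shared among levels (mlsfdshare)"; it should read "authorized to be shared". This comment documents when file descriptors may cross MLS levels, so the wording is worth getting exact while the lines are being rewritten.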
@@ -562,7 +562,7 @@ mlsconstrain x_cursor { read getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
-
+
# the x_cursor "write" ops (implicit single level)
mlsconstrain x_cursor { create destroy write setattr }
(( l1 eq l2 ) or
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 8bd1963..e65690d 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -40,7 +40,7 @@ template(`sudo_role_template',`
# Declarations
#
- type $1_sudo_t, sudodomain;
+ type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 8a4db53..468fb34 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -7,7 +7,7 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
########################################
#
-# Network Interface generated macros
+# Network Interface generated macros
#
########################################
@@ -283,7 +283,7 @@ interface(`corenet_raw_sendrecv_$1_if',`
########################################
#
-# Network node generated macros
+# Network node generated macros
#
########################################
@@ -456,7 +456,7 @@ interface(`corenet_udp_bind_$1_node',`
########################################
#
-# Network port generated macros
+# Network port generated macros
#
########################################
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 92cc408..7b8aec2 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -374,7 +374,7 @@ interface(`domain_cron_exemption_target',`
## <desc>
## <p>
## Allow the specified domain to inherit and use file
-## descriptors from domains with interactive programs.
+## descriptors from domains with interactive programs.
## This does not allow access to the objects being referenced
## by the file descriptors.
## </p>
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index b08a6e8..eb4bcfc 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -73,7 +73,7 @@ interface(`mcs_file_write_all',`
########################################
## <summary>
-## This domain is allowed to sigkill and sigstop
+## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 829605b..866936c 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -310,7 +310,7 @@ interface(`mls_socket_write_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for receiving network data from
+## for receiving network data from
## network interfaces or hosts at any level.
## </summary>
## <param name="domain">
@@ -991,7 +991,7 @@ interface(`mls_db_downgrade',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for sending dbus messages to
+## for sending dbus messages to
## all levels.
## </summary>
## <param name="domain">
@@ -1012,7 +1012,7 @@ interface(`mls_dbus_send_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for receiving dbus messages from
+## for receiving dbus messages from
## all levels.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index fe4c97d..15e50a3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -62,7 +62,7 @@ attribute mlstrustedsocket;
attribute privrangetrans;
attribute mlsrangetrans;
-attribute mlsfduse;
+attribute mlsfduse;
attribute mlsfdshare;
attribute mlstranslate;
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 1efa6bb..c61fc1c 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -23,7 +23,7 @@ attribute selinux_unconfined_type;
type secure_mode_policyload_t;
selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
-#
+#
# security_t is the target type when checking
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index a5dbdaa..f6dc616 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -670,7 +670,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
- allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fd use;
')
########################################
@@ -689,7 +689,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
- dontaudit $1 xdm_t:fd use;
+ dontaudit $1 xdm_t:fd use;
')
########################################
@@ -707,7 +707,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
- allow $1 xdm_t:fifo_file { getattr read write };
+ allow $1 xdm_t:fifo_file { getattr read write };
')
########################################
@@ -727,7 +727,7 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
type xdm_t;
')
- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index c62bcee..5eac8c0 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -135,8 +135,8 @@ optional_policy(`
')
optional_policy(`
- # When you install a kernel the postinstall builds a initrd image in tmp
- # and executes ldconfig on it. If you dont allow this kernel installs
+ # When you install a kernel the postinstall builds a initrd image in tmp
+ # and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9ededbf..f7d3d69 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -8,7 +8,7 @@
## <desc>
## <p>
## Make the specified type usable for log files in a filesystem.
-## This will also make the type usable for files, making
+## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a log file type may result in problems with log
## rotation, log analysis, and log monitoring programs.
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 279f6d7..ef53635 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -100,7 +100,7 @@ interface(`mount_use_fds',`
type mount_t;
')
- allow $1 mount_t:fd use;
+ allow $1 mount_t:fd use;
')
########################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 2b85a6e..78f9c14 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -51,7 +51,7 @@ interface(`unconfined_domain_noaudit',`
')
tunable_policy(`allow_execmem',`
- # Allow making anonymous memory executable, e.g.
+ # Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 4ca5688..7f280db 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -21,7 +21,7 @@ define(`ifndef',`ifdef(`$1',`$3',`$2')')
#
# __endline__
#
-# dummy macro to insert a newline. used for
+# dummy macro to insert a newline. used for
# errprint, so the close parentheses can be
# indented correctly.
#
diff --git a/support/Makefile.devel b/support/Makefile.devel
index d1cbef9..a0e8c2a 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -179,7 +179,7 @@ tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
# so users dont have to make empty .fc and .if files
$(detected_fcs):
@touch $@
-
+
$(detected_ifs):
@echo "## <summary>$(basename $(@D))</summary>" > $@
diff --git a/support/genclassperms.py b/support/genclassperms.py
index 6d6ce8b..03f31ad 100644
--- a/support/genclassperms.py
+++ b/support/genclassperms.py
@@ -94,7 +94,7 @@ def get_av_db(file_name):
# their own word. It doesn't matter if there will be extra
# white space, it'll get thrown away when the string is split.
av_line.replace("{"," { ")
- av_line.replace("}"," } ")
+ av_line.replace("}"," } ")
# Split up the words on the line and add it to av_data.
av_data += av_line.split()
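Review bot: In get_av_db, the lines `av_line.replace("{"," { ")` and `av_line.replace("}"," } ")` discard their return value. Python strings are immutable and str.replace returns a new string, so av_line is unchanged and the braces are never padded before `av_line.split()`, contrary to what the comment above describes. Assign the result back, for example `av_line = av_line.replace("{"," { ").replace("}"," } ")`. That is a behaviour change, so it belongs in its own commit rather than in a whitespace cleanup.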
diff --git a/support/genhomedircon b/support/genhomedircon
index 33dbcc1..355ecb7 100644
--- a/support/genhomedircon
+++ b/support/genhomedircon
@@ -14,7 +14,7 @@
#
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
# set up the home directory context for each real user.
-#
+#
# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
# the first role in the list.
#
@@ -25,7 +25,7 @@
# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
# are always "real" (including root, in the default configuration).
#
-#
+#
# Old ASSUMPTIONS:
#
# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
@@ -85,7 +85,7 @@ def getPrefixes():
if not prefix in prefixes:
prefixes[prefix] = ""
return prefixes
-
+
def getUsers(filecontextdir):
rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
udict = {}
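Review bot: getUsers shells out with `commands.getstatusoutput("grep ^user %s/users" % filecontextdir)`, interpolating filecontextdir into a shell command line unquoted, so a directory name containing spaces or shell metacharacters changes the command that runs. The commands module is also Python 2 only. Opening the users file in Python and keeping the lines that start with "user" removes both problems. In the same hunk, `if not prefix in prefixes` reads better as `if prefix not in prefixes`.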
@@ -215,7 +215,7 @@ def oldgenhomedircon(filecontextdir, filecontext):
# Fill in HOME and ROLE for users that are defined
for u in users.keys():
- update(filecontext, u, users[u])
+ update(filecontext, u, users[u])
#############################################################################
#
@@ -271,7 +271,7 @@ def usage(error = ""):
def warning(warning = ""):
sys.stderr.write("%s\n" % warning)
sys.stderr.flush()
-
+
def errorExit(error):
sys.stderr.write("%s exiting for: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
@@ -291,7 +291,7 @@ class selinuxConfig:
def getFileContextFile(self):
return self.getFileContextDir()+"/file_contexts"
-
+
def getContextDir(self):
return self.selinuxdir+self.type+self.contextdir
@@ -310,7 +310,7 @@ class selinuxConfig:
def getSystemUsersFile(self):
return self.selinuxdir+self.type+"/users/system.users"
-
+
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
@@ -416,7 +416,7 @@ class selinuxConfig:
homedirs.sort()
return homedirs
-
+
def genoutput(self):
ret= self.heading()
for h in self.getHomeDirs():
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
index 866db91..a7c9036 100644
--- a/support/gennetfilter.py
+++ b/support/gennetfilter.py
@@ -112,7 +112,7 @@ def parse_corenet(file_name):
del parms[:3]
packets.append(Packet(name,ports))
-
+
corenet_te_in.close()
return packets
diff --git a/support/pyplate.py b/support/pyplate.py
index 44b662a..bc0b6df 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -44,7 +44,7 @@ PyPlate defines the following directives:
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
@@ -273,7 +273,7 @@ class FunctionTemplateNode(TemplateNode):
TemplateNode.execute(self, stream, data)
for key, value in remember_vars.items():
data[key] = value
-
+
class LeafTemplateNode(TemplateNode):
def __init__(self, parent, s):
self.parent = parent
@@ -308,7 +308,7 @@ class ExecTemplateNode(LeafTemplateNode):
def execute(self, stream, data):
exec(self.s, globals(), data)
pass
-
+
class CallTemplateNode(LeafTemplateNode):
def __init__(self, parent, s):
LeafTemplateNode.__init__(self, parent, s)
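Review bot: In ExecTemplateNode.execute the `pass` after `exec(self.s, globals(), data)` is dead code and can be dropped. Because this node hands template text straight to exec with the module's globals, templates are effectively code; a docstring on the class should state that only trusted, in-tree templates may be rendered.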
@@ -318,7 +318,7 @@ class CallTemplateNode(LeafTemplateNode):
"[[%s]] is not a valid function call" % self.s)
self.function_name = match.group(1)
self.vars = "(" + match.group(2).strip() + ",)"
-
+
def execute(self, stream, data):
self.parent.functions[self.function_name].call(
eval(self.vars, globals(), data), stream, data)
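Review bot: CallTemplateNode builds a tuple literal by string concatenation, `"(" + match.group(2).strip() + ",)"`, and only evaluates it later with `eval(self.vars, globals(), data)`. If the argument text is empty this produces `(,)`, which fails as a syntax error at render time instead of being rejected when the node is constructed. Handle the empty case in `__init__` (store `"()"`), so a bad directive is reported next to the existing "is not a valid function call" check.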
diff --git a/support/sedoctool.py b/support/sedoctool.py
index afcdee4..c98a7f3 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -9,8 +9,8 @@
# the Free Software Foundation, version 2.
"""
- This module generates configuration files and documentation from the
- SELinux reference policy XML format.
+ This module generates configuration files and documentation from the
+ SELinux reference policy XML format.
"""
import sys
@@ -46,11 +46,11 @@ def read_policy_xml(filename):
try:
doc = parseString(xml_fh.read())
- except:
+ except:
xml_fh.close()
error("Error while parsing xml")
- xml_fh.close()
+ xml_fh.close()
return doc
def gen_booleans_conf(doc, file_name, namevalue_list):
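Review bot: The bare `except:` around `parseString(xml_fh.read())` in read_policy_xml catches everything, including KeyboardInterrupt and SystemExit, and the fixed message "Error while parsing xml" throws away whatever location the parser reported. Catch a specific exception class and pass its text to error(). The two `xml_fh.close()` calls, one per path, can also be collapsed into a `try`/`finally` or a `with` block so the handle is closed exactly once.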
@@ -141,7 +141,7 @@ def gen_module_conf(doc, file_name, namevalue_list):
mod_name = mod_layer = None
- mod_name = node.getAttribute("name")
+ mod_name = node.getAttribute("name")
mod_layer = node.parentNode.getAttribute("name")
if mod_name and mod_layer:
@@ -171,7 +171,7 @@ def gen_module_conf(doc, file_name, namevalue_list):
# Set the module to base if it is marked as required.
if mod_req:
file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
- # Set the module to enabled if it is not required.
+ # Set the module to enabled if it is not required.
else:
file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
@@ -222,7 +222,7 @@ def int_cmp_func(a):
"""
return a["interface_name"]
-
+
def temp_cmp_func(a):
"""
Return the template name to sort/compare on.
@@ -295,7 +295,7 @@ def format_txt_desc(node):
desc_buf += desc.data + "\n"
elif desc.nodeName == "p":
desc_buf += desc.firstChild.data + "\n"
- for chld in desc.childNodes:
+ for chld in desc.childNodes:
if chld.nodeName == "ul":
desc_buf += "\n"
for li in chld.getElementsByTagName("li"):
@@ -359,7 +359,7 @@ def gen_docs(doc, working_dir, templatedir):
try:
os.chdir(working_dir)
except:
- error("Could not chdir to target directory")
+ error("Could not chdir to target directory")
#arg, i have to go through this dom tree ahead of time to build up the menus
@@ -401,12 +401,12 @@ def gen_docs(doc, working_dir, templatedir):
body_args = { "menu" : menu_buf,
"content" : content_buf }
-
+
index_file = mod_layer + ".html"
index_fh = open(index_file, "w")
body_tpl = pyplate.Template(bodydata)
body_tpl.execute(index_fh, body_args)
- index_fh.close()
+ index_fh.close()
menu = gen_doc_menu(None, module_list)
menu_args = { "menulist" : menu,
@@ -486,10 +486,10 @@ def gen_docs(doc, working_dir, templatedir):
"interface_parameters" : interface_parameters,
"mod_name": mod_name,
"mod_layer" : mod_layer })
- interfaces.sort(key=int_cmp_func)
+ interfaces.sort(key=int_cmp_func)
interface_tpl = pyplate.Template(intdata)
interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
-
+
# now generate individual template pages
templates = []
@@ -533,7 +533,7 @@ def gen_docs(doc, working_dir, templatedir):
"mod_name": mod_name,
"mod_layer" : mod_layer })
- templates.sort(key=temp_cmp_func)
+ templates.sort(key=temp_cmp_func)
template_tpl = pyplate.Template(templatedata)
template_buf = template_tpl.execute_string({"templates" : templates})
@@ -584,7 +584,7 @@ def gen_docs(doc, working_dir, templatedir):
tunables.sort(key=tun_cmp_func)
tunable_tpl = pyplate.Template(tundata)
tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
-
+
menu = gen_doc_menu(mod_layer, module_list)
@@ -611,7 +611,7 @@ def gen_docs(doc, working_dir, templatedir):
boolean_buf = None
module_args = { "mod_layer" : mod_layer,
- "mod_name" : mod_name,
+ "mod_name" : mod_name,
"mod_summary" : mod_summary,
"mod_desc" : mod_desc,
"mod_req" : mod_req,
@@ -625,20 +625,20 @@ def gen_docs(doc, working_dir, templatedir):
body_args = { "menu" : menu_buf,
"content" : module_buf }
-
+
module_file = mod_layer + "_" + mod_name + ".html"
module_fh = open(module_file, "w")
body_tpl = pyplate.Template(bodydata)
body_tpl.execute(module_fh, body_args)
module_fh.close()
-
+
menu = gen_doc_menu(None, module_list)
menu_args = { "menulist" : menu,
"mod_layer" : None }
menu_tpl = pyplate.Template(menudata)
menu_buf = menu_tpl.execute_string(menu_args)
-
+
#build the interface index
all_interfaces.sort(key=int_cmp_func)
interface_tpl = pyplate.Template(intlistdata)
@@ -647,7 +647,7 @@ def gen_docs(doc, working_dir, templatedir):
int_fh = open(int_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : interface_buf }
body_tpl.execute(int_fh, body_args)
@@ -662,7 +662,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : template_buf }
body_tpl.execute(temp_fh, body_args)
@@ -702,7 +702,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : tunable_buf }
body_tpl.execute(temp_fh, body_args)
@@ -731,7 +731,7 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_bool_fh, body_args)
global_bool_fh.close()
-
+
#build the boolean index
all_booleans = all_booleans + global_bool
all_booleans.sort(key=bool_cmp_func)
@@ -741,7 +741,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : boolean_buf }
body_tpl.execute(temp_fh, body_args)
@@ -805,7 +805,7 @@ for opt, val in opts:
templatedir = val
doc = read_policy_xml(xmlfile)
-
+
if booleans:
namevalue_list = []
if os.path.exists(booleans):
@@ -834,7 +834,7 @@ if modules:
conf = open(modules, 'r')
except:
error("Could not open modules file for reading")
- namevalue_list = get_conf(conf)
+ namevalue_list = get_conf(conf)
conf.close()
try:
@@ -844,5 +844,5 @@ if modules:
gen_module_conf(doc, conf, namevalue_list)
conf.close()
-if docsdir:
+if docsdir:
gen_docs(doc, docsdir, templatedir)
diff --git a/support/segenxml.py b/support/segenxml.py
index 5f4f7d0..ab8ee52 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -90,7 +90,7 @@ def getModuleXML(file_name):
module_buf = []
# Infer the module name, which is the base of the file name.
- module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
+ module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
temp_buf = []
@@ -157,7 +157,7 @@ def getModuleXML(file_name):
# Add default summaries and parameters so that the
# DTD is happy.
else:
- warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
+ warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
module_buf.append("<summary>\n")
module_buf.append("Summary is missing!\n")
module_buf.append("</summary>\n")
diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
index 55b422f..f06d2e7 100644
--- a/support/selinux-policy-refpolicy.spec
+++ b/support/selinux-policy-refpolicy.spec
@@ -22,7 +22,7 @@ BuildRequires: python >= 2.6
BuildRequires: libsepol >= 2.1.4
BuildRequires: libsemanage >= 2.0.29
BuildRequires: m4 make gcc
-Obsoletes: policy
+Obsoletes: policy
%description
SELinux Reference Policy - modular.
diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel
index 8973bc7..8a6dbe2 100644
--- a/support/selinux-refpolicy-sources.spec.skel
+++ b/support/selinux-refpolicy-sources.spec.skel
@@ -3,7 +3,7 @@
%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
%define FC_PRE ${FILE_CON}.pre
-Summary: SELinux Reference Policy configuration source files
+Summary: SELinux Reference Policy configuration source files
Name: selinux-refpolicy-sources
Version: REFPOL_VERSION
Release: 1
diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk
index cedc19b..4eaa82d 100644
--- a/support/set_bools_tuns.awk
+++ b/support/set_bools_tuns.awk
@@ -5,7 +5,7 @@ BEGIN {
FS="="
}
-/^[[:blank:]]*[[:alpha:]]+/{
+/^[[:blank:]]*[[:alpha:]]+/{
gsub(/[[:blank:]]*/,"")
print "define(`"$1"_conf',`"$2"')"
}
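Review bot: The rule `/^[[:blank:]]*[[:alpha:]]+/` only checks that a line starts with letters, and `$1` and `$2` are then pasted into `define(...)` unvalidated, so a value containing a backquote or apostrophe would unbalance the m4 quoting in the generated output. Validate `$2` against the expected set of values before printing. Also, `gsub(/[[:blank:]]*/,"")` uses `*`, which matches the empty string at every position; `[[:blank:]]+` states the intent.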
* [gentoo-commits] proj/hardened-refpolicy:next commit in: doc/, config/appconfig-mcs/, doc/templates/, policy/, support/, ...
@ 2016-12-08 5:03 Jason Zaman
2016-12-08 4:47 ` [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, doc/, policy/flask/, support/, policy/support/, Jason Zaman
0 siblings, 1 reply; 2+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 51d3e4cfd0b1b294cac9b2aeef4691bd22eb0bf7
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Dec 6 12:28:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:43:12 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51d3e4cf
remove trailing whitespaces
README | 2 +-
config/appconfig-mcs/staff_u_default_contexts | 2 +-
config/appconfig-mls/staff_u_default_contexts | 2 +-
config/appconfig-standard/staff_u_default_contexts | 2 +-
config/file_contexts.subs_dist | 14 +++++-
config/local.users | 4 +-
doc/policy.dtd | 6 +--
doc/templates/module.html | 2 +-
doc/templates/style.css | 12 ++---
man/man8/ftpd_selinux.8 | 2 +-
man/man8/git_selinux.8 | 20 ++++----
man/man8/httpd_selinux.8 | 30 ++++++------
man/man8/kerberos_selinux.8 | 4 +-
man/man8/named_selinux.8 | 6 +--
man/man8/nfs_selinux.8 | 4 +-
man/man8/rsync_selinux.8 | 10 ++--
man/man8/samba_selinux.8 | 22 ++++-----
man/man8/ypbind_selinux.8 | 4 +-
policy/constraints | 12 ++---
policy/flask/access_vectors | 10 ++--
policy/flask/initial_sids | 2 +-
policy/flask/security_classes | 4 +-
policy/mcs | 2 +-
policy/mls | 14 +++---
policy/modules/admin/sudo.if | 2 +-
policy/modules/kernel/corenetwork.if.m4 | 6 +--
policy/modules/kernel/domain.if | 2 +-
policy/modules/kernel/mcs.if | 2 +-
policy/modules/kernel/mls.if | 6 +--
policy/modules/kernel/mls.te | 2 +-
policy/modules/kernel/selinux.te | 2 +-
policy/modules/services/xserver.if | 8 ++--
policy/modules/system/libraries.te | 4 +-
policy/modules/system/logging.if | 2 +-
policy/modules/system/mount.if | 2 +-
policy/modules/system/unconfined.if | 2 +-
policy/support/misc_macros.spt | 2 +-
support/Makefile.devel | 2 +-
support/genclassperms.py | 2 +-
support/genhomedircon | 16 +++----
support/gennetfilter.py | 2 +-
support/pyplate.py | 8 ++--
support/sedoctool.py | 54 +++++++++++-----------
support/segenxml.py | 4 +-
support/selinux-policy-refpolicy.spec | 2 +-
support/selinux-refpolicy-sources.spec.skel | 2 +-
support/set_bools_tuns.awk | 2 +-
47 files changed, 169 insertions(+), 159 deletions(-)
diff --git a/README b/README
index 3f15043..1f803c2 100644
--- a/README
+++ b/README
@@ -233,7 +233,7 @@ install-headers target from the full Reference Policy sources.
To set up a directory to build a local module, one must simply place a .te
file in a directory. A sample Makefile to use in the directory is the
Makefile.example in the doc directory. This may be installed in
-/usr/share/doc, under the directory for the distribution's policy.
+/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 5606c4e..daefcf7 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 5606c4e..daefcf7 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index 300694c..382fe33 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -5,6 +5,6 @@ system_r:crond_t staff_r:staff_t staff_r:cronjob_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
-sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 84d8ada..32ac91f 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -1,3 +1,13 @@
+# This file can is used to configure base path aliases as in:
+#
+# /aliased_path /original_path_as_configured_in_file_contexts
+#
+# where original_path_as_configured_in_file_contexts is a base
+# path being used in the main file_contexts configuration file.
+#
+# It does not perform substitutions as done by sed(1), for
+# example, but aliasing.
+#
/etc/init.d /etc/rc.d/init.d
/lib/systemd /usr/lib/systemd
/lib32 /lib
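Review bot: The ten comment lines added at the top of file_contexts.subs_dist are new content, not a trailing-whitespace removal, so they do not match the commit subject; split them into a separate commit or mention them in the message. The first added line also contains a typo, "This file can is used to configure", which should read "This file is used to configure".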
@@ -6,8 +16,8 @@
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
-/usr/local/lib/ /usr/lib/
+/usr/local/lib64 /usr/lib
+/usr/local/lib /usr/lib
/var/lib/krb5kdc /var/kerberos/krb5kdc
/var/run/lock /var/lock
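Review bot: Replacing `/usr/local/lib/ /usr/lib/` with `/usr/local/lib /usr/lib` and moving the `/usr/local/lib64` entry changes an alias rule, not just whitespace. These aliases decide which file contexts paths under /usr/local/lib receive, so the change deserves its own commit with a message explaining why the trailing slashes were dropped. Before merging, compare matchpathcon output for a few paths under /usr/local/lib with the old and new file to confirm the labels are as intended.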
diff --git a/config/local.users b/config/local.users
index 7e2bf7a..3f5dd1f 100644
--- a/config/local.users
+++ b/config/local.users
@@ -11,11 +11,11 @@
#
# user username roles role_set [ level default_level range allowed_range ];
#
-# The MLS default level and allowed range should only be specified if
+# The MLS default level and allowed range should only be specified if
# MLS was enabled in the policy.
# sample for administrative user
# user jadmin roles { staff_r sysadm_r };
# sample for regular user
-#user jdoe roles { user_r };
+#user jdoe roles { user_r };
diff --git a/doc/policy.dtd b/doc/policy.dtd
index b797f71..5282985 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -5,7 +5,7 @@
<!ATTLIST layer
name CDATA #REQUIRED>
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
-<!ATTLIST module
+<!ATTLIST module
name CDATA #REQUIRED
filename CDATA #REQUIRED>
<!ELEMENT required (#PCDATA)>
@@ -26,12 +26,12 @@
<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
<!ELEMENT desc (#PCDATA|%inline.class;)*>
<!ELEMENT param (summary)>
-<!ATTLIST param
+<!ATTLIST param
name CDATA #REQUIRED
optional (true|false) "false"
unused (true|false) "false">
<!ELEMENT infoflow EMPTY>
-<!ATTLIST infoflow
+<!ATTLIST infoflow
type CDATA #REQUIRED
weight CDATA #IMPLIED>
<!ELEMENT rolebase EMPTY>
diff --git a/doc/templates/module.html b/doc/templates/module.html
index a8d008a..87f3522 100644
--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@@ -14,7 +14,7 @@
<a href=#templates>Templates</a>
[[end]]
<h3>Description:</h3>
-[[if mod_desc]]
+[[if mod_desc]]
<p>[[mod_desc]]</p>
[[else]]
<p>[[mod_summary]]</p>
diff --git a/doc/templates/style.css b/doc/templates/style.css
index 9bac0d9..0f06d5c 100644
--- a/doc/templates/style.css
+++ b/doc/templates/style.css
@@ -46,12 +46,12 @@ p {
margin:0px 0px 0px 10px;
padding:0px;
}
-
+
tt {
/* inline code */
font-family: monospace;
}
-
+
table {
background-color:#efefef;
/*background-color: white;*/
@@ -74,7 +74,7 @@ th {
td.header {
font-weight: bold;
}
-
+
#Content>p {margin:0px;}
#Content>p+p {text-indent:30px;}
a {
@@ -123,7 +123,7 @@ a:hover {background-color:#eee;}
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
-}
+}
#Template {
margin:5px 0px 25px 5px;
padding:5px 0px 5px 5px;
@@ -147,7 +147,7 @@ a:hover {background-color:#eee;}
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
-}
+}
#Description {
margin:0px 0px 0px 5px;
padding:0px 0px 0px 5px;
@@ -204,7 +204,7 @@ body>#Header {height:14px;}
background-color:#eee;
border:1px solid #aaa;
line-height:17px;
- text-align:left;
+ text-align:left;
voice-family: "\"}\"";
voice-family:inherit;
width:160px;
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
index 5bebd82..985a6e6 100644
--- a/man/man8/ftpd_selinux.8
+++ b/man/man8/ftpd_selinux.8
@@ -55,7 +55,7 @@ Allow ftp servers to use nfs for public file transfer services.
setsebool -P allow_ftpd_use_nfs on
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
.PP
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
index c2142e0..ed8bb76 100644
--- a/man/man8/git_selinux.8
+++ b/man/man8/git_selinux.8
@@ -13,23 +13,23 @@ git_selinux \- Security Enhanced Linux Policy for the Git daemon.
Security-Enhanced Linux secures the Git server via flexible mandatory access
control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP
+.PP
The following file contexts types are by default defined for Git:
.EX
-git_system_content_t
-.EE
+git_system_content_t
+.EE
- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
.EX
-git_session_content_t
-.EE
+git_session_content_t
+.EE
- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
.SH BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
.PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
@@ -90,7 +90,7 @@ sudo restorecon -R -v /srv/git/project1
.EE
To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
.EX
-policy_module(project1user, 1.0.0)
+policy_module(project1user, 1.0.0)
git_role_template(project1user)
git_content_delegation(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
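Review bot: The context line just above the changed `policy_module(project1user, 1.0.0)` line still says "the Git systemm content type". Since this man page is being cleaned up, correct "systemm" to "system" in a follow-up change.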
@@ -103,7 +103,7 @@ sudo useradd -Z project1user_u jane
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dominick Grift <domg472@gmail.com>.
.SH "SEE ALSO"
selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 93c4a0a..d5500dd 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -12,32 +12,32 @@ httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the httpd server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP
+.PP
The following file contexts types are defined for httpd:
.EX
-httpd_sys_content_t
-.EE
+httpd_sys_content_t
+.EE
- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
.EX
-httpd_sys_script_exec_t
-.EE
+httpd_sys_script_exec_t
+.EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX
-httpd_sys_content_rw_t
+httpd_sys_content_rw_t
.EE
- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
-httpd_sys_content_ra_t
+httpd_sys_content_ra_t
.EE
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
.EX
-httpd_unconfined_script_exec_t
-.EE
+httpd_unconfined_script_exec_t
+.EE
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
.SH NOTE
@@ -50,7 +50,7 @@ If you want to share files with multiple domains (Apache, FTP, rsync, Samba), yo
setsebool -P allow_httpd_anon_write=1
.EE
-or
+or
.EX
setsebool -P allow_httpd_sys_script_anon_write=1
@@ -102,7 +102,7 @@ setsebool -P httpd_builtin_scripting 0
.PP
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
-This would prevent a hacker from breaking into you httpd server and attacking
+This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
.EX
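Review bot: The rewritten line still reads "breaking into you httpd server"; it should be "your httpd server". The line is already being touched for whitespace, so the typo is worth fixing in a follow-up documentation commit.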
@@ -111,7 +111,7 @@ setsebool -P httpd_can_network_connect 1
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
index a8f81c8..f14276c 100644
--- a/man/man8/kerberos_selinux.8
+++ b/man/man8/kerberos_selinux.8
@@ -12,7 +12,7 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
@@ -21,7 +21,7 @@ setsebool -P allow_kerberos 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
index fce0b48..38b7635 100644
--- a/man/man8/named_selinux.8
+++ b/man/man8/named_selinux.8
@@ -12,16 +12,16 @@ named_selinux \- Security Enhanced Linux Policy for the Internet Name server (na
.SH "DESCRIPTION"
Security-Enhanced Linux secures the named server via flexible mandatory access
-control.
+control.
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
+SELinux policy is customizable based on least access required. So by
default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
.EX
setsebool -P named_write_master_zones 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
index 8e30c4c..17018c2 100644
--- a/man/man8/nfs_selinux.8
+++ b/man/man8/nfs_selinux.8
@@ -4,7 +4,7 @@ nfs_selinux \- Security Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
Security Enhanced Linux secures the NFS server via flexible mandatory access
-control.
+control.
.SH BOOLEANS
SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
@@ -24,7 +24,7 @@ If you want to use a remote NFS server for the home directories on this machine,
setsebool -P use_nfs_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
index ad9ccf5..8cc3827 100644
--- a/man/man8/rsync_selinux.8
+++ b/man/man8/rsync_selinux.8
@@ -12,11 +12,11 @@ rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the rsync server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
-If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
would need to label the directory with the chcon tool.
.TP
chcon -t public_content_t /var/rsync
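Review bot: The FILE_CONTEXTS text in this hunk tells the reader to label /var/rsync with chcon, but a label set with chcon is not recorded in the file-context configuration and is lost when the path is next relabeled. Suggest documenting the persistent form next to it: semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" followed by restorecon -R /var/rsync. The samba_share_t example in samba_selinux.8 has the same gap.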
@@ -45,7 +45,7 @@ setsebool -P allow_rsync_anon_write=1
.SH BOOLEANS
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
index ca702c7..e5de421 100644
--- a/man/man8/samba_selinux.8
+++ b/man/man8/samba_selinux.8
@@ -4,12 +4,12 @@ samba_selinux \- Security Enhanced Linux Policy for Samba
.SH "DESCRIPTION"
Security-Enhanced Linux secures the Samba server via flexible mandatory access
-control.
+control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
-If you want to share files other than home directories, those files must be
-labeled samba_share_t. So if you created a special directory /var/eng, you
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files other than home directories, those files must be
+labeled samba_share_t. So if you created a special directory /var/eng, you
would need to label the directory with the chcon tool.
.TP
chcon -t samba_share_t /var/eng
@@ -32,24 +32,24 @@ If you want to share files with multiple domains (Apache, FTP, rsync, Samba), yo
setsebool -P allow_smbd_anon_write=1
.SH BOOLEANS
-.br
-SELinux policy is customizable based on least access required. So by
-default SELinux policy turns off SELinux sharing of home directories and
+.br
+SELinux policy is customizable based on least access required. So by
+default SELinux policy turns off SELinux sharing of home directories and
the use of Samba shares from a remote machine as a home directory.
.TP
-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
+If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
.br
setsebool -P samba_enable_home_dirs 1
.TP
If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
-.br
+.br
setsebool -P use_samba_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
index 5061a5f..8e45055 100644
--- a/man/man8/ypbind_selinux.8
+++ b/man/man8/ypbind_selinux.8
@@ -4,7 +4,7 @@ ypbind_selinux \- Security Enhanced Linux Policy for NIS.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
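Review bot: The DESCRIPTION line re-emitted here still says "SELinux can be setup deny NIS from working", which is missing a word; "SELinux can be set up to deny NIS, since it requires ..." would read correctly and could be fixed while the line is being rewritten.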
@@ -12,7 +12,7 @@ You must set the allow_ypbind boolean to allow your system to work properly in a
setsebool -P allow_ypbind 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
diff --git a/policy/constraints b/policy/constraints
index f7a40cc..90a794b 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -4,7 +4,7 @@
#
# constrain class_set perm_set expression ;
#
-# expression : ( expression )
+# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
@@ -18,11 +18,11 @@
# | t1 op names
# | t2 op names
#
-# op : == | !=
+# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
-# name_list : name | name_list name
+# name_list : name | name_list name
#
define(`basic_ubac_conditions',`
@@ -68,7 +68,7 @@ exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)
# SELinux object identity change constraint:
-constrain dir_file_class_set { create relabelto relabelfrom }
+constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
@@ -98,7 +98,7 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
constrain process { transition dyntransition noatsecure siginh rlimitinh }
(
- r1 == r2
+ r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
@@ -159,7 +159,7 @@ exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
-constrain socket_class_set { create relabelto relabelfrom }
+constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 77cbf1f..168022f 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -60,7 +60,7 @@ common socket
recv_msg
send_msg
name_bind
-}
+}
#
# Define a common prefix for ipc access vectors.
@@ -298,7 +298,7 @@ inherits socket
node_bind
}
-class node
+class node
{
tcp_recv
tcp_send
@@ -416,7 +416,7 @@ inherits ipc
#
-# Define the access vector interpretation for the security server.
+# Define the access vector interpretation for the security server.
#
class security
@@ -444,7 +444,7 @@ class security
class system
{
ipc_info
- syslog_read
+ syslog_read
syslog_mod
syslog_console
module_request
@@ -857,7 +857,7 @@ class x_application_data
class kernel_service
{
use_as_override
- create_files_as
+ create_files_as
}
class tun_socket
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
index 95894eb..91ac816 100644
--- a/policy/flask/initial_sids
+++ b/policy/flask/initial_sids
@@ -1,7 +1,7 @@
# FLASK
#
-# Define initial security identifiers
+# Define initial security identifiers
#
sid kernel
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 16768c2..fc5505d 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -1,7 +1,7 @@
# FLASK
#
-# Define the security object classes
+# Define the security object classes
#
# Classes marked as userspace are classes
@@ -119,7 +119,7 @@ class x_synthetic_event # userspace
class x_application_data # userspace
# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
+class kernel_service
class tun_socket
diff --git a/policy/mcs b/policy/mcs
index 216b3d1..4d03011 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,6 +1,6 @@
ifdef(`enable_mcs',`
#
-# Define sensitivities
+# Define sensitivities
#
# MCS is single-sensitivity.
diff --git a/policy/mls b/policy/mls
index db3ed90..69ca726 100644
--- a/policy/mls
+++ b/policy/mls
@@ -1,6 +1,6 @@
ifdef(`enable_mls',`
#
-# Define sensitivities
+# Define sensitivities
#
# Domination of sensitivities is in increasin
# numerical order, with s0 being the lowest
@@ -194,7 +194,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
@@ -207,7 +207,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
@@ -215,7 +215,7 @@ mlsconstrain unix_stream_socket connectto
( t2 == mlstrustedsocket ));
mlsconstrain unix_dgram_socket sendto
- (( l1 eq l2 ) or
+ (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
@@ -288,9 +288,9 @@ mlsconstrain msg send
#
# No sharing of open file descriptors between levels unless
-# the process type is authorized to use fds created by
+# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
-# shared among levels (mlsfdshare).
+# shared among levels (mlsfdshare).
mlsconstrain fd use (
l1 eq l2
or t1 == mlsfduse
@@ -562,7 +562,7 @@ mlsconstrain x_cursor { read getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
-
+
# the x_cursor "write" ops (implicit single level)
mlsconstrain x_cursor { create destroy write setattr }
(( l1 eq l2 ) or
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 8bd1963..e65690d 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -40,7 +40,7 @@ template(`sudo_role_template',`
# Declarations
#
- type $1_sudo_t, sudodomain;
+ type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 8a4db53..468fb34 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -7,7 +7,7 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
########################################
#
-# Network Interface generated macros
+# Network Interface generated macros
#
########################################
@@ -283,7 +283,7 @@ interface(`corenet_raw_sendrecv_$1_if',`
########################################
#
-# Network node generated macros
+# Network node generated macros
#
########################################
@@ -456,7 +456,7 @@ interface(`corenet_udp_bind_$1_node',`
########################################
#
-# Network port generated macros
+# Network port generated macros
#
########################################
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 92cc408..7b8aec2 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -374,7 +374,7 @@ interface(`domain_cron_exemption_target',`
## <desc>
## <p>
## Allow the specified domain to inherit and use file
-## descriptors from domains with interactive programs.
+## descriptors from domains with interactive programs.
## This does not allow access to the objects being referenced
## by the file descriptors.
## </p>
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index b08a6e8..eb4bcfc 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -73,7 +73,7 @@ interface(`mcs_file_write_all',`
########################################
## <summary>
-## This domain is allowed to sigkill and sigstop
+## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 829605b..866936c 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -310,7 +310,7 @@ interface(`mls_socket_write_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for receiving network data from
+## for receiving network data from
## network interfaces or hosts at any level.
## </summary>
## <param name="domain">
@@ -991,7 +991,7 @@ interface(`mls_db_downgrade',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for sending dbus messages to
+## for sending dbus messages to
## all levels.
## </summary>
## <param name="domain">
@@ -1012,7 +1012,7 @@ interface(`mls_dbus_send_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for receiving dbus messages from
+## for receiving dbus messages from
## all levels.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index fe4c97d..15e50a3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -62,7 +62,7 @@ attribute mlstrustedsocket;
attribute privrangetrans;
attribute mlsrangetrans;
-attribute mlsfduse;
+attribute mlsfduse;
attribute mlsfdshare;
attribute mlstranslate;
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 1efa6bb..c61fc1c 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -23,7 +23,7 @@ attribute selinux_unconfined_type;
type secure_mode_policyload_t;
selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
-#
+#
# security_t is the target type when checking
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index a5dbdaa..f6dc616 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -670,7 +670,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
- allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fd use;
')
########################################
@@ -689,7 +689,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
- dontaudit $1 xdm_t:fd use;
+ dontaudit $1 xdm_t:fd use;
')
########################################
@@ -707,7 +707,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
- allow $1 xdm_t:fifo_file { getattr read write };
+ allow $1 xdm_t:fifo_file { getattr read write };
')
########################################
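Review bot: In xserver_rw_xdm_pipes the rule is written with a literal permission set, allow $1 xdm_t:fifo_file { getattr read write };, while its dontaudit counterpart in the next hunk uses the rw_fifo_file_perms macro, so the two interfaces do not cover the same permissions. If the narrower literal set is deliberate, a one-line comment saying so would stop someone from "normalising" it later; otherwise use the macro in both.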
@@ -727,7 +727,7 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
type xdm_t;
')
- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index c62bcee..5eac8c0 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -135,8 +135,8 @@ optional_policy(`
')
optional_policy(`
- # When you install a kernel the postinstall builds a initrd image in tmp
- # and executes ldconfig on it. If you dont allow this kernel installs
+ # When you install a kernel the postinstall builds a initrd image in tmp
+ # and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9ededbf..f7d3d69 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -8,7 +8,7 @@
## <desc>
## <p>
## Make the specified type usable for log files in a filesystem.
-## This will also make the type usable for files, making
+## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a log file type may result in problems with log
## rotation, log analysis, and log monitoring programs.
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 279f6d7..ef53635 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -100,7 +100,7 @@ interface(`mount_use_fds',`
type mount_t;
')
- allow $1 mount_t:fd use;
+ allow $1 mount_t:fd use;
')
########################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 2b85a6e..78f9c14 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -51,7 +51,7 @@ interface(`unconfined_domain_noaudit',`
')
tunable_policy(`allow_execmem',`
- # Allow making anonymous memory executable, e.g.
+ # Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 4ca5688..7f280db 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -21,7 +21,7 @@ define(`ifndef',`ifdef(`$1',`$3',`$2')')
#
# __endline__
#
-# dummy macro to insert a newline. used for
+# dummy macro to insert a newline. used for
# errprint, so the close parentheses can be
# indented correctly.
#
diff --git a/support/Makefile.devel b/support/Makefile.devel
index d1cbef9..a0e8c2a 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -179,7 +179,7 @@ tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
# so users dont have to make empty .fc and .if files
$(detected_fcs):
@touch $@
-
+
$(detected_ifs):
@echo "## <summary>$(basename $(@D))</summary>" > $@
diff --git a/support/genclassperms.py b/support/genclassperms.py
index 6d6ce8b..03f31ad 100644
--- a/support/genclassperms.py
+++ b/support/genclassperms.py
@@ -94,7 +94,7 @@ def get_av_db(file_name):
# their own word. It doesn't matter if there will be extra
# white space, it'll get thrown away when the string is split.
av_line.replace("{"," { ")
- av_line.replace("}"," } ")
+ av_line.replace("}"," } ")
# Split up the words on the line and add it to av_data.
av_data += av_line.split()
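Review bot: Both av_line.replace(...) calls in get_av_db discard their result; Python strings are immutable and str.replace returns a new string, so the braces are never padded and a brace attached to a word is not split into its own token as the comment above promises. Assign the result back, for example av_line = av_line.replace("{"," { ").replace("}"," } "), ideally as a separate commit from the whitespace cleanup.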
diff --git a/support/genhomedircon b/support/genhomedircon
index 33dbcc1..355ecb7 100644
--- a/support/genhomedircon
+++ b/support/genhomedircon
@@ -14,7 +14,7 @@
#
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
# set up the home directory context for each real user.
-#
+#
# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
# the first role in the list.
#
@@ -25,7 +25,7 @@
# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
# are always "real" (including root, in the default configuration).
#
-#
+#
# Old ASSUMPTIONS:
#
# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
@@ -85,7 +85,7 @@ def getPrefixes():
if not prefix in prefixes:
prefixes[prefix] = ""
return prefixes
-
+
def getUsers(filecontextdir):
rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
udict = {}
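Review bot: getUsers builds a shell command by interpolating filecontextdir into "grep ^user %s/users", so a directory name containing spaces or shell metacharacters changes what is executed, and the commands module it relies on exists only in Python 2. Reading the file directly (open the users file and keep lines that start with "user") removes the shell and the dependency; the unquoted ^user pattern goes away with it.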
@@ -215,7 +215,7 @@ def oldgenhomedircon(filecontextdir, filecontext):
# Fill in HOME and ROLE for users that are defined
for u in users.keys():
- update(filecontext, u, users[u])
+ update(filecontext, u, users[u])
#############################################################################
#
@@ -271,7 +271,7 @@ def usage(error = ""):
def warning(warning = ""):
sys.stderr.write("%s\n" % warning)
sys.stderr.flush()
-
+
def errorExit(error):
sys.stderr.write("%s exiting for: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
@@ -291,7 +291,7 @@ class selinuxConfig:
def getFileContextFile(self):
return self.getFileContextDir()+"/file_contexts"
-
+
def getContextDir(self):
return self.selinuxdir+self.type+self.contextdir
@@ -310,7 +310,7 @@ class selinuxConfig:
def getSystemUsersFile(self):
return self.selinuxdir+self.type+"/users/system.users"
-
+
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
@@ -416,7 +416,7 @@ class selinuxConfig:
homedirs.sort()
return homedirs
-
+
def genoutput(self):
ret= self.heading()
for h in self.getHomeDirs():
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
index 866db91..a7c9036 100644
--- a/support/gennetfilter.py
+++ b/support/gennetfilter.py
@@ -112,7 +112,7 @@ def parse_corenet(file_name):
del parms[:3]
packets.append(Packet(name,ports))
-
+
corenet_te_in.close()
return packets
diff --git a/support/pyplate.py b/support/pyplate.py
index 44b662a..bc0b6df 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -44,7 +44,7 @@ PyPlate defines the following directives:
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
@@ -273,7 +273,7 @@ class FunctionTemplateNode(TemplateNode):
TemplateNode.execute(self, stream, data)
for key, value in remember_vars.items():
data[key] = value
-
+
class LeafTemplateNode(TemplateNode):
def __init__(self, parent, s):
self.parent = parent
@@ -308,7 +308,7 @@ class ExecTemplateNode(LeafTemplateNode):
def execute(self, stream, data):
exec(self.s, globals(), data)
pass
-
+
class CallTemplateNode(LeafTemplateNode):
def __init__(self, parent, s):
LeafTemplateNode.__init__(self, parent, s)
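Review bot: ExecTemplateNode.execute runs the directive text with exec(self.s, globals(), data), and the CallTemplateNode hunk below does the same with eval, so any template file handed to PyPlate is executed as Python with the module's globals. That is fine for the templates shipped under doc/templates, but the module docstring should state that templates are trusted code and must not come from an untrusted source. The pass after exec is dead and can be dropped.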
@@ -318,7 +318,7 @@ class CallTemplateNode(LeafTemplateNode):
"[[%s]] is not a valid function call" % self.s)
self.function_name = match.group(1)
self.vars = "(" + match.group(2).strip() + ",)"
-
+
def execute(self, stream, data):
self.parent.functions[self.function_name].call(
eval(self.vars, globals(), data), stream, data)
diff --git a/support/sedoctool.py b/support/sedoctool.py
index afcdee4..c98a7f3 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -9,8 +9,8 @@
# the Free Software Foundation, version 2.
"""
- This module generates configuration files and documentation from the
- SELinux reference policy XML format.
+ This module generates configuration files and documentation from the
+ SELinux reference policy XML format.
"""
import sys
@@ -46,11 +46,11 @@ def read_policy_xml(filename):
try:
doc = parseString(xml_fh.read())
- except:
+ except:
xml_fh.close()
error("Error while parsing xml")
- xml_fh.close()
+ xml_fh.close()
return doc
def gen_booleans_conf(doc, file_name, namevalue_list):
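Review bot: The bare except: in read_policy_xml also catches KeyboardInterrupt and SystemExit, and error("Error while parsing xml") throws away the parser's own message, which makes a malformed policy.xml hard to diagnose. Catch the parser's exception type (xml.parsers.expat.ExpatError, assuming parseString is xml.dom.minidom's) and include it in the message, and use try/finally or a with block so xml_fh.close() is written once instead of on both paths.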
@@ -141,7 +141,7 @@ def gen_module_conf(doc, file_name, namevalue_list):
mod_name = mod_layer = None
- mod_name = node.getAttribute("name")
+ mod_name = node.getAttribute("name")
mod_layer = node.parentNode.getAttribute("name")
if mod_name and mod_layer:
@@ -171,7 +171,7 @@ def gen_module_conf(doc, file_name, namevalue_list):
# Set the module to base if it is marked as required.
if mod_req:
file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
- # Set the module to enabled if it is not required.
+ # Set the module to enabled if it is not required.
else:
file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
@@ -222,7 +222,7 @@ def int_cmp_func(a):
"""
return a["interface_name"]
-
+
def temp_cmp_func(a):
"""
Return the template name to sort/compare on.
@@ -295,7 +295,7 @@ def format_txt_desc(node):
desc_buf += desc.data + "\n"
elif desc.nodeName == "p":
desc_buf += desc.firstChild.data + "\n"
- for chld in desc.childNodes:
+ for chld in desc.childNodes:
if chld.nodeName == "ul":
desc_buf += "\n"
for li in chld.getElementsByTagName("li"):
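Review bot: In format_txt_desc the "p" branch does desc_buf += desc.firstChild.data + "\n" without checking firstChild; a paragraph that is empty, or that starts with a child element such as the ul handled two lines later, has no text node first and this raises AttributeError. Guard on desc.firstChild being a text node before reading .data.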
@@ -359,7 +359,7 @@ def gen_docs(doc, working_dir, templatedir):
try:
os.chdir(working_dir)
except:
- error("Could not chdir to target directory")
+ error("Could not chdir to target directory")
#arg, i have to go through this dom tree ahead of time to build up the menus
@@ -401,12 +401,12 @@ def gen_docs(doc, working_dir, templatedir):
body_args = { "menu" : menu_buf,
"content" : content_buf }
-
+
index_file = mod_layer + ".html"
index_fh = open(index_file, "w")
body_tpl = pyplate.Template(bodydata)
body_tpl.execute(index_fh, body_args)
- index_fh.close()
+ index_fh.close()
menu = gen_doc_menu(None, module_list)
menu_args = { "menulist" : menu,
@@ -486,10 +486,10 @@ def gen_docs(doc, working_dir, templatedir):
"interface_parameters" : interface_parameters,
"mod_name": mod_name,
"mod_layer" : mod_layer })
- interfaces.sort(key=int_cmp_func)
+ interfaces.sort(key=int_cmp_func)
interface_tpl = pyplate.Template(intdata)
interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
-
+
# now generate individual template pages
templates = []
@@ -533,7 +533,7 @@ def gen_docs(doc, working_dir, templatedir):
"mod_name": mod_name,
"mod_layer" : mod_layer })
- templates.sort(key=temp_cmp_func)
+ templates.sort(key=temp_cmp_func)
template_tpl = pyplate.Template(templatedata)
template_buf = template_tpl.execute_string({"templates" : templates})
@@ -584,7 +584,7 @@ def gen_docs(doc, working_dir, templatedir):
tunables.sort(key=tun_cmp_func)
tunable_tpl = pyplate.Template(tundata)
tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
-
+
menu = gen_doc_menu(mod_layer, module_list)
@@ -611,7 +611,7 @@ def gen_docs(doc, working_dir, templatedir):
boolean_buf = None
module_args = { "mod_layer" : mod_layer,
- "mod_name" : mod_name,
+ "mod_name" : mod_name,
"mod_summary" : mod_summary,
"mod_desc" : mod_desc,
"mod_req" : mod_req,
@@ -625,20 +625,20 @@ def gen_docs(doc, working_dir, templatedir):
body_args = { "menu" : menu_buf,
"content" : module_buf }
-
+
module_file = mod_layer + "_" + mod_name + ".html"
module_fh = open(module_file, "w")
body_tpl = pyplate.Template(bodydata)
body_tpl.execute(module_fh, body_args)
module_fh.close()
-
+
menu = gen_doc_menu(None, module_list)
menu_args = { "menulist" : menu,
"mod_layer" : None }
menu_tpl = pyplate.Template(menudata)
menu_buf = menu_tpl.execute_string(menu_args)
-
+
#build the interface index
all_interfaces.sort(key=int_cmp_func)
interface_tpl = pyplate.Template(intlistdata)
@@ -647,7 +647,7 @@ def gen_docs(doc, working_dir, templatedir):
int_fh = open(int_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : interface_buf }
body_tpl.execute(int_fh, body_args)
@@ -662,7 +662,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : template_buf }
body_tpl.execute(temp_fh, body_args)
@@ -702,7 +702,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : tunable_buf }
body_tpl.execute(temp_fh, body_args)
@@ -731,7 +731,7 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_bool_fh, body_args)
global_bool_fh.close()
-
+
#build the boolean index
all_booleans = all_booleans + global_bool
all_booleans.sort(key=bool_cmp_func)
@@ -741,7 +741,7 @@ def gen_docs(doc, working_dir, templatedir):
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
- body_args = { "menu" : menu_buf,
+ body_args = { "menu" : menu_buf,
"content" : boolean_buf }
body_tpl.execute(temp_fh, body_args)
@@ -805,7 +805,7 @@ for opt, val in opts:
templatedir = val
doc = read_policy_xml(xmlfile)
-
+
if booleans:
namevalue_list = []
if os.path.exists(booleans):
@@ -834,7 +834,7 @@ if modules:
conf = open(modules, 'r')
except:
error("Could not open modules file for reading")
- namevalue_list = get_conf(conf)
+ namevalue_list = get_conf(conf)
conf.close()
try:
@@ -844,5 +844,5 @@ if modules:
gen_module_conf(doc, conf, namevalue_list)
conf.close()
-if docsdir:
+if docsdir:
gen_docs(doc, docsdir, templatedir)
diff --git a/support/segenxml.py b/support/segenxml.py
index 5f4f7d0..ab8ee52 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -90,7 +90,7 @@ def getModuleXML(file_name):
module_buf = []
# Infer the module name, which is the base of the file name.
- module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
+ module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
temp_buf = []
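Review bot: in the `module_buf.append("<module name=\"%s\" filename=\"%s\">\n" ...)` line, the module name derived from `file_name` and the value of `module_if` are formatted into XML attribute values without escaping, so a path containing `"`, `&` or `<` yields malformed XML for whatever parses this output later. Passing both values through `xml.sax.saxutils.quoteattr` (which adds the surrounding quotes itself, so the format string becomes `name=%s filename=%s`) would keep the generated document well-formed regardless of the file name.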
@@ -157,7 +157,7 @@ def getModuleXML(file_name):
# Add default summaries and parameters so that the
# DTD is happy.
else:
- warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
+ warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
module_buf.append("<summary>\n")
module_buf.append("Summary is missing!\n")
module_buf.append("</summary>\n")
diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
index 55b422f..f06d2e7 100644
--- a/support/selinux-policy-refpolicy.spec
+++ b/support/selinux-policy-refpolicy.spec
@@ -22,7 +22,7 @@ BuildRequires: python >= 2.6
BuildRequires: libsepol >= 2.1.4
BuildRequires: libsemanage >= 2.0.29
BuildRequires: m4 make gcc
-Obsoletes: policy
+Obsoletes: policy
%description
SELinux Reference Policy - modular.
diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel
index 8973bc7..8a6dbe2 100644
--- a/support/selinux-refpolicy-sources.spec.skel
+++ b/support/selinux-refpolicy-sources.spec.skel
@@ -3,7 +3,7 @@
%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
%define FC_PRE ${FILE_CON}.pre
-Summary: SELinux Reference Policy configuration source files
+Summary: SELinux Reference Policy configuration source files
Name: selinux-refpolicy-sources
Version: REFPOL_VERSION
Release: 1
diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk
index cedc19b..4eaa82d 100644
--- a/support/set_bools_tuns.awk
+++ b/support/set_bools_tuns.awk
@@ -5,7 +5,7 @@ BEGIN {
FS="="
}
-/^[[:blank:]]*[[:alpha:]]+/{
+/^[[:blank:]]*[[:alpha:]]+/{
gsub(/[[:blank:]]*/,"")
print "define(`"$1"_conf',`"$2"')"
}
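Review bot: in the `print "define(`"$1"_conf',`"$2"')"` line, `$1` and `$2` are placed inside m4 quotes without validation, and the pattern `/^[[:blank:]]*[[:alpha:]]+/` only requires the line to begin with letters. A value containing `'` or a backtick would end the m4 quoting early and the remainder would be read as m4 input, and with `FS="="` anything after a second `=` is dropped silently. Tighten the match to the whole expected line, for example a name of `[[:alnum:]_]+` and a value restricted to the accepted settings, and report lines that do not match instead of emitting a define for them.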