nicer te_trans conflict fix

refpolicy/policy/modules/services/sendmail.te

@@ -35,17 +35,6 @@ allow sendmail_t self:fifo_file rw_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 
-allow sendmail_t sendmail_log_t:file create_file_perms;
-allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
-
-allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
-allow sendmail_t sendmail_tmp_t:file create_file_perms;
-files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
-
-allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
-files_create_pid(sendmail_t,sendmail_var_run_t)
-
 kernel_read_kernel_sysctl(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
@@ -112,6 +101,17 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(sendmail_t)
 	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)
+',`
+	allow sendmail_t sendmail_log_t:file create_file_perms;
+	allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+	logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
+
+	allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+	allow sendmail_t sendmail_tmp_t:file create_file_perms;
+	files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
+
+	allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
+	files_create_pid(sendmail_t,sendmail_var_run_t)
 ')
 
 optional_policy(`nis.te',`

refpolicy/policy/modules/services/xdm.te

@@ -55,7 +55,6 @@ files_tmpfs_file(xdm_tmpfs_t)
 # Local policy
 #
 
-ifdef(`targeted_policy',`',`
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process { setexec setpgid setsched setrlimit };
 allow xdm_t self:fifo_file rw_file_perms;
@@ -63,6 +62,24 @@ ifdef(`targeted_policy',`',`
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctl(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+files_read_etc_runtime_files(xdm_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain_template(xdm_t)
+',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_create_lock(xdm_t,xdm_lock_t)
 
@@ -81,21 +98,7 @@ ifdef(`targeted_policy',`',`
 	allow xdm_t xdm_var_lib_t:file create_file_perms;
 	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
 	files_create_var_lib(xdm_t,xdm_var_lib_t)
-
-	kernel_read_system_state(xdm_t)
-	kernel_read_kernel_sysctl(xdm_t)
-
-	dev_read_rand(xdm_t)
-	dev_read_urand(xdm_t)
-
-	selinux_get_fs_mount(xdm_t)
-	selinux_validate_context(xdm_t)
-	selinux_compute_access_vector(xdm_t)
-	selinux_compute_create_context(xdm_t)
-	selinux_compute_relabel_context(xdm_t)
-	selinux_compute_user_contexts(xdm_t)
-
-	files_read_etc_runtime_files(xdm_t)
+')
 
 ifdef(`TODO',`
 # cjp: TODO: integrate strict policy:
@@ -417,4 +420,3 @@ ifdef(`targeted_policy',`',`
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
 ') dnl end TODO
-')