From 72b2c66256ab820081b1aed13200771023c7e6bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Thu, 13 Aug 2020 14:24:35 +0200 Subject: [PATCH] whitespace cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove trailing white spaces and mixed up indents 
Signed-off-by: Christian Göttsche
---
Changelog | 1 - Changelog.contrib | 113 +++++++++--------- Changelog.old | 6 +- config/appconfig-mcs/staff_u_default_contexts | 1 - config/appconfig-mcs/user_u_default_contexts | 1 - config/appconfig-mls/staff_u_default_contexts | 1 - config/appconfig-mls/user_u_default_contexts | 1 - .../guest_u_default_contexts | 1 - .../staff_u_default_contexts | 1 - .../user_u_default_contexts | 1 - man/man8/httpd_selinux.8 | 2 - man/man8/named_selinux.8 | 2 - man/ru/man8/ftpd_selinux.8 | 2 - man/ru/man8/httpd_selinux.8 | 2 - man/ru/man8/named_selinux.8 | 2 - policy/constraints | 4 +- policy/modules/admin/logrotate.te | 1 - policy/modules/admin/sectoolm.te | 1 - policy/modules/apps/sigrok.te | 2 +- policy/modules/apps/syncthing.te | 1 - policy/modules/kernel/domain.if | 4 +- policy/modules/kernel/files.if | 2 +- policy/modules/kernel/kernel.if | 1 - policy/modules/kernel/ubac.te | 1 - policy/modules/roles/secadm.if | 1 - policy/modules/roles/sysadm.te | 1 - policy/modules/services/abrt.if | 1 - policy/modules/services/chronyd.te | 1 - policy/modules/services/dnsmasq.if | 2 +- policy/modules/services/mon.if | 1 - policy/modules/services/oident.te | 4 +- policy/modules/services/policykit.te | 1 - policy/modules/services/stunnel.te | 1 - policy/modules/services/tpm2.if | 3 +- policy/modules/services/xserver.if | 4 +- policy/modules/system/miscfiles.if | 1 - policy/modules/system/modutils.te | 1 - policy/modules/system/mount.if | 1 - policy/modules/system/sysnetwork.fc | 1 - policy/modules/system/systemd.fc | 1 - policy/modules/system/udev.te | 1 - policy/modules/system/userdomain.if | 2 +- 42 files changed, 72 insertions(+), 110 deletions(-)
diff --git a/Changelog b/Changelog
index 1300bc605..a5ba6ca6c 100644
--- a/Changelog
+++ b/Changelog
@@ -2233,4 +2233,3 @@ Sven Vermeulen (27): Allow initrc_t to read stunnel configuration Introduce exec-check interfaces for passwd binaries and useradd binaries chfn_t reads in file context information and executes nscd - diff --git a/Changelog.contrib b/Changelog.contrib index a910f0326..562063832 100644 --- a/Changelog.contrib +++ b/Changelog.contrib @@ -859,24 +859,24 @@ Dominick Grift (126): Typo fix in ksmtuned_admin() by Shintaro Fujiwara Fix monolithic built Change file context spec for aide log files to catch suffixes - Module version bumps for changes in various policy modules by Sven + Module version bumps for changes in various policy modules by Sven Vermeulen Squid: Use a single pattern for brevity - Irc was already allowed to create tcp sockets, it only needed an + Irc was already allowed to create tcp sockets, it only needed an additional accept, and listen to be able to act as a proxy - Its probably a better idea to use the httpd_sys_ra_content_t type sid + Its probably a better idea to use the httpd_sys_ra_content_t type sid for logs in these locations - Module version bump for changes to the tcsd policy module by Lukas + Module version bump for changes to the tcsd policy module by Lukas Vrabec - Module version bump for changes to various policy modules by Miroslav + Module version bump for changes to various policy modules by Miroslav Grepl Module version bump for changes to the samba policy module by Dan Walsh - Module version bump for changes to the telepathy policy module by + Module version bump for changes to the telepathy policy module by Miroslav Grepl We do not have a boinc domain type attribute Change boolean description a bit Additional rabbitmq couchdb support - Module version bumps for changes to various policy modules by Miroslav + Module version bumps for changes to various policy modules by Miroslav Grepl Additional git tcp networking rules Additional ktalkd udp networking rules 
@@ -889,25 +889,25 @@ Dominick Grift (126): Addtional tgtd tcp networking rules Additional polipo tcp networking rules Fix asterisk files_spool_filetrans() - Module version bump for changes to the networkmanager policy module by + Module version bump for changes to the networkmanager policy module by Lukas Vrabec - Additional fs_tmpfs_filetrans() for munin service plugin content on + Additional fs_tmpfs_filetrans() for munin service plugin content on tmpfs - Module version bump for changes to various policy modules by Miroslav + Module version bump for changes to various policy modules by Miroslav Grepl - Support rlogind, and telnetd as init daemon domains ( i think fedora is + Support rlogind, and telnetd as init daemon domains ( i think fedora is campaigning to get rid of (x)?inetd ) - Support mariadb logging, file context specification for mariadb specific + Support mariadb logging, file context specification for mariadb specific config location - Change logwatch boolean identifier to something more self-documenting. + Change logwatch boolean identifier to something more self-documenting. Additional tcp networking rules - Module version bump for changes to various policy modules by Miroslav + Module version bump for changes to various policy modules by Miroslav Grepl Fix inconsistencies in the pkcs policy module Fix fetchmail inconsistencies Module version bump for changes in various policy modules by Dan Walsh Support for window managers to stream socket connect to pulseaudio - Logwatch does not need to be able to bind tcp sockets to generic nodes + Logwatch does not need to be able to bind tcp sockets to generic nodes since its only connecting Adds userhelper_exec_consolehelper for window managers Remove duplicate rules due to addition of auth_use_nsswitch() 
@@ -918,7 +918,7 @@ Dominick Grift (126): condor_conf_t Hit by a nasty optional policy nesting issue We will find another way to run pa as a system server - Module version bump for changes to various policy modules by Miroslav + Module version bump for changes to various policy modules by Miroslav Grepl Clean up hypervkvp policy module (seems incomplete) Clean up initial redis policy module 
@@ -950,45 +950,45 @@ Dominick Grift (126): stops avahi via its init script. I also created a avahi_manage_pid_files() for udev_t because the script manages a file called "checked_nameservers.*" in /run/avahi-daemon - Cleanups of various modules with regard to regular expressions and white + Cleanups of various modules with regard to regular expressions and white space - apt: As it turns out the /var/backups directory is labeled in the backup + apt: As it turns out the /var/backups directory is labeled in the backup module (which i incidentally did not have installed earlier). Instead of creating this file with a file type transition to apt_var_cache_t, allow apt_t to manage backup_store files - mta: this needs to be verified again, it should just have been running + mta: this needs to be verified again, it should just have been running in exim_t. I might have taken this from old logs mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian - slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on + slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on Debian dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow /etc/cron.daily/dpkg to manage backup store files on Debian cron: consistent usage of regular expressions cron: prelink no longer runs in the system cronjob domain - alsa: alsactl wants to associate pulse-shm-.* to device_t type - filesystems. This happens early on but i do not understand how that + alsa: alsactl wants to associate pulse-shm-.* to device_t type + filesystems. 
This happens early on but i do not understand how that (/dev) relates to /dev/shm in this regard devicekit: reads udev pid files modemmanager: reads udev pid files vdagent: spice-vdagentd uses /dev/vport1p1 virtio console - tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes + tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes /dev/pts/0 inherited from init script revert regular expressions wm: allow $1_wm_t to stream connect to $1_gkeyringd_t - mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and + mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and to read exim var lib files. - mta: These are duplicates because system_mail_t is a user_mail_domain, - as it is based off of the mta_base_mail_template() which assigns that + mta: These are duplicates because system_mail_t is a user_mail_domain, + as it is based off of the mta_base_mail_template() which assigns that type attribute locate: extra rules needed by debian /etc/cron.daily/locate script - backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to + backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to /var/backups - avahi: create interfaces that will allow calles to create avahi pid dirs + avahi: create interfaces that will allow calles to create avahi pid dirs and create specifc avahi pid objects with a type transition (for udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in Debian Initial gdomap policy module Initial minissdpd policy module - alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of + alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of weird things related to pulseaudio various: revert regex fixes: fcsort does not want this now gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket 
@@ -1211,7 +1211,7 @@ Dominick Grift (889): fcoemon sends to lldpad with a dgram socket Initial quantum policy module Initial dspam policy module - Module version bump for Telepathy file context spec fixes from Laurent + Module version bump for Telepathy file context spec fixes from Laurent Bigonville. Initial isns policy module Various changes to tcs policy module @@ -1257,7 +1257,7 @@ Dominick Grift (889): Changes to the abrt policy module and relevant dependencies numad sends/receives msgs from Fedora Amtu executable file in installed in /usr/sbin in Fedora - The (usr/)? expression does not work consistently so better not use it + The (usr/)? expression does not work consistently so better not use it at all Changes to the httpd policy module Merge branch 'master' of @@ -1308,7 +1308,7 @@ Dominick Grift (889): Changes to the ccs policy module Changes to the cdrecord policy module Changes to the certmaster policy module and various role attribute fixes - cdrecord needs to read and write callers unix domain stream socket not + cdrecord needs to read and write callers unix domain stream socket not create it Changes to the certmonger policy module and its dependencies Initial cachefilesd policy module @@ -1354,9 +1354,9 @@ Dominick Grift (889): Changes to the djbdns policy module Changes to the dkim policy module Changes to the dmidecode policy module - Module bump for Laurent Bigonville trousers init script file context + Module bump for Laurent Bigonville trousers init script file context specification fix - Module bump for Laurent Bigonville libvirt init script file context + Module bump for Laurent Bigonville libvirt init script file context specification fix Changes to the dnsmasq policy module and relevant dependencies Changes to the dovecot policy module 
@@ -1383,7 +1383,7 @@ Dominick Grift (889): Initial glusterfs policy module Add gatekeeper newline Deprecate glusterd_admin() use glusterfs_admin() instead - Portage module version bump for autofs support by Matthew Thode and + Portage module version bump for autofs support by Matthew Thode and clean up cfengine: This location is now labeled with a cfengine private type Changes to the slpd policy module @@ -1395,8 +1395,8 @@ Dominick Grift (889): Changes to the gnomeclock policy module Deprecate various DBUS interfaces and relevant dependencies Changes to the cachefilesd policy module - Remove file context specification for kgpg which is a GUI frontend to - GPG. Domain transition to gpg_t will happen when kgpg runs gpg. + Remove file context specification for kgpg which is a GUI frontend to + GPG. Domain transition to gpg_t will happen when kgpg runs gpg. (rhbz#862229) Initial mandb policy module Changes to the hadoop policy module @@ -1492,7 +1492,7 @@ Dominick Grift (889): Changes to the iodine policy module Changes to the kerberos policy module Changes to the kdumpgui policy module - Update deprecated interface calls ( gnome_read_config -> + Update deprecated interface calls ( gnome_read_config -> gnome_read_generic_home_content ) Changes to the mozilla policy module Changes to the thunderbird policy module @@ -1663,7 +1663,7 @@ Dominick Grift (889): Fix a fatal syntax error in mozilla_plugin_role() Changes to the plymouth policy module Changes to the policykit policy module - Module version bump for fixes in shorewall, fail2ban and portage policy + Module version bump for fixes in shorewall, fail2ban and portage policy modules by Sven Vermeulen Tab clean up in the puppet file context file Changes to ther puppet policy module and relevant dependencies 
@@ -1696,7 +1696,7 @@ Dominick Grift (889): Tab clean up in the razor file context file Changes to the razor policy module and relevant dependencies Smokeping cgi needs to run ping with a domain transition Remove - redundant socket create already provided by + redundant socket create already provided by sysnet_dns_name_resolve() Changes to the virt policy module Changes to the apache policy module @@ -1779,7 +1779,7 @@ Dominick Grift (889): Changes to the shutdown policy module and relevant dependencies Tab clean up in the slocate file context file Changes to the slocate policy module and relevant dependencies - These domains transition to shutdown domain now so they no longer need + These domains transition to shutdown domain now so they no longer need direct access Re-add missing network rule in screen policy module fail2ban server sets scheduler @@ -1802,7 +1802,7 @@ Dominick Grift (889): Changes to the soundserver policy module Tab clean up in the spamassassin file context file Changes to the spamassassin policy module and relevant dependendies - spamassassin_role callers create ~/.spamd with the spamd_home_t user + spamassassin_role callers create ~/.spamd with the spamd_home_t user home type instead Re-add sys_admin capability that was lost with porting from Fedora Move mailscanner content to mailscanner module @@ -1865,7 +1865,7 @@ Dominick Grift (889): Changes to the ulogd policy module Tab clean up in the uml file context file Changes to the uml policy module - Make it so that irc clients can also get attributes of cifs, nfs, fuse + Make it so that irc clients can also get attributes of cifs, nfs, fuse and other file systems Changes to the updfstab policy module Changes to the uptime policy module 
@@ -1954,7 +1954,7 @@ Dominick Grift (889): Zabbix sends signals from Fedora Blueman sets scheduler and sends signals from Fedora pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead - Module version bumps for fixes in portage and virt modules by Sven + Module version bumps for fixes in portage and virt modules by Sven Vermeulen Policy module version bumps for various changes by Sven Vermeulen Changes to the openvpn policy module @@ -2020,11 +2020,11 @@ Dominick Grift (889): Changes to the amavis policy module Changes to the ppp policy module Initial jockey policy module - Module version bumps for "several named transition for directories - created in /var/run by initscripts" in various modules by Laurent + Module version bumps for "several named transition for directories + created in /var/run by initscripts" in various modules by Laurent Bigonville Module version bumps for fixes in various modules by Laurent Bigonville - Module version bump for changes to the consolekit policy module by + Module version bump for changes to the consolekit policy module by Laurent Bigonville Changes to the stunnel policy module Module version bumps for fixes in various modules by Sven Vermeulen @@ -2063,7 +2063,7 @@ Dominick Grift (889): Changes to the wdmd policy module and relevant dependencies Changes to the nscd policy module and relevant dependencies Changes to the dbus policy module - Module version bumps for fixes in various policy modules by Laurent + Module version bumps for fixes in various policy modules by Laurent Bigonville Changes to the cups policy module Changes to the dbus policy module 
@@ -2071,25 +2071,25 @@ Dominick Grift (889): Remove redundant net_bind_service capabilities in various modules Changes to the virt policy module Changes to the puppet policy module - Module version bumps for fixes in various policy module by Sven + Module version bumps for fixes in various policy module by Sven Vermeulen - Module version bumps for file context fixes in various policy modules by + Module version bumps for file context fixes in various policy modules by Laurent Bigonville Make httpd_manage_all_user_content() do what it advertises Add more networking rules to mplayer policy module for compatibility - Fix fcronsighup file context. Should be crontab_exec_t as per previous + Fix fcronsighup file context. Should be crontab_exec_t as per previous spec Module version bumps for changes in various modules by Sven Vermeulen Move asterisk_exec() and modify XML header - Consolekit creates /var/run/console directories with a type transition + Consolekit creates /var/run/console directories with a type transition unconditionally - Module version bump in consolekit policy module for changes by Sven + Module version bump in consolekit policy module for changes by Sven Vermeulen - The imaplogin executable file should be courier_pop_exec_t according to + The imaplogin executable file should be courier_pop_exec_t according to existing file context specification - Module version bump for changes to the fail2ban policy module by Sven + Module version bump for changes to the fail2ban policy module by Sven Vermeulen - Modules version bumps for changes in various policy modules by Sven + Modules version bumps for changes in various policy modules by Sven Vermeulen Laurent Bigonville (28): @@ -2212,4 +2212,3 @@ Sven Vermeulen (75): Add setuid/setgid capability to ulogd_t Support tmux control socket Postfix creates defer(red) queue locations - diff --git a/Changelog.old b/Changelog.old index 672e632aa..ca4654770 100644 --- a/Changelog.old +++ b/Changelog.old 
@@ -181,7 +181,7 @@ vhostmd (Dan Walsh) * Tue Nov 17 2009 Chris PeBenito - 2.20091117 -- Add separate x_pointer and x_keyboard classes inheriting from x_device. +- Add separate x_pointer and x_keyboard classes inheriting from x_device. From Eamon Walsh. - Deprecated the userdom_xwindows_client_template(). - Misc Gentoo fixes from Corentin Labbe. @@ -713,7 +713,7 @@ xserver * Tue Jan 17 2006 Chris PeBenito - 20060117 -- Adds support for generating corenetwork interfaces based on attributes +- Adds support for generating corenetwork interfaces based on attributes in addition to types. - Permits the listing of multiple nodes in a network_node() that will be given the same type. @@ -777,7 +777,7 @@ - Add appconfig dependency to the load target. - Miscellaneous fixes from Dan Walsh. - Fix corenetwork gen_context()'s to expand during the policy - build phase instead of during the generation phase. + build phase instead of during the generation phase. - Added policies: amanda avahi diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts index 8f506fa57..15d6a955d 100644 --- a/config/appconfig-mcs/staff_u_default_contexts +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -8,4 +8,3 @@ staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 - diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts index 24af20b93..975222baa 100644 --- a/config/appconfig-mcs/user_u_default_contexts +++ b/config/appconfig-mcs/user_u_default_contexts @@ -6,4 +6,3 @@ system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 - diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts index 8f506fa57..15d6a955d 100644 
--- a/config/appconfig-mls/staff_u_default_contexts +++ b/config/appconfig-mls/staff_u_default_contexts @@ -8,4 +8,3 @@ staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 - diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts index 24af20b93..975222baa 100644 --- a/config/appconfig-mls/user_u_default_contexts +++ b/config/appconfig-mls/user_u_default_contexts @@ -6,4 +6,3 @@ system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 - diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts index 85a35fb1b..8df24dec7 100644 --- a/config/appconfig-standard/guest_u_default_contexts +++ b/config/appconfig-standard/guest_u_default_contexts @@ -4,4 +4,3 @@ system_r:initrc_su_t guest_r:guest_t system_r:local_login_t guest_r:guest_t system_r:remote_login_t guest_r:guest_t system_r:sshd_t guest_r:guest_t - diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts index e44544f08..38bec4def 100644 --- a/config/appconfig-standard/staff_u_default_contexts +++ b/config/appconfig-standard/staff_u_default_contexts @@ -8,4 +8,3 @@ staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t sysadm_r:sysadm_su_t sysadm_r:sysadm_t sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t - diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts index 8b553c4bd..ef4fe2261 100644 --- a/config/appconfig-standard/user_u_default_contexts +++ b/config/appconfig-standard/user_u_default_contexts 
@@ -6,4 +6,3 @@ system_r:crond_t user_r:user_t user_r:cronjob_t system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t - diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 index d5500ddc4..44b3e15e6 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 @@ -116,5 +116,3 @@ This manual page was written by Dan Walsh . .SH "SEE ALSO" selinux(8), httpd(8), chcon(1), setsebool(8) - - diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 index 38b76352e..313bb5d24 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 @@ -26,5 +26,3 @@ This manual page was written by Dan Walsh . .SH "SEE ALSO" selinux(8), named(8), chcon(1), setsebool(8) - - diff --git a/man/ru/man8/ftpd_selinux.8 b/man/ru/man8/ftpd_selinux.8 index d94bf001f..4f897d8a7 100644 --- a/man/ru/man8/ftpd_selinux.8 +++ b/man/ru/man8/ftpd_selinux.8 @@ -53,5 +53,3 @@ service vsftpd restart .SH "СМОТРИ ТАКЖЕ" selinux(8), ftpd(8), chcon(1), setsebool(8) - - diff --git a/man/ru/man8/httpd_selinux.8 b/man/ru/man8/httpd_selinux.8 index dbf870337..4c58c83d9 100644 --- a/man/ru/man8/httpd_selinux.8 +++ b/man/ru/man8/httpd_selinux.8 @@ -133,5 +133,3 @@ setsebool -P httpd_can_network_connect 1 .SH "СМОТРИ ТАКЖЕ" selinux(8), httpd(8), chcon(1), setsebool(8) - - diff --git a/man/ru/man8/named_selinux.8 b/man/ru/man8/named_selinux.8 index dc3130684..c26877293 100644 --- a/man/ru/man8/named_selinux.8 +++ b/man/ru/man8/named_selinux.8 @@ -27,5 +27,3 @@ setsebool -P named_write_master_zones 1 .SH "СМОТРИ ТАКЖЕ" selinux(8), named(8), chcon(1), setsebool(8) - - diff --git a/policy/constraints b/policy/constraints index 1cbbe2fba..b1e26189e 100644 --- a/policy/constraints +++ b/policy/constraints 
@@ -91,7 +91,7 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } ( u1 == u2 or ( t1 == can_change_process_identity and t2 == process_user_target ) - or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) or ( t1 == can_system_change and u2 == system_u ) or ( t1 == process_uncond_exempt ) ); @@ -100,7 +100,7 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } ( r1 == r2 or ( t1 == can_change_process_role and t2 == process_user_target ) - or ( t1 == cron_source_domain and t2 == cron_job_domain ) + or ( t1 == cron_source_domain and t2 == cron_job_domain ) or ( t1 == can_system_change and r2 == system_r ) or ( t1 == process_uncond_exempt ) ); diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 34b1a2c60..d5bb02ba6 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -289,4 +289,3 @@ optional_policy(` logging_read_all_logs(logrotate_mail_t) ') - diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te index d50439375..3fcbfd54c 100644 --- a/policy/modules/admin/sectoolm.te +++ b/policy/modules/admin/sectoolm.te @@ -105,4 +105,3 @@ optional_policy(` rpm_exec(sectoolm_t) rpm_dontaudit_manage_db(sectoolm_t) ') - diff --git a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te index 01493bd35..698c87175 100644 --- a/policy/modules/apps/sigrok.te +++ b/policy/modules/apps/sigrok.te @@ -1,5 +1,5 @@ policy_module(sigrok, 1.0.1) - + ######################################## # # Declarations diff --git a/policy/modules/apps/syncthing.te b/policy/modules/apps/syncthing.te index 050e3659c..8c0d5741e 100644 --- a/policy/modules/apps/syncthing.te +++ b/policy/modules/apps/syncthing.te 
@@ -62,4 +62,3 @@ miscfiles_read_localization(syncthing_t) userdom_user_content_access_template(syncthing, syncthing_t) userdom_use_user_terminals(syncthing_t) - diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 73f2e3b25..1f3524f63 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -1482,7 +1482,7 @@ interface(`domain_mmap_low_uncond',` interface(`domain_all_recvfrom_all_domains',` gen_require(` attribute domain; - ') + ') corenet_all_recvfrom_labeled($1, domain) ') @@ -1493,7 +1493,7 @@ interface(`domain_all_recvfrom_all_domains',` ## ## ##

-## When setting up IMA/EVM key(s) are added to the +## When setting up IMA/EVM key(s) are added to the ## kernel keyring but the type of the key is the domain ## adding the key. This interface will allow all domains ## search the key so IMA/EVM validation can happen. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 3a93e1419..f63193010 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6808,7 +6808,7 @@ interface(`files_manage_all_pid_dirs',` # interface(`files_read_all_pids',` refpolicywarn(`$0($*) has been deprecated, please use files_read_all_runtime_files() instead.') - files_read_all_runtime_files($1) + files_read_all_runtime_files($1) ') ######################################## diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 2e915da3e..3d03ba9ad 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -3698,4 +3698,3 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` allow $1 unlabeled_t:infiniband_endport manage_subnet; ') - diff --git a/policy/modules/kernel/ubac.te b/policy/modules/kernel/ubac.te index 0a57c4125..0dd3efe8f 100644 --- a/policy/modules/kernel/ubac.te +++ b/policy/modules/kernel/ubac.te @@ -16,4 +16,3 @@ attribute ubacxwin; attribute ubacdbus; attribute ubackey; attribute ubacdb; - diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if index bb6a5feba..bc0603da5 100644 --- a/policy/modules/roles/secadm.if +++ b/policy/modules/roles/secadm.if @@ -48,4 +48,3 @@ interface(`secadm_role_change_to_template',` allow secadm_r $1; ') - diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index f0370b426..fd327e969 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1363,4 +1363,3 @@ ifndef(`distro_redhat',` java_role(sysadm_r, sysadm_t) ') ') - 
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 1e147586d..e763b4b9f 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -249,7 +249,6 @@ interface(`abrt_read_pid_files',` interface(`abrt_manage_pid_files',` refpolicywarn(`$0($*) has been deprecated, please use abrt_manage_runtime_files() instead.') abrt_manage_runtime_files($1) - ') ###################################### diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index 2ac089a4a..a2c447a1d 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -144,4 +144,3 @@ userdom_use_user_terminals(chronyc_t) chronyd_dgram_send(chronyc_t) chronyd_read_config(chronyc_t) - diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if index 4bfb59a6f..85f072950 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if @@ -164,7 +164,7 @@ interface(`dnsmasq_delete_pid_files',` # interface(`dnsmasq_manage_pid_files',` refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_manage_runtime_files() instead.') - dnsmasq_manage_runtime_files($1) + dnsmasq_manage_runtime_files($1) ') ######################################## diff --git a/policy/modules/services/mon.if b/policy/modules/services/mon.if index 4701724e6..3fa2acfb3 100644 --- a/policy/modules/services/mon.if +++ b/policy/modules/services/mon.if @@ -35,4 +35,3 @@ interface(`mon_dontaudit_search_var_lib',` dontaudit $1 mon_var_lib_t:dir search; ') - diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te index 1e831e080..50a86dbac 100644 --- a/policy/modules/services/oident.te +++ b/policy/modules/services/oident.te 
@@ -58,10 +58,10 @@ userdom_search_user_home_dirs(oidentd_t) tunable_policy(`use_samba_home_dirs',` fs_list_cifs(oidentd_t) - fs_read_cifs_files(oidentd_t) + fs_read_cifs_files(oidentd_t) ') tunable_policy(`use_nfs_home_dirs',` fs_list_nfs(oidentd_t) - fs_read_nfs_files(oidentd_t) + fs_read_nfs_files(oidentd_t) ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 558ef3e02..4ba31d934 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -304,4 +304,3 @@ optional_policy(` optional_policy(` hal_read_state(policykit_resolve_t) ') - diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index 1e7c5be8f..828c9964b 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -98,4 +98,3 @@ optional_policy(` optional_policy(` udev_read_db(stunnel_t) ') - diff --git a/policy/modules/services/tpm2.if b/policy/modules/services/tpm2.if index a0166bb8c..6cc9421cb 100644 --- a/policy/modules/services/tpm2.if +++ b/policy/modules/services/tpm2.if @@ -130,7 +130,7 @@ interface(`tpm2_dbus_chat_abrmd',` ## ##

## Allow the tpm to open and read pipes from other -## domain. This is seen when piping input to one +## domain. This is seen when piping input to one ## of the tpm2_* processes. For example: ## sha512sum my_file | tpm2_hmac -k 0x81001000 -g sha256 /dev/stdin ##

@@ -224,4 +224,3 @@ interface(`tpm2_rw_abrmd_pipes',` allow $1 tpm2_abrmd_t:fd use; allow $1 tpm2_abrmd_t:fifo_file rw_fifo_file_perms; ') - diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 7ecdaaef0..c245ca190 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1301,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') - files_search_tmp($1) + files_search_tmp($1) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') @@ -1413,7 +1413,7 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') - allow $1 xserver_t:process siginh; + allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index ee606537d..e633217fe 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -968,4 +968,3 @@ interface(`miscfiles_manage_localization',` manage_files_pattern($1, locale_t, locale_t) manage_lnk_files_pattern($1, locale_t, locale_t) ') - diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 8fd009742..8fb78caf6 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -194,4 +194,3 @@ optional_policy(` xserver_getattr_log(kmod_t) ') - diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 0704e388d..ee74b0787 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -257,4 +257,3 @@ interface(`mount_rw_runtime_files',` rw_files_pattern($1, mount_runtime_t, mount_runtime_t) ') - diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index fddf9f693..2a2c2940f 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc 
@@ -92,4 +92,3 @@ ifdef(`distro_debian',` /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) /run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) ') - diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index feac7cb1d..b48612f19 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -79,4 +79,3 @@ /run/tmpfiles\.d/.* <> /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) - diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 52da11acd..7e57d0de6 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -422,4 +422,3 @@ kernel_read_kernel_sysctls(udevadm_t) kernel_read_system_state(udevadm_t) seutil_read_file_contexts(udevadm_t) - diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e9556084f..81892e967 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3215,7 +3215,7 @@ interface(`userdom_relabel_user_tmpfs_files',` ######################################## ## -## Make the specified type usable in +## Make the specified type usable in ## the directory /run/user/%{USERID}/. ## ##