From: David Sugar
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Move 'locallogin_*' interface uses into 'optional_policy'
Date: Sat, 17 Nov 2018 04:37:28 +0000
Message-ID: <20181117043653.25812-1-dsugar@tresys.com>
Allow the locallogin module to be turned off. This required any interface
use to be moved into an optional_policy block.

Signed-off-by: Dave Sugar
---
 policy/modules/admin/dmidecode.te         |  7 +++++--
 policy/modules/admin/firstboot.te         |  6 ++++--
 policy/modules/admin/mcelog.te            |  6 ++++--
 policy/modules/admin/tzdata.te            |  6 ++++--
 policy/modules/admin/vpn.te               |  6 ++++--
 policy/modules/apps/java.te               |  6 ++++--
 policy/modules/apps/loadkeys.te           |  6 ++++--
 policy/modules/apps/wm.te                 |  6 ++++--
 policy/modules/services/bluetooth.te      |  5 ++++-
 policy/modules/services/chronyd.te        |  5 +++--
 policy/modules/services/oddjob.te         |  6 ++++--
 policy/modules/services/pcscd.te          |  6 ++++--
 policy/modules/services/pyzor.te          |  6 ++++--
 policy/modules/services/ricci.te          | 12 ++++++++----
 policy/modules/services/samba.te          |  6 ++++--
 policy/modules/services/setroubleshoot.te |  6 ++++--
 policy/modules/services/sysstat.te        |  6 ++++--
 policy/modules/services/xserver.te        |  6 ++++--
 policy/modules/system/getty.te            |  6 ++++--
 policy/modules/system/ipsec.te            | 12 ++++++++----
 policy/modules/system/setrans.te          |  6 ++++--
 policy/modules/system/systemd.te          |  6 ++++--
 policy/modules/system/xen.te              |  6 ++++--
 23 files changed, 100 insertions(+), 49 deletions(-)

diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmide= code.te
index bda30744..e5a481fa 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -29,6 +29,9 @@ files_list_usr(dmidecode_t) =20 mls_file_read_all_levels(dmidecode_t) =20 -locallogin_use_fds(dmidecode_t) - userdom_use_inherited_user_terminals(dmidecode_t) + +optional_policy(` + locallogin_use_fds(dmidecode_t) +') + diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/first= boot.te index 2ac82a13..140933f4 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t) libs_exec_ld_so(firstboot_t) libs_exec_lib_files(firstboot_t) =20 -locallogin_use_fds(firstboot_t) - logging_send_syslog_msg(firstboot_t) =20 miscfiles_read_localization(firstboot_t) @@ -96,6 +94,10 @@ optional_policy(` ') ') =20 +optional_policy(` + locallogin_use_fds(firstboot_t) +') + optional_policy(` modutils_domtrans(firstboot_t) modutils_read_module_config(firstboot_t) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.t= e index 1c342132..1728052e 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t) =20 mls_file_read_all_levels(mcelog_t) =20 -locallogin_use_fds(mcelog_t) - miscfiles_read_localization(mcelog_t) =20 tunable_policy(`mcelog_client',` @@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',` optional_policy(` cron_system_entry(mcelog_t, mcelog_exec_t) ') + +optional_policy(` + locallogin_use_fds(mcelog_t) +') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.t= e index cbfb2299..35cd0fcc 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te 
@@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t) =20 term_dontaudit_list_ptys(tzdata_t) =20 -locallogin_dontaudit_use_fds(tzdata_t) - miscfiles_read_localization(tzdata_t) miscfiles_manage_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t) =20 userdom_use_user_terminals(tzdata_t) =20 +optional_policy(` + locallogin_dontaudit_use_fds(tzdata_t) +') + optional_policy(` postfix_search_spool(tzdata_t) ') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index 65de9063..99a9310b 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t) libs_exec_ld_so(vpnc_t) libs_exec_lib_files(vpnc_t) =20 -locallogin_use_fds(vpnc_t) - logging_send_syslog_msg(vpnc_t) logging_dontaudit_search_logs(vpnc_t) =20 @@ -122,6 +120,10 @@ optional_policy(` ') ') =20 +optional_policy(` + locallogin_use_fds(vpnc_t) +') + optional_policy(` networkmanager_attach_tun_iface(vpnc_t) ') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 6502efeb..5cb8588d 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -139,11 +139,13 @@ corecmd_search_bin(java_t) =20 dev_read_sysfs(java_t) =20 -locallogin_use_fds(java_t) - userdom_read_user_tmp_files(java_t) userdom_use_user_terminals(java_t) =20 +optional_policy(` + locallogin_use_fds(java_t) +') + optional_policy(` xserver_user_x_domain_template(java, java_t, java_tmpfs_t) ') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys= .te index 1976e2cb..71725fde 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t) =20 init_read_script_tmp_files(loadkeys_t) =20 -locallogin_use_fds(loadkeys_t) - miscfiles_read_localization(loadkeys_t) =20 userdom_use_user_ttys(loadkeys_t) 
@@ -52,6 +50,10 @@ optional_policy(` keyboardd_read_pipes(loadkeys_t) ') =20 +optional_policy(` + locallogin_use_fds(loadkeys_t) +') + optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te index df481cc7..99bf1299 100644 --- a/policy/modules/apps/wm.te +++ b/policy/modules/apps/wm.te @@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain) kernel_read_proc_symlinks(wm_domain) kernel_read_sysctl(wm_domain) =20 -locallogin_dontaudit_use_fds(wm_domain) - miscfiles_read_fonts(wm_domain) miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) @@ -120,6 +118,10 @@ optional_policy(` games_dbus_chat(wm_domain) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(wm_domain) +') + optional_policy(` # gnome-shell mount_exec(wm_domain) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services= /bluetooth.te index 45e5a361..1498e243 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t) =20 auth_use_nsswitch(bluetooth_helper_t) =20 -locallogin_dontaudit_use_fds(bluetooth_helper_t) =20 logging_send_syslog_msg(bluetooth_helper_t) =20 @@ -223,6 +222,10 @@ optional_policy(` dbus_connect_system_bus(bluetooth_helper_t) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(bluetooth_helper_t) +') + optional_policy(` xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, blue= tooth_helper_tmpfs_t) ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/c= hronyd.te index 77716407..54985b68 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t) files_read_etc_files(chronyc_t) files_read_usr_files(chronyc_t) =20 -locallogin_use_fds(chronyc_t) - logging_send_syslog_msg(chronyc_t) =20 sysnet_read_config(chronyc_t) 
@@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t) chronyd_dgram_send(chronyc_t) chronyd_read_config(chronyc_t) =20 +optional_policy(` + locallogin_use_fds(chronyc_t) +') diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/od= djob.te index 39e2dcf5..e656bea6 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t) =20 miscfiles_read_localization(oddjob_t) =20 -locallogin_dontaudit_use_fds(oddjob_t) - optional_policy(` dbus_system_bus_client(oddjob_t) dbus_connect_system_bus(oddjob_t) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(oddjob_t) +') + optional_policy(` unconfined_domtrans(oddjob_t) ') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcs= cd.te index 247fe5c8..bca54f9d 100644 --- a/policy/modules/services/pcscd.te +++ b/policy/modules/services/pcscd.te @@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) =20 -locallogin_use_fds(pcscd_t) - logging_send_syslog_msg(pcscd_t) =20 miscfiles_read_localization(pcscd_t) @@ -79,6 +77,10 @@ optional_policy(` ') ') =20 +optional_policy(` + locallogin_use_fds(pcscd_t) +') + optional_policy(` openct_stream_connect(pcscd_t) openct_read_pid_files(pcscd_t) diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyz= or.te index 3119df00..cdea0bfd 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t) =20 logging_send_syslog_msg(pyzord_t) =20 -locallogin_dontaudit_use_fds(pyzord_t) - miscfiles_read_localization(pyzord_t) =20 userdom_dontaudit_search_user_home_dirs(pyzord_t) =20 mta_manage_spool(pyzord_t) + +optional_policy(` + locallogin_dontaudit_use_fds(pyzord_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ric= ci.te index d808ab66..048ae41e 100644 
--- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -145,8 +145,6 @@ auth_append_login_records(ricci_t) =20 init_stream_connect_script(ricci_t) =20 -locallogin_dontaudit_use_fds(ricci_t) - logging_send_syslog_msg(ricci_t) =20 miscfiles_read_localization(ricci_t) @@ -173,6 +171,10 @@ optional_policy(` oddjob_system_entry(ricci_t, ricci_exec_t) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(ricci_t) +') + optional_policy(` rpm_use_script_fds(ricci_t) ') @@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t) =20 init_stream_connect_script(ricci_modclusterd_t) =20 -locallogin_dontaudit_use_fds(ricci_modclusterd_t) - logging_send_syslog_msg(ricci_modclusterd_t) =20 miscfiles_read_localization(ricci_modclusterd_t) @@ -351,6 +351,10 @@ optional_policy(` ccs_read_config(ricci_modclusterd_t) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(ricci_modclusterd_t) +') + optional_policy(` rgmanager_stream_connect(ricci_modclusterd_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/sam= ba.te index 6d8c0cbe..eb497b8d 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t) =20 mount_use_fds(smbmount_t) =20 -locallogin_use_fds(smbmount_t) - logging_search_logs(smbmount_t) =20 userdom_use_user_terminals(smbmount_t) @@ -731,6 +729,10 @@ optional_policy(` cups_read_rw_config(smbmount_t) ') =20 +optional_policy(` + locallogin_use_fds(smbmount_t) +') + ######################################## # # Swat Local policy diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/ser= vices/setroubleshoot.te index 3ee1e0d5..56dc8c2c 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te 
@@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t) =20 libs_exec_ld_so(setroubleshootd_t) =20 -locallogin_dontaudit_use_fds(setroubleshootd_t) - logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) @@ -132,6 +130,10 @@ optional_policy(` ') ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(setroubleshootd_t) +') + optional_policy(` locate_read_lib_files(setroubleshootd_t) ') diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/s= ysstat.te index ffa56160..2ef803d0 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t) =20 init_use_fds(sysstat_t) =20 -locallogin_use_fds(sysstat_t) - logging_send_syslog_msg(sysstat_t) =20 miscfiles_read_localization(sysstat_t) @@ -70,3 +68,7 @@ optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) cron_rw_tmp_files(sysstat_t) ') + +optional_policy(` + locallogin_use_fds(sysstat_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/x= server.te index 7d4c0c1b..06022f2c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t) =20 getty_use_fds(xserver_t) =20 -locallogin_use_fds(xserver_t) - logging_send_syslog_msg(xserver_t) logging_send_audit_msgs(xserver_t) =20 @@ -841,6 +839,10 @@ optional_policy(` auth_search_pam_console_data(xserver_t) ') =20 +optional_policy(` + locallogin_use_fds(xserver_t) +') + optional_policy(` rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.t= e index 6d3c4284..88b408a9 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
@@ -85,8 +85,6 @@ auth_rw_login_records(getty_t) =20 init_rw_utmp(getty_t) =20 -locallogin_domtrans(getty_t) - logging_send_syslog_msg(getty_t) =20 miscfiles_read_localization(getty_t) @@ -114,6 +112,10 @@ optional_policy(` mta_send_mail(getty_t) ') =20 +optional_policy(` + locallogin_domtrans(getty_t) +') + optional_policy(` nscd_use(getty_t) ') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.t= e index 7dc80136..2855174d 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t) =20 ipsec_setcontext_default_spd(racoon_t) =20 -locallogin_use_fds(racoon_t) - logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) =20 @@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) ') =20 +optional_policy(` + locallogin_use_fds(racoon_t) +') + ######################################## # # Setkey local policy @@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t) # allow setkey to set the context for ipsec SAs and policy. corenet_setcontext_all_spds(setkey_t) =20 -locallogin_use_fds(setkey_t) - miscfiles_read_localization(setkey_t) =20 seutil_read_config(setkey_t) =20 userdom_use_user_terminals(setkey_t) =20 +optional_policy(` + locallogin_use_fds(setkey_t) +') + ######################################## # # ipsec_supervisor policy diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setra= ns.te index 24c3577e..3182f83e 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t) =20 init_dontaudit_use_script_ptys(setrans_t) =20 -locallogin_dontaudit_use_fds(setrans_t) - logging_send_syslog_msg(setrans_t) =20 miscfiles_read_localization(setrans_t) =20 seutil_libselinux_linked(setrans_t) =20 +optional_policy(` + locallogin_dontaudit_use_fds(setrans_t) +') + optional_policy(` rpm_use_script_fds(setrans_t) ') 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/syste= md.te index e9b74257..251094b9 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t) init_start_system(systemd_logind_t) init_stop_system(systemd_logind_t) =20 -locallogin_read_state(systemd_logind_t) - seutil_libselinux_linked(systemd_logind_t) seutil_read_default_contexts(systemd_logind_t) seutil_read_file_contexts(systemd_logind_t) @@ -514,6 +512,10 @@ optional_policy(` devicekit_dbus_chat_power(systemd_logind_t) ') =20 +optional_policy(` + locallogin_read_state(systemd_logind_t) +') + optional_policy(` modemmanager_dbus_chat(systemd_logind_t) ') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 04dd1ea7..67552cca 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t) =20 init_stream_connect_script(xend_t) =20 -locallogin_dontaudit_use_fds(xend_t) - logging_send_syslog_msg(xend_t) =20 miscfiles_read_localization(xend_t) @@ -340,6 +338,10 @@ optional_policy(` consoletype_exec(xend_t) ') =20 +optional_policy(` + locallogin_dontaudit_use_fds(xend_t) +') + optional_policy(` lvm_domtrans(xend_t) ') --=20 2.19.1
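Review bot: In the getty.te hunk the new optional_policy block for locallogin_domtrans(getty_t) is inserted between the mta_send_mail(getty_t) block and the nscd_use(getty_t) block; refpolicy keeps optional_policy blocks sorted by module name, so it belongs before the mta block. The commit message should also say what is expected on a build without the locallogin module: with locallogin_domtrans(getty_t) gone, getty_t gets no domain transition when it executes the login program, so login keeps running in getty_t. If that is the intended result of "turning off" locallogin it is worth stating; if not, getty should keep the hard dependency rather than wrapping it.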
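Review bot: The bluetooth.te hunk removes only locallogin_dontaudit_use_fds(bluetooth_helper_t) (header -210,7 +210,6) and keeps the empty lines on both sides of it, so auth_use_nsswitch(bluetooth_helper_t) and logging_send_syslog_msg(bluetooth_helper_t) are now separated by two blank lines; drop one of them, as the other hunks in this patch do by removing the call and its following blank line together.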
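Review bot: The dmidecode.te hunk ends with an added empty line after the closing ') and has no trailing context lines, so it adds a blank line at end of file, which git apply warns about; drop the final '+' line so the file ends at the ') as the other new blocks do (chronyd.te, mcelog.te, pyzor.te, sysstat.te).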