From: jason@perfinion.com (Jason Zaman) Date: Fri, 22 May 2015 18:08:42 +0400 Subject: [refpolicy] [PATCH 1/2] Use init_startstop_service in admin interfaces A-M Message-ID: <1432303723-7753-1-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Most foo_admin interfaces have transitions on the foo_initrc_exec_t to system_r. These are only applicable for RedHat <6. This replaces them with the interface init_startstop_service which can easily be changed for other init systems. make validate passes for all combinations of distros, standard/mcs/mls, monolithic y/n and direct_initrc y/n This patch is for files starting with A-M. --- abrt.if | 5 +---- acct.if | 5 +---- afs.if | 5 +---- aiccu.if | 5 +---- aisexec.if | 5 +---- amavis.if | 5 +---- amtu.if | 5 +---- apache.if | 5 +---- apcupsd.if | 5 +---- apm.if | 5 +---- arpwatch.if | 5 +---- asterisk.if | 5 +---- automount.if | 5 +---- avahi.if | 5 +---- bacula.if | 5 +---- bcfg2.if | 5 +---- bind.if | 5 +---- bird.if | 5 +---- bitlbee.if | 5 +---- bluetooth.if | 5 +---- boinc.if | 5 +---- cachefilesd.if | 5 +---- callweaver.if | 5 +---- canna.if | 5 +---- ccs.if | 5 +---- certmaster.if | 5 +---- certmonger.if | 5 +---- cfengine.if | 5 +---- cgroup.if | 7 ++----- chronyd.if | 5 +---- cipe.if | 5 +---- clamav.if | 5 +---- cmirrord.if | 5 +---- cobbler.if | 5 +---- collectd.if | 5 +---- condor.if | 5 +---- corosync.if | 5 +---- couchdb.if | 5 +---- ctdb.if | 5 +---- cups.if | 5 +---- cvs.if | 5 +---- cyphesis.if | 5 +---- cyrus.if | 5 +---- dante.if | 5 +---- ddclient.if | 5 +---- denyhosts.if | 5 +---- dhcp.if | 5 +---- dictd.if | 5 +---- dirmngr.if | 5 +---- distcc.if | 5 +---- dkim.if | 5 +---- dnsmasq.if | 5 +---- dnssectrigger.if | 5 +---- dovecot.if | 5 +---- drbd.if | 5 +---- dspam.if | 5 +---- entropyd.if | 5 +---- exim.if | 5 +---- fail2ban.if | 5 +---- fcoe.if | 5 +---- fetchmail.if | 5 +---- firewalld.if | 5 +---- ftp.if | 5 +---- gatekeeper.if | 5 +---- gdomap.if | 5 +---- glance.if | 6 ++---- glusterfs.if | 5 +---- gpm.if | 5 +---- gpsd.if | 5 +---- hadoop.if | 5 +---- hddtemp.if | 5 +---- howl.if | 5 +---- hypervkvp.if | 5 +---- i18n_input.if | 5 +---- icecast.if | 5 +---- ifplugd.if | 5 +---- inn.if | 5 +---- iodine.if | 5 +---- ircd.if | 5 +---- irqbalance.if | 5 +---- iscsi.if | 5 +---- isns.if | 5 +---- jabber.if | 5 +---- kdump.if | 5 +---- kerberos.if | 5 +---- kerneloops.if | 5 +---- keystone.if | 5 +---- kismet.if | 5 +---- ksmtuned.if | 5 +---- kudzu.if | 5 +---- l2tp.if | 5 +---- ldap.if | 5 +---- likewise.if | 5 +---- lircd.if | 5 +---- lldpad.if | 5 +---- mailscanner.if | 5 +---- mcelog.if | 5 +---- memcached.if | 5 +---- minidlna.if | 5 +---- minissdpd.if | 5 +---- mongodb.if | 5 +---- monop.if | 5 +---- mpd.if | 5 +---- mrtg.if | 5 +---- munin.if | 5 +---- mysql.if | 6 ++---- 106 files changed, 109 insertions(+), 425 deletions(-) diff --git a/abrt.if b/abrt.if index 058d908..39b6d29 100644 --- a/abrt.if +++ b/abrt.if @@ -304,10 +304,7 @@ interface(`abrt_admin',` allow $1 abrt_domain:process { ptrace signal_perms }; ps_process_pattern($1, abrt_domain) - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t) files_search_etc($1) admin_pattern($1, abrt_etc_t) diff --git a/acct.if b/acct.if index 81280d0..59d95d0 100644 --- a/acct.if +++ b/acct.if @@ -106,10 +106,7 @@ interface(`acct_admin',` allow $1 acct_t:process { ptrace signal_perms }; ps_process_pattern($1, acct_t) - init_labeled_script_domtrans($1, acct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 acct_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, acct_t, acct_initrc_exec_t) logging_search_logs($1) admin_pattern($1, acct_data_t) diff --git a/afs.if b/afs.if index 3b41be6..d934f45 100644 --- a/afs.if +++ b/afs.if @@ -103,10 +103,7 @@ interface(`afs_admin',` allow $1 afs_domain:process { ptrace signal_perms }; ps_process_pattern($1, afs_domain) - afs_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 afs_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t) files_search_etc($1) admin_pattern($1, afs_config_t) diff --git a/aiccu.if b/aiccu.if index 3b5dcb9..cd22faa 100644 --- a/aiccu.if +++ b/aiccu.if @@ -82,10 +82,7 @@ interface(`aiccu_admin',` allow $1 aiccu_t:process { ptrace signal_perms }; ps_process_pattern($1, aiccu_t) - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t) admin_pattern($1, aiccu_etc_t) files_list_etc($1) diff --git a/aisexec.if b/aisexec.if index a2997fa..9e1a105 100644 --- a/aisexec.if +++ b/aisexec.if @@ -86,10 +86,7 @@ interface(`aisexecd_admin',` allow $1 aisexec_t:process { ptrace signal_perms }; ps_process_pattern($1, aisexec_t) - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t) files_list_var_lib($1) admin_pattern($1, aisexec_var_lib_t) diff --git a/amavis.if b/amavis.if index 60d4f8c..f8a810c 100644 --- a/amavis.if +++ b/amavis.if @@ -237,10 +237,7 @@ interface(`amavis_admin',` allow $1 amavis_t:process { ptrace signal_perms }; ps_process_pattern($1, amavis_t) - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t) files_list_etc($1) admin_pattern($1, amavis_etc_t) diff --git a/amtu.if b/amtu.if index 884b23b..6942560 100644 --- a/amtu.if +++ b/amtu.if @@ -70,8 +70,5 @@ interface(`amtu_admin',` allow $1 amtu_t:process { ptrace signal_perms }; ps_process_pattern($1, amtu_t) - init_labeled_script_domtrans($1, amtu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 amtu_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t) ') diff --git a/apache.if b/apache.if index 717c6f7..16539db 100644 --- a/apache.if +++ b/apache.if @@ -1318,10 +1318,7 @@ interface(`apache_admin',` ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t) apache_manage_all_content($1) miscfiles_manage_public_files($1) diff --git a/apcupsd.if b/apcupsd.if index f3c0aba..3dda634 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -149,10 +149,7 @@ interface(`apcupsd_admin',` allow $1 apcupsd_t:process { ptrace signal_perms }; ps_process_pattern($1, apcupsd_t) - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t) files_list_var($1) admin_pattern($1, apcupsd_lock_t) diff --git a/apm.if b/apm.if index 1a7a97e..32a59e1 100644 --- a/apm.if +++ b/apm.if @@ -166,10 +166,7 @@ interface(`apm_admin',` allow $1 apmd_t:process { ptrace signal_perms }; ps_process_pattern($1, apmd_t) - init_labeled_script_domtrans($1, apmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apmd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t) logging_search_logs($1) admin_pattern($1, apmd_log_t) diff --git a/arpwatch.if b/arpwatch.if index 50c9b9c..76389b7 100644 --- a/arpwatch.if +++ b/arpwatch.if @@ -143,10 +143,7 @@ interface(`arpwatch_admin',` allow $1 arpwatch_t:process { ptrace signal_perms }; ps_process_pattern($1, arpwatch_t) - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t) files_list_tmp($1) admin_pattern($1, arpwatch_tmp_t) diff --git a/asterisk.if b/asterisk.if index 2077053..2e3f5a4 100644 --- a/asterisk.if +++ b/asterisk.if @@ -127,10 +127,7 @@ interface(`asterisk_admin',` allow $1 asterisk_t:process { ptrace signal_perms }; ps_process_pattern($1, asterisk_t) - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t) asterisk_exec($1) diff --git a/automount.if b/automount.if index f24e369..37847d9 100644 --- a/automount.if +++ b/automount.if @@ -159,10 +159,7 @@ interface(`automount_admin',` allow $1 automount_t:process { ptrace signal_perms }; ps_process_pattern($1, automount_t) - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, automount_t, automount_initrc_exec_t) files_list_etc($1) admin_pattern($1, automount_keytab_t) diff --git a/avahi.if b/avahi.if index 9078c3d..4652358 100644 --- a/avahi.if +++ b/avahi.if @@ -264,10 +264,7 @@ interface(`avahi_admin',` allow $1 avahi_t:process { ptrace signal_perms }; ps_process_pattern($1, avahi_t) - avahi_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t) files_search_pids($1) admin_pattern($1, avahi_var_run_t) diff --git a/bacula.if b/bacula.if index dcd774e..18ad480 100644 --- a/bacula.if +++ b/bacula.if @@ -74,10 +74,7 @@ interface(`bacula_admin',` allow $1 bacula_t:process { ptrace signal_perms }; ps_process_pattern($1, bacula_t) - init_labeled_script_domtrans($1, bacula_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bacula_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t) files_search_etc($1) admin_pattern($1, bacula_etc_t) diff --git a/bcfg2.if b/bcfg2.if index ec95d36..0cd2d35 100644 --- a/bcfg2.if +++ b/bcfg2.if @@ -141,10 +141,7 @@ interface(`bcfg2_admin',` allow $1 bcfg2_t:process { ptrace signal_perms }; ps_process_pattern($1, bcfg2_t) - bcfg2_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 bcfg2_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t) files_search_pids($1) admin_pattern($1, bcfg2_var_run_t) diff --git a/bind.if b/bind.if index 531a8f2..9654435 100644 --- a/bind.if +++ b/bind.if @@ -370,10 +370,7 @@ interface(`bind_admin',` allow $1 { named_t ndc_t }:process { ptrace signal_perms }; ps_process_pattern($1, { named_t ndc_t }) - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, named_t, named_initrc_exec_t) files_list_tmp($1) admin_pattern($1, named_tmp_t) diff --git a/bird.if b/bird.if index 85c035f..d744d6b 100644 --- a/bird.if +++ b/bird.if @@ -26,10 +26,7 @@ interface(`bird_admin',` allow $1 bird_t:process { ptrace signal_perms }; ps_process_pattern($1, bird_t) - init_labeled_script_domtrans($1, bird_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bird_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, bird_t, bird_initrc_exec_t) files_list_etc($1) admin_pattern($1, bird_etc_t) diff --git a/bitlbee.if b/bitlbee.if index e73fb79..3409d80 100644 --- a/bitlbee.if +++ b/bitlbee.if @@ -47,10 +47,7 @@ interface(`bitlbee_admin',` allow $1 bitlbee_t:process { ptrace signal_perms }; ps_process_pattern($1, bitlbee_t) - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t) files_search_etc($1) admin_pattern($1, bitlbee_conf_t) diff --git a/bluetooth.if b/bluetooth.if index c723a0a..09d6248 100644 --- a/bluetooth.if +++ b/bluetooth.if @@ -216,10 +216,7 @@ interface(`bluetooth_admin',` allow $1 bluetooth_t:process { ptrace signal_perms }; ps_process_pattern($1, bluetooth_t) - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t) files_list_tmp($1) admin_pattern($1, bluetooth_tmp_t) diff --git a/boinc.if b/boinc.if index 02fefaa..464a896 100644 --- a/boinc.if +++ b/boinc.if @@ -28,10 +28,7 @@ interface(`boinc_admin',` allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; ps_process_pattern($1, { boinc_t boinc_project_t }) - init_labeled_script_domtrans($1, boinc_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t) logging_search_logs($1) admin_pattern($1, boinc_log_t) diff --git a/cachefilesd.if b/cachefilesd.if index 8de2ab9..c4084b9 100644 --- a/cachefilesd.if +++ b/cachefilesd.if @@ -26,10 +26,7 @@ interface(`cachefilesd_admin',` allow $1 cachefilesd_t:process { ptrace signal_perms }; ps_process_pattern($1, cachefilesd_t) - init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cachefilesd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t) files_search_var($1) admin_pattern($1, cachefilesd_cache_t) diff --git a/callweaver.if b/callweaver.if index 16f1855..f89bf39 100644 --- a/callweaver.if +++ b/callweaver.if @@ -65,10 +65,7 @@ interface(`callweaver_admin',` allow $1 callweaver_t:process { ptrace signal_perms }; ps_process_pattern($1, callweaver_t) - init_labeled_script_domtrans($1, callweaver_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 callweaver_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t) logging_search_logs($1) admin_pattern($1, callweaver_log_t) diff --git a/canna.if b/canna.if index 400db07..e3fd199 100644 --- a/canna.if +++ b/canna.if @@ -46,10 +46,7 @@ interface(`canna_admin',` allow $1 canna_t:process { ptrace signal_perms }; ps_process_pattern($1, canna_t) - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, canna_t, canna_initrc_exec_t) logging_list_logs($1) admin_pattern($1, canna_log_t) diff --git a/ccs.if b/ccs.if index bb17e0f..92f67fa 100644 --- a/ccs.if +++ b/ccs.if @@ -105,10 +105,7 @@ interface(`ccs_admin',` allow $1 ccs_t:process { ptrace signal_perms }; ps_process_pattern($1, ccs_t) - init_labeled_script_domtrans($1, ccs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ccs_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t) files_search_etc($1) admin_pattern($1, ccs_conf_t) diff --git a/certmaster.if b/certmaster.if index 0c53b18..741fdd3 100644 --- a/certmaster.if +++ b/certmaster.if @@ -124,10 +124,7 @@ interface(`certmaster_admin',` allow $1 certmaster_t:process { ptrace signal_perms }; ps_process_pattern($1, certmaster_t) - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, certmaster_t, certmaster_initrc_exec_t) files_list_etc($1) miscfiles_manage_generic_cert_dirs($1) diff --git a/certmonger.if b/certmonger.if index 008f8ef..3a456b7 100644 --- a/certmonger.if +++ b/certmonger.if @@ -162,10 +162,7 @@ interface(`certmonger_admin',` ps_process_pattern($1, certmonger_t) allow $1 certmonger_t:process { ptrace signal_perms }; - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, certmonger_t, certmonger_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, certmonger_var_lib_t) diff --git a/cfengine.if b/cfengine.if index a731122..fdef5f3 100644 --- a/cfengine.if +++ b/cfengine.if @@ -97,10 +97,7 @@ interface(`cfengine_admin',` allow $1 cfengine_domain:process { ptrace signal_perms }; ps_process_pattern($1, cfengine_domain) - init_labeled_script_domtrans($1, cfengine_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cfengine_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) diff --git a/cgroup.if b/cgroup.if index 85ca63f..2f8fa6f 100644 --- a/cgroup.if +++ b/cgroup.if @@ -180,11 +180,8 @@ interface(`cgroup_admin',` admin_pattern($1, cgred_var_run_t) files_list_pids($1) - cgroup_initrc_domtrans_cgconfig($1) - cgroup_initrc_domtrans_cgred($1) - domain_system_change_exemption($1) - role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r; - allow $2 system_r; + init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t) + init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t) cgroup_run_cgclear($1, $2) ') diff --git a/chronyd.if b/chronyd.if index 32e8265..3d45be4 100644 --- a/chronyd.if +++ b/chronyd.if @@ -184,10 +184,7 @@ interface(`chronyd_admin',` allow $1 chronyd_t:process { ptrace signal_perms }; ps_process_pattern($1, chronyd_t) - chronyd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, chronyd_t, chronyd_initrc_exec_t) files_search_etc($1) admin_pattern($1, chronyd_keys_t) diff --git a/cipe.if b/cipe.if index 5fb51b2..11ec9dc 100644 --- a/cipe.if +++ b/cipe.if @@ -25,8 +25,5 @@ interface(`cipe_admin',` allow $1 ciped_t:process { ptrace signal_perms }; ps_process_pattern($1, ciped_t) - init_labeled_script_domtrans($1, ciped_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ciped_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t) ') diff --git a/clamav.if b/clamav.if index 4cc4a5c..7ad8e80 100644 --- a/clamav.if +++ b/clamav.if @@ -205,10 +205,7 @@ interface(`clamav_admin',` allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t) files_list_etc($1) admin_pattern($1, clamd_etc_t) diff --git a/cmirrord.if b/cmirrord.if index cc4e7cb..0785068 100644 --- a/cmirrord.if +++ b/cmirrord.if @@ -106,10 +106,7 @@ interface(`cmirrord_admin',` allow $1 cmirrord_t:process { ptrace signal_perms }; ps_process_pattern($1, cmirrord_t) - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t) files_list_pids($1) admin_pattern($1, cmirrord_var_run_t) diff --git a/cobbler.if b/cobbler.if index c223f81..376fa84 100644 --- a/cobbler.if +++ b/cobbler.if @@ -183,10 +183,7 @@ interface(`cobbler_admin',` allow $1 cobblerd_t:process { ptrace signal_perms }; ps_process_pattern($1, cobblerd_t) - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t) files_search_etc($1) admin_pattern($1, cobbler_etc_t) diff --git a/collectd.if b/collectd.if index 954309e..a55db07 100644 --- a/collectd.if +++ b/collectd.if @@ -26,10 +26,7 @@ interface(`collectd_admin',` allow $1 collectd_t:process { ptrace signal_perms }; ps_process_pattern($1, collectd_t) - init_labeled_script_domtrans($1, collectd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 collectd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t) files_search_pids($1) admin_pattern($1, collectd_var_run_t) diff --git a/condor.if b/condor.if index c80aaf5..b2af357 100644 --- a/condor.if +++ b/condor.if @@ -66,10 +66,7 @@ interface(`condor_admin',` allow $1 condor_domain:process { ptrace signal_perms }; ps_process_pattern($1, condor_domain) - init_labeled_script_domtrans($1, condor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 condor_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, condor_domain, condor_initrc_exec_t) files_search_etc($1) admin_pattern($1, condor_conf_t) diff --git a/corosync.if b/corosync.if index 694a037..57736aa 100644 --- a/corosync.if +++ b/corosync.if @@ -165,10 +165,7 @@ interface(`corosync_admin',` allow $1 corosync_t:process { ptrace signal_perms }; ps_process_pattern($1, corosync_t) - corosync_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, corosync_t, corosync_initrc_exec_t) files_list_tmp($1) admin_pattern($1, corosync_tmp_t) diff --git a/couchdb.if b/couchdb.if index 715a826..830c271 100644 --- a/couchdb.if +++ b/couchdb.if @@ -103,10 +103,7 @@ interface(`couchdb_admin',` allow $1 couchdb_t:process { ptrace signal_perms }; ps_process_pattern($1, couchdb_t) - init_labeled_script_domtrans($1, couchdb_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 couchdb_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, couchdb_t, couchdb_initrc_exec_t) files_search_etc($1) admin_pattern($1, couchdb_conf_t) diff --git a/ctdb.if b/ctdb.if index b25b01d..79b0c9a 100644 --- a/ctdb.if +++ b/ctdb.if @@ -66,10 +66,7 @@ interface(`ctdb_admin',` allow $1 ctdbd_t:process { ptrace signal_perms }; ps_process_pattern($1, ctdbd_t) - init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ctdbd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ctdbd_t, ctdbd_initrc_exec_t) logging_search_logs($1) admin_pattern($1, ctdbd_log_t) diff --git a/cups.if b/cups.if index 3023be7..cad7df2 100644 --- a/cups.if +++ b/cups.if @@ -357,10 +357,7 @@ interface(`cups_admin',` ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t) files_list_etc($1) admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t }) diff --git a/cvs.if b/cvs.if index 64775fd..49f6c1c 100644 --- a/cvs.if +++ b/cvs.if @@ -65,10 +65,7 @@ interface(`cvs_admin',` allow $1 cvs_t:process { ptrace signal_perms }; ps_process_pattern($1, cvs_t) - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cvs_t, cvs_initrc_exec_t) files_search_etc($1) admin_pattern($1, cvs_keytab_t) diff --git a/cyphesis.if b/cyphesis.if index df8aa4a..da37d4e 100644 --- a/cyphesis.if +++ b/cyphesis.if @@ -45,10 +45,7 @@ interface(`cyphesis_admin',` allow $1 cyphesis_t:process { ptrace signal_perms }; ps_process_pattern($1, cyphesis_t) - init_labeled_script_domtrans($1, cyphesis_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyphesis_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cyphesis_t, cyphesis_initrc_exec_t) logging_search_logs($1) admin_pattern($1, cyphesis_log_t) diff --git a/cyrus.if b/cyrus.if index 83bfda6..759e074 100644 --- a/cyrus.if +++ b/cyrus.if @@ -67,10 +67,7 @@ interface(`cyrus_admin',` allow $1 cyrus_t:process { ptrace signal_perms }; ps_process_pattern($1, cyrus_t) - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, cyrus_t, cyrus_initrc_exec_t) files_list_etc($1) admin_pattern($1, cyrus_keytab_t) diff --git a/dante.if b/dante.if index e709177..8d02f8c 100644 --- a/dante.if +++ b/dante.if @@ -26,10 +26,7 @@ interface(`dante_admin',` allow $1 dante_t:process { ptrace signal_perms }; ps_process_pattern($1, dante_t) - init_labeled_script_domtrans($1, dante_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dante_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dante_t, dante_initrc_exec_t) files_search_etc($1) admin_pattern($1, dante_conf_t) diff --git a/ddclient.if b/ddclient.if index 5606b40..96ddeea 100644 --- a/ddclient.if +++ b/ddclient.if @@ -73,10 +73,7 @@ interface(`ddclient_admin',` allow $1 ddclient_t:process { ptrace signal_perms }; ps_process_pattern($1, ddclient_t) - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ddclient_t, ddclient_initrc_exec_t) files_list_etc($1) admin_pattern($1, ddclient_etc_t) diff --git a/denyhosts.if b/denyhosts.if index a7326da..0fb8ec7 100644 --- a/denyhosts.if +++ b/denyhosts.if @@ -63,10 +63,7 @@ interface(`denyhosts_admin',` allow $1 denyhosts_t:process { ptrace signal_perms }; ps_process_pattern($1, denyhosts_t) - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, denyhosts_var_lib_t) diff --git a/dhcp.if b/dhcp.if index c697edb..b7a0337 100644 --- a/dhcp.if +++ b/dhcp.if @@ -84,10 +84,7 @@ interface(`dhcpd_admin',` allow $1 dhcpd_t:process { ptrace signal_perms }; ps_process_pattern($1, dhcpd_t) - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dhcpd_t, dhcpd_initrc_exec_t) files_list_tmp($1) admin_pattern($1, dhcpd_tmp_t) diff --git a/dictd.if b/dictd.if index 3cc3494..3878acc 100644 --- a/dictd.if +++ b/dictd.if @@ -41,10 +41,7 @@ interface(`dictd_admin',` allow $1 dictd_t:process { ptrace signal_perms }; ps_process_pattern($1, dictd_t) - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dictd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dictd_t, dictd_initrc_exec_t) files_list_etc($1) admin_pattern($1, dictd_etc_t) diff --git a/dirmngr.if b/dirmngr.if index e5f6733..4cd2810 100644 --- a/dirmngr.if +++ b/dirmngr.if @@ -26,10 +26,7 @@ interface(`dirmngr_admin',` allow $1 dirmngr_t:process { ptrace signal_perms }; ps_process_pattern($1, dirmngr_t) - init_labeled_script_domtrans($1, dirmngr_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dirmngr_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t) files_search_etc($1) admin_pattern($1, dirmngr_conf_t) diff --git a/distcc.if b/distcc.if index 473823d..6b43286 100644 --- a/distcc.if +++ b/distcc.if @@ -26,10 +26,7 @@ interface(`distcc_admin',` allow $1 distccd_t:process { ptrace signal_perms }; ps_process_pattern($1, distccd_t) - init_labeled_script_domtrans($1, distccd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 distccd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, distccd_t, distccd_initrc_exec_t) logging_search_logs($1) admin_pattern($1, distccd_log_t) diff --git a/dkim.if b/dkim.if index 386e494..61e1f19 100644 --- a/dkim.if +++ b/dkim.if @@ -26,10 +26,7 @@ interface(`dkim_admin',` allow $1 dkim_milter_t:process { ptrace signal_perms }; ps_process_pattern($1, dkim_milter_t) - init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dkim_milter_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t) files_search_etc($1) admin_pattern($1, dkim_milter_private_key_t) diff --git a/dnsmasq.if b/dnsmasq.if index 62e4948..f81566a 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -273,10 +273,7 @@ interface(`dnsmasq_admin',` allow $1 dnsmasq_t:process { ptrace signal_perms }; ps_process_pattern($1, dnsmasq_t) - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t) files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) diff --git a/dnssectrigger.if b/dnssectrigger.if index 456da5c..eea250e 100644 --- a/dnssectrigger.if +++ b/dnssectrigger.if @@ -26,10 +26,7 @@ interface(`dnssectrigger_admin',` allow $1 dnssec_triggerd_t:process { ptrace signal_perms }; ps_process_pattern($1, dnssec_triggerd_t) - init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnssec_triggerd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t) files_search_etc($1) admin_pattern($1, dnssec_trigger_conf_t) diff --git a/dovecot.if b/dovecot.if index d5badb7..3608ba2 100644 --- a/dovecot.if +++ b/dovecot.if @@ -149,10 +149,7 @@ interface(`dovecot_admin',` allow $1 dovecot_t:process { ptrace signal_perms }; ps_process_pattern($1, dovecot_t) - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dovecot_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dovecot_t, dovecot_initrc_exec_t) files_list_etc($1) admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) diff --git a/drbd.if b/drbd.if index 9a21639..f147c10 100644 --- a/drbd.if +++ b/drbd.if @@ -46,10 +46,7 @@ interface(`drbd_admin',` allow $1 drbd_t:process { ptrace signal_perms }; ps_process_pattern($1, drbd_t) - init_labeled_script_domtrans($1, drbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 drbd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, drbd_t, drbd_initrc_exec_t) files_search_locks($1) admin_pattern($1, drbd_lock_t) diff --git a/dspam.if b/dspam.if index 18f2452..a8cd028 100644 --- a/dspam.if +++ b/dspam.if @@ -66,10 +66,7 @@ interface(`dspam_admin',` allow $1 dspam_t:process { ptrace signal_perms }; ps_process_pattern($1, dspam_t) - init_labeled_script_domtrans($1, dspam_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dspam_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t) logging_search_logs($1) admin_pattern($1, dspam_log_t) diff --git a/entropyd.if b/entropyd.if index 1161fbf..eedfae6 100644 --- a/entropyd.if +++ b/entropyd.if @@ -25,10 +25,7 @@ interface(`entropyd_admin',` allow $1 entropyd_t:process { ptrace signal_perms }; ps_process_pattern($1, entropyd_t) - init_labeled_script_domtrans($1, entropyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 entropyd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t) files_search_pids($1) admin_pattern($1, entropyd_var_run_t) diff --git a/exim.if b/exim.if index 9bbc690..51655bb 100644 --- a/exim.if +++ b/exim.if @@ -288,10 +288,7 @@ interface(`exim_admin',` allow $1 exim_t:process { ptrace signal_perms }; ps_process_pattern($1, exim_t) - init_labeled_script_domtrans($1, exim_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 exim_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, exim_t, exim_initrc_exec_t) files_search_etc($1) admin_pattern($1, exim_keytab_t) diff --git a/fail2ban.if b/fail2ban.if index 50d0084..5b8e08b 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -266,10 +266,7 @@ interface(`fail2ban_admin',` allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t) logging_list_logs($1) admin_pattern($1, fail2ban_log_t) diff --git a/fcoe.if b/fcoe.if index c3484a9..78d1147 100644 --- a/fcoe.if +++ b/fcoe.if @@ -44,10 +44,7 @@ interface(`fcoe_admin',` allow $1 fcoemon_t:process { ptrace signal_perms }; ps_process_pattern($1, fcoemon_t) - init_labeled_script_domtrans($1, fcoemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fcoemon_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t) files_search_pids($1) admin_pattern($1, fcoemon_var_run_t) diff --git a/fetchmail.if b/fetchmail.if index c3f7916..5115aff 100644 --- a/fetchmail.if +++ b/fetchmail.if @@ -23,10 +23,7 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; ') - init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fetchmail_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t) allow $1 fetchmail_t:process { ptrace signal_perms }; ps_process_pattern($1, fetchmail_t) diff --git a/firewalld.if b/firewalld.if index c62c567..a16179b 100644 --- a/firewalld.if +++ b/firewalld.if @@ -86,10 +86,7 @@ interface(`firewalld_admin',` allow $1 firewalld_t:process { ptrace signal_perms }; ps_process_pattern($1, firewalld_t) - init_labeled_script_domtrans($1, firewalld_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 firewalld_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t) files_search_pids($1) admin_pattern($1, firewalld_var_run_t) diff --git a/ftp.if b/ftp.if index 65adda9..93fd4be 100644 --- a/ftp.if +++ b/ftp.if @@ -182,10 +182,7 @@ interface(`ftp_admin',` allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ftpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ftpd_t, ftpd_initrc_exec_t) miscfiles_manage_public_files($1) diff --git a/gatekeeper.if b/gatekeeper.if index 30926d7..83681df 100644 --- a/gatekeeper.if +++ b/gatekeeper.if @@ -26,10 +26,7 @@ interface(`gatekeeper_admin',` allow $1 gatekeeper_t:process { ptrace signal_perms }; ps_process_pattern($1, gatekeeper_t) - init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gatekeeper_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t) files_search_etc($1) admin_pattern($1, gatekeeper_etc_t) diff --git a/gdomap.if b/gdomap.if index 7d6b6b7..58e5c44 100644 --- a/gdomap.if +++ b/gdomap.if @@ -45,10 +45,7 @@ interface(`gdomap_admin',` allow $1 gdomap_t:process { ptrace signal_perms }; ps_process_pattern($1, gdomap_t) - init_labeled_script_domtrans($1, gdomap_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gdomap_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, gdomap_t, gdomap_initrc_exec_t) files_search_etc($1) admin_pattern($1, gdomap_conf_t) diff --git a/glance.if b/glance.if index 9eacb2c..6d9f3da 100644 --- a/glance.if +++ b/glance.if @@ -245,10 +245,8 @@ interface(`glance_admin',` allow $1 { glance_api_t glance_registry_t }:process signal_perms; ps_process_pattern($1, { glance_api_t glance_registry_t }) - init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r; - allow $2 system_r; + init_startstop_service($1, $2, glance_api_t, glance_api_initrc_exec_t) + init_startstop_service($1, $2, glance_registry_t, glance_registry_initrc_exec_t) logging_search_logs($1) admin_pattern($1, glance_log_t) diff --git a/glusterfs.if b/glusterfs.if index 05233c8..0945d87 100644 --- a/glusterfs.if +++ b/glusterfs.if @@ -46,10 +46,7 @@ interface(`glusterfs_admin',` type glusterd_var_run_t; ') - init_labeled_script_domtrans($1, glusterd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 glusterd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t) allow $1 glusterd_t:process { ptrace signal_perms }; ps_process_pattern($1, glusterd_t) diff --git a/gpm.if b/gpm.if index f1528c9..b9a4743 100644 --- a/gpm.if +++ b/gpm.if @@ -106,10 +106,7 @@ interface(`gpm_admin',` allow $1 gpm_t:process { ptrace signal_perms }; ps_process_pattern($1, gpm_t) - init_labeled_script_domtrans($1, gpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpm_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, gpm_t, gpm_initrc_exec_t) files_search_etc($1) admin_pattern($1, gpm_conf_t) diff --git a/gpsd.if b/gpsd.if index 92eb564..1d10f63 100644 --- a/gpsd.if +++ b/gpsd.if @@ -91,10 +91,7 @@ interface(`gpsd_admin',` allow $1 gpsd_t:process { ptrace signal_perms }; ps_process_pattern($1, gpsd_t) - init_labeled_script_domtrans($1, gpsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpsd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t) files_search_pids($1) admin_pattern($1, gpsd_var_run_t) diff --git a/hadoop.if b/hadoop.if index 2b0d488..a0a819f 100644 --- a/hadoop.if +++ b/hadoop.if @@ -441,10 +441,7 @@ interface(`hadoop_admin',` allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) - init_labeled_script_domtrans($1, hadoop_init_script_file) - domain_system_change_exemption($1) - role_transition $2 hadoop_init_script_file system_r; - allow $2 system_r; + init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file) files_search_etc($1) admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) diff --git a/hddtemp.if b/hddtemp.if index 1728071..269bafd 100644 --- a/hddtemp.if +++ b/hddtemp.if @@ -63,10 +63,7 @@ interface(`hddtemp_admin',` allow $1 hddtemp_t:process { ptrace signal_perms }; ps_process_pattern($1, hddtemp_t) - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, hddtemp_t, hddtemp_initrc_exec_t) admin_pattern($1, hddtemp_etc_t) files_search_etc($1) diff --git a/howl.if b/howl.if index dc609f0..afea184 100644 --- a/howl.if +++ b/howl.if @@ -43,10 +43,7 @@ interface(`howl_admin',` allow $1 howl_t:process { ptrace signal_perms }; ps_process_pattern($1, howl_t) - init_labeled_script_domtrans($1, howl_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 howl_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, howl_t, howl_initrc_exec_t) files_search_pids($1) admin_pattern($1, howl_var_run_t) diff --git a/hypervkvp.if b/hypervkvp.if index 6517fad..f9a3b8e 100644 --- a/hypervkvp.if +++ b/hypervkvp.if @@ -25,8 +25,5 @@ interface(`hypervkvp_admin',` allow $1 hypervkvpd_t:process { ptrace signal_perms }; ps_process_pattern($1, hypervkvpd_t) - init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hypervkvpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t) ') diff --git a/i18n_input.if b/i18n_input.if index 5eab254..b908264 100644 --- a/i18n_input.if +++ b/i18n_input.if @@ -40,10 +40,7 @@ interface(`i18n_input_admin',` allow $1 i18n_input_t:process { ptrace signal_perms }; ps_process_pattern($1, i18n_input_t) - init_labeled_script_domtrans($1, i18n_input_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 i18n_input_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t) files_search_pids($1) admin_pattern($1, i18n_input_var_run_t) diff --git a/icecast.if b/icecast.if index 580b533..38ce1b7 100644 --- a/icecast.if +++ b/icecast.if @@ -176,10 +176,7 @@ interface(`icecast_admin',` type icecast_var_run_t; ') - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t) allow $1 icecast_t:process { ptrace signal_perms }; ps_process_pattern($1, icecast_t) diff --git a/ifplugd.if b/ifplugd.if index 8999899..3cd19b3 100644 --- a/ifplugd.if +++ b/ifplugd.if @@ -122,10 +122,7 @@ interface(`ifplugd_admin',` allow $1 ifplugd_t:process { ptrace signal_perms }; ps_process_pattern($1, ifplugd_t) - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ifplugd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ifplugd_t, ifplugd_initrc_exec_t) files_list_etc($1) admin_pattern($1, ifplugd_etc_t) diff --git a/inn.if b/inn.if index eb87f23..8e24feb 100644 --- a/inn.if +++ b/inn.if @@ -230,10 +230,7 @@ interface(`inn_admin',` type innd_var_run_t, innd_initrc_exec_t; ') - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 innd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, innd_t, innd_initrc_exec_t) allow $1 innd_t:process { ptrace signal_perms }; ps_process_pattern($1, innd_t) diff --git a/iodine.if b/iodine.if index a0bfbd0..87e47eb 100644 --- a/iodine.if +++ b/iodine.if @@ -47,8 +47,5 @@ interface(`iodine_admin',` allow $1 iodined_t:process { ptrace signal_perms }; ps_process_pattern($1, iodined_t) - init_labeled_script_domtrans($1, iodined_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iodined_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, iodined_t, iodined_initrc_exec_t) ') diff --git a/ircd.if b/ircd.if index 1a88664..3dbe87d 100644 --- a/ircd.if +++ b/ircd.if @@ -23,10 +23,7 @@ interface(`ircd_admin',` type ircd_log_t, ircd_var_lib_t, ircd_var_run_t; ') - init_labeled_script_domtrans($1, ircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ircd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t) allow $1 ircd_t:process { ptrace signal_perms }; ps_process_pattern($1, ircd_t) diff --git a/irqbalance.if b/irqbalance.if index d7113e7..9e943d3 100644 --- a/irqbalance.if +++ b/irqbalance.if @@ -25,10 +25,7 @@ interface(`irqbalance_admin',` allow $1 irqbalance_t:process { ptrace signal_perms }; ps_process_pattern($1, irqbalance_t) - init_labeled_script_domtrans($1, irqbalance_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 irqbalance_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t) files_search_pids($1) admin_pattern($1, irqbalance_var_run_t) diff --git a/iscsi.if b/iscsi.if index 1a35420..44a891d 100644 --- a/iscsi.if +++ b/iscsi.if @@ -105,10 +105,7 @@ interface(`iscsi_admin',` allow $1 iscsid_t:process { ptrace signal_perms }; ps_process_pattern($1, iscsid_t) - init_labeled_script_domtrans($1, iscsi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iscsi_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, iscsi_t, iscsi_initrc_exec_t) logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/isns.if b/isns.if index da7e970..4d847e9 100644 --- a/isns.if +++ b/isns.if @@ -26,10 +26,7 @@ interface(`isnsd_admin',` allow $1 isnsd_t:process { ptrace signal_perms }; ps_process_pattern($1, isnsd_t) - init_labeled_script_domtrans($1, isnsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 isnsd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, isnsd_t, isnsd_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, isnsd_var_lib_t) diff --git a/jabber.if b/jabber.if index 7eb3811..549dac1 100644 --- a/jabber.if +++ b/jabber.if @@ -81,10 +81,7 @@ interface(`jabber_admin',` allow $1 jabberd_domain:process { ptrace signal_perms }; ps_process_pattern($1, jabberd_domain) - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, jabberd_domain, jabberd_initrc_exec_t) files_search_locks($1) admin_pattern($1, jabberd_lock_t) diff --git a/kdump.if b/kdump.if index 3a00b3a..f90bfb4 100644 --- a/kdump.if +++ b/kdump.if @@ -102,10 +102,7 @@ interface(`kdump_admin',` allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; ps_process_pattern($1, { kdump_t kdumpctl_t }) - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kdump_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t) files_search_etc($1) admin_pattern($1, kdump_etc_t) diff --git a/kerberos.if b/kerberos.if index 77a5c49..01caeea 100644 --- a/kerberos.if +++ b/kerberos.if @@ -493,10 +493,7 @@ interface(`kerberos_admin',` allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t }) - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerberos_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t) logging_list_logs($1) admin_pattern($1, kadmind_log_t) diff --git a/kerneloops.if b/kerneloops.if index 714448f..d6f5fd8 100644 --- a/kerneloops.if +++ b/kerneloops.if @@ -108,10 +108,7 @@ interface(`kerneloops_admin',` allow $1 kerneloops_t:process { ptrace signal_perms }; ps_process_pattern($1, kerneloops_t) - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, kerneloops_t, kerneloops_initrc_exec_t) files_search_tmp($1) admin_pattern($1, kerneloops_tmp_t) diff --git a/keystone.if b/keystone.if index e88fb16..ec9adb0 100644 --- a/keystone.if +++ b/keystone.if @@ -26,10 +26,7 @@ interface(`keystone_admin',` allow $1 keystone_t:process { ptrace signal_perms }; ps_process_pattern($1, keystone_t) - init_labeled_script_domtrans($1, keystone_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 keystone_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, keystone_t, keystone_initrc_exec_t) logging_search_logs($1) admin_pattern($1, keystone_log_t) diff --git a/kismet.if b/kismet.if index f20de6e..24d623b 100644 --- a/kismet.if +++ b/kismet.if @@ -286,10 +286,7 @@ interface(`kismet_admin',` type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; ') - init_labeled_script_domtrans($1, kismet_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kismet_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, kismet_t, kismet_initrc_exec_t) ps_process_pattern($1, kismet_t) allow $1 kismet_t:process { ptrace signal_perms }; diff --git a/ksmtuned.if b/ksmtuned.if index 93a64bc..59f401b 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -61,10 +61,7 @@ interface(`ksmtuned_admin',` type ksmtuned_initrc_exec_t, ksmtuned_log_t; ') - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t) allow $1 ksmtuned_t:process { ptrace signal_perms }; ps_process_pattern($1, ksmtuned_t) diff --git a/kudzu.if b/kudzu.if index 5297064..993e152 100644 --- a/kudzu.if +++ b/kudzu.if @@ -89,10 +89,7 @@ interface(`kudzu_admin',` allow $1 kudzu_t:process { ptrace signal_perms }; ps_process_pattern($1, kudzu_t) - init_labeled_script_domtrans($1, kudzu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kudzu_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, kudzu_t, kudzu_initrc_exec_t) files_search_tmp($1) admin_pattern($1, kudzu_tmp_t) diff --git a/l2tp.if b/l2tp.if index 73e2803..24d3c44 100644 --- a/l2tp.if +++ b/l2tp.if @@ -86,10 +86,7 @@ interface(`l2tp_admin',` allow $1 l2tpd_t:process { ptrace signal_perms }; ps_process_pattern($1, l2tpd_t) - init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 l2tpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t) files_search_etc($1) admin_pattern($1, l2tp_conf_t) diff --git a/ldap.if b/ldap.if index 3602712..ebcf59a 100644 --- a/ldap.if +++ b/ldap.if @@ -122,10 +122,7 @@ interface(`ldap_admin',` allow $1 slapd_t:process { ptrace signal_perms }; ps_process_pattern($1, slapd_t) - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t) files_list_etc($1) admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) diff --git a/likewise.if b/likewise.if index bd20e8c..2b884e6 100644 --- a/likewise.if +++ b/likewise.if @@ -110,10 +110,7 @@ interface(`likewise_admin',` allow $1 likewise_domains:process { ptrace signal_perms }; ps_process_pattern($1, likewise_domains) - init_labeled_script_domtrans($1, likewise_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 likewise_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t) files_list_etc($1) admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) diff --git a/lircd.if b/lircd.if index dff21a7..f54240e 100644 --- a/lircd.if +++ b/lircd.if @@ -84,10 +84,7 @@ interface(`lircd_admin',` allow $1 lircd_t:process { ptrace signal_perms }; ps_process_pattern($1, lircd_t) - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lircd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, lircd_t, lircd_initrc_exec_t) files_search_etc($1) admin_pattern($1, lircd_etc_t) diff --git a/lldpad.if b/lldpad.if index d18c960..8d7692a 100644 --- a/lldpad.if +++ b/lldpad.if @@ -45,10 +45,7 @@ interface(`lldpad_admin',` allow $1 lldpad_t:process { ptrace signal_perms }; ps_process_pattern($1, lldpad_t) - init_labeled_script_domtrans($1, lldpad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lldpad_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, lldpad_t, lldpad_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, lldpad_var_lib_t) diff --git a/mailscanner.if b/mailscanner.if index 214cb44..a684cfd 100644 --- a/mailscanner.if +++ b/mailscanner.if @@ -47,10 +47,7 @@ interface(`mscan_admin',` allow $1 mscan_t:process { ptrace signal_perms }; ps_process_pattern($1, mscan_t) - init_labeled_script_domtrans($1, mscan_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t) files_search_etc($1) admin_pattern($1, mscan_etc_t) diff --git a/mcelog.if b/mcelog.if index f89651e..9b731b8 100644 --- a/mcelog.if +++ b/mcelog.if @@ -45,10 +45,7 @@ interface(`mcelog_admin',` allow $1 mcelog_t:process { ptrace signal_perms }; ps_process_pattern($1, mcelog_t) - init_labeled_script_domtrans($1, mcelog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mcelog_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, mcelog_t, mcelog_initrc_exec_t) files_search_etc($1) admin_pattern($1, mcelog_etc_t) diff --git a/memcached.if b/memcached.if index 1d4eb19..5c12b31 100644 --- a/memcached.if +++ b/memcached.if @@ -124,10 +124,7 @@ interface(`memcached_admin',` allow $1 memcached_t:process { ptrace signal_perms }; ps_process_pattern($1, memcached_t) - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t) files_search_pids($1) admin_pattern($1, memcached_var_run_t) diff --git a/minidlna.if b/minidlna.if index 358917a..7aa4fc9 100644 --- a/minidlna.if +++ b/minidlna.if @@ -26,10 +26,7 @@ interface(`minidlna_admin',` allow $1 minidlna_t:process { ptrace signal_perms }; ps_process_pattern($1, minidlna_t) - minidlna_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 minidlna_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, minidlna_t, minidlna_initrc_exec_t) files_search_etc($1) admin_pattern($1, minidlna_conf_t) diff --git a/minissdpd.if b/minissdpd.if index f37a116..d4bdf6c 100644 --- a/minissdpd.if +++ b/minissdpd.if @@ -45,10 +45,7 @@ interface(`minissdpd_admin',` allow $1 minissdpd_t:process { ptrace signal_perms }; ps_process_pattern($1, minissdpd_t) - init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 minissdpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, minissdpd_t, minissdpd_initrc_exec_t) files_search_etc($1) admin_pattern($1, minissdpd_conf_t) diff --git a/mongodb.if b/mongodb.if index b247d25..9a184f2 100644 --- a/mongodb.if +++ b/mongodb.if @@ -26,10 +26,7 @@ interface(`mongodb_admin',` allow $1 mongod_t:process { ptrace signal_perms }; ps_process_pattern($1, mongod_t) - init_labeled_script_domtrans($1, mongod_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mongod_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, mongod_t, mongod_initrc_exec_t) logging_search_logs($1) admin_pattern($1, mongod_log_t) diff --git a/monop.if b/monop.if index a6ec137..0106004 100644 --- a/monop.if +++ b/monop.if @@ -26,10 +26,7 @@ interface(`monop_admin',` allow $1 monopd_t:process { ptrace signal_perms }; ps_process_pattern($1, monopd_t) - init_labeled_script_domtrans($1, monopd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 monopd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, monopd_t, monopd_initrc_exec_t) files_search_etc($1) admin_pattern($1, monopd_etc_t) diff --git a/mpd.if b/mpd.if index 5fa77c7..384599f 100644 --- a/mpd.if +++ b/mpd.if @@ -347,10 +347,7 @@ interface(`mpd_admin',` allow $1 mpd_t:process { ptrace signal_perms }; ps_process_pattern($1, mpd_t) - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t) files_search_etc($1) admin_pattern($1, mpd_etc_t) diff --git a/mrtg.if b/mrtg.if index c595094..0a71bd8 100644 --- a/mrtg.if +++ b/mrtg.if @@ -47,10 +47,7 @@ interface(`mrtg_admin',` allow $1 mrtg_t:process { ptrace signal_perms }; ps_process_pattern($1, mrtg_t) - init_labeled_script_domtrans($1, mrtg_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mrtg_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, mrtg_t, mrtg_initrc_exec_t) files_search_etc($1) admin_pattern($1, mrtg_etc_t) diff --git a/munin.if b/munin.if index b744fe3..cd67499 100644 --- a/munin.if +++ b/munin.if @@ -173,10 +173,7 @@ interface(`munin_admin',` allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; ps_process_pattern($1, { munin_plugin_domain munin_t }) - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 munin_initrc_exec_t system_r; - allow $2 system_r; + init_startstop_service($1, $2, munin_t, munin_initrc_exec_t) files_list_tmp($1) admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content }) diff --git a/mysql.if b/mysql.if index 687af38..83badcf 100644 --- a/mysql.if +++ b/mysql.if @@ -450,10 +450,8 @@ interface(`mysql_admin',` allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; - allow $2 system_r; + init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t) + init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t) files_search_pids($1) admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) -- 2.3.6