* cleanup: domain self references
@ 2004-10-11  8:54 Thomas Bleher
  2004-10-11 14:47 ` Thomas Bleher
  2004-10-14 20:02 ` James Carter
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Bleher @ 2004-10-11  8:54 UTC (permalink / raw)
  To: SELinux ML


[-- Attachment #1.1: Type: text/plain, Size: 335 bytes --]

I just did a global search and replace to clean up rules of the form
        allow some_domain_t some_domain_t:capability setuid;
This makes the policy easier to read.

Please apply.
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: self_cleanup.patch --]
[-- Type: text/plain, Size: 18732 bytes --]

diff -urN orig/domains/program/getty.te mod/domains/program/getty.te
--- orig/domains/program/getty.te	2004-10-11 10:03:20.000000000 +0200
+++ mod/domains/program/getty.te	2004-10-11 10:32:22.000000000 +0200
@@ -34,7 +34,7 @@
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
 
 # fbgetty needs fsetid for some reason
-#allow getty_t getty_t:capability fsetid;
+#allow getty_t self:capability fsetid;
 
 read_locale(getty_t)
 
diff -urN orig/domains/program/initrc.te mod/domains/program/initrc.te
--- orig/domains/program/initrc.te	2004-10-11 10:03:20.000000000 +0200
+++ mod/domains/program/initrc.te	2004-10-11 10:32:22.000000000 +0200
@@ -309,7 +309,7 @@
 #
 allow initrc_t device_t:dir rw_dir_perms;
 allow initrc_t device_t:lnk_file { unlink };
-allow initrc_t initrc_t:process { getsched };
+allow initrc_t self:process { getsched };
 
 r_dir_file(initrc_t,selinux_config_t)
 
diff -urN orig/domains/program/init.te mod/domains/program/init.te
--- orig/domains/program/init.te	2004-09-15 19:01:05.000000000 +0200
+++ mod/domains/program/init.te	2004-10-11 10:32:22.000000000 +0200
@@ -29,7 +29,7 @@
 allow init_t file_t:dir search;
 
 # Use capabilities.
-allow init_t init_t:capability ~sys_module;
+allow init_t self:capability ~sys_module;
 
 # Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
 domain_auto_trans(init_t, initrc_exec_t, initrc_t)
diff -urN orig/domains/program/unused/dhcpd.te mod/domains/program/unused/dhcpd.te
--- orig/domains/program/unused/dhcpd.te	2004-09-11 14:31:46.000000000 +0200
+++ mod/domains/program/unused/dhcpd.te	2004-10-11 10:32:22.000000000 +0200
@@ -39,7 +39,7 @@
 allow dhcpd_t devtty_t:chr_file { read write };
 
 # Use capabilities
-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
+allow dhcpd_t self:capability { net_raw net_bind_service };
 
 # Allow access to the dhcpd file types
 type dhcp_state_t, file_type, sysadmfile;
diff -urN orig/domains/program/unused/firstboot.te mod/domains/program/unused/firstboot.te
--- orig/domains/program/unused/firstboot.te	2004-09-25 19:52:49.000000000 +0200
+++ mod/domains/program/unused/firstboot.te	2004-10-11 10:32:22.000000000 +0200
@@ -36,9 +36,9 @@
 
 allow firstboot_t firstboot_rw_t:dir create_dir_perms;
 allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t firstboot_t:fifo_file { getattr read write };
-allow firstboot_t firstboot_t:process { fork sigchld };
-allow firstboot_t firstboot_t:unix_stream_socket { connect create };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:process { fork sigchld };
+allow firstboot_t self:unix_stream_socket { connect create };
 allow firstboot_t initrc_exec_t:file { getattr read };
 allow firstboot_t initrc_var_run_t:file r_file_perms;
 allow firstboot_t lib_t:file { getattr read };
@@ -82,10 +82,10 @@
 
 allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
 
-allow firstboot_t firstboot_t:capability { dac_override setgid };
-allow firstboot_t firstboot_t:dir { search };
-allow firstboot_t firstboot_t:file { read write };
-allow firstboot_t firstboot_t:lnk_file read;
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:dir { search };
+allow firstboot_t self:file { read write };
+allow firstboot_t self:lnk_file read;
 can_setfscreate(firstboot_t)
 allow firstboot_t krb5_conf_t:file rw_file_perms;
 
diff -urN orig/domains/program/unused/hald.te mod/domains/program/unused/hald.te
--- orig/domains/program/unused/hald.te	2004-10-11 10:03:21.000000000 +0200
+++ mod/domains/program/unused/hald.te	2004-10-11 10:32:22.000000000 +0200
@@ -26,7 +26,7 @@
 allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t hald_t:fifo_file rw_file_perms;
+allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file { getattr };
diff -urN orig/domains/program/unused/inetd.te mod/domains/program/unused/inetd.te
--- orig/domains/program/unused/inetd.te	2004-10-11 10:03:21.000000000 +0200
+++ mod/domains/program/unused/inetd.te	2004-10-11 10:32:22.000000000 +0200
@@ -25,7 +25,7 @@
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
 allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t inetd_t:process setsched;
+allow inetd_t self:process setsched;
 
 log_domain(inetd)
 tmp_domain(inetd)
diff -urN orig/domains/program/unused/ipsec.te mod/domains/program/unused/ipsec.te
--- orig/domains/program/unused/ipsec.te	2004-09-15 19:01:06.000000000 +0200
+++ mod/domains/program/unused/ipsec.te	2004-10-11 10:32:22.000000000 +0200
@@ -63,7 +63,7 @@
 # it in its own domain?)
 can_exec(ipsec_mgmt_t, bin_t)
 # logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t ipsec_mgmt_t:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 
 # also need to run things like whack and shell scripts
@@ -168,12 +168,12 @@
 allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
 
 # Allow read/write access to /var/run/pluto.ctl
-allow ipsec_t ipsec_t:unix_stream_socket {create setopt bind listen accept read write };
+allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
 
 # Pluto needs network access
 can_network(ipsec_t)
 can_ypbind(ipsec_t)
-allow ipsec_t ipsec_t:unix_dgram_socket { create connect write };
+allow ipsec_t self:unix_dgram_socket { create connect write };
 
 # for sleep
 allow ipsec_mgmt_t fs_t:filesystem getattr;
@@ -194,7 +194,7 @@
 allow ipsec_mgmt_t var_lock_t:file create_file_perms;
 
 # allow tncfg to create sockets
-allow ipsec_mgmt_t ipsec_mgmt_t:udp_socket { create ioctl };
+allow ipsec_mgmt_t self:udp_socket { create ioctl };
 
 #When running ipsec auto --up <conname>
 allow ipsec_t self:process { fork sigchld };
diff -urN orig/domains/program/unused/iptables.te mod/domains/program/unused/iptables.te
--- orig/domains/program/unused/iptables.te	2004-09-28 09:34:16.000000000 +0200
+++ mod/domains/program/unused/iptables.te	2004-10-11 10:32:22.000000000 +0200
@@ -40,8 +40,8 @@
 
 allow iptables_t bin_t:file { execute execute_no_trans };
 allow iptables_t iptables_exec_t:file { execute_no_trans };
-allow iptables_t iptables_t:capability { net_admin net_raw };
-allow iptables_t iptables_t:rawip_socket create_socket_perms;
+allow iptables_t self:capability { net_admin net_raw };
+allow iptables_t self:rawip_socket create_socket_perms;
 
 allow iptables_t etc_t:file { getattr read };
 
diff -urN orig/domains/program/unused/kerberos.te mod/domains/program/unused/kerberos.te
--- orig/domains/program/unused/kerberos.te	2004-10-11 10:03:21.000000000 +0200
+++ mod/domains/program/unused/kerberos.te	2004-10-11 10:32:22.000000000 +0200
@@ -75,7 +75,7 @@
 
 #
 # Rules for Kerberos5 Kadmin daemon
-allow kadmind_t kadmind_t:unix_dgram_socket { connect create write };
+allow kadmind_t self:unix_dgram_socket { connect create write };
 allow kadmind_t krb5kdc_conf_t:dir { search };
 allow kadmind_t krb5kdc_conf_t:file r_file_perms;
 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
diff -urN orig/domains/program/unused/portslave.te mod/domains/program/unused/portslave.te
--- orig/domains/program/unused/portslave.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/domains/program/unused/portslave.te	2004-10-11 10:32:22.000000000 +0200
@@ -53,7 +53,7 @@
 ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
 
 # for pppd
-allow portslave_t portslave_t:capability { setuid setgid net_admin fsetid };
+allow portslave_t self:capability { setuid setgid net_admin fsetid };
 allow portslave_t ppp_device_t:chr_file rw_file_perms;
 
 # for ~/.ppprc - if it actually exists then you need some policy to read it
diff -urN orig/domains/program/unused/postfix.te mod/domains/program/unused/postfix.te
--- orig/domains/program/unused/postfix.te	2004-10-11 10:03:22.000000000 +0200
+++ mod/domains/program/unused/postfix.te	2004-10-11 10:32:22.000000000 +0200
@@ -322,7 +322,7 @@
 postfix_public_domain(pipe)
 allow postfix_pipe_t postfix_spool_t:dir search;
 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-allow postfix_pipe_t postfix_pipe_t:fifo_file { read write };
+allow postfix_pipe_t self:fifo_file { read write };
 allow postfix_pipe_t postfix_private_t:dir search;
 allow postfix_pipe_t postfix_private_t:sock_file write;
 ifdef(`procmail.te', `
diff -urN orig/domains/program/unused/pppd.te mod/domains/program/unused/pppd.te
--- orig/domains/program/unused/pppd.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/domains/program/unused/pppd.te	2004-10-11 10:32:22.000000000 +0200
@@ -92,7 +92,7 @@
 can_create_pty(pppd)
 allow pppd_t self:file { read getattr };
 allow pppd_t self:capability { fowner net_raw };
-allow pppd_t pppd_t:packet_socket create_socket_perms;
+allow pppd_t self:packet_socket create_socket_perms;
 
 file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
 tmp_domain(pppd)
diff -urN orig/domains/program/unused/qmail.te mod/domains/program/unused/qmail.te
--- orig/domains/program/unused/qmail.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/domains/program/unused/qmail.te	2004-10-11 10:32:22.000000000 +0200
@@ -46,7 +46,7 @@
 allow qmail_start_t qmail_etc_t:dir search;
 allow qmail_start_t qmail_etc_t:file { getattr read };
 can_exec(qmail_start_t, qmail_start_exec_t)
-allow qmail_start_t qmail_start_t:fifo_file { getattr read write };
+allow qmail_start_t self:fifo_file { getattr read write };
 
 qmail_daemon_domain(lspawn, `, mta_delivery_agent')
 allow qmail_lspawn_t self:fifo_file { read write };
diff -urN orig/domains/program/unused/rlogind.te mod/domains/program/unused/rlogind.te
--- orig/domains/program/unused/rlogind.te	2004-10-11 10:03:23.000000000 +0200
+++ mod/domains/program/unused/rlogind.te	2004-10-11 10:32:22.000000000 +0200
@@ -32,7 +32,7 @@
 allow rlogind_t inetd_t:tcp_socket rw_stream_socket_perms;
 
 # Use capabilities.
-allow rlogind_t rlogind_t:capability { net_bind_service setuid setgid fowner fsetid chown dac_override };
+allow rlogind_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override };
 
 # so telnetd can start a child process for the login
 allow rlogind_t self:process { fork signal_perms };
diff -urN orig/domains/program/unused/slocate.te mod/domains/program/unused/slocate.te
--- orig/domains/program/unused/slocate.te	2004-05-04 21:35:53.000000000 +0200
+++ mod/domains/program/unused/slocate.te	2004-10-11 10:32:22.000000000 +0200
@@ -61,7 +61,7 @@
 # Read nsswitch file
 #
 allow locate_t etc_t:file { getattr read };
-dontaudit locate_t locate_t:capability dac_override;
+dontaudit locate_t self:capability dac_override;
 allow locate_t self:capability dac_read_search;
 
 # sysadm_t runs locate in his own domain.
diff -urN orig/domains/program/unused/squid.te mod/domains/program/unused/squid.te
--- orig/domains/program/unused/squid.te	2004-09-16 15:07:09.000000000 +0200
+++ mod/domains/program/unused/squid.te	2004-10-11 10:32:22.000000000 +0200
@@ -27,7 +27,7 @@
 # type for /var/cache/squid
 type squid_cache_t, file_type, sysadmfile;
 
-allow squid_t squid_t:capability { setgid setuid };
+allow squid_t self:capability { setgid setuid };
 allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
 allow squid_t etc_t:lnk_file read;
 allow squid_t self:unix_stream_socket create_socket_perms;
diff -urN orig/domains/program/unused/udev.te mod/domains/program/unused/udev.te
--- orig/domains/program/unused/udev.te	2004-10-11 10:03:24.000000000 +0200
+++ mod/domains/program/unused/udev.te	2004-10-11 10:32:22.000000000 +0200
@@ -108,5 +108,5 @@
 allow udev_t sysctl_dev_t:dir { search };
 allow udev_t sysctl_dev_t:file { getattr read };
 allow udev_t sysctl_modprobe_t:file { getattr read };
-allow udev_t udev_t:rawip_socket create_socket_perms;
+allow udev_t self:rawip_socket create_socket_perms;
 dontaudit  udev_t domain:dir r_dir_perms;
diff -urN orig/domains/program/unused/utempter.te mod/domains/program/unused/utempter.te
--- orig/domains/program/unused/utempter.te	2004-06-19 10:31:43.000000000 +0200
+++ mod/domains/program/unused/utempter.te	2004-10-11 10:32:22.000000000 +0200
@@ -20,7 +20,7 @@
 domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
 
 # Use capabilities.
-allow utempter_t utempter_t:capability { setgid };
+allow utempter_t self:capability { setgid };
 
 allow utempter_t etc_t:file { getattr read };
 
diff -urN orig/domains/program/unused/vpnc.te mod/domains/program/unused/vpnc.te
--- orig/domains/program/unused/vpnc.te	2004-10-05 20:52:36.000000000 +0200
+++ mod/domains/program/unused/vpnc.te	2004-10-11 10:32:22.000000000 +0200
@@ -24,7 +24,7 @@
 allow vpnc_t devpts_t:dir search;
 allow vpnc_t etc_t:file { getattr read };
 allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
-allow vpnc_t vpnc_t:rawip_socket create_socket_perms;
-allow vpnc_t vpnc_t:unix_dgram_socket create_socket_perms;
-allow vpnc_t vpnc_t:unix_stream_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
diff -urN orig/domains/program/unused/watchdog.te mod/domains/program/unused/watchdog.te
--- orig/domains/program/unused/watchdog.te	2004-09-23 11:38:29.000000000 +0200
+++ mod/domains/program/unused/watchdog.te	2004-10-11 10:32:22.000000000 +0200
@@ -36,7 +36,7 @@
 # for orderly shutdown
 can_exec(watchdog_t, shell_exec_t)
 allow watchdog_t domain:process { signal_perms getsession };
-allow watchdog_t watchdog_t:capability { kill };
+allow watchdog_t self:capability { kill };
 allow watchdog_t sbin_t:dir search;
 
 # for updating mtab on umount
diff -urN orig/domains/program/unused/xdm.te mod/domains/program/unused/xdm.te
--- orig/domains/program/unused/xdm.te	2004-10-11 10:03:24.000000000 +0200
+++ mod/domains/program/unused/xdm.te	2004-10-11 10:32:22.000000000 +0200
@@ -310,8 +310,8 @@
 allow xdm_t var_log_t:file { read };
 dontaudit xdm_t krb5_conf_t:file { write };
 allow xdm_t krb5_conf_t:file { getattr read };
-allow xdm_t xdm_t:capability { sys_nice sys_rawio };
-allow xdm_t xdm_t:process { setrlimit };
+allow xdm_t self:capability { sys_nice sys_rawio };
+allow xdm_t self:process { setrlimit };
 allow xdm_t wtmp_t:file { getattr read };
 
 domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
diff -urN orig/domains/program/unused/xfs.te mod/domains/program/unused/xfs.te
--- orig/domains/program/unused/xfs.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/domains/program/unused/xfs.te	2004-10-11 10:32:22.000000000 +0200
@@ -30,12 +30,12 @@
 can_ypbind(xfs_t)
 
 # Use capabilities.
-allow xfs_t xfs_t:capability { setgid setuid };
+allow xfs_t self:capability { setgid setuid };
 
 # Bind to /tmp/.font-unix/fs-1.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-allow xfs_t xfs_t:unix_stream_socket create_stream_socket_perms;
-allow xfs_t xfs_t:unix_dgram_socket create_socket_perms;
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
 
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
diff -urN orig/domains/program/unused/ypbind.te mod/domains/program/unused/ypbind.te
--- orig/domains/program/unused/ypbind.te	2004-10-11 10:03:24.000000000 +0200
+++ mod/domains/program/unused/ypbind.te	2004-10-11 10:32:22.000000000 +0200
@@ -21,7 +21,7 @@
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
 
-allow ypbind_t ypbind_t:fifo_file rw_file_perms;
+allow ypbind_t self:fifo_file rw_file_perms;
 
 allow ypbind_t { sysctl_t sysctl_kernel_t }:dir search;
 allow ypbind_t sysctl_kernel_t:file { getattr read };
diff -urN orig/targeted/domains/unconfined.te mod/targeted/domains/unconfined.te
--- orig/targeted/domains/unconfined.te	2004-10-11 10:03:26.000000000 +0200
+++ mod/targeted/domains/unconfined.te	2004-10-11 10:32:22.000000000 +0200
@@ -37,4 +37,4 @@
 user_typealias(user)
 
 allow unconfined_t unlabeled_t:filesystem *;
-allow unlabeled_t unlabeled_t:filesystem { associate };
+allow unlabeled_t self:filesystem { associate };
diff -urN orig/types/file.te mod/types/file.te
--- orig/types/file.te	2004-09-23 11:38:30.000000000 +0200
+++ mod/types/file.te	2004-10-11 10:32:22.000000000 +0200
@@ -263,31 +263,31 @@
 ')
 
 # Allow the pty to be associated with the file system.
-allow devpts_t devpts_t:filesystem associate;
+allow devpts_t self:filesystem associate;
 
 type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
 
 type autofs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
-allow autofs_t autofs_t:filesystem associate;
+allow autofs_t self:filesystem associate;
 
 type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
-allow usbdevfs_t usbdevfs_t:filesystem associate;
+allow usbdevfs_t self:filesystem associate;
 
 type sysfs_t, fs_type, root_dir_type, sysadmfile;
-allow sysfs_t sysfs_t:filesystem associate;
+allow sysfs_t self:filesystem associate;
 
 type iso9660_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
-allow iso9660_t iso9660_t:filesystem associate;
+allow iso9660_t self:filesystem associate;
 
 type romfs_t, fs_type, root_dir_type, sysadmfile;
-allow romfs_t romfs_t:filesystem associate;
+allow romfs_t self:filesystem associate;
 
 type ramfs_t, fs_type, root_dir_type, sysadmfile;
-allow ramfs_t ramfs_t:filesystem associate;
+allow ramfs_t self:filesystem associate;
 
 type dosfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
-allow dosfs_t dosfs_t:filesystem associate;
+allow dosfs_t self:filesystem associate;
 
 # udev_runtime_t is the type of the udev table file
 type udev_runtime_t, file_type, sysadmfile;
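Review bot: The rewrite is only meaning-preserving when the rule's source is a single type, because `self` expands once per source type; the context line `allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;` in this hunk was correctly left alone, since `self` there would grant tmp_t→tmp_t and drop tmp_t→tmpfs_t. As the description says this was a global search and replace, it is worth confirming the pattern matched a single identifier before the repeated type so that no brace-set source elsewhere was converted. A short comment on the tmpfs rule, `# source is a set: 'self' would change the meaning, keep the explicit target`, would stop a future cleanup pass from "fixing" it.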
@@ -296,7 +296,7 @@
 type krb5_conf_t, file_type, sysadmfile;
 
 type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
-allow cifs_t cifs_t:filesystem associate;
+allow cifs_t self:filesystem associate;
 typealias cifs_t alias sambafs_t;
 
 # removable_t is the default type of all removable media

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: cleanup: domain self references
  2004-10-11  8:54 cleanup: domain self references Thomas Bleher
@ 2004-10-11 14:47 ` Thomas Bleher
  2004-10-14 20:02 ` James Carter
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Bleher @ 2004-10-11 14:47 UTC (permalink / raw)
  To: SELinux ML


[-- Attachment #1.1: Type: text/plain, Size: 519 bytes --]

* Thomas Bleher <bleher@informatik.uni-muenchen.de> [2004-10-11 12:15]:
> I just did a global search and replace to clean up rules of the form
>         allow some_domain_t some_domain_t:capability setuid;
> This makes the policy easier to read.

Attached is a small patch to audit2allow in order to make this ugliness
less frequent in the future.

Please apply.
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: audit2allow.diff --]
[-- Type: text/plain, Size: 389 bytes --]

--- audit2allow.old     2004-10-11 16:36:18.760329072 +0200
+++ audit2allow 2004-10-11 16:37:20.472947328 +0200
@@ -124,6 +124,9 @@
 foreach $k (sort keys %rules)
 {
     my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
+    if ($scontext eq $tcontext) {
+        $tcontext = 'self';
+    }
     print OUT  "allow $scontext $tcontext:$tclass {";

     my $access_types = $rules{$k};
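Review bot: Overwriting `$tcontext` in place means any later use of the target type in this loop body now sees the literal string `self` instead of the type name; a separate output variable avoids that side effect, e.g. `my $target = ($scontext eq $tcontext) ? 'self' : $tcontext;` and then `print OUT "allow $scontext $target:$tclass {";`. The substitution itself is exact for this output because each `%rules` key carries one source type, so `self` and the repeated type name denote the same (source, target) pair. The `foreach` that opens this hunk ends outside it, so whether `$tcontext` is reused further down cannot be confirmed from here.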


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: cleanup: domain self references
  2004-10-11  8:54 cleanup: domain self references Thomas Bleher
  2004-10-11 14:47 ` Thomas Bleher
@ 2004-10-14 20:02 ` James Carter
  1 sibling, 0 replies; 3+ messages in thread
From: James Carter @ 2004-10-14 20:02 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux ML

Merged.

On Mon, 2004-10-11 at 04:54, Thomas Bleher wrote:
> I just did a global search and replace to clean up rules of the form
>         allow some_domain_t some_domain_t:capability setuid;
> This makes the policy easier to read.
> 
> Please apply.
> Thomas
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

