diff --git a/packages/clip-selinux-policy/20140512.zip b/packages/clip-selinux-policy/20140512.zip
deleted file mode 100644
index cd4795fe..00000000
Binary files a/packages/clip-selinux-policy/20140512.zip and /dev/null differ
diff --git a/packages/clip-selinux-policy/clip-selinux-policy.spec b/packages/clip-selinux-policy/clip-selinux-policy.spec
index 70b67a3e..e24879e9 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy.spec
+++ b/packages/clip-selinux-policy/clip-selinux-policy.spec
@@ -128,7 +128,7 @@ fi
%define loadpolicy() \
. %{_sysconfdir}/selinux/config; \
-( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
+( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 | /bin/tee /tmp/load_policy.log ); \
%define relabel() \
. %{_sysconfdir}/selinux/config; \
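Review bot: The new `| /bin/tee /tmp/load_policy.log` in the loadpolicy macro writes, as root, to a fixed name in world-writable /tmp, so tee truncates through whatever another local user has planted at that path (a symlink included); write the log under a root-owned directory instead, e.g. `/bin/tee /var/log/load_policy.log` (the scriptlet already relabels /var/log). The pipe also replaces semodule's exit status with tee's, so a failed policy load is no longer visible at the two `%loadpolicy clip $packages` call sites; the scriptlet ends with `exit 0` anyway, which makes the log the only evidence of a failure and is another reason to keep it somewhere durable and root-owned.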
@@ -246,12 +246,13 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
packages=`cat /usr/share/selinux/clip/modules.lst`
if [ $1 -eq 1 ]; then
%loadpolicy clip $packages
- restorecon -R /root /var/log /var/run 2> /dev/null
+ restorecon -R /root /var/log /var/run
else
# semodule -n -s clip 2>/dev/null
%loadpolicy clip $packages
%relabel clip
fi
+
touch /.autorelabel
exit 0
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/Makefile b/packages/clip-selinux-policy/clip-selinux-policy/Makefile
index 15354e78..a55d55e3 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/Makefile
+++ b/packages/clip-selinux-policy/clip-selinux-policy/Makefile
@@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
gennetfilter += -c
endif
-# enable systemd policy
-ifeq "$(INIT)" "systemd"
- M4PARAM += -D init_systemd
-endif
-
# enable distribution-specific policy
ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
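Review bot: Removing the `ifeq "$(INIT)" "systemd"` block drops the only visible definition of the `init_systemd` m4 symbol, yet the init.te hunk at `@@ -209,6 +209,9 @@ ifdef(`init_systemd',` adds `seutil_read_file_contexts(init_t)` and `systemd_read_unitfile_files(init_t)` inside that very conditional. Unless init_systemd is defined elsewhere (the INIT setting in build.conf is not in this diff), those new init_t rules are compiled out, and the `systemd = base` entry in modules.conf ships a systemd module whose init_t integration is silently absent. Either keep the Makefile block or add `M4PARAM += -D init_systemd` unconditionally next to the `distro_$(DISTRO)` line.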
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/build.conf b/packages/clip-selinux-policy/clip-selinux-policy/build.conf
index f27c7aec..6241da0a 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/build.conf
+++ b/packages/clip-selinux-policy/clip-selinux-policy/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = redhat
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist b/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist
index e233ea70..860d826b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist
+++ b/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist
@@ -9,6 +9,7 @@
# example, but aliasing.
#
/etc/init.d /etc/rc.d/init.d
+/etc/systemd/system /usr/lib/systemd/system
/lib/systemd /usr/lib/systemd
/lib32 /lib
/lib64 /lib
@@ -20,3 +21,5 @@
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
/var/run/lock /var/lock
+/usr/bin /bin
+/usr/sbin /sbin
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf
index ba27551a..6dea6e9b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf
@@ -1007,7 +1007,7 @@ cgroup = off
#
# Chrony NTP background daemon
#
-chronyd = off
+chronyd = module
# Layer: services
# Module: cipe
@@ -1147,7 +1147,7 @@ dbskk = off
#
# Desktop messaging bus
#
-dbus = off
+dbus = module
# Layer: services
# Module: dcc
@@ -1182,7 +1182,7 @@ devicekit = off
#
# Dynamic host configuration protocol (DHCP) server
#
-dhcp = off
+dhcp = module
# Layer: services
# Module: dictd
@@ -2351,6 +2351,12 @@ hotplug = off
#
init = base
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd
+systemd = base
+
# Layer: system
# Module: ipsec
#
@@ -2491,3 +2497,9 @@ userdomain = base
#
xen = off
+# Layer: contrib
+# Module: firewalld
+#
+# Policy for firewalld.
+firewalld = module
+
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc
index 4e4143ed..9c4384d8 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te
index e5b621c2..3edb0eab 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te
@@ -33,11 +33,17 @@ files_pid_file(chronyd_var_run_t)
#
allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+#uncomment this if it works after testing in enforcing
+#dontaudit chronyd_t self:capability fsetid;
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+# allow chronyd to create key if not present
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+# allow chronyd to change perms to not be world readable
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
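Review bot: The comment `# allow chronyd to create key if not present` does not match the rule under it: `append_file_perms` grants append/open/getattr/lock on an existing chronyd_keys_t file but no `create`, and no type transition on the parent directory is added, so a missing key file still cannot be created. If creation is the intent, the rule needs `create_file_perms` on chronyd_keys_t plus a filetrans_pattern from the directory type, and the comment should say which. The `setattr_file_perms` grant is wider than the "not be world readable" comment suggests (setattr covers any mode, owner or timestamp change), which is worth stating so the next reader does not take it for a narrowing. The commented-out `dontaudit chronyd_t self:capability fsetid;` with its `#uncomment this if it works` note should be tested and enabled or removed before merge rather than left as a to-do inside the policy.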
@@ -61,6 +67,10 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+kernel_read_crypto_sysctls(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc
index ad0bae94..d6c77ef9 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc
@@ -1,8 +1,13 @@
+/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc
index 8182c480..66f9435b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc
index 21d7b844..bda83404 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc
@@ -2,7 +2,9 @@
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
-/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc
index f01b32fe..d2ee9c97 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc
@@ -2,6 +2,8 @@
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc
index a91f33b0..23938637 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc
@@ -6,6 +6,8 @@
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc
index 79606934..528e84d2 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc
@@ -234,7 +234,6 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if
index bc2c501f..ad4d3401 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_associate_sysfs',`
allow $1 sysfs_t:filesystem associate;
')
+########################################
+##
+## Relabel sysfs dirs.
+##
+##
+##
+## The type of the file to be allowed access.
+##
+##
+#
+interface(`dev_relabel_dir_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
########################################
##
## Get the attributes of sysfs directories.
@@ -4969,3 +4987,22 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
+
+
+#######################################
+##
+## Relabel to usb device character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_relabelto_usb_device_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file relabelfrom;
+')
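Review bot: `dev_relabelto_usb_device_chr_files` is misnamed on both counts: its body grants `relabelfrom`, not `relabelto`, and it does so on the generic `device_t` rather than a USB-specific node type, so any caller can relabel every device_t character node away from its label. Either rename the interface to say what it does (a relabelfrom grant on device_t) and document that scope in the summary, or narrow the rule to the USB node type the devices module labels separately, if that is what the caller actually needs. The summary's parameter text should also read `Domain allowed access.` as the rest of the file does.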
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if
index 527f37cf..44ef6a05 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if
@@ -3203,6 +3203,24 @@ interface(`files_etc_filetrans_etc_runtime',`
filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
')
+########################################
+##
+## Status permissions on etc service object
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_service_status_etc',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
########################################
##
## Getattr of directories on new filesystems
@@ -6390,6 +6408,7 @@ interface(`files_delete_all_pid_dirs',`
delete_dirs_pattern($1, pidfile, pidfile)
')
+
########################################
##
## Create, read, write and delete all
@@ -6697,3 +6716,114 @@ interface(`files_unconfined',`
auth_relabelto_shadow($1)
auth_rw_shadow($1)
')
+
+#######################################
+##
+## Execute library
+##
+##
+##
+## Domain to allow access
+##
+##
+#
+interface(`files_exec_no_trans_lib',`
+ gen_require(`
+ attribute lib_t;
+ ')
+
+ allow $1 lib_t:file execute_no_trans;
+')
+
+########################################
+##
+## Status permissions on lib service object
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_service_status_lib',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:service status;
+')
+
+#######################################
+##
+## Allow domain to write var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_var_lib_files',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ allow $1 var_lib_t:file write;
+')
+
+#######################################
+##
+## manage generic sock files
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_generic_pids_sock_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_sock_files_pattern($1,var_run_t,var_run_t)
+')
+
+
+######################################
+##
+## Relabel pid files.
+##
+##
+##
+## The type of the domain to be allowed access.
+##
+##
+#
+interface(`files_relabel_pid_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ relabel_files_pattern($1, var_run_t, var_run_t)
+')
+
+######################################
+##
+## Relabel pid dirs.
+##
+##
+##
+## The type of the domain to be allowed access.
+##
+##
+#
+interface(`files_relabel_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ relabel_dirs_pattern($1, var_run_t, var_run_t)
+')
+
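Review bot: `files_exec_no_trans_lib` requires `attribute lib_t;` while `files_service_status_lib` a few lines below requires `type lib_t;`; lib_t is declared as a type in refpolicy's libraries module, so the `attribute` form fails at policy build and the two interfaces contradict each other. Both also put a system-layer type into a kernel-layer interface file; their usual home is libraries.if, and refpolicy's existing `libs_exec_lib_files` already covers execute on lib_t files as far as I can tell, so the first interface may be redundant. `files_write_var_lib_files` grants `write` without `open`, which only works on inherited descriptors; if the caller opens the file itself it needs `write_files_pattern($1, var_lib_t, var_lib_t)` instead. The summaries of `files_relabel_pid_files` and `files_relabel_pid_dirs` describe the parameter as "The type of the domain", which should read `Domain allowed access.` to match the rest of the file.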
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/filesystem.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/filesystem.if
index f02da28e..874181b4 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/filesystem.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/filesystem.if
@@ -3892,6 +3892,26 @@ interface(`fs_getattr_tmpfs',`
allow $1 tmpfs_t:filesystem getattr;
')
+########################################
+##
+## Get the attributes of tmpfs
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_getattr_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file getattr;
+')
+
########################################
##
## Allow the type to associate to tmpfs filesystems.
@@ -4971,3 +4991,22 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
+
+
+#######################################
+##
+## Relabel tmpfs dirs.
+##
+##
+##
+## The type of the file to be allowed access.
+##
+##
+#
+interface(`fs_relabel_dir_tmpfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
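Review bot: `fs_relabel_dir_tmpfs` requires `type sysfs_t;` but its body uses `tmpfs_t`, so the interface does not declare the type it actually depends on (it looks like a copy of the sysfs variant added to devices.if). Change the require block to `type tmpfs_t;`. The parameter description, "The type of the file to be allowed access", also describes a domain and should say `Domain allowed access.`.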
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/kernel.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/kernel.if
index 09d25d04..e51b3330 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/kernel.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/kernel.if
@@ -3285,3 +3285,22 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
kernel_load_module($1)
')
+
+########################################
+##
+## Allow the specified domain to search
+## kernel dir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_search_dir',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:dir search;
+')
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/terminal.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/terminal.if
index cbb729b6..ecac0fb0 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/terminal.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/terminal.if
@@ -1531,3 +1531,21 @@ interface(`term_use_virtio_console',`
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_term_perms;
')
+
+#######################################
+##
+## Relabel from/to devpts dir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_relabel_devpts_dir',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ relabel_dirs_pattern($1, devpts_t, devpts_t)
+')
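Review bot: `dev_relabel_devpts_dir` is added to terminal.if but carries the devices module's `dev_` prefix; refpolicy names an interface after the module that owns the type, and devpts_t belongs to terminal, so it should be something like `term_relabel_devpts_dirs` (plural, matching `relabel_dirs_pattern` and the surrounding naming). Any callers elsewhere in the tree would need the rename too; none appear in this diff.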
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te
index 9468f0ba..70e238a4 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te
@@ -5,6 +5,7 @@ policy_module(toor, 2.3.0)
# Declarations
#
role toor_r;
+#role toor_r types toor_t;
userdom_admin_user_template(toor)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc
index 81682445..2b92dc18 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc
@@ -1,8 +1,12 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc
index c5e05ca7..2f5e82d6 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc
@@ -1,5 +1,5 @@
/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
-/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
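Review bot: Changing `/sbin/hwclock` to `/usr/sbin/hwclock` goes the opposite way from every other .fc hunk in this commit (chronyd, cron, dhcp, firewalld and ssh all add `/sbin/...` entries), and if I read the new `/usr/sbin /sbin` line in file_contexts.subs_dist correctly, a lookup for /usr/sbin/hwclock is rewritten to /sbin/hwclock before matching, which this file no longer lists, so hwclock would fall back to the generic /sbin label and lose its hwclock_t transition. Keep the `/sbin/hwclock` line (adding the /usr/sbin one alongside it, as the other fc hunks do, if the substitution is not relied on).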
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc
index 3101274e..e0d4940b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc
@@ -48,6 +48,8 @@
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc
index 9dfecf77..16c1b8d4 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc
@@ -1,2 +1,3 @@
/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:hostname_exec_t,s0)
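Review bot: Labeling `/usr/lib/systemd/systemd-hostnamed` as `hostname_exec_t` runs a long-lived D-Bus daemon in hostname_t, a domain written for the one-shot hostname(1) command, while the systemd.fc hunk in the same commit deletes its `systemd_hostnamed_exec_t` entry without re-adding it. If `systemd_hostnamed_t` is still declared in systemd.te (its declarations are outside this diff), that domain is now unreachable and the daemon's D-Bus and hostname-file rules, if any, live in a domain it never enters. Keep the dedicated exec type in systemd.fc and drop this line, unless hostname_t is deliberately being widened to cover the daemon, in which case a comment here should say so.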
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if
index c4502cbe..78fade0b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if
@@ -1509,6 +1509,25 @@ interface(`init_dbus_send_script',`
allow $1 initrc_t:dbus send_msg;
')
+########################################
+##
+## Acquire service and send messages to init scripts over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_acquire_service_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus { acquire_svc send_msg };
+')
+
########################################
##
## Send and receive messages from
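Review bot: `init_dbus_acquire_service_send_script` requires `class dbus send_msg;` but its body also grants `acquire_svc`, so the require block under-declares what the interface uses; make it `class dbus { acquire_svc send_msg };`. Granting acquire_svc on initrc_t also lets the caller claim bus names as the init-script domain, which is wider than the existing `init_dbus_send_script` just above it, and the summary should state that difference.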
@@ -1997,3 +2016,22 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
+
+########################################
+##
+## Read init scripts
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_scripts',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initrc_t:dir search;
+ allow $1 initrc_t:file { getattr open read };
+')
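Review bot: `init_read_scripts` requires `type initctl_t;` but uses `initrc_t`, and initrc_t is the init-script process domain, not the file type of the scripts; reading scripts under /etc/rc.d/init.d means `initrc_exec_t`, which init.if already exposes as `init_read_script_files` as far as I can tell. As written the rules grant dir search and file read on a process type that labels no files, and the require block names a type the body never touches. Replace the body with `read_files_pattern($1, initrc_exec_t, initrc_exec_t)` under `type initrc_exec_t;`, or have callers use the existing interface instead of adding a new one.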
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te
index 733e7985..fb652453 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te
@@ -209,6 +209,9 @@ ifdef(`init_systemd',`
selinux_compute_create_context(init_t)
selinux_compute_access_vector(init_t)
+ seutil_read_file_contexts(init_t)
+
+ systemd_read_unitfile_files(init_t)
logging_send_audit_msgs(init_t)
@@ -488,6 +491,9 @@ modutils_read_module_config(initrc_t)
modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
+seutil_domtrans_setfiles(initrc_t)
+logging_domtrans_auditd(initrc_t)
+logging_domtrans_auditctl(initrc_t)
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.te
index be1477d7..e419b224 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.te
@@ -232,7 +232,7 @@ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
kernel_read_system_state(audisp_t)
-
+kernel_dgram_send(audisp_t)
corecmd_exec_bin(audisp_t)
corecmd_exec_shell(audisp_t)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc
index 6b917403..dc8b8a4b 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc
@@ -45,7 +45,10 @@ ifdef(`distro_gentoo',`
/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmconf -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmdump -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -92,6 +95,8 @@ ifdef(`distro_gentoo',`
/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
#
# /var
#
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc
index ec19d63d..366110bc 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc
@@ -1,5 +1,11 @@
# SELinux userland utilities
+#
+# /bin
+#
+/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
+
#
# /etc
#
@@ -24,8 +30,11 @@
#
/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-
+/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /usr
#
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te
index c322a6f6..73523087 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te
@@ -97,6 +97,7 @@ role run_init_roles types run_init_t;
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
+init_system_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
role semanage_roles types semanage_t;
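Review bot: Adding `init_system_domain(semanage_t, semanage_exec_t)` makes the policy-management domain reachable from init and init scripts, so any unit or rc script that execs semanage, semodule or setsebool (now labeled semanage_exec_t by the selinuxutil.fc hunk) runs with the ability to rewrite the loaded policy without an interactive session, a significant widening of a domain that was application-only. If boot-time policy loading needs this, a comment should name the unit that requires it; otherwise a domtrans from the specific caller is the narrower fix. The domain now carries both application_domain and init_system_domain, a combination refpolicy does not normally use, which is worth a sentence in the declaration block.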
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc
index 15d6bb09..dc6b16c5 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc
@@ -2,12 +2,42 @@
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
-/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
-/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
-/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-/usr/lib/systemd/systemd-update-utmp -- gen_context(system_u:object_r:systemd_utmp_exec_t,s0)
-/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/catalog(/.*)? gen_context(system_u:object_r:systemd_log_t,s0)
+/usr/lib/systemd/rhel-.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:systemd_shutdown_t,s0)
+/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
+/usr/lib/systemd/system/ip6?tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+
+
+/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-update-utmp -- gen_context(system_u:object_r:systemd_utmp_exec_t,s0)
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-initctl -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0)
+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
+/usr/lib/systemd/systemd-multi-seat-x -- gen_context(system_u:object_r:systemd_multi_seat_x_exec_t,s0)
+/usr/lib/systemd/systemd-quotacheck -- gen_context(system_u:object_r:systemd_quotacheck_exec_t,s0)
+/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:systemd_random_seed_exec_t,s0)
+/usr/lib/systemd/systemd-remount-fs -- gen_context(system_u:object_r:systemd_remount_fs_exec_t,s0)
+/usr/lib/systemd/systemd-reply-password -- gen_context(system_u:object_r:systemd_reply_password_exec_t,s0)
+/usr/lib/systemd/systemd-shutdownd -- gen_context(system_u:object_r:systemd_shutdownd_exec_t,s1)
+/usr/lib/systemd/systemd-sleep -- gen_context(system_u:object_r:systemd_sleep_exec_t,s0)
+/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
+/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_user_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-vconsole-setup -- gen_context(system_u:object_r:systemd_vconsole_setup_exec_t,s0)
+/usr/lib/systemd/systemd-ac-power -- gen_context(system_u:object_r:systemd_ac_power_exec_t,s0)
+/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-bootchart -- gen_context(system_u:object_r:systemd_bootchart_exec_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
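Review bot: The `systemd-shutdownd` entry on the `systemd_shutdownd_exec_t` line uses sensitivity `s1` while every other entry in the file is `s0`; on an MCS build s1 is not a valid level and setfiles should reject the context, and on MLS it would place the binary above s0 processes. Change it to `s0`. The hunk also introduces many new types (systemd_log_t, systemd_shutdown_t, sshd_unit_file_t, iptables_unit_file_t and the long list of `systemd_*_exec_t` for coredump, initctl, machined and so on) whose declarations are not in this diff; each must exist in the owning .te or the file_contexts build fails, so it is worth confirming that the systemd.te hunk, cut off here, declares all of them. `/usr/lib/systemd/systemd-user-sessions` also changes from systemd_sessions_exec_t to systemd_user_sessions_exec_t, a rename that needs the .te and any callers updated in step.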
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if
index 93f805f8..af5a9a6d 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if
@@ -1 +1,83 @@
## Systemd components (not PID 1)
+
+
+#######################################
+##
+## Send messages to systemd_logind over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_dbus_send_systemd_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_logind_t:dbus send_msg;
+')
+
+
+#######################################
+##
+## Make the specified domain trusted
+## to inherit and use systemd_logind
+## file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`systemd_fd_use_systemd_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+##
+## Make the specified type usable for
+## systemd unit files.
+##
+##
+##
+## Type to be used for systemd unit files.
+##
+##
+#
+interface(`systemd_unit_file',`
+ gen_require(`
+ attribute systemdunitfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 systemdunitfile;
+')
+
+
+########################################
+##
+## Read all systemd unit files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_read_unitfile_files',`
+ gen_require(`
+ attribute systemdunitfile;
+ type lib_t;
+ ')
+
+ read_files_pattern($1, systemd_unit_file_t, systemdunitfile)
+')
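Review bot: The `gen_require` of `systemd_read_unitfile_files` lists `type lib_t;`, which the body never references, and omits `systemd_unit_file_t`, which the `read_files_pattern` call uses as the directory type; a caller in another module would get an out-of-scope type at link time, so the require block should read `attribute systemdunitfile;` and `type systemd_unit_file_t;` instead. The two logind interfaces also depart from the refpolicy naming the rest of the tree uses (`systemd_dbus_send_logind`, `systemd_use_logind_fds` would match the `<module>_<verb>_<object>` pattern), which matters because interface names are the grep surface for audits of who may talk to logind. Neither `systemd_dbus_send_systemd_logind` nor `systemd_fd_use_systemd_logind` carries a `dbus_send_msg`/`fd use` counter-rule in the other direction, so a one-line comment such as `# one-way: reply path must be granted by the caller's module` would save the next reader from assuming a bidirectional grant.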
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te
index 1dc8ca91..d36470ab 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te
@@ -5,6 +5,9 @@ policy_module(systemd, 1.0.0)
# Declarations
#
+# make interfaces which generate systemd domain type exec pairs
+# and systemd short running type exec pairs
+
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
@@ -16,10 +19,6 @@ type systemd_locale_t;
type systemd_locale_exec_t;
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
-type systemd_hostnamed_t;
-type systemd_hostnamed_exec_t;
-init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
-
type systemd_logind_t;
type systemd_logind_exec_t;
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
@@ -36,6 +35,97 @@ init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
type systemd_sessions_var_run_t;
files_type(systemd_sessions_var_run_t)
+init_daemon_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+#type systemd_utmp_t;
+#role system_r types systemd_utmp_t;
+#domain_type(systemd_utmp_t)
+#domain_entry_file(systemd_utmp_t, systemd_utmp_exec_t)
+#init_system_domain(systemd_utmp_t, systemd_utmp_exec_t)
+
+type systemd_ac_power_t;
+type systemd_ac_power_exec_t;
+init_system_domain(systemd_ac_power_t, systemd_ac_power_exec_t)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_bootchart_t;
+type systemd_bootchart_exec_t;
+init_system_domain(systemd_bootchart_t, systemd_bootchart_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_initctl_t;
+type systemd_initctl_exec_t;
+init_system_domain(systemd_initctl_t, systemd_initctl_exec_t)
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_modules_load_t;
+type systemd_modules_load_exec_t;
+init_system_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
+
+type systemd_multi_seat_x_t;
+type systemd_multi_seat_x_exec_t;
+init_system_domain(systemd_multi_seat_x_t, systemd_multi_seat_x_exec_t)
+
+type systemd_quotacheck_t;
+type systemd_quotacheck_exec_t;
+init_system_domain(systemd_quotacheck_t, systemd_quotacheck_exec_t)
+
+type systemd_random_seed_t;
+type systemd_random_seed_exec_t;
+init_system_domain(systemd_random_seed_t, systemd_random_seed_exec_t)
+
+type systemd_remount_fs_t;
+type systemd_remount_fs_exec_t;
+init_system_domain(systemd_remount_fs_t, systemd_remount_fs_exec_t)
+
+type systemd_reply_password_t;
+type systemd_reply_password_exec_t;
+init_system_domain(systemd_reply_password_t, systemd_reply_password_exec_t)
+
+type systemd_shutdownd_t;
+type systemd_shutdownd_exec_t;
+init_daemon_domain(systemd_shutdownd_t, systemd_shutdownd_exec_t)
+
+type systemd_sleep_t;
+type systemd_sleep_exec_t;
+init_system_domain(systemd_sleep_t, systemd_sleep_exec_t)
+
+type systemd_sysctl_t;
+type systemd_sysctl_exec_t;
+init_system_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
+
+type systemd_timedated_t;
+type systemd_timedated_exec_t;
+init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
+
+type systemd_update_utmp_t;
+type systemd_update_utmp_exec_t;
+init_system_domain(systemd_update_utmp_t, systemd_update_utmp_exec_t)
+
+type systemd_user_sessions_t;
+type systemd_user_sessions_exec_t;
+init_system_domain(systemd_user_sessions_t, systemd_user_sessions_exec_t)
+
+type systemd_vconsole_setup_t;
+type systemd_vconsole_setup_exec_t;
+init_system_domain(systemd_vconsole_setup_t, systemd_vconsole_setup_exec_t)
type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
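Review bot: `init_daemon_domain(systemd_sessions_t, systemd_sessions_exec_t)` is added while the hunk header shows the same pair already going through `init_system_domain`; applying both to one domain is at best redundant and, if the tree's `init_daemon_domain` carries extra grants, silently widens the domain, so one of the two should go with a comment saying which lifecycle the daemon has. The commented-out `systemd_utmp_t` block is dead text next to a new `systemd_update_utmp_t`, while `systemd_utmp_t` still receives rules in the final hunk of this file — clarify whether the new type replaces the old one or the block should be dropped. Separately, the file context in the preceding systemd.fc hunk labels `systemd-shutdownd` at `s1` where every sibling binary uses `s0`; that looks like a typo and under an MLS build would leave the new `systemd_shutdownd_exec_t` entrypoint at a different sensitivity from its peers.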
@@ -59,22 +149,6 @@ init_system_domain(systemd_utmp_t, systemd_utmp_exec_t)
logging_send_syslog_msg(systemd_cgroups_t)
-#######################################
-#
-# Hostnamed policy
-#
-
-files_read_etc_files(systemd_hostnamed_t)
-
-logging_send_syslog_msg(systemd_hostnamed_t)
-
-seutil_read_file_contexts(systemd_hostnamed_t)
-
-optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
-')
-
#######################################
#
# locale local policy
@@ -170,10 +244,12 @@ logging_send_syslog_msg(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
+typeattribute systemd_tmpfiles_t can_relabelto_binary_policy;
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
- files_manage_non_security_dirs(systemd_tmpfiles_t)
+ files_manage_non_security_dirs(systemd_tmpfiles_t)
files_manage_non_security_files(systemd_tmpfiles_t)
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
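Review bot: `typeattribute systemd_tmpfiles_t can_relabelto_binary_policy;` hands tmpfiles the exemption attribute that the base policy uses to gate `relabelto` onto the loaded-policy type, and it does so unconditionally with no comment, while the neighbouring wide grants are behind the `systemd_tmpfiles_manage_all` tunable. If the tree's selinuxutil module exposes an interface for this grant it should be used instead of naming the attribute directly, since the attribute is not in scope via `gen_require` here and a direct reference bypasses the documented interface. Either way a why-comment is needed, e.g. `# tmpfiles.d entry <name> relabels under /etc/selinux; needs relabelto to the binary policy type`, so the next audit can tell whether the grant is still required. The `files_manage_non_security_dirs` line changes only in whitespace.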
@@ -190,3 +266,21 @@ init_rw_utmp(systemd_utmp_t)
logging_send_audit_msgs(systemd_utmp_t)
logging_send_syslog_msg(systemd_utmp_t)
+
+#########################################
+#
+# Unit file types
+#
+attribute systemdunitfile;
+
+type systemd_unit_file_t;
+systemd_unit_file(systemd_unit_file_t)
+
+type systemd_shutdown_t;
+type systemd_log_t;
+
+type iptables_unit_file_t;
+systemd_unit_file(iptables_unit_file_t)
+
+type sshd_unit_file_t;
+systemd_unit_file(sshd_unit_file_t)
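Review bot: `type systemd_shutdown_t;` and `type systemd_log_t;` are declared with no attribute, no `files_type`/`domain_type` and no rule, and neither appears in the systemd.fc hunk above, so any object that ends up labelled with them is unreachable by every domain; either give them a role (`files_type(...)` or a domain declaration) or drop them until they are used. `iptables_unit_file_t` and `sshd_unit_file_t` are declared inside the systemd module rather than in the iptables and ssh modules via the new `systemd_unit_file` interface, which is the layering the interface was added for and keeps each service's unit-file type with its own policy. The `systemdunitfile` attribute is declared at the bottom of the file but is already required by interfaces in systemd.if; moving the declaration into the Declarations section near the top would match the file's existing layout.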
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/udev.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/udev.if
index 9a1650d3..c1efd8c2 100644
--- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/udev.if
+++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/udev.if
@@ -261,14 +261,14 @@ interface(`udev_manage_pid_dirs',`
manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
')
-########################################
+#######################################
##
-## Read udev pid files.
+## Read udev pid files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`udev_read_pid_files',`