selinux: further style and comprehensibility improvements
authorZdenek Pytela <zpytela@redhat.com>
Tue, 18 May 2021 11:31:53 +0000 (13:31 +0200)
committerZdenek Pytela <zpytela@redhat.com>
Tue, 18 May 2021 11:35:32 +0000 (13:35 +0200)
Sections and rules blocks reordered according to the Style guide.

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide

unix/vncserver/selinux/vncsession.te

index 63ad8a85fd614fbd0306a7ca122779f13f42304a..86fd6e5ef4ee61558cdae4a36ac8f83621e44e43 100644 (file)
 policy_module(vncsession, 1.0.0)
 
 gen_require(`
-    attribute userdomain;
-    type xdm_home_t;
+       attribute userdomain;
+       type xdm_home_t;
 ')
 
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
 type vnc_session_t;
+type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
 
 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
 
 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;
 
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
 manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
 
 kernel_read_kernel_sysctls(vnc_session_t)
 
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
 
 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)
+
+optional_policy(`
+       auth_login_pgm_domain(vnc_session_t)
+       auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+       logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+       miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+       userdom_spec_domtrans_all_users(vnc_session_t)
+       userdom_signal_all_users(vnc_session_t)
+
+       userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+       userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+       # This also affects other tools, e.g. vncpasswd
+       gen_require(`
+               attribute userdomain;
+       ')
+       userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+       userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
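Review bot: The top-level `gen_require` still lists `attribute userdomain;`, so the nested `gen_require` added inside the last `optional_policy` block is redundant and the module appears to keep a hard dependency on that attribute; if the intent is to make the userdomain rules optional, drop `attribute userdomain;` from the top-level block and keep only the nested one. The two filetrans calls on `userdomain` apply to every user domain rather than to `vnc_session_t` alone, which the one-line comment undersells; I would expand it to `# Any user domain that creates ~/.vnc (e.g. via vncpasswd) gets it labelled xdm_home_t, not only vnc_session_t`. Wrapping the auth, logging and userdom calls in `optional_policy` also means those rules are dropped without error when the providing module is absent, which goes beyond the reordering the description mentions and deserves a sentence there.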