selinux: further style and comprehensibility improvements

Sections and rules blocks reordered according to the Style guide.

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide

1 files changed, 36 insertions, 23 deletions

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85..86fd6e5e 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
 policy_module(vncsession, 1.0.0)
 
 gen_require(`
-    attribute userdomain;
-    type xdm_home_t;
+	attribute userdomain;
+	type xdm_home_t;
 ')
 
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
 type vnc_session_t;
+type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
 
 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
 
 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;
 
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
 manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
 
 kernel_read_kernel_sysctls(vnc_session_t)
 
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
 
 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)
+
+optional_policy(`
+	auth_login_pgm_domain(vnc_session_t)
+	auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+	logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+	userdom_spec_domtrans_all_users(vnc_session_t)
+	userdom_signal_all_users(vnc_session_t)
+
+	userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+	userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+	# This also affects other tools, e.g. vncpasswd
+	gen_require(`
+		attribute userdomain;
+	')
+	userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+	userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')