[selinux-policy: 2041/3172] trunk: more open perm fixes.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:01:15 UTC 2010
commit 82d2775c923b1474b010b58d0e180d0a60a4f37c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Oct 20 16:10:42 2008 +0000
trunk: more open perm fixes.
policy/modules/admin/dpkg.if | 2 +-
policy/modules/admin/portage.if | 2 +-
policy/modules/admin/prelink.if | 2 +-
policy/modules/apps/evolution.if | 4 +---
policy/modules/apps/uml.if | 2 +-
policy/modules/apps/vmware.if | 2 +-
policy/modules/kernel/corecommands.if | 3 +--
policy/modules/kernel/corenetwork.if.in | 4 ++--
policy/modules/kernel/files.if | 14 +++++++-------
policy/modules/kernel/filesystem.if | 3 +--
policy/modules/kernel/kernel.if | 2 +-
policy/modules/kernel/selinux.if | 26 +++++++++++++-------------
policy/modules/kernel/terminal.if | 16 ++++++++--------
policy/modules/services/amavis.if | 2 +-
policy/modules/services/apache.if | 4 ++--
policy/modules/services/apcupsd.if | 4 ++--
policy/modules/services/bitlbee.if | 4 ++--
policy/modules/services/cron.if | 2 +-
policy/modules/services/cups.if | 4 ++--
policy/modules/services/fail2ban.if | 2 +-
policy/modules/services/ftp.if | 2 +-
policy/modules/services/inn.if | 18 +++++++++---------
policy/modules/services/kerberos.if | 2 +-
policy/modules/services/ldap.if | 2 +-
policy/modules/services/mta.if | 2 +-
policy/modules/services/mysql.if | 12 ++++++------
policy/modules/services/nis.if | 2 +-
policy/modules/services/portmap.if | 2 +-
policy/modules/services/postfix.if | 6 +++---
policy/modules/services/postgresql.if | 6 +++---
policy/modules/services/ppp.if | 4 ++--
policy/modules/services/qmail.if | 12 ++++++------
policy/modules/services/razor.if | 3 ++-
policy/modules/services/rhgb.if | 2 +-
policy/modules/services/samba.if | 2 +-
policy/modules/services/smartmon.if | 2 +-
policy/modules/services/ssh.if | 4 ++--
policy/modules/services/xserver.if | 20 ++++++++++----------
policy/modules/system/authlogin.if | 2 +-
policy/modules/system/clock.if | 2 +-
policy/modules/system/fstools.if | 2 +-
policy/modules/system/getty.if | 4 ++--
policy/modules/system/hostname.if | 2 +-
policy/modules/system/init.if | 2 +-
policy/modules/system/sysnetwork.if | 6 +++---
policy/modules/system/unconfined.if | 2 +-
policy/modules/system/userdomain.if | 4 ++--
policy/support/misc_patterns.spt | 7 ++++---
48 files changed, 119 insertions(+), 121 deletions(-)
---
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 67b78aa..1822169 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -228,5 +228,5 @@ interface(`dpkg_lock_db',`
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
- allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+ allow $1 dpkg_lock_t:file manage_file_perms;
')
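Review bot: `manage_file_perms` on L67 is wider than the set it replaces: besides the `open` this series is adding, it also carries `setattr`, `rename` and `link`, none of which `dpkg_lock_db` previously granted on `dpkg_lock_t`. A lock-file interface has no evident need to rename, hard-link or change attributes of the lock, so `allow $1 dpkg_lock_t:file { create_file_perms rw_file_perms delete_file_perms };` would cover the original `{ getattr create read write append unlink lock }` plus `open` and `ioctl` without the extra grants. If the broader set is intended, a one-line comment above the rule saying why would keep the next reader from tightening it back.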
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 4f69198..da338ab 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -111,7 +111,7 @@ interface(`portage_compile_domain',`
# write compile logs
allow $1 portage_log_t:dir setattr;
- allow $1 portage_log_t:file { append write setattr };
+ allow $1 portage_log_t:file { write_file_perms setattr };
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 94bd0f3..9e09e88 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -85,7 +85,7 @@ interface(`prelink_read_cache',`
')
files_search_etc($1)
- allow $1 prelink_cache_t:file { getattr read };
+ allow $1 prelink_cache_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 66f4659..d50b4b7 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -166,9 +166,7 @@ template(`evolution_per_role_template',`
userdom_search_user_home_dirs($1, $1_evolution_t)
# Allow the user domain to signal/ps.
- allow $2 $1_evolution_t:dir { search getattr read };
- allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
- allow $2 $1_evolution_t:process getattr;
+ ps_process_pattern($2, $1_evolution_t)
domain_dontaudit_read_all_domains_state($1_evolution_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 810ee04..a833644 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -79,7 +79,7 @@ template(`uml_per_role_template',`
allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
# allow the UML thing to happen
- allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
+ allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_uml_t,$1_uml_devpts_t)
manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
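Review bot: L108 keeps a hand-expanded `$2:fifo_file { ioctl read write getattr lock append }` directly above the chr_file rule this hunk converts to `rw_chr_file_perms`, so the template still carries one rule in the form this commit is eliminating; `allow $3 xdm_t:fifo_file { getattr read write ioctl };` at L793 in xserver.if is the same case, and `allow $1_t $2:fifo_file rw_file_perms;` at L678 in qmail.if applies a file set to a fifo_file where the commit elsewhere (L218) switches to `rw_fifo_file_perms`. If these pipes are meant to be usable like the other rw rules in the series, `rw_fifo_file_perms` is the matching named set; if `open` is deliberately withheld because the descriptors are only inherited, a short comment on the rule would stop a later sweep from converting them. The uml and qmail templates begin before their hunks, so I cannot see whether a broader rule already covers these pipes.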
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 806bb80..d4d83f6 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -180,7 +180,7 @@ interface(`vmware_read_system_config',`
type vmware_sys_conf_t;
')
- allow $1 vmware_sys_conf_t:file { getattr read };
+ allow $1 vmware_sys_conf_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 777dc49..7df3bde 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:file { getattr read execute };
+ mmap_files_pattern($1, bin_t, bin_t)
')
########################################
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 2b473b3..e89e304 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',`
')
dev_list_all_dev_nodes($1)
- allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',`
')
dev_list_all_dev_nodes($1)
- allow $1 ppp_device_t:chr_file rw_file_perms;
+ allow $1 ppp_device_t:chr_file rw_chr_file_perms;
')
########################################
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9e4865b..acede28 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',`
attribute mountpoint;
')
- allow $1 mountpoint:dir { getattr search mounton };
+ allow $1 mountpoint:dir { search_dir_perms mounton };
allow $1 mountpoint:file { getattr mounton };
')
@@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',`
type boot_t;
')
- allow $1 boot_t:file { getattr read write create };
+ allow $1 boot_t:file { create_file_perms rw_file_perms };
manage_lnk_files_pattern($1, boot_t, boot_t)
')
@@ -1682,7 +1682,7 @@ interface(`files_mounton_default',`
type default_t;
')
- allow $1 default_t:dir { getattr search mounton };
+ allow $1 default_t:dir { search_dir_perms mounton };
')
########################################
@@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',`
')
allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
- allow $1 system_map_t:file { rw_file_perms create };
+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
')
########################################
@@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',`
allow $1 self:capability { chown fsetid sys_admin };
# Need to give access to the directories to be polyinstantiated
- allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
@@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',`
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr relabelto };
- allow $1 polydir: dir { write add_name };
- allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
+ allow $1 polydir: dir { write add_name open };
+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
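Review bot: `open` is spliced by hand into three ad-hoc permission lists at L191, L200 and L201, while the rest of the commit expresses the fix through named sets; the two polydir rules (L191 and L200) now both grant `write add_name open` on the same source, target and class, so L200 is fully contained in L191 and could be dropped, leaving one rule to audit. The insertion point also differs (`open` second on L191, last on L200 and first on L201), which makes the lists harder to compare against each other and against the named sets. files_polyinstantiate_all begins before the first hunk and continues past this one, so there may be further polydir rules outside my view.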
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 60877b0..08535cf 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',`
')
allow $1 rpc_pipefs_t:sock_file { read write };
-
')
########################################
@@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',`
type rpc_pipefs_t;
')
- allow $1 rpc_pipefs_t:fifo_file { read write };
+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
')
########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index c16bf9a..111596b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
type unlabeled_t;
')
- allow $1 unlabeled_t:dir { getattr search read relabelfrom };
+ allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
')
########################################
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index c931e1e..946f8fc 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',`
')
dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file { getattr read };
+ dontaudit $1 security_t:file read_file_perms;
')
########################################
@@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read };
+ allow $1 security_t:file read_file_perms;
')
########################################
@@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
if(!secure_mode_policyload) {
@@ -250,7 +250,7 @@ interface(`selinux_load_policy',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
if(!secure_mode_policyload) {
@@ -292,7 +292,7 @@ interface(`selinux_set_boolean',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
@@ -333,7 +333,7 @@ interface(`selinux_set_parameters',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
typeattribute $1 can_setsecparam;
@@ -356,7 +356,7 @@ interface(`selinux_validate_context',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
')
@@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',`
')
dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file { getattr read write };
+ dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
')
@@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
')
@@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
')
@@ -440,7 +440,7 @@ interface(`selinux_compute_member',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
')
@@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
')
@@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',`
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 5486553..38b493a 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -173,7 +173,7 @@ interface(`term_use_all_terms',`
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+ allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
')
########################################
@@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { getattr append };
+ allow $1 tty_device_t:chr_file append_chr_file_perms;
')
########################################
@@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { getattr write };
+ allow $1 tty_device_t:chr_file write_chr_file_perms;
')
########################################
@@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { rw_term_perms lock append };
+ allow $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { getattr write append };
+ allow $1 ttynode:chr_file write_chr_file_perms;
')
########################################
@@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { rw_term_perms lock append };
+ allow $1 ttynode:chr_file rw_chr_file_perms;
')
########################################
@@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',`
attribute ttynode;
')
- dontaudit $1 ttynode:chr_file { read write };
+ dontaudit $1 ttynode:chr_file rw_chr_file_perms;
')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 3e5f6db..db18f31 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',`
')
files_search_spool($1)
- allow $1 amavis_spool_t:file { getattr read };
+ allow $1 amavis_spool_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index f038c0d..7946f40 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ allow $1 httpd_squirrelmail_t:file read_file_perms;
')
########################################
@@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr append };
+ allow $1 httpd_squirrelmail_t:file append_file_perms;
')
########################################
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 4da96a5..d8a10d0 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -55,7 +55,7 @@ interface(`apcupsd_read_log',`
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
- allow $1 apcupsd_log_t:file { read getattr lock };
+ allow $1 apcupsd_log_t:file read_file_perms;
')
########################################
@@ -76,7 +76,7 @@ interface(`apcupsd_append_log',`
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
- allow $1 apcupsd_log_t:file { getattr append };
+ allow $1 apcupsd_log_t:file append_file_perms;
')
########################################
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
index 9e12e95..293f0fd 100644
--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@@ -16,8 +16,8 @@ interface(`bitlbee_read_config',`
')
files_search_etc($1)
- allow $1 bitlbee_conf_t:dir { getattr read search };
- allow $1 bitlbee_conf_t:file { read getattr };
+ allow $1 bitlbee_conf_t:dir list_dir_perms;
+ allow $1 bitlbee_conf_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 00186a1..0822ff9 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -285,7 +285,7 @@ template(`cron_admin_template',`
')
# Allow our crontab domain to unlink a user cron spool file.
- allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+ allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
logging_read_generic_logs($1_crond_t)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 8d6b4af..5ee5930 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -207,7 +207,7 @@ interface(`cups_read_log',`
')
logging_search_logs($1)
- allow $1 cupsd_log_t:file { getattr read };
+ allow $1 cupsd_log_t:file read_file_perms;
')
########################################
@@ -226,7 +226,7 @@ interface(`cups_write_log',`
')
logging_search_logs($1)
- allow $1 cupsd_log_t:file write;
+ allow $1 cupsd_log_t:file write_file_perms;
')
########################################
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index fced310..d9fc7e1 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -36,7 +36,7 @@ interface(`fail2ban_read_log',`
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
- allow $1 fail2ban_log_t:file { read getattr lock };
+ allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 63c9801..f07f6d4 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -67,7 +67,7 @@ interface(`ftp_read_config',`
')
files_search_etc($1)
- allow $1 ftpd_etc_t:file { getattr read };
+ allow $1 ftpd_etc_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index f3291e9..1240337 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -93,9 +93,9 @@ interface(`inn_read_config',`
type innd_etc_t;
')
- allow $1 innd_etc_t:dir { getattr read search };
- allow $1 innd_etc_t:file { read getattr };
- allow $1 innd_etc_t:lnk_file { getattr read };
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -113,9 +113,9 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
- allow $1 innd_var_lib_t:dir { getattr read search };
- allow $1 innd_var_lib_t:file { read getattr };
- allow $1 innd_var_lib_t:lnk_file { getattr read };
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+ allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -133,9 +133,9 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
- allow $1 news_spool_t:dir { getattr read search };
- allow $1 news_spool_t:file { read getattr };
- allow $1 news_spool_t:lnk_file { getattr read };
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
')
########################################
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 366f395..12c1cfc 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -73,7 +73,7 @@ interface(`kerberos_use',`
')
files_search_etc($1)
- allow $1 krb5_conf_t:file { getattr read };
+ allow $1 krb5_conf_t:file read_file_perms;
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 2d767ff..3aa8fa7 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -36,7 +36,7 @@ interface(`ldap_read_config',`
')
files_search_etc($1)
- allow $1 slapd_etc_t:file { getattr read };
+ allow $1 slapd_etc_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 23ba2b2..5bfa326 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -114,7 +114,7 @@ template(`mta_base_mail_template',`
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
- allow $1_mail_t etc_mail_t:dir { getattr search };
+ allow $1_mail_t etc_mail_t:dir search_dir_perms;
# Write to /var/spool/mail and /var/spool/mqueue.
manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 0115dbf..308a383 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -74,9 +74,9 @@ interface(`mysql_read_config',`
type mysqld_etc_t;
')
- allow $1 mysqld_etc_t:dir { getattr read search };
- allow $1 mysqld_etc_t:file { read getattr };
- allow $1 mysqld_etc_t:lnk_file { getattr read };
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -98,7 +98,7 @@ interface(`mysql_search_db',`
')
files_search_var_lib($1)
- allow $1 mysqld_db_t:dir search;
+ allow $1 mysqld_db_t:dir search_dir_perms;
')
########################################
@@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',`
')
files_search_var_lib($1)
- allow $1 mysqld_db_t:dir search;
+ allow $1 mysqld_db_t:dir search_dir_perms;
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
@@ -176,5 +176,5 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
- allow $1 mysqld_log_t:file { write append setattr ioctl };
+ allow $1 mysqld_log_t:file { write_file_perms setattr };
')
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index f1196e1..2e23018 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',`
')
files_search_etc($1)
- allow $1 ypserv_conf_t:file { getattr read };
+ allow $1 ypserv_conf_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 4fa2123..039c6de 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -49,7 +49,7 @@ interface(`portmap_run_helper',`
portmap_domtrans_helper($1)
role $2 types portmap_helper_t;
- allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+ allow portmap_helper_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index a9d7b71..0eeb4e7 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -208,9 +208,9 @@ interface(`postfix_read_config',`
type postfix_etc_t;
')
- allow $1 postfix_etc_t:dir { getattr read search };
- allow $1 postfix_etc_t:file { read getattr };
- allow $1 postfix_etc_t:lnk_file { getattr read };
+ allow $1 postfix_etc_t:dir list_dir_perms;
+ allow $1 postfix_etc_t:file read_file_perms;
+ allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
files_search_etc($1)
')
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index bae1e10..4351a8c 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -272,9 +272,9 @@ interface(`postgresql_read_config',`
')
files_search_etc($1)
- allow $1 postgresql_etc_t:dir { getattr read search };
- allow $1 postgresql_etc_t:file { read getattr };
- allow $1 postgresql_etc_t:lnk_file { getattr read };
+ allow $1 postgresql_etc_t:dir list_dir_perms;
+ allow $1 postgresql_etc_t:file read_file_perms;
+ allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')
########################################
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 5d98797..e100e9a 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',`
')
allow $1 pppd_etc_t:dir list_dir_perms;
- allow $1 pppd_etc_rw_t:file { getattr read };
+ allow $1 pppd_etc_rw_t:file read_file_perms;
files_search_etc($1)
')
@@ -250,7 +250,7 @@ interface(`ppp_read_secrets',`
')
allow $1 pppd_etc_t:dir list_dir_perms;
- allow $1 pppd_secret_t:file { getattr read };
+ allow $1 pppd_secret_t:file read_file_perms;
files_search_etc($1)
')
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index ed76186..a40b0a2 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -72,9 +72,9 @@ template(`qmail_child_domain_template',`
allow $1_t $2:fifo_file rw_file_perms;
allow $1_t $2:process sigchld;
- allow $1_t qmail_etc_t:dir { getattr read search };
- allow $1_t qmail_etc_t:file { getattr read };
- allow $1_t qmail_etc_t:lnk_file { getattr read };
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
allow $1_t qmail_start_t:fd use;
@@ -158,9 +158,9 @@ interface(`qmail_read_config',`
type qmail_etc_t;
')
- allow $1 qmail_etc_t:dir { getattr read search };
- allow $1 qmail_etc_t:file { getattr read };
- allow $1 qmail_etc_t:lnk_file { getattr read };
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
files_search_var($1)
ifdef(`distro_debian',`
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index f3480f0..37fc170 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -56,7 +56,8 @@ template(`razor_common_domain_template',`
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
- allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index c9711c6..d7d282a 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
- allow $1 rhgb_tmpfs_t:file { read write };
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index dddbcd9..23da552 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -263,7 +263,7 @@ interface(`samba_read_secrets',`
')
files_search_etc($1)
- allow $1 samba_secrets_t:file { read getattr lock };
+ allow $1 samba_secrets_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 8566394..f3d8459 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',`
type fsdaemon_tmp_t;
')
- allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index d567479..58b25e6 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -391,7 +391,7 @@ template(`ssh_per_role_template',`
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+ allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
dev_read_urand($1_ssh_keysign_t)
@@ -452,7 +452,7 @@ template(`ssh_server_template', `
can_exec($1_t, sshd_exec_t)
# Access key files
- allow $1_t sshd_key_t:file { getattr read };
+ allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 5b7e8f4..ffa2bd7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -320,7 +320,7 @@ template(`xserver_per_role_template',`
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+ allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
@@ -539,7 +539,7 @@ template(`xserver_ro_session_template',`
allow $2 $1_xserver_t:process signal;
# Read /tmp/.X0-lock
- allow $2 $1_xserver_tmp_t:file { getattr read };
+ allow $2 $1_xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $2 $1_xserver_t:fd use;
@@ -615,8 +615,8 @@ template(`xserver_user_client_template',`
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $2 $1_xauth_home_t:file { getattr read };
- allow $2 $1_iceauth_home_t:file { getattr read };
+ allow $2 $1_xauth_home_t:file read_file_perms;
+ allow $2 $1_iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $3 $1_xauth_home_t:file { getattr read };
- allow $3 $1_iceauth_home_t:file { getattr read };
+ allow $3 $1_xauth_home_t:file read_file_perms;
+ allow $3 $1_iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $3 xdm_t:fd use;
allow $3 xdm_t:fifo_file { getattr read write ioctl };
- allow $3 xdm_tmp_t:dir search;
+ allow $3 xdm_tmp_t:dir search_dir_perms;
allow $3 xdm_tmp_t:sock_file { read write };
dontaudit $3 xdm_t:tcp_socket { read write };
@@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
')
files_search_etc($1)
- allow $1 xdm_rw_etc_t:file { getattr read };
+ allow $1 xdm_rw_etc_t:file read_file_perms;
')
########################################
@@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
type xdm_var_lib_t;
')
- allow $1 xdm_var_lib_t:file { getattr read };
+ allow $1 xdm_var_lib_t:file read_file_perms;
')
########################################
@@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
type xdm_xserver_tmp_t;
')
- allow $1 xdm_xserver_tmp_t:file { getattr read };
+ allow $1 xdm_xserver_tmp_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index deb5755..0a12587 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
- allow $1_chkpwd_t shadow_t:file { getattr read };
+ allow $1_chkpwd_t shadow_t:file read_file_perms;
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
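Review bot: `read_file_perms` on `shadow_t` grants `$1_chkpwd_t` more than the `open` permission the commit title describes: in refpolicy's obj_perm_sets.spt that set also carries `lock` and `ioctl`. For the shadow file the narrower explicit set, `allow $1_chkpwd_t shadow_t:file { getattr open read };`, preserves the least-privilege intent of the original rule; if the macro is preferred for uniformity, a short comment noting that the extra permissions are accepted on shadow_t would help. The template body continues outside the hunk.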
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 2665fac..29397af 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -47,7 +47,7 @@ interface(`clock_run',`
clock_domtrans($1)
role $2 types hwclock_t;
- allow hwclock_t $3:chr_file { getattr read write ioctl };
+ allow hwclock_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 2b1ddda..e529bd6 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -48,7 +48,7 @@ interface(`fstools_run',`
fstools_domtrans($1)
role $2 types fsadm_t;
- allow fsadm_t $3:chr_file { getattr read write ioctl };
+ allow fsadm_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index bd8ead4..9ae3682 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -54,7 +54,7 @@ interface(`getty_read_log',`
')
logging_search_logs($1)
- allow $1 getty_log_t:file { getattr read };
+ allow $1 getty_log_t:file read_file_perms;
')
########################################
@@ -74,7 +74,7 @@ interface(`getty_read_config',`
')
files_search_etc($1)
- allow $1 getty_etc_t:file { getattr read };
+ allow $1 getty_etc_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index f325978..7910037 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -47,7 +47,7 @@ interface(`hostname_run',`
hostname_domtrans($1)
role $2 types hostname_t;
- allow hostname_t $3:chr_file { getattr read write ioctl };
+ allow hostname_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e6a1c83..d6f0c52 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
')
files_list_pids($1)
- allow $1 initrc_var_run_t:file { getattr write };
+ allow $1 initrc_var_run_t:file { getattr open write };
')
########################################
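Review bot: This hunk writes `{ getattr open write }` by hand, whereas the parallel write-only conversions in unconfined_write_tmp_files and userdom_write_unpriv_users_tmp_files switch to `write_file_perms`, which per obj_perm_sets.spt also carries `append`, `lock` and `ioctl`. If the narrower set is deliberate here (utmp records are typically rewritten in place rather than appended), a comment like `# utmp is updated in place: no append/lock/ioctl needed` would keep a later cleanup from turning it into the macro; if it is not, `write_file_perms` would keep the three interfaces consistent. Either way, the two tmp-file interfaces now grant `lock` and `ioctl` that the old `{ getattr write append }` did not, which is worth a mention in their interface documentation.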
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index e8bd0c7..57a33a7 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
sysnet_domtrans_dhcpc($1)
role $2 types dhcpc_t;
- allow dhcpc_t $3:chr_file { getattr read write ioctl };
+ allow dhcpc_t $3:chr_file rw_term_perms;
')
########################################
@@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
type dhcpc_state_t;
')
- allow $1 dhcpc_state_t:file { getattr read };
+ allow $1 dhcpc_state_t:file read_file_perms;
')
#######################################
@@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
')
files_list_pids($1)
- allow $1 dhcpc_var_run_t:file { getattr read };
+ allow $1 dhcpc_var_run_t:file read_file_perms;
')
#######################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 21df880..cb43eb1 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
type unconfined_tmp_t;
')
- allow $1 unconfined_tmp_t:file { getattr write append };
+ allow $1 unconfined_tmp_t:file write_file_perms;
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ff37b35..d546c89 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
allow $1_t self:context contains;
dontaudit $1_t self:socket create;
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
attribute user_tmpfile;
')
- allow $1 user_tmpfile:file { getattr write append };
+ allow $1 user_tmpfile:file write_file_perms;
')
########################################
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index ca7aa43..56d4c5d 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -2,7 +2,7 @@
# Specified domain transition patterns
#
define(`domain_transition_pattern',`
- allow $1 $2:file { getattr read execute };
+ allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
@@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
')
define(`ps_process_pattern',`
- allow $1 $2:dir { search getattr read };
- allow $1 $2:{ file lnk_file } { read getattr };
+ allow $1 $2:dir list_dir_perms;
+ allow $1 $2:file read_file_perms;
+ allow $1 $2:lnk_file read_lnk_file_perms;
allow $1 $2:process getattr;
')