[selinux-policy: 3042/3172] Use permission sets where possible.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:30:42 UTC 2010


commit f66acfd9f24e41efd78e320b5d971767b729c615
Author: Dominick Grift <domg472 at gmail.com>
Date:   Mon Sep 20 11:59:03 2010 +0200

    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.

 policy/modules/services/gpm.if      |    6 +++---
 policy/modules/services/kerberos.if |    2 +-
 policy/modules/services/likewise.if |    2 +-
 policy/modules/services/mta.if      |   14 +++++++-------
 policy/modules/services/munin.if    |    2 +-
 policy/modules/services/mysql.if    |    2 +-
 policy/modules/services/nis.if      |    2 +-
 policy/modules/services/nscd.if     |    4 ++--
 8 files changed, 17 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 9a21080..d6b2959 100644
--- a/policy/modules/services/gpm.if
+++ b/policy/modules/services/gpm.if
@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 		type gpmctl_t;
 	')
 
-	dontaudit $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
 ')
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 541cc80..f7d4b6d 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -103,7 +103,7 @@ interface(`kerberos_use',`
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
 
-		allow $1 krb5_host_rcache_t:file getattr;
+		allow $1 krb5_host_rcache_t:file getattr_file_perms;
 	')
 
 	optional_policy(`
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 771e04b..81d98b3 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 
-	allow $1_t likewise_var_lib_t:dir setattr;
+	allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
 
 	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, file)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 8e607ad..4d1401d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -168,7 +168,7 @@ interface(`mta_role',`
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-	allow $2 sendmail_exec_t:lnk_file { getattr read };
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
 
 	allow mta_user_agent $2:fd use;
 	allow mta_user_agent $2:process sigchld;
@@ -512,7 +512,7 @@ interface(`mta_write_config',`
 	')
 
 	manage_files_pattern($1, etc_mail_t, etc_mail_t)
-	allow $1 etc_mail_t:file setattr;
+	allow $1 etc_mail_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -590,7 +590,7 @@ interface(`mta_rw_aliases',`
 	')
 
 	files_search_etc($1)
-	allow $1 etc_aliases_t:file { rw_file_perms setattr };
+	allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
 ')
 
 #######################################
@@ -684,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
 
 	files_dontaudit_search_spool($1)
 	dontaudit $1 mail_spool_t:dir search_dir_perms;
-	dontaudit $1 mail_spool_t:lnk_file read;
-	dontaudit $1 mail_spool_t:file getattr;
+	dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 mail_spool_t:file getattr_file_perms;
 ')
 
 #######################################
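Review bot: Swapping raw permissions for permission sets inside `dontaudit` rules widens what is silenced, starting here with `dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;`, which now also hides `getattr` denials where the old rule hid only `read`. The effect is larger in `mta_dontaudit_rw_queue` (`rw_file_perms` in place of `{ getattr read write }`) and in the two `nscd_var_run_t` rules in nscd.if (`read_file_perms` in place of `{ getattr read }`); assuming the usual refpolicy definitions, those sets also carry `open`, `ioctl` and `lock`, plus `append` for `rw_file_perms`. This grants no access, but denials on the mail queue and the nscd runtime files that used to reach the audit log will no longer be recorded, which matters to anyone relying on AVC messages for detection or troubleshooting. If the widening is intended, a comment such as `# also silences open/append/ioctl/lock denials` on those lines would make it explicit; otherwise the explicit sets should stay in the dontaudit rules while the allow rules use the macros. The interface bodies begin outside the hunks, so this is judged from the changed lines alone.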
@@ -735,7 +735,7 @@ interface(`mta_rw_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:file setattr;
+	allow $1 mail_spool_t:file setattr_file_perms;
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
 	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
@@ -876,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
 	')
 
 	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-	dontaudit $1 mqueue_spool_t:file { getattr read write };
+	dontaudit $1 mqueue_spool_t:file rw_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 297e392..4d06f74 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -78,7 +78,7 @@ interface(`munin_read_config',`
 
 	allow $1 munin_etc_t:dir list_dir_perms;
 	allow $1 munin_etc_t:file read_file_perms;
-	allow $1 munin_etc_t:lnk_file { getattr read };
+	allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
 	files_search_etc($1)
 ')
 
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 8cabfd2..6df118b 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -253,7 +253,7 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 mysqld_log_t:file { write_file_perms setattr };
+	allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
 ')
 
 ######################################
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 9b51af1..d060ea7 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	allow $1 var_yp_t:dir list_dir_perms;
-	allow $1 var_yp_t:lnk_file { getattr read };
+	allow $1 var_yp_t:lnk_file read_lnk_file_perms;
 	allow $1 var_yp_t:file read_file_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index f1ee95b..cb66404 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,7 @@ interface(`nscd_socket_use',`
 	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 	files_search_pids($1)
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-	dontaudit $1 nscd_var_run_t:file { getattr read };
+	dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -171,7 +171,7 @@ interface(`nscd_shm_use',`
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 	files_search_pids($1)
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
-	dontaudit $1 nscd_var_run_t:file { getattr read };
+	dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 
 ########################################

