[selinux-policy: 3082/3172] Use permission sets where possible.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:34:11 UTC 2010


commit 1dfc76f76bb3fd8416237fa0da6324393cc05645
Author: Dominick Grift <domg472 at gmail.com>
Date:   Wed Sep 22 12:02:34 2010 +0200

    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.

 policy/modules/services/cachefilesd.te |    4 ++--
 policy/modules/services/canna.te       |    2 +-
 policy/modules/services/ccs.te         |    2 +-
 policy/modules/services/clamav.te      |    2 +-
 policy/modules/services/courier.te     |    2 +-
 policy/modules/services/cron.te        |    4 ++--
 policy/modules/services/cups.te        |    4 ++--
 policy/modules/services/fail2ban.te    |    2 +-
 policy/modules/services/ftp.te         |    4 ++--
 policy/modules/services/inn.te         |    2 +-
 policy/modules/services/kerberos.te    |    6 +++---
 policy/modules/services/lpd.te         |    6 +++---
 policy/modules/services/mysql.te       |    2 +-
 13 files changed, 21 insertions(+), 21 deletions(-)
---
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index d9bf917..d0a0063 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -102,8 +102,8 @@ files_create_as_is_all_files(cachefilesd_t)
 allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 
 # Allow access to cache superstructure
-allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
-allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
 
 # Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
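Review bot: The new file rule is written `{ rename delete_file_perms}` with no space before the closing brace, unlike the directory rule directly above it and the other brace sets in this commit. Suggest `allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };` so the set reads and greps consistently with the rest of the module.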
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index a0dfd2f..d60e2bf 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
 logging_log_filetrans(canna_t, canna_log_t, { file dir })
 
 manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index bffe6b6..112dc77 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
 
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 16598a4..ae2656a 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
 
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 37f4810..cc93958 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
 # inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 miscfiles_read_localization(courier_pop_t)
 
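Review bot: `rw_inherited_file_perms` is not a one-for-one replacement for `{ read write }` here. As the set is defined in the reference policy's obj_perm_sets.spt (confirm against this tree), it also carries getattr, append, ioctl and lock, so courier_pop_t gains access on an inherited descriptor that the existing comment already questions. The same quiet widening appears in the first cron.te hunk, where `read_file_perms` adds open, lock and ioctl to `{ getattr read }`, and in the lpd.te tunable hunk, where `search_dir_perms` and `write_sock_file_perms` replace the single `search` and `write` permissions. Where no set matches exactly, keep the literal list, e.g. `allow courier_pop_t courier_var_lib_t:file { read write };`, or state in the commit message that access is being extended on purpose.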
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 45f5a6f..eb079a2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -128,7 +128,7 @@ files_pid_file(system_cronjob_var_run_t)
 #
 
 # Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
 # Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
@@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
-allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 11e74af..6160cea 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
 
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index fd30b02..e09b9df 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 
 # log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 34a0014..6033c3b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -187,7 +187,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 # it can stat the socket to perform access control decisions,
 # since getsockopt with SO_PEERCRED is not available on all
 # proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
 # Create and modify /var/log/xferlog.
 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -388,7 +388,7 @@ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
 
 # ftpdctl creates a socket so that the daemon can perform
 # access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
 # Allow ftpdctl to read config files
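Review bot: Replacing `{ create setattr }` with `manage_sock_file_perms` is a grant, not a rename. Assuming the usual reference-policy definition, ftpdctl_t also gets read, write, rename, link, unlink and append on ftpdctl_tmp_t sockets. The surrounding comments say the daemon stats this socket to make an access-control decision, so the rights over it should stay as narrow as they were. If only creation is needed, `allow ftpdctl_t ftpdctl_tmp_t:sock_file { create_sock_file_perms setattr_sock_file_perms };` is much closer to the original, or keep `{ create setattr }` as written.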
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 05119f7..61ea05e 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -46,7 +46,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
 can_exec(innd_t, innd_exec_t)
 
 manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr;
+allow innd_t innd_log_t:dir setattr_dir_perms;
 logging_log_filetrans(innd_t, innd_log_t, file)
 
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 225e33f..4e39714 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
 
 read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
 
-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
 allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
 filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
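Review bot: Using permission sets in the `dontaudit` rule for krb5kdc_conf_t widens what is silenced rather than what is allowed. `write_file_perms` normally includes append (plus getattr, open, lock and ioctl), so kadmind_t attempts to append to KDC configuration files would no longer produce an AVC denial. Those denials are a useful signal on a Kerberos admin server, so suppression is best kept to the exact permissions known to be noisy: `dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };`. The `setattr_file_perms` substitution on krb5kdc_lock_t in this hunk looks equivalent to the old rule.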
@@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
 read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
 
-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
 allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 4d31118..2727020 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 files_search_spool(checkpc_t)
 
-allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:file getattr_file_perms;
 allow checkpc_t printconf_t:dir list_dir_perms;
 
 kernel_read_system_state(checkpc_t)
@@ -284,8 +284,8 @@ userdom_read_user_tmp_files(lpr_t)
 
 tunable_policy(`use_lpd_server',`
 	# lpr can run in lightweight mode, without a local print spooler.
-	allow lpr_t lpd_var_run_t:dir search;
-	allow lpr_t lpd_var_run_t:sock_file write;
+	allow lpr_t lpd_var_run_t:dir search_dir_perms;
+	allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
 	files_read_var_files(lpr_t)
 
 	# Connect to lpd via a Unix domain socket.
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index b370d53..5e96c0a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -69,7 +69,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
 allow mysqld_t mysqld_etc_t:file read_file_perms;
-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 
 allow mysqld_t mysqld_log_t:file manage_file_perms;

