[selinux-policy: 3111/3172] Use permission sets where possible.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:36:42 UTC 2010


commit 0f7c400223823495e7d2630126c2f5158416d473
Author: Dominick Grift <domg472 at gmail.com>
Date:   Thu Sep 23 09:57:42 2010 +0200

    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.

 policy/modules/services/nx.te             |    6 +++---
 policy/modules/services/oident.te         |    8 ++++----
 policy/modules/services/pads.te           |    8 ++++----
 policy/modules/services/pegasus.te        |    4 ++--
 policy/modules/services/pingd.te          |    2 +-
 policy/modules/services/postfix.te        |   12 ++++++------
 policy/modules/services/postfixpolicyd.te |    4 ++--
 policy/modules/services/postgresql.te     |    2 +-
 policy/modules/services/ppp.te            |    4 ++--
 policy/modules/services/prelude.te        |    4 ++--
 policy/modules/services/procmail.te       |    2 +-
 policy/modules/services/puppet.te         |    4 ++--
 12 files changed, 30 insertions(+), 30 deletions(-)
---
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index c1825de..737415e 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -39,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
 allow nx_server_t self:tcp_socket create_socket_perms;
 allow nx_server_t self:udp_socket create_socket_perms;
 
-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(nx_server_t, nx_server_devpts_t)
 
 manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
@@ -90,9 +90,9 @@ sysnet_read_config(nx_server_t)
 
 ifdef(`TODO',`
 # clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
+allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
 # for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
+allow nx_server_t user_tmpfile:file getattr_file_perms;
 ')
 
 ########################################
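Review bot: The two rewritten rules in this hunk (+93 and +95) sit inside the `ifdef(`TODO',` … `')` block, so unless TODO is defined by the build, which it normally is not, m4 discards them and the change has no effect on the compiled nx module. Converting dead rules to permission sets is harmless, but it leaves the impression the rules are live; either delete the disabled block or leave a comment such as `# disabled: kept only as a reminder of the nxclient unlink/getattr requirement` so the next reader does not look for it in the policy. The surrounding ifdef starts before and ends inside this hunk.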
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 9097656..b1effe6 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
 #
 
 allow oidentd_t self:capability { setuid setgid };
-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow oidentd_t self:tcp_socket create_stream_socket_perms;
+allow oidentd_t self:udp_socket create_socket_perms;
 allow oidentd_t self:unix_dgram_socket { create connect };
 
 allow oidentd_t oidentd_config_t:file read_file_perms;
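Review bot: The netlink_route_socket rule at +29 grants more than the explicit list it replaces: `create_netlink_socket_perms` carries `nlmsg_write` in addition to `nlmsg_read`, while the old rule only allowed `nlmsg_read`, and the same applies to the netlink_tcpdiag_socket rule on the next line, which previously had no write-side nlmsg permission either. An ident daemon only needs to look up sockets and interfaces, so the read-only scope was the meaningful part of the old rule, and it is lost here without the commit message saying so. If a permission set is wanted, `r_netlink_socket_perms` (create_socket_perms plus nlmsg_read, no nlmsg_write) keeps the earlier scope: `allow oidentd_t self:netlink_route_socket r_netlink_socket_perms;` and `allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;`. The pads.te hunk makes the same netlink_route_socket substitution and should get the same treatment.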
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
index ea5755e..5e25230 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -24,10 +24,10 @@ files_pid_file(pads_var_run_t)
 #
 
 allow pads_t self:capability { dac_override net_raw };
-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
-allow pads_t self:udp_socket { create ioctl };
-allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
+allow pads_t self:packet_socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
 
 allow pads_t pads_config_t:file manage_file_perms;
 files_etc_filetrans(pads_t, pads_config_t, file)
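Review bot: The packet_socket rule at +27 adds `write` (plus connect and shutdown) that the replaced list `{ ioctl setopt getopt read bind create }` deliberately lacked, because `create_socket_perms` expands to create plus the full rw_socket_perms. pads is a passive asset detector that only reads frames, so a read-only packet socket was the right contract and the new set lets the domain transmit on the raw interface. Keeping the explicit list for this one rule, or at minimum adding `# packet_socket write is not needed for passive capture` above a narrower rule, would preserve the previous scope while the other three lines keep their sets.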
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index e2e2f67..5322412 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56,7 +56,7 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
 
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
 manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index e9cf8a4..4a9d196 100644
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
 
 allow pingd_t self:capability net_raw;
 allow pingd_t self:tcp_socket create_stream_socket_perms;
-allow pingd_t self:rawip_socket { write read create bind };
+allow pingd_t self:rawip_socket create_socket_perms;
 
 read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
 
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 17ee8e2..ff20bb0 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -123,9 +123,9 @@ allow postfix_master_t postfix_data_t:file manage_file_perms;
 
 allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
 
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
 
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
 
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -145,7 +145,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
 
 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
@@ -240,7 +240,7 @@ allow postfix_bounce_t self:capability dac_read_search;
 allow postfix_bounce_t self:tcp_socket create_socket_perms;
 
 allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t postfix_public_t:dir search;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
 
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -559,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
 
 corecmd_exec_bin(postfix_qmgr_t)
 
@@ -579,7 +579,7 @@ postfix_list_spool(postfix_showq_t)
 
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 # to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index fbd2728..7d73656 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -26,11 +26,11 @@ files_pid_file(postfix_policyd_var_run_t)
 allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
 allow postfix_policyd_t self:process setrlimit;
 allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4a85c12..fac7b13 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
 can_exec(postgresql_t, postgresql_exec_t )
 
 allow postgresql_t postgresql_lock_t:file manage_file_perms;
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 74f07f8..916f73f 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
 
 domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
 
-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
 allow pppd_t pppd_etc_t:file read_file_perms;
-allow pppd_t pppd_etc_t:lnk_file { getattr read };
+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
 # Automatically label newly created files under /etc/ppp with this type
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 3c06f6c..7a7310d 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -209,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
 #
 
 allow prelude_lml_t self:capability dac_override;
-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
-allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
 allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 allow prelude_lml_t self:unix_stream_socket connectto;
 
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index b558811..2a70dd1 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -35,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
 can_exec(procmail_t, procmail_exec_t)
 
 # Write log to /var/log/procmail.log or /var/log/procmail/.*
-allow procmail_t procmail_log_t:dir setattr;
+allow procmail_t procmail_log_t:dir setattr_dir_perms;
 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 9587224..4a3866b 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -176,8 +176,8 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 
-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 

