[selinux-policy: 298/3172] aliases

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:30:43 UTC 2010


commit 0a10b1fa12feba2f497a7dba4a88e779e7f841fc
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 9 15:32:23 2005 +0000

    aliases

 refpolicy/policy/modules/services/cron.if        |   32 +++++-----
 refpolicy/policy/modules/services/cron.te        |   50 +++++++-------
 refpolicy/policy/modules/services/mta.if         |   74 ++++++++++------------
 refpolicy/policy/modules/services/mta.te         |   36 +++++-----
 refpolicy/policy/modules/services/remotelogin.te |   18 +++---
 refpolicy/policy/modules/services/sendmail.te    |   14 ++--
 6 files changed, 109 insertions(+), 115 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 43060de..91b6f8c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',`
 	#
 
 	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
-	allow $1_crond_t self:fifo_file { read getattr write append };
-	allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-	allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1_crond_t self:process signal_perms;
+	allow $1_crond_t self:fifo_file rw_file_perms;
+	allow $1_crond_t self:unix_stream_socket create_socket_perms;
+	allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms;
 
 	# The entrypoint interface is not used as this is not
 	# a regular entrypoint.  Since crontab files are
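Review bot: The two socket rules on the new side of this hunk look swapped: `$1_crond_t self:unix_stream_socket` now gets create_socket_perms while `self:unix_dgram_socket` gets create_stream_socket_perms, whereas the removed lines gave listen/accept to the stream socket only, and cron.te's equivalent rules for crond_t (@@ -54) assign the two macros the other way round. They should read `allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;` and `allow $1_crond_t self:unix_dgram_socket create_socket_perms;`. Separately, the removed process rule included setsched, which the signal_perms set does not appear to carry, so `allow $1_crond_t self:process { signal_perms setsched };` would preserve the old permission; the same setsched drop occurs for system_crond_t in cron.te (@@ -184). cron_per_userdomain_template begins before and continues after this hunk.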
@@ -96,7 +96,7 @@ define(`cron_per_userdomain_template',`
 	miscfiles_read_localization($1_crond_t)
 
 	tunable_policy(`fcron_crond', `
-		allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+		allow crond_t $1_cron_spool_t:file create_file_perms;
 	')
 
 	ifdef(`TODO',`
@@ -111,7 +111,7 @@ define(`cron_per_userdomain_template',`
 
 	ifdef(`mta.te', `
 		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
 
 		# $1_mail_t should only be reading from the cron fifo not needing to write
 		dontaudit $1_mail_t crond_t:fifo_file write;
@@ -122,7 +122,7 @@ define(`cron_per_userdomain_template',`
 	can_ypbind($1_crond_t)
 	allow $1_crond_t var_spool_t:dir search;
 	allow $1_crond_t var_t:dir r_dir_perms;
-	allow $1_crond_t var_t:file { getattr read ioctl };
+	allow $1_crond_t var_t:file r_file_perms;
 
 	# quiet other ps operations
 	dontaudit $1_crond_t domain:dir { getattr search };
@@ -137,21 +137,21 @@ define(`cron_per_userdomain_template',`
 	allow $1_t $1_crontab_t:process signal;
 
 	# Allow crond to read those crontabs in cron spool.
-	allow crond_t $1_cron_spool_t:file { getattr read };
+	allow crond_t $1_cron_spool_t:file r_file_perms;
 
 	# dac_override is to create the file in the directory under /tmp
 	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-	allow $1_crontab_t self:process { sigkill sigstop signull signal };
+	allow $1_crontab_t self:process signal_perms;
 
 	# create files in /var/spool/cron
-	allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
 	type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
 
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
 
-	allow $1_crontab_t crond_log_t:file { getattr read append };
+	allow $1_crontab_t crond_log_t:file ra_file_perms;
 
 	fs_get_persistent_fs_attributes($1_crontab_t)
 
@@ -201,9 +201,9 @@ define(`cron_per_userdomain_template',`
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
 
 	# Access terminals.
-	allow $1_crontab_t devpts_t:dir { read search getattr };
-	allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
+	allow $1_crontab_t devpts_t:dir r_dir_perms;
+	allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
+	allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
 
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
@@ -246,7 +246,7 @@ define(`cron_admin_template',`
 define(`cron_modify_log',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 crond_log_t:file { getattr read write ioctl lock append };
+	allow $1 crond_log_t:file rw_file_perms;
 ')
 
 define(`cron_modify_log_depend',`
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 515880f..d1c045e 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -54,29 +54,29 @@ dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow crond_t self:process setexec;
 allow crond_t self:fd use;
-allow crond_t self:fifo_file { read getattr lock ioctl write append };
-allow crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
 allow crond_t self:unix_stream_socket connectto;
-allow crond_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow crond_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow crond_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 
-allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_log_t:file create_file_perms;
 
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(crond_t,crond_var_run_t)
 
-allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_tmp_t:dir create_dir_perms;
+allow crond_t crond_tmp_t:file create_file_perms;
 files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
 
-allow crond_t cron_spool_t:dir { getattr search read };
-allow crond_t cron_spool_t:file { getattr read };
-allow crond_t system_cron_spool_t:dir { getattr search read };
-allow crond_t system_cron_spool_t:file { getattr read };
+allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
 
 kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
@@ -121,7 +121,7 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
 
 tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 
 ifdef(`targeted_policy', `
@@ -184,8 +184,8 @@ allow system_crond_t rpm_log_t:file create_file_perms;
 #
 
 allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_crond_t self:process { sigkill sigstop signull signal setsched };
-allow system_crond_t self:fifo_file { read getattr write append };
+allow system_crond_t self:process signal_perms;
+allow system_crond_t self:fifo_file rw_file_perms;
 allow system_crond_t self:passwd rootok;
 
 # The entrypoint interface is not used as this is not
@@ -197,7 +197,7 @@ allow system_crond_t self:passwd rootok;
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;
 
-allow system_crond_t system_cron_spool_t:file { getattr read };
+allow system_crond_t system_cron_spool_t:file r_file_perms;
 
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond 
@@ -211,23 +211,23 @@ allow system_crond_t crond_t:fifo_file rw_file_perms;
 allow system_crond_t crond_t:process sigchld;
 
 # Write /var/lock/makewhatis.lock.
-allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_lock_t:file create_file_perms;
 files_create_private_lock_file(system_crond_t,system_crond_lock_t)
 
 # write temporary files
-allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_tmp_t:file createfile_perms;
 files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
 
 # write temporary files in crond tmp dir:
-allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
+allow system_crond_t crond_tmp_t:dir rw_dir_perms;
 type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
 
 # Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir { getattr search read };
-allow system_crond_t cron_spool_t:file { getattr read };
+allow system_crond_t cron_spool_t:dir r_dir_perms;
+allow system_crond_t cron_spool_t:file r_file_perms;
 
 # Access crond log files
-allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t crond_log_t:file create_file_perms;
 logging_create_private_log(system_crond_t,crond_log_t)
 
 kernel_read_kernel_sysctl(system_crond_t)
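Review bot: `createfile_perms` on the system_crond_tmp_t:file line is not a defined permission set (every other converted rule in this hunk uses create_file_perms), so m4 will leave the identifier unexpanded and the policy build should reject it as an unknown permission; the line should be `allow system_crond_t system_crond_tmp_t:file create_file_perms;`.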
@@ -323,7 +323,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 allow system_crond_t initctl_t:fifo_file write;
 
 allow system_crond_t var_t:dir r_dir_perms;
-allow system_crond_t var_t:file { getattr read ioctl };
+allow system_crond_t var_t:file r_file_perms;
 
 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
@@ -345,7 +345,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t httpd_log_t:file r_file_perms;
 ')
 
 ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 220ae94..1fb9daf 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -23,21 +23,18 @@ define(`mta_per_userdomain_template',`
 	#
 
 	allow $1_mail_t self:capability { setuid setgid chown };
-	allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+	allow $1_mail_t self:process { signal_perms setrlimit };
 
 	# tcp networking
-	allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_mail_t self:tcp_socket create_socket_perms;
 
 	# re-exec itself
-	allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-	allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+	can_exec($1_mail_t, sendmail_exec_t)
+	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
 	# Transition from the user domain to the derived domain.
-	allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-	allow $1_t sendmail_exec_t:lnk_file { getattr read };
-	allow $1_t $1_mail_t:process transition;
-	type_transition $1_t sendmail_exec_t:process $1_mail_t;
-	dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
+	can_exec($1_t, sendmail_exec_t)
+	domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
 
 	allow $1_t $1_mail_t:fd use;
 	allow $1_mail_t $1_t:fd use;
@@ -69,7 +66,7 @@ define(`mta_per_userdomain_template',`
 	sysnetwork_read_network_config($1_mail_t)
 
 	tunable_policy(`use_dns',`
-		allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		allow $1_mail_t self:udp_socket create_socket_perms;
 		corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
 		corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
 		corenetwork_bind_udp_on_all_nodes($1_mail_t)
@@ -102,16 +99,16 @@ define(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')
 
-	allow mta_user_agent $1_tmp_t:file { read getattr };
+	allow mta_user_agent $1_tmp_t:file r_file_perms;
 
 	# Write to the user domain tty.
-	allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow mta_user_agent devpts_t:dir { read search getattr };
-	allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
+	allow mta_user_agent devpts_t:dir r_dir_perms;
+	allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
 
-	allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_mail_t devpts_t:dir { read search getattr };
-	allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+	allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms;
+	allow $1_mail_t devpts_t:dir r_dir_perms;
+	allow $1_mail_t $1_devpts_t:chr_file rw_file_perms;
 
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
@@ -179,11 +176,8 @@ define(`mta_make_sendmail_mailserver_domain_depend',`
 define(`mta_send_mail',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 sendmail_exec_t:lnk_file { getattr read };
-	allow $1 sendmail_exec_t:file { getattr read execute };
-	allow $1 system_mail_t:process transition;
-	type_transition $1 sendmail_exec_t:process system_mail_t;
-	dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+	allow $1 sendmail_exec_t:lnk_file r_file_perms;
+	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
 
 	allow $1 system_mail_t:fd use;
 	allow system_mail_t $1:fd use;
@@ -195,7 +189,7 @@ define(`mta_send_mail_depend',`
 	type system_mail_t, sendmail_exec_t;
 
 	class file { getattr read execute };
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -208,7 +202,7 @@ define(`mta_send_mail_depend',`
 define(`mta_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1, sendmail_exec_t)
 ')
 
 define(`mta_execute_depend',`
@@ -231,13 +225,13 @@ define(`mta_execute_depend',`
 define(`mta_read_mail_aliases',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 etc_aliases_t:file { getattr read };
+	allow $1 etc_aliases_t:file r_file_perms;
 ')
 
 define(`mta_read_mail_aliases_depend',`
 	type etc_aliases_t;
 
-	class file { getattr read };
+	class file r_file_perms;
 ')
 
 #######################################
@@ -247,13 +241,13 @@ define(`mta_read_mail_aliases_depend',`
 define(`mta_modify_mail_aliases',`
 	requires_block_template(`$0'_depend)
 
-	allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+	allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
 ')
 
 define(`mta_modify_mail_aliases_depend',`
 	type etc_aliases_t;
 
-	class file { getattr read write append setattr };
+	class file { rw_file_perms setattr };
 ')
 
 #######################################
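Review bot: mta_modify_mail_aliases still grants the rewritten rule to the hard-coded sendmail_t instead of the $1 the interface is invoked with, so a caller other than sendmail gets no access while its requires block is populated for nothing; this predates the commit, but the rewrite of the line was the moment to settle it. Unless the hard-coding is deliberate the line should be `allow $1 etc_aliases_t:file { rw_file_perms setattr };`; if it is deliberate, a one-line comment above it saying so would spare the next reader the same question.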
@@ -285,15 +279,15 @@ define(`mta_modify_mail_spool',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_spool_directory($1)
-	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mail_spool_t:file { getattr read write append setattr };
+	allow $1 mail_spool_t:dir rw_dir_perms;
+	allow $1 mail_spool_t:file { rw_file_perms setattr };
 ')
 
 define(`mta_modify_mail_spool_depend',`
 	type mail_spool_t;
 
-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
+	class file { rw_file_perms setattr };
 ')
 
 #######################################
@@ -304,15 +298,15 @@ define(`mta_manage_mail_spool',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_spool_directory($1)
-	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 mail_spool_t:dir rw_dir_perms;
+	allow $1 mail_spool_t:file create_file_perms;
 ')
 
 define(`mta_manage_mail_spool_depend',`
 	type mail_spool_t;
 
-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')
 
 #######################################
@@ -322,15 +316,15 @@ define(`mta_manage_mail_spool_depend',`
 define(`mta_manage_mail_queue',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 mqueue_spool_t:dir rw_dir_perms;
+	allow $1 mqueue_spool_t:file create_file_perms;
 ')
 
 define(`mta_manage_mail_queue_depend',`
 	type mqueue_spool_t;
 
-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename }
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 1e7cb0b..bd69aba 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -41,13 +41,13 @@ init_make_system_domain(system_mail_t,sendmail_exec_t)
 #
 
 allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { sigkill sigstop signull signal setrlimit };
+allow system_mail_t self:process { signal_perms setrlinit };
 
-allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow system_mail_t self:tcp_socket create_socket_perms;
 
 # re-exec itself
-allow system_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow system_mail_t sendmail_exec_t:lnk_file { getattr read };
+can_exec(system_mail_t, sendmail_exec_t)
+allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
 kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
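Review bot: `setrlinit` in the system_mail_t self:process rule is a misspelling of setrlimit (the removed line and the parallel $1_mail_t rule in mta.if spell it correctly); as it is not a valid process permission the policy will fail to compile. The line should be `allow system_mail_t self:process { signal_perms setrlimit };`.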
@@ -83,7 +83,7 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)
 
 tunable_policy(`use_dns',`
-	allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	allow system_mail_t self:udp_socket create_socket_perms;
 	corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
 	corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
 	corenetwork_bind_udp_on_all_nodes(system_mail_t)
@@ -130,8 +130,8 @@ allow privmail sendmail_exec_t:lnk_file { getattr read };
 
 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')
 
 ifdef(`qmail.te', `
@@ -156,16 +156,16 @@ libraries_execute_library_scripts(system_mail_t)
 
 allow system_mail_t { var_t var_spool_t }:dir getattr;
 
-allow system_mail_t mqueue_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mqueue_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+allow system_mail_t mqueue_spool_t:file create_file_perms;
+allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
 
-allow system_mail_t mail_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mail_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mail_spool_t:dir create_dir_perms;
+allow system_mail_t mail_spool_t:file create_file_perms;
+allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
 
 allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
+allow system_mail_t etc_mail_t:file r_file_perms;
 ', ` dnl if not targeted policy:
 optional_policy(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
@@ -209,16 +209,16 @@ ra_dir_create_file(mta_delivery_agent, mail_spool_t)
 can_exec(mta_delivery_agent, shell_exec_t)
 allow mta_delivery_agent bin_t:dir search;
 allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
 
 # Transition from a system domain to the derived domain.
 domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
+allow privmail sendmail_exec_t:lnk_file r_file_perms;
 
 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')
 
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 71979af..c1ba352 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -27,18 +27,18 @@ allow remote_login_t self:capability { dac_override chown fowner fsetid kill set
 allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
-allow remote_login_t self:fifo_file { read getattr lock ioctl write append };
-allow remote_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow remote_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
 allow remote_login_t self:unix_stream_socket connectto;
-allow remote_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow remote_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow remote_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
 allow remote_login_t self:msg { send receive };
 
-allow remote_login_t remote_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow remote_login_t remote_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
+allow remote_login_t remote_login_tmp_t:file create_file_perms;
 files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
 
 kernel_read_system_state(remote_login_t)
@@ -113,7 +113,7 @@ allow remote_login_t device_t:lnk_file r_file_perms;
 
 dontaudit remote_login_t sysfs_t:dir search;
 
-allow remote_login_t autofs_t:dir { search read getattr };
+allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;
 
 if (use_nfs_home_dirs) {
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index d5f9ac4..0af0e48 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -24,16 +24,16 @@ files_make_daemon_runtime_file(sendmail_var_run_t)
 #
 
 allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:fifo_file { getattr read write append ioctl lock  };
-allow sendmail_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow sendmail_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
 
-allow sendmail_t sendmail_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow sendmail_t sendmail_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr };
+allow sendmail_t sendmail_log_t:file create_file_perms;
+allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
 logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })
 
-allow sendmail_t sendmail_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow sendmail_t sendmail_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+allow sendmail_t sendmail_tmp_t:file create_file_perms;
 files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })
 
 allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };

