[selinux-policy: 299/3172] aliases

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:30:49 UTC 2010


commit dc67f782e47b545d5a6acaf0120080f6e09338e6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 9 17:21:52 2005 +0000

    aliases

 refpolicy/policy/modules/admin/consoletype.if |   10 +--
 refpolicy/policy/modules/admin/consoletype.te |   18 +++---
 refpolicy/policy/modules/admin/dmesg.if       |    7 +-
 refpolicy/policy/modules/admin/dmesg.te       |    4 +-
 refpolicy/policy/modules/admin/netutils.if    |    7 +-
 refpolicy/policy/modules/admin/netutils.te    |   18 +++---
 refpolicy/policy/modules/admin/rpm.if         |   28 ++++----
 refpolicy/policy/modules/admin/rpm.te         |   92 +++++++++++++------------
 refpolicy/policy/modules/admin/usermanage.if  |   20 ++---
 refpolicy/policy/modules/admin/usermanage.te  |   78 +++++++++++-----------
 10 files changed, 140 insertions(+), 142 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 401465c..7a45f5a 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -6,10 +6,7 @@
 define(`consoletype_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 consoletype_exec_t:file { getattr read execute };
-	allow $1 consoletype_t:process transition;
-	type_transition $1 consoletype_exec_t:process consoletype_t;
-	dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1,consoletype_exec_t,consoletype_t)
 
 	allow $1 consoletype_t:fd use;
 	allow consoletype_t $1:fd use;
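Review bot: `domain_auto_trans($1,consoletype_exec_t,consoletype_t)` collapses the four transition rules here, while the sibling `dmesg_transition`, `netutils_transition`, `rpm_transition` and `usermanage_*_transition` hunks in this same commit keep the explicit `allow`/`type_transition`/`dontaudit` lines and only alias the file permission set; one pattern should be used across the module interfaces so reviewers can compare them line for line. The `_depend` block in the next hunk still enumerates the `file` and `process` permissions by hand, so if `domain_auto_trans` grants anything beyond `rx_file_perms` and `{ transition noatsecure siginh rlimitinh sigchld }` the declaration would need to follow; what the macro expands to is not visible from this diff. The enclosing `consoletype_transition` definition continues past the hunk.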
@@ -20,7 +17,7 @@ define(`consoletype_transition',`
 define(`consoletype_transition_depend',`
 	type consoletype_t, consoletype_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -33,7 +30,8 @@ define(`consoletype_transition_depend',`
 define(`consoletype_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,consoletype_exec_t)
+
 ')
 
 define(`consoletype_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 2ed973f..9ade7b4 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -21,14 +21,14 @@ allow consoletype_t self:capability sys_admin;
 
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file { read getattr lock ioctl write append };
-allow consoletype_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow consoletype_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:unix_dgram_socket create_socket_perms;
+allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
 allow consoletype_t self:unix_dgram_socket sendto;
 allow consoletype_t self:unix_stream_socket connectto;
-allow consoletype_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow consoletype_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow consoletype_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow consoletype_t self:shm rw_shm_perms;
+allow consoletype_t self:sem rw_sem_perms;
+allow consoletype_t self:msgq rw_msgq_perms;
 allow consoletype_t self:msg { send receive };
 
 kernel_use_file_descriptors(consoletype_t)
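Review bot: The `shm`, `sem` and `msgq` lines swap sets that contained `create`, `destroy` and `setattr` for `rw_shm_perms`, `rw_sem_perms` and `rw_msgq_perms`, whereas the rpm.te hunk in this commit replaces the identical removed sets with `create_shm_perms`, `create_sem_perms` and `create_msgq_perms`; if the `rw_*` aliases exclude create/destroy, as their names and that parallel choice suggest, consoletype_t can no longer create its own IPC objects and the change is not a pure aliasing. The same question applies to `unix_stream_socket`: here the removed set becomes `create_stream_socket_perms`, in rpm.te the same removed set becomes `rw_stream_socket_perms`, and only one of the two can be faithful. Suggest `allow consoletype_t self:shm create_shm_perms;` (and likewise for sem/msgq) unless the narrowing is intended, in which case the commit message should say so.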
@@ -70,7 +70,7 @@ allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 
 allow consoletype_t nfs_t:file write;
 
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t crond_t:fifo_file r_file_perms;
 allow consoletype_t system_crond_t:fd use;
 
 optional_policy(`ypbind.te', `
@@ -95,11 +95,11 @@ allow consoletype_t autofs_t:dir { search getattr };
 
 optional_policy(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
+allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 
 optional_policy(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
+allow consoletype_t printconf_t:file r_file_perms;
 ')
 
 optional_policy(`firstboot.te', `
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 2b2b8c6..9c78dc9 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -15,7 +15,7 @@
 define(`dmesg_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 dmesg_exec_t:file { getattr read execute };
+	allow $1 dmesg_exec_t:file rx_file_perms;
 	allow $1 dmesg_t:process transition;
 	type_transition $1 dmesg_exec_t:process dmesg_t;
 	dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`dmesg_transition',`
 define(`dmesg_transition_depend',`
 	type dmesg_t, dmesg_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -49,7 +49,8 @@ define(`dmesg_transition_depend',`
 define(`dmesg_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,dmesg_exec_t)
+
 ')
 
 define(`dmesg_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index eb8b780..e13fb5f 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -19,7 +19,7 @@ role system_r types dmesg_t;
 allow dmesg_t self:capability sys_admin;
 dontaudit dmesg_t self:capability sys_tty_config;
 
-allow dmesg_t self:process { sigchld sigkill sigstop signull signal };
+allow dmesg_t self:process signal_perms;
 
 kernel_read_kernel_sysctl(dmesg_t)
 kernel_read_hardware_state(dmesg_t)
@@ -70,7 +70,7 @@ allow dmesg_t proc_t:lnk_file read;
 optional_policy(`rhgb.te', `
 allow dmesg_t rhgb_t:process sigchld;
 allow dmesg_t rhgb_t:fd use;
-allow dmesg_t rhgb_t:fifo_file { read write };
+allow dmesg_t rhgb_t:fifo_file rw_file_perms;
 ')
 
 allow dmesg_t autofs_t:dir { search getattr };
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 79b2e61..72fc713 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -6,7 +6,7 @@
 define(`netutils_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 netutils_exec_t:file { getattr read execute };
+	allow $1 netutils_exec_t:file rx_file_perms;
 	allow $1 netutils_t:process transition;
 	type_transition $1 netutils_exec_t:process netutils_t;
 	dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
@@ -20,7 +20,7 @@ define(`netutils_transition',`
 define(`netutils_transition_depend',`
 	type netutils_t, netutils_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -33,7 +33,8 @@ define(`netutils_transition_depend',`
 define(`netutils_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,netutils_exec_t)
+
 ')
 
 define(`netutils_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 9a35ab6..9af0617 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -38,12 +38,12 @@ bool user_ping false;
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
 allow netutils_t self:process { sigkill sigstop signull signal };
 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:udp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_socket_perms;
 
-allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow netutils_t netutils_tmp_t:dir create_dir_perms;
+allow netutils_t netutils_tmp_t:file create_file_perms;
 files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
 
 corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
@@ -100,8 +100,8 @@ allow netutils_t proc_t:dir search;
 allow ping_t self:capability setuid;
 dontaudit ping_t self:capability sys_tty_config;
 
-allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow ping_t self:tcp_socket create_socket_perms;
+allow ping_t self:udp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 
 corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
@@ -155,8 +155,8 @@ if (user_ping) {
 #
 
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 
 kernel_read_system_state(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index ac47688..424600c 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -15,7 +15,7 @@
 define(`rpm_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 rpm_exec_t:file { getattr read execute };
+	allow $1 rpm_exec_t:file rx_file_perms;
 	allow $1 rpm_t:process transition;
 	type_transition $1 rpm_exec_t:process rpm_t;
 	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`rpm_transition',`
 define(`rpm_transition_depend',`
 	type rpm_t, rpm_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -104,13 +104,13 @@ define(`rpm_use_file_descriptors_depend',`
 define(`rpm_read_pipe',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 rpm_t:fifo_file { getattr read };
+	allow $1 rpm_t:fifo_file r_file_perms;
 ')
 
 define(`rpm_read_pipe_depend',`
 	type rpm_t;
 
-	class fifo_file { getattr read };
+	class fifo_file r_file_perms;
 ')
 
 ########################################
@@ -127,17 +127,17 @@ define(`rpm_read_pipe_depend',`
 define(`rpm_read_package_database',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 rpm_var_lib_t:dir { getattr read search };
-	allow $1 rpm_var_lib_t:file { read getattr };
-	allow $1 rpm_var_lib_t:lnk_file { getattr read };
+	allow $1 rpm_var_lib_t:dir r_dir_perms;
+	allow $1 rpm_var_lib_t:file r_file_perms;
+	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
 ')
 
 define(`rpm_read_package_database_depend',`
 	type rpm_var_lib_t_t;
 
-	class dir { search getattr read };
-	class lnk_file { getattr read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class lnk_file r_file_perms;
+	class file r_file_perms;
 ')
 
 ########################################
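Review bot: The depend block rewritten here still requires `type rpm_var_lib_t_t;` while the interface body above it grants access to `rpm_var_lib_t`, so the dependency declared does not match the type actually used; the line should read `type rpm_var_lib_t;`. The same mismatch is carried into `rpm_manage_package_database_depend` in the following hunk. Since this commit already touches every other line of both blocks, this is the natural place to correct it.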
@@ -147,7 +147,7 @@ define(`rpm_read_package_database_depend',`
 define(`rpm_manage_package_database',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+	allow $1 rpm_var_lib_t:dir rw_dir_perms;
 	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
@@ -155,9 +155,9 @@ define(`rpm_manage_package_database',`
 define(`rpm_manage_package_database_depend',`
 	type rpm_var_lib_t_t;
 
-	class dir { search getattr read };
-	class lnk_file { getattr read };
-	class file { getattr read };
+	class dir rw_dir_perms;
+	class lnk_file { getattr read write unlink };
+	class file { getattr create read write append unlink };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 40ab210..6838164 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -59,38 +59,38 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
-allow rpm_t self:fifo_file { read getattr lock ioctl write append };
-allow rpm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow rpm_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow rpm_t self:fifo_file rw_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_t self:unix_dgram_socket sendto;
 allow rpm_t self:unix_stream_socket connectto;
 allow rpm_t self:udp_socket { connect };
-allow rpm_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow rpm_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow rpm_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow rpm_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow rpm_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket rw_stream_socket_perms;
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
 allow rpm_t self:dir search;
-allow rpm_t self:file { getattr read write };
+allow rpm_t self:file rw_file_perms;;
 
-allow rpm_t rpm_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_log_t:file create_file_perms;
 logging_create_private_log(rpm_t,rpm_log_t)
 
-allow rpm_t rpm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_t rpm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_tmp_t:dir create_dir_perms;
+allow rpm_t rpm_tmp_t:file create_file_perms;
 files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
 
-allow rpm_t rpm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow rpm_t rpm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow rpm_t rpm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
+allow rpm_t rpm_tmpfs_t:file create_file_perms;
+allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
 fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 # Access /var/lib/rpm files
-allow rpm_t rpm_var_lib_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow rpm_t rpm_var_lib_t:file create_file_perms;
+allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
 #files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
 
 kernel_read_system_state(rpm_t)
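Review bot: `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon that the policy parser is unlikely to accept; it should be `allow rpm_t self:file rw_file_perms;`. The `unix_stream_socket` and `tcp_socket` lines replace sets that included `create` with `rw_stream_socket_perms`; if that alias lacks `create`, as its name and the consoletype.te hunk's use of `create_stream_socket_perms` for the same removed set suggest, rpm_t loses the ability to create those sockets, and the rpm_script_t line in the next hunk has the same problem. In the opposite direction, `allow rpm_t rpm_tmpfs_t:dir create_dir_perms;` replaces a read/write set (the one `rw_dir_perms` stands for, as the rpm_script_tmpfs_t line in the next hunk shows) and so newly grants create, unlink, rename, rmdir, reparent and setattr on tmpfs directories; in a commit described only as aliasing, that widening should either be reverted to `rw_dir_perms` or called out explicitly. The `lnk_file` lines likewise pick up `write`/`append`/`ioctl`/`lock` via `create_file_perms`, which is harmless for symlinks but not a one-to-one alias.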
@@ -166,8 +166,8 @@ dontaudit rpm_t domain:process ptrace;
 
 # read/write/create any files in the system
 allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow rpm_t ttyfile:chr_file unlink;
 
@@ -176,10 +176,10 @@ allow rpm_t ttyfile:chr_file unlink;
 allow rpm_t fs_type:dir { setattr rw_dir_perms };
 
 allow rpm_t mount_t:tcp_socket write;
-allow rpm_t nfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow rpm_t nfs_t:lnk_file create_file_perms;
 
-allow rpm_t sysfs_t:dir { read getattr lock search ioctl };
-allow rpm_t usbdevfs_t:dir { read getattr lock search ioctl };
+allow rpm_t sysfs_t:dir r_dir_perms;
+allow rpm_t usbdevfs_t:dir r_dir_perms;
 
 allow rpm_t rpc_pipefs_t:dir search;
 
@@ -220,28 +220,28 @@ allow crond_t rpm_t:fifo_file r_file_perms;
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow rpm_script_t self:fd use;
-allow rpm_script_t self:fifo_file { read getattr lock ioctl write append };
-allow rpm_script_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow rpm_script_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow rpm_script_t self:fifo_file rw_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
 allow rpm_script_t self:unix_stream_socket connectto;
-allow rpm_script_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow rpm_script_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow rpm_script_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
 
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
+allow rpm_script_t rpm_tmp_t:file r_file_perms;
 
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
-allow rpm_script_t rpm_script_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t rpm_script_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
+allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
 files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
 
-allow rpm_script_t rpm_script_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow rpm_script_t rpm_script_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
+allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
 fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 kernel_read_kernel_sysctl(rpm_script_t)
@@ -316,7 +316,8 @@ ifdef(`TODO',`
 
 allow rpm_script_t sysfs_t:dir r_dir_perms;
 
-allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
+can_exec(rpm_script_t,usr_t)
+
 
 allow rpm_script_t autofs_t:dir { search getattr };
 
@@ -327,7 +328,8 @@ allow rpm_script_t autofs_t:dir { search getattr };
 ')
 
 optional_policy(`lpd.te', `
-allow rpm_script_t printconf_t:file { getattr read execute execute_no_trans };
+can_exec(rpm_script_t,printconf_t)
+
 ')
 
 optional_policy(`ssh.te', `
@@ -358,13 +360,13 @@ ifdef(`TODO',`
 
 allow userdomain var_lib_t:dir { getattr search };
 
-allow { insmod_t depmod_t } rpm_t:fifo_file { getattr read write append ioctl lock };
+allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
 optional_policy(`cups.te', `
-allow cupsd_t rpm_var_lib_t:dir { getattr read search };
-allow cupsd_t rpm_var_lib_t:file { read getattr };
-allow cupsd_t rpb_var_lib_t:lnk_file { getattr read };
-allow cupsd_t initrc_exec_t:file { getattr read };
+allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
+allow cupsd_t rpm_var_lib_t:file r_file_perms;
+allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
+allow cupsd_t initrc_exec_t:file r_file_perms;
 domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
 ')
 
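Review bot: `allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;` keeps the misspelled type `rpb_var_lib_t` from the line it replaces, while the two lines around it use `rpm_var_lib_t`; the rewrite should be `allow cupsd_t rpm_var_lib_t:lnk_file r_file_perms;`. The hunk header indicates this sits inside an `ifdef(\`TODO',` block, so it may not be compiled today, but leaving an undefined type in a rule that is rewritten anyway only defers the failure to whoever enables the block.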
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index aa03a72..dc3997f 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -15,7 +15,7 @@
 define(`usermanage_chfn_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 chfn_exec_t:file { getattr read execute };
+	allow $1 chfn_exec_t:file rx_file_perms;
 	allow $1 chfn_t:process transition;
 	type_transition $1 chfn_exec_t:process chfn_t;
 	dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`usermanage_chfn_transition',`
 define(`usermanage_chfn_transition_depend',`
 	type chfn_t, chfn_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -81,11 +81,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
 define(`usermanage_groupadd_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 groupadd_exec_t:file { getattr read execute };
-	allow $1 groupadd_t:process transition;
-	type_transition $1 groupadd_exec_t:process groupadd_t;
-	dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
-
+	domain_auto_trans($1,groupadd_t,groupadd_t)
 	allow $1 groupadd_t:fd use;
 	allow groupadd_t $1:fd use;
 	allow groupadd_t $1:fifo_file rw_file_perms;
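Review bot: `domain_auto_trans($1,groupadd_t,groupadd_t)` passes the domain type as the entrypoint; the removed lines and the consoletype.if hunk show the second argument must be the executable type, i.e. `domain_auto_trans($1,groupadd_exec_t,groupadd_t)`. As written the transition would be keyed on executing a file labelled groupadd_t, which is a process domain rather than a file type, and the `rx_file_perms` on `groupadd_exec_t` declared in the `_depend` block below is never granted. The blank line that separated the transition rules from the `fd`/`fifo_file` rules was also dropped, unlike the sibling `*_transition` definitions, which keep it.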
@@ -95,7 +91,7 @@ define(`usermanage_groupadd_transition',`
 define(`usermanage_groupadd_transition_depend',`
 	type groupadd_t, groupadd_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -147,7 +143,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
 define(`usermanage_passwd_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 passwd_exec_t:file { getattr read execute };
+	allow $1 passwd_exec_t:file rx_file_perms;
 	allow $1 passwd_t:process transition;
 	type_transition $1 passwd_exec_t:process passwd_t;
 	dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
@@ -161,7 +157,7 @@ define(`usermanage_passwd_transition',`
 define(`usermanage_passwd_transition_depend',`
 	type passwd_t, passwd_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -213,7 +209,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
 define(`usermanage_useradd_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 useradd_exec_t:file { getattr read execute };
+	allow $1 useradd_exec_t:file rx_file_perms;
 	allow $1 useradd_t:process transition;
 	type_transition $1 useradd_exec_t:process useradd_t;
 	dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
@@ -227,7 +223,7 @@ define(`usermanage_useradd_transition',`
 define(`usermanage_useradd_transition_depend',`
 	type useradd_t, useradd_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 3698461..2cb945c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -66,14 +66,14 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
-allow chfn_t self:fifo_file { read getattr lock ioctl write append };
-allow chfn_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow chfn_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
+allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
 allow chfn_t self:unix_dgram_socket sendto;
 allow chfn_t self:unix_stream_socket connectto;
-allow chfn_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow chfn_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow chfn_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow chfn_t self:shm create_shm_perms;
+allow chfn_t self:sem create_sem_perms;
+allow chfn_t self:msgq create_msgq_perms;
 allow chfn_t self:msg { send receive };
 
 kernel_read_system_state(chfn_t)
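Review bot: `create_rw_socket_perms` and `rwcreate_stream_socket_perms` do not match the alias names this commit uses for the identical removed sets everywhere else (`create_socket_perms`, `create_stream_socket_perms`, as in the groupadd_t and passwd_t hunks below); if they are not defined, m4 leaves them as literal identifiers and checkpolicy will reject them as unknown permissions. Suggest `allow chfn_t self:unix_dgram_socket create_socket_perms;` and `allow chfn_t self:unix_stream_socket create_stream_socket_perms;`. The same class of misspelling appears later in this file as `create_msgq_perm` on the passwd_t msgq line and `creat_file_perms` on the sysadm_passwd_tmp_t file line; since a policy build treats every alias name as opaque until expansion, a grep of the new side against the defined `*_perms` names would catch all four.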
@@ -147,15 +147,15 @@ dontaudit chfn_t selinux_config_t:dir search;
 #
 
 allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file { read write getattr };
+allow crack_t self:fifo_file rw_file_perms;
 
-allow crack_t crack_db_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow crack_t crack_db_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow crack_t crack_db_t:lnk_file { create read getattr setattr link unlink rename };
+allow crack_t crack_db_t:dir rw_dir_perms;
+allow crack_t crack_db_t:file create_file_perms;
+allow crack_t crack_db_t:lnk_file create_file_perms;
 files_search_system_state_data_directory(crack_t)
 
-allow crack_t crack_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow crack_t crack_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crack_t crack_tmp_t:dir create_dir_perms;
+allow crack_t crack_tmp_t:file create_file_perms;
 files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
 
 kernel_read_system_state(crack_t)
@@ -180,7 +180,7 @@ logging_send_system_log_message(crack_t)
 ifdef(`TODO',`
 ifdef(`crond.te', `
 domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
-allow crack_t crond_t:fifo_file { getattr read write ioctl };
+allow crack_t crond_t:fifo_file rw_file_perms;
 # a rule for privfd may make this obsolete
 allow crack_t crond_t:fd use;
 allow crack_t crond_t:process sigchld;
@@ -199,14 +199,14 @@ dontaudit groupadd_t self:capability fsetid;
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file { read getattr lock ioctl write append };
-allow groupadd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow groupadd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 allow groupadd_t self:unix_dgram_socket sendto;
 allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow groupadd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow groupadd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow groupadd_t self:shm create_shm_perms;
+allow groupadd_t self:sem create_sem_perms;
+allow groupadd_t self:msgq create_msgq_perms;
 allow groupadd_t self:msg { send receive };
 
 # Allow access to context for shadow file
@@ -275,14 +275,14 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
-allow passwd_t self:fifo_file { read getattr lock ioctl write append };
-allow passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:unix_dgram_socket create_socket_perms;
+allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
 allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow passwd_t self:shm create_shm_perms;
+allow passwd_t self:sem create_sem_perms;
+allow passwd_t self:msgq create_msgq_perm;
 allow passwd_t self:msg { send receive };
 
 kernel_get_selinuxfs_mount_point(passwd_t)
@@ -366,19 +366,19 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file { read getattr lock ioctl write append };
-allow sysadm_passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow sysadm_passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
+allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow sysadm_passwd_t self:unix_dgram_socket sendto;
 allow sysadm_passwd_t self:unix_stream_socket connectto;
-allow sysadm_passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow sysadm_passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow sysadm_passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow sysadm_passwd_t self:shm create_shm_perms;
+allow sysadm_passwd_t self:sem create_sem_perms;
+allow sysadm_passwd_t self:msgq create_msgq_perms;
 allow sysadm_passwd_t self:msg { send receive };
 
 # allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
+allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms;
 files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_system_state_data_directory(sysadm_passwd_t)
 
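Review bot: The temporary-file rule for sysadm_passwd_t uses `creat_file_perms`, which does not match the `create_*_perms` naming used on the neighbouring dir rule and everywhere else in this diff; the intended macro appears to be `create_file_perms`. As with any mistyped m4 permission-set name, the token is passed through unexpanded and will most likely be rejected as an unknown permission at policy build time. The line should read `allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;`, preserving the create/link/unlink/rename set the explicit rule previously granted for vipw's recovery files.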
@@ -463,14 +463,14 @@ allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid s
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-allow useradd_t self:fifo_file { read getattr lock ioctl write append };
-allow useradd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow useradd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow useradd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow useradd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow useradd_t self:shm create_shm_perms;
+allow useradd_t self:sem create_sem_perms;
+allow useradd_t self:msgq create_msgq_perms;
 allow useradd_t self:msg { send receive };
 
 # Allow access to context for shadow file

