[selinux-policy: 3143/3172] Use permission sets where possible.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:39:28 UTC 2010


commit 7d1f5642b0571e22cdb9ce74c1796e94fb078406
Author: Dominick Grift <domg472 at gmail.com>
Date:   Fri Sep 24 09:28:34 2010 +0200

    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.
    
    Use permission sets where possible.

 policy/modules/services/rhgb.te      |    2 +-
 policy/modules/services/ricci.te     |    2 +-
 policy/modules/services/rlogin.te    |    2 +-
 policy/modules/services/rpc.te       |    4 ++--
 policy/modules/services/snort.te     |    6 +++---
 policy/modules/services/ssh.te       |    4 ++--
 policy/modules/services/sssd.te      |    2 +-
 policy/modules/services/stunnel.te   |    2 +-
 policy/modules/services/telnet.te    |    2 +-
 policy/modules/services/tftp.te      |    2 +-
 policy/modules/services/tgtd.te      |    2 +-
 policy/modules/services/uptime.te    |    2 +-
 policy/modules/services/uucp.te      |    2 +-
 policy/modules/services/vhostmd.te   |    2 +-
 policy/modules/services/virt.te      |    2 +-
 policy/modules/services/xserver.te   |    8 ++++----
 policy/modules/services/zabbix.te    |    4 ++--
 policy/modules/services/zebra.te     |    2 +-
 policy/modules/services/zosremote.te |    2 +-
 19 files changed, 27 insertions(+), 27 deletions(-)
---
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..4d10897 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rhgb_t, rhgb_devpts_t)
 
 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 9f38104..29e7311 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -99,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
 
-allow ricci_t ricci_var_log_t:dir setattr;
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 2744af2..0155ca7 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -34,7 +34,7 @@ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rlogind_t, rlogind_devpts_t)
 
 # for /usr/lib/telnetlogin
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 698b763..68d36c5 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
 
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
@@ -196,7 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
 
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_file_perms;
+allow gssd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index d7f4bd4..012723c 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
 # Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(snort_t, snort_log_t, snort_log_t)
 create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
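Review bot: On the netlink_route_socket line the explicit set `{ bind create getattr nlmsg_read read write }` is replaced by create_netlink_socket_perms, which — if I recall refpolicy's obj_perm_sets.spt correctly — expands to create_socket_perms plus nlmsg_read and nlmsg_write, so the rule now also grants nlmsg_write (the ability to modify routing state), which the old rule did not. The read-only equivalent r_netlink_socket_perms, already used by this same diff in rhgb.te and rlogin.te, matches the original intent: `allow snort_t self:netlink_route_socket r_netlink_socket_perms;`. The same widening happens in tgtd.te, where the removed `{ create_socket_perms nlmsg_read }` is exactly r_netlink_socket_perms yet is replaced by create_netlink_socket_perms. The netlink_firewall_socket line likewise goes from `{ bind create getattr }` to the full create_socket_perms (read, write, setattr, connect, getopt, setopt, shutdown) while its comment still says "unverified"; snort_t already holds net_admin and net_raw so the boundary is soft, but the commit's stated goal is substitution, not widening, so the narrower sets should be preferred or the widening called out in the commit message.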
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index f03a8ce..c7efe5d 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -258,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-	allow ssh_keysign_t sshd_key_t:file { getattr read };
+	allow ssh_keysign_t sshd_key_t:file read_file_perms;
 
 	dev_read_urand(ssh_keysign_t)
 
@@ -383,7 +383,7 @@ ifdef(`TODO',`
 		# ioctl is necessary for logout() processing for utmp entry and for w to
 		# display the tty.
 		# some versions of sshd on the new SE Linux require setattr
-		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
 	')
 ') dnl endif TODO
 
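Review bot: This hunk edits a rule that sits inside ifdef(`TODO',` … ') (closed by the `dnl endif TODO` line), which m4 does not expand at build time, so the identifiers introduced on the new line — rw_inherited_chr_file_perms and setattr_chr_file_perms — are never seen by the policy compiler and a misspelled or undefined set name would go unnoticed until the block is enabled. If the block is dead it is better removed than kept in step with the permission-set renames; otherwise it is worth confirming that rw_inherited_chr_file_perms is actually defined in this tree's obj_perm_sets.spt before relying on it. The enclosing ifdef and tunable blocks begin outside the hunk.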
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index be42115..7113802 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -31,7 +31,7 @@ files_pid_file(sssd_var_run_t)
 
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 9cc4d7d..296e5ba 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -36,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index d9d8e18..34c4c57 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -31,7 +31,7 @@ allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(telnetd_t, telnetd_devpts_t)
 
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index f4080d1..97ce79e 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -40,7 +40,7 @@ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 678ab90..44dfdc8 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e..037a1e8 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
 
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
 
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 91886b2..1e40c2a 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -123,7 +123,7 @@ optional_policy(`
 #
 
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
 
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index f56f51f..7baeb6f 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
 
 allow vhostmd_t self:capability { dac_override ipc_lock	setuid setgid };
 allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 9930bcb..62e349a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -473,7 +473,7 @@ optional_policy(`
 
 allow virt_domain self:capability { dac_read_search dac_override kill };
 allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
 allow virt_domain self:shm create_shm_perms;
 allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 739b23b..c80794b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -414,7 +414,7 @@ allow xdm_t self:key { search link write };
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
@@ -483,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
 
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -1115,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
 allow xserver_t xdm_var_lib_t:file read_file_perms;
-dontaudit xserver_t xdm_var_lib_t:dir search;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
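Review bot: The dontaudit on xdm_var_lib_t:dir now uses search_dir_perms, which in refpolicy also covers getattr (if I have the definition right), so this rule suppresses more denials than the original `search` alone did. The comment two lines above stresses that xserver_t must not get access to this directory, and a dontaudit exists to keep one known, expected denial out of the audit log while still letting unexpected ones surface; widening it costs audit visibility rather than granting access, so it is lower risk than the allow-rule changes elsewhere in this commit, but unless getattr denials were actually observed the original `dontaudit xserver_t xdm_var_lib_t:dir search;` is the more precise rule.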
@@ -1125,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index b8dd21a..20d7cde 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
 #
 
 allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 
 # log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)
 
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index a1035a4..f0b1201 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -51,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index f9a06d2..3d407c6 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
 #
 
 allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(zos_remote_t)

