miscfiles_read_localization(amanda_recover_t)
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
optional_policy(`
logging_send_audit_msgs(amtu_t)
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
# with boolean, for cron-apt and such?
#optional_policy(`
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
-userdom_use_user_terminals(bootloader_t)
+userdom_use_inherited_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
miscfiles_read_all_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
-term_use_all_terms(consoletype_t)
+term_use_all_inherited_terms(consoletype_t)
term_use_ptmx(consoletype_t)
init_use_fds(consoletype_t)
init_rw_script_pipes(consoletype_t)
init_rw_inherited_script_tmp_files(consoletype_t)
-userdom_use_user_terminals(consoletype_t)
+userdom_use_inherited_user_terminals(consoletype_t)
ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
miscfiles_read_localization(ddcprobe_t)
-userdom_use_user_terminals(ddcprobe_t)
+userdom_use_inherited_user_terminals(ddcprobe_t)
userdom_use_all_users_fds(ddcprobe_t)
optional_policy(`
miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-userdom_use_user_terminals(dmesg_t)
+userdom_use_inherited_user_terminals(dmesg_t)
optional_policy(`
abrt_cache_append(dmesg_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
sysnet_read_config(dpkg_t)
-userdom_use_user_terminals(dpkg_t)
+userdom_use_inherited_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
-term_use_all_terms(dpkg_script_t)
+term_use_all_inherited_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
miscfiles_read_localization(firstboot_t)
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
miscfiles_read_localization(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
sysnet_read_config(kudzu_t)
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
seutil_dontaudit_read_config(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
userdom_dontaudit_list_admin_dir(logrotate_t)
selinux_dontaudit_getattr_dir(mrtg_t)
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
userdom_dontaudit_list_admin_dir(mrtg_t)
files_read_etc_runtime_files(ncftool_t)
files_read_usr_files(ncftool_t)
-term_use_all_terms(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
miscfiles_read_localization(ncftool_t)
miscfiles_read_localization(netutils_t)
term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
optional_policy(`
')
')
-term_use_all_terms(ping_t)
+term_use_all_inherited_terms(ping_t)
tunable_policy(`user_ping',`
term_use_all_ttys(ping_t)
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
-term_use_all_terms(traceroute_t)
+term_use_all_inherited_terms(traceroute_t)
tunable_policy(`user_ping',`
term_use_all_ttys(traceroute_t)
logging_send_syslog_msg($1)
- userdom_use_user_terminals($1)
+ userdom_use_inherited_user_terminals($1)
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
miscfiles_read_localization(gcc_config_t)
-userdom_use_user_terminals(gcc_config_t)
+userdom_use_inherited_user_terminals(gcc_config_t)
optional_policy(`
consoletype_exec(gcc_config_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
-userdom_use_user_terminals(portage_fetch_t)
+userdom_use_inherited_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
userdom_manage_user_home_content(prelink_t)
userdom_execmod_user_home_files(prelink_t)
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
-userdom_use_user_terminals(rpm_t)
+userdom_use_inherited_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
+term_use_all_inherited_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
mls_file_write_to_clearance(shutdown_t)
-term_use_all_terms(shutdown_t)
+term_use_all_inherited_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
miscfiles_read_localization($1_su_t)
- userdom_use_user_terminals($1_su_t)
+ userdom_use_inherited_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
userdom_search_admin_dir($1_su_t)
userdom_manage_user_home_content_symlinks($1_sudo_t)
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
- userdom_use_user_terminals($1_sudo_t)
+ userdom_use_inherited_user_terminals($1_sudo_t)
userdom_signal_all_users($1_sudo_t)
# for some PAM modules and for cwd
userdom_search_user_home_content($1_sudo_t)
logging_send_syslog_msg(tripwire_t)
-userdom_use_user_terminals(tripwire_t)
+userdom_use_inherited_user_terminals(tripwire_t)
optional_policy(`
cron_system_entry(tripwire_t, tripwire_exec_t)
miscfiles_read_localization(twadmin_t)
-userdom_use_user_terminals(twadmin_t)
+userdom_use_inherited_user_terminals(twadmin_t)
########################################
#
miscfiles_read_localization(twprint_t)
-userdom_use_user_terminals(twprint_t)
+userdom_use_inherited_user_terminals(twprint_t)
########################################
#
miscfiles_read_localization(siggen_t)
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)
-userdom_use_user_terminals(tzdata_t)
+userdom_use_inherited_user_terminals(tzdata_t)
# tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(`
miscfiles_read_hwdata(usbmodules_t)
-userdom_use_user_terminals(usbmodules_t)
+userdom_use_inherited_user_terminals(usbmodules_t)
optional_policy(`
hotplug_read_config(usbmodules_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
-term_use_all_ttys(chfn_t)
-term_use_all_ptys(chfn_t)
+term_use_all_inherited_ttys(chfn_t)
+term_use_all_inherited_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
-term_use_all_terms(groupadd_t)
+term_use_all_inherited_terms(groupadd_t)
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
-term_use_all_terms(passwd_t)
+term_use_all_inherited_terms(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
seutil_dontaudit_search_config(passwd_t)
-userdom_use_user_terminals(passwd_t)
+userdom_use_inherited_user_terminals(passwd_t)
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
-term_use_all_terms(sysadm_passwd_t)
+term_use_all_inherited_terms(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
-term_use_all_terms(useradd_t)
+term_use_all_inherited_terms(useradd_t)
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
-term_use_all_ptys(vpnc_t)
-term_use_all_ttys(vpnc_t)
+term_use_all_inherited_ptys(vpnc_t)
+term_use_all_inherited_ttys(vpnc_t)
corecmd_exec_all_executables(vpnc_t)
allow ada_t self:process { execstack execmem };
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
miscfiles_read_localization(cdrecord_t)
# write to the user domain tty.
-userdom_use_user_terminals(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
userdom_read_user_home_content_files(cdrecord_t)
# Handle nfs home dirs
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_sockets(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
-userdom_use_user_terminals(evolution_t)
+userdom_use_inherited_user_terminals(evolution_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
sysnet_read_config(giftd_t)
-userdom_use_user_terminals(giftd_t)
+userdom_use_inherited_user_terminals(giftd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(giftd_t)
ssh_read_user_home_files(gkeyringd_domain)
')
-userdom_use_user_terminals(gnome_domain)
+userdom_use_inherited_user_terminals(gnome_domain)
miscfiles_read_localization(gpg_t)
-userdom_use_user_terminals(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_all_user_tmp_content(gpg_t)
#userdom_manage_user_home_content(gpg_t)
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
-userdom_use_user_terminals(gpg_agent_t)
+userdom_use_inherited_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
sysnet_read_config(irc_t)
# Write to the user domain tty.
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
miscfiles_read_localization(irssi_t)
-userdom_use_user_terminals(irssi_t)
+userdom_use_inherited_user_terminals(irssi_t)
tunable_policy(`irssi_use_full_network', `
corenet_tcp_bind_all_unreserved_ports(irssi_t)
miscfiles_read_localization(loadkeys_t)
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
miscfiles_read_localization(mencoder_t)
-userdom_use_user_terminals(mencoder_t)
+userdom_use_inherited_user_terminals(mencoder_t)
# Handle removable media, /tmp, and /home
userdom_list_user_tmp(mencoder_t)
userdom_read_user_tmp_files(mencoder_t)
miscfiles_read_localization(mplayer_t)
miscfiles_read_fonts(mplayer_t)
-userdom_use_user_terminals(mplayer_t)
+userdom_use_inherited_user_terminals(mplayer_t)
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
gnome_stream_connect(nsplugin_t, $2)
- userdom_use_user_terminals(nsplugin_t)
- userdom_use_user_terminals(nsplugin_config_t)
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
userdom_manage_tmpfs_role($1, nsplugin_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
sysnet_read_config($1_t)
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
logging_send_syslog_msg(sandbox_xserver_t)
logging_send_audit_msgs(sandbox_xserver_t)
-userdom_use_user_terminals(sandbox_xserver_t)
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
xserver_entry_type(sandbox_xserver_t)
seutil_read_config($1_screen_t)
- userdom_use_user_terminals($1_screen_t)
+ userdom_use_inherited_user_terminals($1_screen_t)
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_setattr_user_ptys($1_screen_t)
miscfiles_read_localization(seunshare_domain)
-userdom_use_user_terminals(seunshare_domain)
+userdom_use_inherited_user_terminals(seunshare_domain)
userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
miscfiles_read_localization(telepathy_domain)
-sysnet_dns_name_resolve(telepathy_domain)
-
# This interface does not facilitate files_search_tmp which appears to be a bug.
userdom_stream_connect(telepathy_domain)
-userdom_use_user_terminals(telepathy_domain)
+userdom_use_inherited_user_terminals(telepathy_domain)
tunable_policy(`telepathy_tcp_connect_generic_network_ports', `
corenet_tcp_connect_generic_port(telepathy_domain)
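Review bot: The removal of `sysnet_dns_name_resolve(telepathy_domain)` on the `-` line above is unrelated to the terminal-permission sweep that makes up the rest of this diff, and nothing visible here replaces it. Unless name resolution for telepathy_domain is granted elsewhere (e.g. through a nsswitch interface outside this hunk — I cannot confirm that from the page), connection managers in that domain lose DNS and the failure will surface as a denial far from this change. I would either split it into its own commit with a one-line justification, or keep the line until the replacement grant is shown in the same diff. The enclosing block for telepathy_domain starts before this hunk.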
miscfiles_read_localization(tvtime_t)
miscfiles_read_fonts(tvtime_t)
-userdom_use_user_terminals(tvtime_t)
+userdom_use_inherited_user_terminals(tvtime_t)
userdom_read_user_home_content_files(tvtime_t)
# X access, Home files
# Use the network.
sysnet_read_config(uml_t)
-userdom_use_user_terminals(uml_t)
+userdom_use_inherited_user_terminals(uml_t)
userdom_attach_admin_tun_iface(uml_t)
optional_policy(`
sysnet_read_config(usernetctl_t)
-userdom_use_user_terminals(usernetctl_t)
+userdom_use_inherited_user_terminals(usernetctl_t)
optional_policy(`
hostname_exec(usernetctl_t)
miscfiles_read_localization(vlock_t)
userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
miscfiles_read_localization(vmware_t)
-userdom_use_user_terminals(vmware_t)
+userdom_use_inherited_user_terminals(vmware_t)
userdom_list_user_home_dirs(vmware_t)
# cjp: why?
userdom_read_user_home_content_files(vmware_t)
sysnet_dns_name_resolve(webalizer_t)
sysnet_read_config(webalizer_t)
-userdom_use_user_terminals(webalizer_t)
+userdom_use_inherited_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
files_execmod_all_files(wine_t)
-userdom_use_user_terminals(wine_t)
+userdom_use_inherited_user_terminals(wine_t)
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
miscfiles_read_localization(xscreensaver_t)
-userdom_use_user_ptys(xscreensaver_t)
+userdom_use_inherited_user_ptys(xscreensaver_t)
#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)
sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)
-userdom_use_user_terminals(yam_t)
+userdom_use_inherited_user_terminals(yam_t)
userdom_use_unpriv_users_fds(yam_t)
# Reading dotfiles...
# cjp: ?
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
')
+########################################
+## <summary>
+## Read and write the inherited console, all inherited
+## ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_terms',`
+ gen_require(`
+ attribute ttynode, ptynode;
+ type console_device_t, devpts_t, tty_device_t;
+ ')
+
+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
+')
+
########################################
## <summary>
## Write to the console.
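Review bot: The new `term_use_all_inherited_terms` interface is missing the one sentence a policy writer needs to choose between it and `term_use_all_terms`: that it only covers file descriptors the domain already holds. Judging from the macro name, `rw_inherited_term_perms` presumably omits `open`, so a domain that opens a tty or pty by path itself must keep the non-inherited interface; I would add to the summary `## Grants access only to terminal descriptors inherited from the caller; does not allow opening terminals by path.` and confirm `rw_inherited_term_perms` is defined in the support macros, which are outside this diff. Same point applies to the `term_use_all_inherited_ptys` and `term_use_all_inherited_ttys` interfaces added below.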
allow $1 ptynode:chr_file { rw_term_perms lock append };
')
+########################################
+## <summary>
+## Read and write all inherited ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
+')
+
########################################
## <summary>
## Do not audit attempts to read or write any ptys.
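Review bot: In `term_use_all_inherited_ptys` the `gen_require` block declares `type devpts_t;` but the interface's only rule references `ptynode`, so the require is dead and should be dropped (`attribute ptynode;` is all that is needed). The rule also grants `{ rw_inherited_term_perms lock }` while the sibling `term_use_all_inherited_terms` above grants bare `rw_inherited_term_perms`, and the existing `term_use_all_ptys` in context grants `{ rw_term_perms lock append }`; if `lock` and `append` are intentional differences between the three, a comment saying so would stop the next reviewer from "fixing" them, otherwise the permission sets should match. I cannot tell from this page whether `rw_inherited_term_perms` already includes `append`.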
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file rw_chr_file_perms;
+ allow $1 ttynode:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write all inherited ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file rw_inherited_term_perms;
')
########################################
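Review bot: `term_use_all_inherited_ttys` carries `dev_list_all_dev_nodes($1)` over from `term_use_all_ttys`, but a domain that only reads and writes an inherited descriptor never walks /dev, so every caller moved to the inherited variant in this diff (chfn_t, vpnc_t, pulseaudio_t, portslave_t, postfix_postqueue_t) picks up directory listing on all device nodes it presumably does not need; I would drop that line from the new interface and leave `allow $1 ttynode:chr_file rw_inherited_term_perms;` as its only rule. Separately, the `-`/`+` pair that changes the existing `term_use_all_ttys` from `rw_chr_file_perms` to `rw_term_perms` alters an interface that is not otherwise part of this sweep; if that tightening is deliberate it deserves a mention in the commit message, since any current caller relying on the difference between the two macros will start seeing denials.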
seutil_use_newrole_fds(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
- userdom_use_user_terminals(httpd_suexec_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
userdom_dontaudit_use_user_terminals(httpd_suexec_t)
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
-userdom_use_user_terminals(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
term_dontaudit_use_console(ndc_t)
miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
userdom_read_user_home_content_symlinks($1_t)
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
- term_use_all_terms($1_dbusd_t)
+ term_use_all_inherited_terms($1_dbusd_t)
userdom_dontaudit_search_admin_dir($1_dbusd_t)
userdom_manage_user_home_content_dirs($1_dbusd_t)
miscfiles_read_localization(cdcc_t)
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
miscfiles_read_localization(dcc_client_t)
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
amavis_read_spool_files(dcc_client_t)
miscfiles_read_localization(dcc_dbclean_t)
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
fs_list_inotifyfs(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs(git_session_t)
-userdom_use_user_terminals(git_session_t)
+userdom_use_inherited_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
-userdom_use_user_terminals(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
sysnet_read_config(hadoop_t)
-userdom_use_user_terminals(hadoop_t)
+userdom_use_inherited_user_terminals(hadoop_t)
java_exec(hadoop_t)
sysnet_read_config(zookeeper_t)
-userdom_use_user_terminals(zookeeper_t)
+userdom_use_inherited_user_terminals(zookeeper_t)
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
java_exec(zookeeper_t)
mls_file_read_to_clearance(ksmtuned_t)
-term_use_all_terms(ksmtuned_t)
+term_use_all_inherited_terms(ksmtuned_t)
logging_send_syslog_msg(ksmtuned_t)
files_read_etc_files(ktalkd_t)
term_search_ptys(ktalkd_t)
-term_use_all_terms(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
sysnet_read_config(checkpc_t)
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
-userdom_use_user_terminals(lpr_t)
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
init_use_script_ptys(system_mail_t)
-userdom_use_user_terminals(system_mail_t)
+userdom_use_inherited_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
userdom_dontaudit_list_admin_dir(system_mail_t)
domain_use_interactive_fds(user_mail_t)
-userdom_use_user_terminals(user_mail_t)
+userdom_use_inherited_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
-userdom_use_user_terminals(mta_user_agent)
+userdom_use_inherited_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
sysnet_read_config(oav_update_t)
-userdom_use_user_terminals(oav_update_t)
+userdom_use_inherited_user_terminals(oav_update_t)
optional_policy(`
cron_system_entry(oav_update_t, oav_update_exec_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+userdom_use_inherited_user_terminals(openvpn_t)
userdom_read_home_certs(openvpn_t)
userdom_attach_admin_tun_iface(openvpn_t)
sysnet_read_config(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
optional_policy(`
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
auth_rw_login_records(portslave_t)
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
-userdom_use_user_terminals(privoxy_t)
+userdom_use_inherited_user_terminals(privoxy_t)
tunable_policy(`privoxy_connect_any',`
corenet_tcp_connect_all_ports(privoxy_t)
logging_send_syslog_msg(razor_t)
userdom_search_user_home_dirs(razor_t)
- userdom_use_user_terminals(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(razor_t)
samba_read_var_files(samba_net_t)
-userdom_use_user_terminals(samba_net_t)
+userdom_use_inherited_user_terminals(samba_net_t)
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
miscfiles_read_localization(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
+userdom_use_inherited_user_terminals(smbcontrol_t)
########################################
#
logging_search_logs(smbmount_t)
-userdom_use_user_terminals(smbmount_t)
+userdom_use_inherited_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
optional_policy(`
miscfiles_read_localization(winbind_helper_t)
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
optional_policy(`
apache_append_log(winbind_helper_t)
manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
- userdom_use_user_terminals(samba_unconfined_net_t)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
')
type samba_unconfined_script_t;
seutil_sigchld_newrole(samhain_t)
-userdom_use_user_terminals(samhain_t)
+userdom_use_inherited_user_terminals(samhain_t)
########################################
#
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
- userdom_use_user_terminals($1_ssh_agent_t)
+ userdom_use_inherited_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
userdom_search_user_home_content($1_ssh_agent_t)
userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
-userdom_use_user_terminals(ssh_t)
+userdom_use_inherited_user_terminals(ssh_t)
# needs to read krb/write tgt
userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
init_use_fds(sysstat_t)
miscfiles_read_public_files(virt_domain)
storage_raw_read_removable_device(virt_domain)
-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
storage_raw_read_fixed_disk(virsh_t)
-term_use_all_terms(virsh_t)
+term_use_all_inherited_terms(virsh_t)
init_stream_connect_script(virsh_t)
init_rw_script_stream_sockets(virsh_t)
fs_search_auto_mountpoints(iceauth_t)
-userdom_use_user_terminals(iceauth_t)
+userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
userdom_read_all_users_state(iceauth_t)
auth_use_nsswitch(xauth_t)
-userdom_use_user_terminals(xauth_t)
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
userdom_read_all_users_state(xauth_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
-userdom_use_user_terminals(chkpwd_t)
+userdom_use_inherited_user_terminals(chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
miscfiles_read_localization(updpwd_t)
-userdom_use_user_terminals(updpwd_t)
+userdom_use_inherited_user_terminals(updpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
logging_search_logs(utempter_t)
-userdom_use_user_terminals(utempter_t)
+userdom_use_inherited_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_ttys(hwclock_t)
-term_use_all_ttys(hwclock_t)
-term_use_all_ptys(hwclock_t)
+term_use_all_inherited_ttys(hwclock_t)
+term_use_all_inherited_ptys(hwclock_t)
domain_use_interactive_fds(hwclock_t)
seutil_read_config(fsadm_t)
-term_use_all_terms(fsadm_t)
+term_use_all_inherited_terms(fsadm_t)
ifdef(`distro_redhat',`
optional_policy(`
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-term_use_all_ttys(hostname_t)
-term_use_all_ptys(hostname_t)
+term_use_all_inherited_ttys(hostname_t)
+term_use_all_inherited_ptys(hostname_t)
init_use_fds(hostname_t)
init_use_script_fds(hostname_t)
files_read_system_conf_files(init_t)
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
-files_read_etc_runtime_files(init_t)
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
selinux_set_all_booleans(init_t)
-term_use_all_terms(init_t)
+term_use_unallocated_ttys(init_t)
+term_use_console(init_t)
+term_use_all_inherited_terms(init_t)
# Run init scripts.
init_domtrans_script(init_t)
storage_setattr_fixed_disk_dev(initrc_t)
storage_setattr_removable_dev(initrc_t)
-term_use_all_terms(initrc_t)
+term_use_all_inherited_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
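Review bot: The three-line comment above the changed initrc_t rule still describes the old grant ("Allow access to the sysadm TTYs"), but `userdom_use_inherited_user_terminals` expands to `rw_inherited_term_perms`, which in the perm-set macros on this page carries no `open`, so initrc_t can now only read and write a sysadm TTY/PTY descriptor it already holds and can no longer open one itself. The warning that follows is still true for inherited descriptors, so I would reword rather than drop it: `# Allow use of already-open sysadm TTY/PTY descriptors (no open). Any process in initrc_t that inherits such a descriptor can read and write it, so daemons started from init should still be placed in their own domain.` The surrounding initrc_t policy continues outside the hunk, so I have not checked whether another rule still grants `open` on these types.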
optional_policy(`
unconfined_domain(initrc_t)
domain_role_change_exemption(initrc_t)
- mcs_file_read_all(initrc_t)
- mcs_file_write_all(initrc_t)
- mcs_socket_write_all_levels(initrc_t)
- mcs_killall(initrc_t)
- mcs_ptrace_all(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
-term_use_all_terms(ipsec_mgmt_t)
+term_use_all_inherited_terms(ipsec_mgmt_t)
auth_dontaudit_read_login_records(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
-userdom_use_user_terminals(ipsec_mgmt_t)
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
seutil_read_config(setkey_t)
-userdom_use_user_terminals(setkey_t)
+userdom_use_inherited_user_terminals(setkey_t)
userdom_read_user_tmp_files(setkey_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
-term_use_all_terms(iptables_t)
+term_use_all_inherited_terms(iptables_t)
domain_use_interactive_fds(iptables_t)
sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
-userdom_use_user_terminals(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
optional_policy(`
logging_send_syslog_msg(ldconfig_t)
term_use_console(ldconfig_t)
-userdom_use_user_terminals(ldconfig_t)
+userdom_use_inherited_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
mls_file_read_all_levels(auditctl_t)
-term_use_all_terms(auditctl_t)
+term_use_all_inherited_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
sysnet_dns_name_resolve(auditd_t)
-userdom_use_user_terminals(auditd_t)
+userdom_use_inherited_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
-term_use_all_terms(lvm_t)
+term_use_all_inherited_terms(lvm_t)
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
-userdom_use_user_terminals(lvm_t)
+userdom_use_inherited_user_terminals(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
-userdom_use_user_terminals(depmod_t)
+userdom_use_inherited_user_terminals(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
seutil_read_file_contexts(insmod_t)
-term_use_all_terms(insmod_t)
+term_use_all_inherited_terms(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
miscfiles_read_localization(update_modules_t)
-userdom_use_user_terminals(update_modules_t)
+userdom_use_inherited_user_terminals(update_modules_t)
userdom_dontaudit_search_user_home_dirs(update_modules_t)
ifdef(`distro_gentoo',`
storage_raw_write_removable_device(mount_t)
storage_rw_fuse(mount_t)
-term_use_all_terms(mount_t)
+term_use_all_inherited_terms(mount_t)
auth_use_nsswitch(mount_t)
sysnet_dns_name_resolve(showmount_t)
-userdom_use_user_terminals(showmount_t)
+userdom_use_inherited_user_terminals(showmount_t)
seutil_use_newrole_fds(netlabel_mgmt_t)
-userdom_use_user_terminals(netlabel_mgmt_t)
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
selinux_validate_context($1)
selinux_get_enforce_mode($1)
- term_use_all_terms($1)
+ term_use_all_inherited_terms($1)
locallogin_use_fds($1)
selinux_compute_relabel_context($1)
selinux_compute_user_contexts($1)
-term_use_all_terms($1)
+term_use_all_inherited_terms($1)
# this is to satisfy the assertion:
auth_relabelto_shadow($1)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
-userdom_use_user_terminals(checkpolicy_t)
+userdom_use_inherited_user_terminals(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
seutil_libselinux_linked(load_policy_t)
-userdom_use_user_terminals(load_policy_t)
+userdom_use_inherited_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
ifdef(`distro_ubuntu',`
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
-userdom_use_user_terminals(run_init_t)
+userdom_use_inherited_user_terminals(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-userdom_use_user_terminals(dhcpc_t)
+userdom_use_inherited_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
ifdef(`distro_redhat', `
sysnet_dns_name_resolve(ifconfig_t)
-userdom_use_user_terminals(ifconfig_t)
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
storage_raw_write_removable_device($1_t)
storage_dontaudit_read_fixed_disk($1_t)
- term_use_all_terms($1_t)
+ term_use_all_inherited_terms($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
allow $1 user_tty_device_t:chr_file rw_term_perms;
')
+########################################
+## <summary>
+## Read and write a inherited user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_inherited_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+')
+
########################################
## <summary>
## Read and write a user domain pty.
allow $1 user_devpts_t:chr_file rw_term_perms;
')
+########################################
+## <summary>
+## Read and write a inherited user domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_inherited_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
########################################
## <summary>
## Read and write a user TTYs and PTYs.
## </param>
## <infoflow type="both" weight="10"/>
#
-interface(`userdom_use_user_terminals',`
+interface(`userdom_use_inherited_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
')
term_list_ptys($1)
')
+########################################
+## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to read and write
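Review bot: This is the second definition of `userdom_use_inherited_user_terminals` on this page: the earlier userdomain.if hunk renames the existing `userdom_use_user_terminals` to the same name and keeps `term_list_ptys($1)` in its body, while this one omits that call, so either the build's duplicate-interface check fails or the later m4 define silently wins and every caller still spelling `userdom_use_user_terminals` stops expanding; the rename should be dropped so the original interface survives next to this new one. The perm-set hunks further down remove `rw_inherited_term_perms` (and the other `rw_inherited_*_perms` sets) while this body and the new `userdom_use_inherited_user_ttys`/`_ptys` still reference it — if those hunks belong to the same change the bare token reaches checkpolicy as an unknown permission, and if they are a reversed diff of the spt file the commit should say so. The description is copied from the non-inherited interface and misses the point of the variant: the set carries no `open`, so the domain can only use a terminal descriptor handed to it and cannot open other sessions' TTYs or PTYs, which is what makes it the safer default for confined helpers. I would replace the first sentence of the `<p>` with `## Allow the domain to read and write user TTYs/PTYs it inherited as open descriptors; it is not allowed to open them itself.` and fix `a inherited` to `an inherited` in all three new summaries.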
#
# All socket classes.
#
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
#
# Datagram socket classes.
#
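Review bot: Dropping the generic `socket` class from `socket_class_set` is a permission change for every rule written against the set, not a cleanup: as far as I recall the kernel labels sockets of any address family without a dedicated object class as plain `socket`, so those objects lose whatever access the set used to carry, and nothing on this page explains that. If the removal is intentional it needs a sentence in the commit message; otherwise keep the class, i.e. the new define should still start `{ socket tcp_socket udp_socket rawip_socket ...`. The added blank line after the define is the only other change in this hunk.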
# Permissions for using sockets.
#
-define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
-define(`read_file_perms',`{ open read_inherited_file_perms }')
+define(`read_file_perms',`{ getattr open read lock ioctl }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
-define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
-define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
+define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
-define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
+define(`rw_sock_file_perms',`{ getattr open read write append }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
-define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
-define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
#
# Use (read and write) terminals
#
-define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
-define(`rw_term_perms', `{ rw_inherited_term_perms open }')
+define(`rw_term_perms', `{ getattr open read write append ioctl }')
#
# Sockets