From 0b36a2146ea6ddcb9ed580f14a8e80b9cab7ae0c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 16 Oct 2008 16:09:20 +0000 Subject: [PATCH] trunk: Enable open permission checks policy capability. --- Changelog | 1 + policy/modules/admin/acct.te | 2 +- policy/modules/admin/amanda.te | 8 ++-- policy/modules/admin/dpkg.te | 2 +- policy/modules/admin/firstboot.te | 5 +- policy/modules/admin/mrtg.te | 2 +- policy/modules/admin/portage.te | 2 +- policy/modules/admin/rpm.te | 2 - policy/modules/admin/updfstab.te | 2 +- policy/modules/apps/awstats.te | 2 +- policy/modules/apps/calamaris.te | 2 +- policy/modules/apps/webalizer.te | 2 +- policy/modules/apps/yam.te | 2 +- policy/modules/kernel/domain.if | 8 ++-- policy/modules/kernel/selinux.te | 4 +- policy/modules/services/afs.te | 2 +- policy/modules/services/apache.if | 2 +- policy/modules/services/apache.te | 10 ++-- policy/modules/services/avahi.te | 2 +- policy/modules/services/bind.te | 14 +++--- policy/modules/services/ccs.te | 2 +- policy/modules/services/cups.te | 4 +- policy/modules/services/dante.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/dhcp.te | 2 +- policy/modules/services/distcc.te | 2 +- policy/modules/services/dnsmasq.te | 2 +- policy/modules/services/dovecot.te | 2 +- policy/modules/services/finger.te | 2 +- policy/modules/services/gatekeeper.te | 2 +- policy/modules/services/jabber.te | 2 +- policy/modules/services/ldap.te | 4 +- policy/modules/services/lpd.te | 4 +- policy/modules/services/monop.te | 2 +- policy/modules/services/mysql.if | 2 +- policy/modules/services/mysql.te | 4 +- policy/modules/services/nagios.te | 2 +- policy/modules/services/nessus.te | 4 +- policy/modules/services/nis.te | 4 +- policy/modules/services/nscd.te | 2 +- policy/modules/services/nsd.te | 2 +- policy/modules/services/ntop.te | 2 +- policy/modules/services/ntp.te | 2 +- policy/modules/services/nx.te | 2 +- policy/modules/services/oav.te | 2 +- policy/modules/services/oddjob.te | 4 +- policy/modules/services/pcscd.te | 2 +- policy/modules/services/perdition.te | 2 +- policy/modules/services/postfix.te | 8 ++-- policy/modules/services/postgresql.te | 3 +- policy/modules/services/ppp.te | 12 ++--- policy/modules/services/qmail.te | 30 ++++++------ policy/modules/services/resmgr.te | 2 +- policy/modules/services/ricci.te | 6 +-- policy/modules/services/rpc.te | 2 +- policy/modules/services/samba.te | 16 +++---- policy/modules/services/sasl.te | 2 +- policy/modules/services/spamassassin.if | 3 +- policy/modules/services/stunnel.te | 4 +- policy/modules/services/tftp.te | 4 +- policy/modules/services/tor.te | 2 +- policy/modules/services/ucspitcp.te | 2 +- policy/modules/services/uptime.te | 4 +- policy/modules/services/uucp.te | 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/services/zebra.te | 2 +- policy/modules/system/authlogin.if | 2 +- policy/modules/system/authlogin.te | 4 +- policy/modules/system/clock.te | 2 +- policy/modules/system/init.if | 2 +- policy/modules/system/ipsec.te | 4 +- policy/modules/system/iscsi.te | 2 +- policy/modules/system/logging.if | 2 +- policy/modules/system/logging.te | 4 +- policy/modules/system/selinuxutil.te | 2 +- policy/modules/system/sysnetwork.te | 1 - policy/modules/system/udev.te | 2 +- policy/modules/system/xen.te | 9 ++-- policy/policy_capabilities | 5 +- policy/support/obj_perm_sets.spt | 62 ++++++++++++------------- 80 files changed, 170 insertions(+), 185 deletions(-) diff --git a/Changelog b/Changelog index 773ad92c..8a78a19d 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Enable open permission checks policy capability. - Remove hierarchy from portage module as it is not a good example of hieararchy. - Remove enableaudit target from modular build as semodule -DB supplants it. diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te index 6d084c92..1e6ec2dc 100644 --- a/policy/modules/admin/acct.te +++ b/policy/modules/admin/acct.te @@ -23,7 +23,7 @@ allow acct_t self:capability { sys_pacct chown fsetid }; # not sure why we need kill, the command "last" is reported as using it dontaudit acct_t self:capability { kill sys_tty_config }; -allow acct_t self:fifo_file { read write getattr }; +allow acct_t self:fifo_file rw_fifo_file_perms; allow acct_t self:process signal_perms; manage_files_pattern(acct_t, acct_data_t, acct_data_t) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index b6512fee..4b5209cd 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -76,10 +76,10 @@ allow amanda_t self:tcp_socket create_stream_socket_perms; allow amanda_t self:udp_socket create_socket_perms; # access to amanda_amandates_t -allow amanda_t amanda_amandates_t:file { getattr lock read write }; +allow amanda_t amanda_amandates_t:file rw_file_perms; # configuration files -> read only -allow amanda_t amanda_config_t:file { getattr read }; +allow amanda_t amanda_config_t:file read_file_perms; # access to amandas data structure manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -87,7 +87,7 @@ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) # access to amanda_dumpdates_t -allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; +allow amanda_t amanda_dumpdates_t:file rw_file_perms; can_exec(amanda_t, amanda_exec_t) can_exec(amanda_t, amanda_inetd_exec_t) @@ -172,7 +172,7 @@ optional_policy(` allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; allow amanda_recover_t self:process { sigkill sigstop signal }; -allow amanda_recover_t self:fifo_file { getattr ioctl read write }; +allow amanda_recover_t self:fifo_file rw_fifo_file_perms; allow amanda_recover_t self:unix_stream_socket { connect create read write }; allow amanda_recover_t self:tcp_socket create_stream_socket_perms; allow amanda_recover_t self:udp_socket create_socket_perms; diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 456fca92..07e58a50 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -171,7 +171,7 @@ userdom_use_unpriv_users_fds(dpkg_t) # transition to dpkg script: dpkg_domtrans_script(dpkg_t) # since the scripts aren't labeled correctly yet... -allow dpkg_t dpkg_var_lib_t:file execute; +allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; optional_policy(` apt_use_ptys(dpkg_t) diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index 2d221998..cadd3495 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -27,13 +27,12 @@ files_config_file(firstboot_etc_t) allow firstboot_t self:capability { dac_override setgid }; allow firstboot_t self:process setfscreate; -allow firstboot_t self:file { read write }; -allow firstboot_t self:fifo_file { getattr read write }; +allow firstboot_t self:fifo_file rw_fifo_file_perms; allow firstboot_t self:tcp_socket create_stream_socket_perms; allow firstboot_t self:unix_stream_socket { connect create }; allow firstboot_t self:passwd rootok; -allow firstboot_t firstboot_etc_t:file { getattr read }; +allow firstboot_t firstboot_etc_t:file read_file_perms; kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 962f7520..7cc90c2b 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -33,7 +33,7 @@ files_pid_file(mrtg_var_run_t) allow mrtg_t self:capability { setgid setuid chown }; dontaudit mrtg_t self:capability sys_tty_config; allow mrtg_t self:process signal_perms; -allow mrtg_t self:fifo_file { getattr read write ioctl }; +allow mrtg_t self:fifo_file rw_fifo_file_perms; allow mrtg_t self:unix_stream_socket create_socket_perms; allow mrtg_t self:tcp_socket create_socket_perms; allow mrtg_t self:udp_socket create_socket_perms; diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index d2a092e7..4f8ebcd0 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -73,7 +73,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) allow gcc_config_t portage_ebuild_t:dir list_dir_perms; read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) -allow gcc_config_t portage_exec_t:file { execute getattr }; +allow gcc_config_t portage_exec_t:file mmap_file_perms; kernel_read_system_state(gcc_config_t) kernel_read_kernel_sysctls(gcc_config_t) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index ce325ba1..fc30eb55 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -68,8 +68,6 @@ allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; -allow rpm_t self:dir search; -allow rpm_t self:file rw_file_perms;; allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te index ccb521f2..d23ce818 100644 --- a/policy/modules/admin/updfstab.te +++ b/policy/modules/admin/updfstab.te @@ -18,7 +18,7 @@ init_system_domain(updfstab_t, updfstab_exec_t) allow updfstab_t self:capability dac_override; dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; allow updfstab_t self:process signal_perms; -allow updfstab_t self:fifo_file { getattr read write ioctl }; +allow updfstab_t self:fifo_file rw_fifo_file_perms; kernel_use_fds(updfstab_t) kernel_read_kernel_sysctls(updfstab_t) diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te index d59f8be7..43af46d0 100644 --- a/policy/modules/apps/awstats.te +++ b/policy/modules/apps/awstats.te @@ -71,7 +71,7 @@ optional_policy(` # awstats cgi script policy # -allow httpd_awstats_script_t awstats_var_lib_t:dir read; +allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) files_search_var_lib(httpd_awstats_script_t) diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te index b7390741..60968817 100644 --- a/policy/modules/apps/calamaris.te +++ b/policy/modules/apps/calamaris.te @@ -24,7 +24,7 @@ logging_log_file(calamaris_log_t) # for when squid has a different UID allow calamaris_t self:capability dac_override; allow calamaris_t self:process { fork signal_perms setsched }; -allow calamaris_t self:fifo_file { getattr read write ioctl }; +allow calamaris_t self:fifo_file rw_fifo_file_perms; allow calamaris_t self:unix_stream_socket create_stream_socket_perms; allow calamaris_t self:tcp_socket create_stream_socket_perms; allow calamaris_t self:udp_socket create_socket_perms; diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index 12ec66e3..8d02fcab 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te @@ -48,7 +48,7 @@ allow webalizer_t self:tcp_socket connected_stream_socket_perms; allow webalizer_t self:udp_socket { connect connected_socket_perms }; allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; -allow webalizer_t webalizer_etc_t:file { getattr read }; +allow webalizer_t webalizer_etc_t:file read_file_perms; manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te index 70a5ab88..bf2bf54e 100644 --- a/policy/modules/apps/yam.te +++ b/policy/modules/apps/yam.te @@ -42,7 +42,7 @@ manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) manage_files_pattern(yam_t, yam_content_t, yam_content_t) manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) -allow yam_t yam_etc_t:file { getattr read }; +allow yam_t yam_etc_t:file read_file_perms; files_search_etc(yam_t) manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 526df995..8fcf126f 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -628,7 +628,7 @@ interface(`domain_read_confined_domains_state',` read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) dontaudit $1 unconfined_domain_type:dir search_dir_perms; - dontaudit $1 unconfined_domain_type:file { getattr read }; + dontaudit $1 unconfined_domain_type:file read_file_perms; ') ######################################## @@ -743,12 +743,12 @@ interface(`domain_dontaudit_read_all_domains_state',` ') dontaudit $1 domain:dir list_dir_perms; - dontaudit $1 domain:lnk_file read_file_perms; + dontaudit $1 domain:lnk_file read_lnk_file_perms; dontaudit $1 domain:file read_file_perms; # cjp: these should be removed: - dontaudit $1 domain:sock_file read_file_perms; - dontaudit $1 domain:fifo_file read_file_perms; + dontaudit $1 domain:sock_file read_sock_file_perms; + dontaudit $1 domain:fifo_file read_fifo_file_perms; ') ######################################## diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index a4c47e77..32d4c26f 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -33,8 +33,8 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets # # use SELinuxfs -allow selinux_unconfined_type security_t:dir { getattr search read }; -allow selinux_unconfined_type security_t:file { getattr read write }; +allow selinux_unconfined_type security_t:dir list_dir_perms; +allow selinux_unconfined_type security_t:file rw_file_perms; # Access the security API. allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index d8b0334e..b6c15b1c 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te @@ -70,7 +70,7 @@ can_exec(afs_bosserver_t,afs_bosserver_exec_t) manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) -allow afs_bosserver_t afs_dbdir_t:dir { search read getattr }; +allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; allow afs_bosserver_t afs_fsserver_t:process signal_perms; domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 630b5e3d..6bb849d7 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -790,7 +790,7 @@ interface(`apache_exec_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_file_perms; + allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; can_exec($1,httpd_modules_t) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index bb7d2c92..490683fb 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -258,7 +258,7 @@ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -allow httpd_t httpd_suexec_exec_t:file { getattr read }; +allow httpd_t httpd_suexec_exec_t:file read_file_perms; allow httpd_t httpd_sys_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) @@ -509,9 +509,9 @@ optional_policy(` domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) -allow httpd_helper_t httpd_config_t:file { getattr read }; +allow httpd_helper_t httpd_config_t:file read_file_perms; -allow httpd_helper_t httpd_log_t:file append; +allow httpd_helper_t httpd_log_t:file append_file_perms; libs_use_ld_so(httpd_helper_t) libs_use_shared_libs(httpd_helper_t) @@ -677,7 +677,7 @@ allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -692,7 +692,7 @@ files_search_spool(httpd_sys_script_t) apache_domtrans_rotatelogs(httpd_sys_script_t) ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file { getattr append }; + allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') tunable_policy(`httpd_enable_homedirs',` diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 3869e4fa..6703a6be 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -21,7 +21,7 @@ files_pid_file(avahi_var_run_t) allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms setcap }; -allow avahi_t self:fifo_file { read write }; +allow avahi_t self:fifo_file rw_fifo_file_perms; allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow avahi_t self:unix_dgram_socket create_socket_perms; allow avahi_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index ee0ae501..57ab1155 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -70,7 +70,7 @@ allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:tcp_socket create_stream_socket_perms; allow named_t self:udp_socket create_socket_perms; -allow named_t dnssec_t:file { getattr read }; +allow named_t dnssec_t:file read_file_perms; # read configuration allow named_t named_conf_t:dir list_dir_perms; @@ -201,22 +201,20 @@ optional_policy(` # cjp: why net_admin?! allow ndc_t self:capability { dac_override net_admin }; allow ndc_t self:process { fork signal_perms }; -allow ndc_t self:fifo_file { read write getattr ioctl }; +allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:netlink_route_socket r_netlink_socket_perms; -allow ndc_t dnssec_t:file { getattr read }; +allow ndc_t dnssec_t:file read_file_perms; allow ndc_t dnssec_t:lnk_file { getattr read }; -allow ndc_t named_t:unix_stream_socket connectto; +stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) -allow ndc_t named_conf_t:file { getattr read }; +allow ndc_t named_conf_t:file read_file_perms; allow ndc_t named_conf_t:lnk_file { getattr read }; -allow ndc_t named_var_run_t:sock_file rw_file_perms; - -allow ndc_t named_zone_t:dir search; +allow ndc_t named_zone_t:dir search_dir_perms; kernel_read_kernel_sysctls(ndc_t) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 0dbde417..670a60d6 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -38,7 +38,7 @@ files_pid_file(ccs_var_run_t) allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin }; allow ccs_t self:process { signal setrlimit setsched }; dontaudit ccs_t self:process ptrace; -allow ccs_t self:fifo_file { read write }; +allow ccs_t self:fifo_file rw_fifo_file_perms; allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow ccs_t self:unix_dgram_socket create_socket_perms; allow ccs_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 357ba468..22d152d7 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -123,7 +123,7 @@ files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -allow cupsd_t hplip_var_run_t:file { read getattr }; +allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t : sock_file setattr; @@ -307,7 +307,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; allow cupsd_config_t cupsd_tmp_t:file manage_file_perms; files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) -allow cupsd_config_t cupsd_var_run_t:file { getattr read }; +allow cupsd_config_t cupsd_var_run_t:file read_file_perms; manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te index e59c8ace..d2a68992 100644 --- a/policy/modules/services/dante.te +++ b/policy/modules/services/dante.te @@ -24,7 +24,7 @@ files_pid_file(dante_var_run_t) allow dante_t self:capability { setuid setgid }; dontaudit dante_t self:capability sys_tty_config; allow dante_t self:process signal_perms; -allow dante_t self:fifo_file { read write }; +allow dante_t self:fifo_file rw_fifo_file_perms; allow dante_t self:tcp_socket create_stream_socket_perms; allow dante_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 2e8dc2eb..3054bcef 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -36,7 +36,7 @@ files_pid_file(system_dbusd_var_run_t) allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr signal_perms setcap }; -allow system_dbusd_t self:fifo_file { read write }; +allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te index d8b0e5a6..7f7729e3 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -27,7 +27,7 @@ files_pid_file(dhcpd_var_run_t) allow dhcpd_t self:capability net_raw; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process signal_perms; -allow dhcpd_t self:fifo_file { read write getattr }; +allow dhcpd_t self:fifo_file rw_fifo_file_perms; allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te index 610d0831..10b412cf 100644 --- a/policy/modules/services/distcc.te +++ b/policy/modules/services/distcc.te @@ -27,7 +27,7 @@ files_pid_file(distccd_var_run_t) allow distccd_t self:capability { setgid setuid }; dontaudit distccd_t self:capability sys_tty_config; allow distccd_t self:process { signal_perms setsched }; -allow distccd_t self:fifo_file { read write getattr }; +allow distccd_t self:fifo_file rw_fifo_file_perms; allow distccd_t self:netlink_route_socket r_netlink_socket_perms; allow distccd_t self:tcp_socket create_stream_socket_perms; allow distccd_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index ed88fff8..86085fb9 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -24,7 +24,7 @@ files_pid_file(dnsmasq_var_run_t) allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { setcap signal_perms }; -allow dnsmasq_t self:fifo_file { read write }; +allow dnsmasq_t self:fifo_file rw_fifo_file_perms; allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; allow dnsmasq_t self:tcp_socket create_stream_socket_perms; allow dnsmasq_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 3d4b1ff9..9785ac9f 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -148,7 +148,7 @@ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; -allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; +allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; # Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 56cc74ba..add0d44f 100644 --- a/policy/modules/services/finger.te +++ b/policy/modules/services/finger.te @@ -28,7 +28,7 @@ files_pid_file(fingerd_var_run_t) allow fingerd_t self:capability { setgid setuid }; dontaudit fingerd_t self:capability { sys_tty_config fsetid }; allow fingerd_t self:process signal_perms; -allow fingerd_t self:fifo_file { read write getattr }; +allow fingerd_t self:fifo_file rw_fifo_file_perms; allow fingerd_t self:tcp_socket connected_stream_socket_perms; allow fingerd_t self:udp_socket create_socket_perms; allow fingerd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te index 9de0edcb..70acca3a 100644 --- a/policy/modules/services/gatekeeper.te +++ b/policy/modules/services/gatekeeper.te @@ -35,7 +35,7 @@ allow gatekeeper_t self:tcp_socket create_stream_socket_perms; allow gatekeeper_t self:udp_socket create_socket_perms; allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; -allow gatekeeper_t gatekeeper_etc_t:file { getattr read }; +allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; files_search_etc(gatekeeper_t) manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index e3e529a1..04674d98 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -30,7 +30,7 @@ files_pid_file(jabberd_var_run_t) allow jabberd_t self:capability dac_override; dontaudit jabberd_t self:capability sys_tty_config; allow jabberd_t self:process signal_perms; -allow jabberd_t self:fifo_file { read write getattr }; +allow jabberd_t self:fifo_file read_fifo_file_perms; allow jabberd_t self:tcp_socket create_stream_socket_perms; allow jabberd_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 1a5ef74a..0038d758 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -44,7 +44,7 @@ files_pid_file(slapd_var_run_t) allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; -allow slapd_t self:fifo_file { read write }; +allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:udp_socket create_socket_perms; #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) allow slapd_t self:tcp_socket create_stream_socket_perms; @@ -58,7 +58,7 @@ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) -allow slapd_t slapd_etc_t:file { getattr read }; +allow slapd_t slapd_etc_t:file read_file_perms; allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t,slapd_lock_t,file) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index d44f2116..ca30c341 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -68,7 +68,7 @@ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) files_search_spool(checkpc_t) allow checkpc_t printconf_t:file getattr; -allow checkpc_t printconf_t:dir { getattr search read }; +allow checkpc_t printconf_t:dir list_dir_perms; kernel_read_system_state(checkpc_t) @@ -142,7 +142,7 @@ manage_files_pattern(lpd_t, print_spool_t, print_spool_t) files_search_spool(lpd_t) # lpd must be able to execute the filter utilities in /usr/share/printconf. -allow lpd_t printconf_t:dir { getattr search read }; +allow lpd_t printconf_t:dir list_dir_perms; can_exec(lpd_t, printconf_t) # Create and bind to /dev/printer. diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te index eb4880a8..04b480fe 100644 --- a/policy/modules/services/monop.te +++ b/policy/modules/services/monop.te @@ -29,7 +29,7 @@ allow monopd_t self:process signal_perms; allow monopd_t self:tcp_socket create_stream_socket_perms; allow monopd_t self:udp_socket create_socket_perms; -allow monopd_t monopd_etc_t:file { getattr read }; +allow monopd_t monopd_etc_t:file read_file_perms; files_search_etc(monopd_t) allow monopd_t monopd_share_t:dir list_dir_perms; diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index ba21f5f9..0115dbf1 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -157,7 +157,7 @@ interface(`mysql_rw_db_sockets',` files_search_var_lib($1) allow $1 mysqld_db_t:dir search; - allow $1 mysqld_db_t:sock_file rw_file_perms; + allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') ######################################## diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 708735c0..760dad27 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -33,7 +33,7 @@ files_tmp_file(mysqld_tmp_t) allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:fifo_file rw_fifo_file_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; @@ -43,7 +43,7 @@ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file }) -allow mysqld_t mysqld_etc_t:file { getattr read }; +allow mysqld_t mysqld_etc_t:file read_file_perms; allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; allow mysqld_t mysqld_etc_t:dir list_dir_perms; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 741b1577..5a92af19 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -177,7 +177,7 @@ dontaudit nrpe_t self:capability sys_tty_config; allow nrpe_t self:process { setpgid signal_perms }; allow nrpe_t self:fifo_file rw_fifo_file_perms; -allow nrpe_t nrpe_etc_t:file { getattr read }; +allow nrpe_t nrpe_etc_t:file read_file_perms; files_search_etc(nrpe_t) kernel_read_system_state(nrpe_t) diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te index eda0e124..af734bc2 100644 --- a/policy/modules/services/nessus.te +++ b/policy/modules/services/nessus.te @@ -30,7 +30,7 @@ files_pid_file(nessusd_var_run_t) allow nessusd_t self:capability net_raw; dontaudit nessusd_t self:capability sys_tty_config; allow nessusd_t self:process { setsched signal_perms }; -allow nessusd_t self:fifo_file { getattr read write }; +allow nessusd_t self:fifo_file rw_fifo_file_perms; allow nessusd_t self:tcp_socket create_stream_socket_perms; allow nessusd_t self:udp_socket create_socket_perms; allow nessusd_t self:rawip_socket create_socket_perms; @@ -42,7 +42,7 @@ manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) files_list_var_lib(nessusd_t) -allow nessusd_t nessusd_etc_t:file { getattr read }; +allow nessusd_t nessusd_etc_t:file read_file_perms; files_search_etc(nessusd_t) manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index 9cec5d3f..bd0e701b 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -224,7 +224,7 @@ allow ypserv_t self:udp_socket create_socket_perms; manage_files_pattern(ypserv_t,var_yp_t,var_yp_t) -allow ypserv_t ypserv_conf_t:file { getattr read }; +allow ypserv_t ypserv_conf_t:file read_file_perms; manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) @@ -304,7 +304,7 @@ manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) allow ypxfr_t ypserv_t:tcp_socket { read write }; allow ypxfr_t ypserv_t:udp_socket { read write }; -allow ypxfr_t ypserv_conf_t:file { getattr read }; +allow ypxfr_t ypserv_conf_t:file read_file_perms; corenet_all_recvfrom_unlabeled(ypxfr_t) corenet_all_recvfrom_netlabel(ypxfr_t) diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 5e4eb69b..e8718574 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -31,7 +31,7 @@ logging_log_file(nscd_log_t) allow nscd_t self:capability { kill setgid setuid audit_write }; dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr setsched signal_perms }; -allow nscd_t self:fifo_file { read write }; +allow nscd_t self:fifo_file read_fifo_file_perms; allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te index 22611c0a..7cd87e54 100644 --- a/policy/modules/services/nsd.te +++ b/policy/modules/services/nsd.te @@ -124,7 +124,7 @@ allow nsd_crond_t self:fifo_file rw_fifo_file_perms; allow nsd_crond_t self:tcp_socket create_socket_perms; allow nsd_crond_t self:udp_socket create_socket_perms; -allow nsd_crond_t nsd_conf_t:file { getattr read ioctl }; +allow nsd_crond_t nsd_conf_t:file read_file_perms; allow nsd_crond_t nsd_db_t:file manage_file_perms; filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index 54a2c5ff..fd482171 100644 --- a/policy/modules/services/ntop.te +++ b/policy/modules/services/ntop.te @@ -34,7 +34,7 @@ files_pid_file(ntop_var_run_t) allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; dontaudit ntop_t self:capability sys_tty_config; allow ntop_t self:process signal_perms; -allow ntop_t self:fifo_file { read write }; +allow ntop_t self:fifo_file rw_fifo_file_perms; allow ntop_t self:tcp_socket create_stream_socket_perms; allow ntop_t self:udp_socket create_socket_perms; allow ntop_t self:packet_socket create_socket_perms; diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 53a81509..19005e3c 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -41,7 +41,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t) allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; -allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te index eef573e3..16d321dc 100644 --- a/policy/modules/services/nx.te +++ b/policy/modules/services/nx.te @@ -30,7 +30,7 @@ files_pid_file(nx_server_var_run_t) # NX server local policy # -allow nx_server_t self:fifo_file { getattr ioctl read write }; +allow nx_server_t self:fifo_file rw_fifo_file_perms; allow nx_server_t self:tcp_socket create_socket_perms; allow nx_server_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te index 9800dde5..fc63af20 100644 --- a/policy/modules/services/oav.te +++ b/policy/modules/services/oav.te @@ -82,7 +82,7 @@ optional_policy(` dontaudit scannerdaemon_t self:capability sys_tty_config; allow scannerdaemon_t self:process signal_perms; -allow scannerdaemon_t self:fifo_file { read write }; +allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; allow scannerdaemon_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index 0a38d3a7..051098cf 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -29,7 +29,7 @@ files_pid_file(oddjob_var_run_t) allow oddjob_t self:capability setgid; allow oddjob_t self:process { setexec signal }; -allow oddjob_t self:fifo_file { read write }; +allow oddjob_t self:fifo_file rw_fifo_file_perms; allow oddjob_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) @@ -68,7 +68,7 @@ optional_policy(` # oddjob_mkhomedir local policy # -allow oddjob_mkhomedir_t self:fifo_file { read write }; +allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(oddjob_mkhomedir_t) diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te index a90f6030..b3e9931b 100644 --- a/policy/modules/services/pcscd.te +++ b/policy/modules/services/pcscd.te @@ -22,7 +22,7 @@ files_pid_file(pcscd_var_run_t) allow pcscd_t self:capability { dac_override dac_read_search }; allow pcscd_t self:process signal; -allow pcscd_t self:fifo_file { read write }; +allow pcscd_t self:fifo_file rw_fifo_file_perms; allow pcscd_t self:unix_stream_socket create_stream_socket_perms; allow pcscd_t self:unix_dgram_socket create_socket_perms; allow pcscd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te index b221e6b2..e7c66500 100644 --- a/policy/modules/services/perdition.te +++ b/policy/modules/services/perdition.te @@ -27,7 +27,7 @@ allow perdition_t self:process signal_perms; allow perdition_t self:tcp_socket create_stream_socket_perms; allow perdition_t self:udp_socket create_socket_perms; -allow perdition_t perdition_etc_t:file { getattr read }; +allow perdition_t perdition_etc_t:file read_file_perms; files_search_etc(perdition_t) manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 3f2cb82c..ad008aa4 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -474,8 +474,8 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search }; -allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr }; +allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; corecmd_exec_bin(postfix_qmgr_t) @@ -494,8 +494,8 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms; postfix_list_spool(postfix_showq_t) -allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search }; -allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr }; +allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; +allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; # to write the mailq output, it really should not need read access! diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 36ac371e..060a6012 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -103,8 +103,7 @@ role system_r types sepgsql_trusted_proc_t; allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; -allow postgresql_t self:fifo_file { getattr read write ioctl }; -allow postgresql_t self:file { getattr read }; +allow postgresql_t self:fifo_file rw_fifo_file_perms; allow postgresql_t self:sem create_sem_perms; allow postgresql_t self:shm create_shm_perms; allow postgresql_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 269950e7..229a6fef 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -223,23 +223,23 @@ optional_policy(` allow pptp_t self:capability net_raw; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; -allow pptp_t self:fifo_file { read write }; +allow pptp_t self:fifo_file rw_fifo_file_perms; allow pptp_t self:unix_dgram_socket create_socket_perms; allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow pptp_t self:rawip_socket create_socket_perms; allow pptp_t self:tcp_socket create_socket_perms; -allow pptp_t pppd_etc_t:dir { getattr read search }; -allow pptp_t pppd_etc_t:file { read getattr }; +allow pptp_t pppd_etc_t:dir list_dir_perms; +allow pptp_t pppd_etc_t:file read_file_perms; allow pptp_t pppd_etc_t:lnk_file { getattr read }; -allow pptp_t pppd_etc_rw_t:dir { getattr read search }; -allow pptp_t pppd_etc_rw_t:file { read getattr }; +allow pptp_t pppd_etc_rw_t:dir list_dir_perms; +allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; can_exec(pptp_t, pppd_etc_rw_t) # Allow pptp to append to pppd log files -allow pptp_t pppd_log_t:file append; +allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 8ad47dac..8ff937b7 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te @@ -73,10 +73,10 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) # this component preprocesses mail from stdin and invokes qmail-queue # -allow qmail_inject_t self:fifo_file write; +allow qmail_inject_t self:fifo_file write_fifo_file_perms; allow qmail_inject_t self:process signal_perms; -allow qmail_inject_t qmail_queue_exec_t:file read; +allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; corecmd_search_bin(qmail_inject_t) @@ -95,7 +95,7 @@ qmail_read_config(qmail_inject_t) # this component delivers a mail message # -allow qmail_local_t self:fifo_file write; +allow qmail_local_t self:fifo_file write_file_perms; allow qmail_local_t self:process signal_perms; allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; @@ -104,7 +104,7 @@ manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) can_exec(qmail_local_t, qmail_local_exec_t) -allow qmail_local_t qmail_queue_exec_t:file read; +allow qmail_local_t qmail_queue_exec_t:file read_file_perms; allow qmail_local_t qmail_spool_t:file read_file_perms; @@ -132,12 +132,12 @@ qmail_domtrans_queue(qmail_local_t) allow qmail_lspawn_t self:capability { setuid setgid }; allow qmail_lspawn_t self:process signal_perms; -allow qmail_lspawn_t self:fifo_file { read write }; +allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; can_exec(qmail_lspawn_t, qmail_exec_t) -allow qmail_lspawn_t qmail_local_exec_t:file read; +allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) @@ -154,10 +154,10 @@ files_search_tmp(qmail_lspawn_t) # allow qmail_queue_t qmail_lspawn_t:fd use; -allow qmail_queue_t qmail_lspawn_t:fifo_file write; +allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; allow qmail_queue_t qmail_smtpd_t:fd use; -allow qmail_queue_t qmail_smtpd_t:fifo_file read; +allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; allow qmail_queue_t qmail_smtpd_t:process sigchld; manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) @@ -206,9 +206,9 @@ sysnet_read_config(qmail_remote_t) # allow qmail_rspawn_t self:process signal_perms; -allow qmail_rspawn_t self:fifo_file read; +allow qmail_rspawn_t self:fifo_file read_fifo_file_perms; -allow qmail_rspawn_t qmail_remote_exec_t:file read; +allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) @@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t) # allow qmail_send_t self:process signal_perms; -allow qmail_send_t self:fifo_file write; +allow qmail_send_t self:fifo_file write_fifo_file_perms; manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) @@ -240,10 +240,10 @@ optional_policy(` # allow qmail_smtpd_t self:process signal_perms; -allow qmail_smtpd_t self:fifo_file write; +allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; allow qmail_smtpd_t self:tcp_socket create_socket_perms; -allow qmail_smtpd_t qmail_queue_exec_t:file read; +allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; dev_read_rand(qmail_smtpd_t) dev_read_urand(qmail_smtpd_t) @@ -280,7 +280,7 @@ miscfiles_read_localization(qmail_splogger_t) allow qmail_start_t self:capability { setgid setuid }; dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:fifo_file { getattr read write }; +allow qmail_start_t self:fifo_file rw_fifo_file_perms; allow qmail_start_t self:process signal_perms; can_exec(qmail_start_t, qmail_start_exec_t) @@ -305,7 +305,7 @@ optional_policy(` # this component sets up TCP-related environment variables # -allow qmail_tcp_env_t qmail_smtpd_exec_t:file read; +allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; corecmd_search_bin(qmail_tcp_env_t) diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te index 70c426f5..167918d3 100644 --- a/policy/modules/services/resmgr.te +++ b/policy/modules/services/resmgr.te @@ -25,7 +25,7 @@ allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; dontaudit resmgrd_t self:capability sys_tty_config; allow resmgrd_t self:process signal_perms; -allow resmgrd_t resmgrd_etc_t:file { getattr read }; +allow resmgrd_t resmgrd_etc_t:file read_file_perms; files_search_etc(resmgrd_t) allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index 5cd75678..78fe27bd 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -84,7 +84,7 @@ files_lock_file(ricci_modstorage_lock_t) allow ricci_t self:capability { setuid sys_nice sys_boot }; allow ricci_t self:process setsched; -allow ricci_t self:fifo_file { read write }; +allow ricci_t self:fifo_file rw_fifo_file_perms; allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ricci_t self:tcp_socket create_stream_socket_perms; @@ -362,7 +362,7 @@ optional_policy(` # ricci_modrpm local policy # -allow ricci_modrpm_t self:fifo_file { getattr read }; +allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; kernel_read_kernel_sysctls(ricci_modrpm_t) @@ -390,7 +390,7 @@ optional_policy(` # allow ricci_modservice_t self:capability { dac_override sys_nice }; -allow ricci_modservice_t self:fifo_file { getattr read write }; +allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; allow ricci_modservice_t self:process setsched; kernel_read_kernel_sysctls(ricci_modservice_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index f0403ed8..55995a52 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -95,7 +95,7 @@ optional_policy(` allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; -allow nfsd_t exports_t:file { getattr read }; +allow nfsd_t exports_t:file read_file_perms; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 14e1c8cd..c7d47a53 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -220,7 +220,7 @@ allow smbd_t self:msg { send receive }; allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file read_file_perms; +allow smbd_t self:sock_file read_sock_file_perms; allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -405,7 +405,7 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file read_file_perms; +allow nmbd_t self:sock_file read_sock_file_perms; allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -572,17 +572,17 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; -allow swat_t nmbd_exec_t:file { execute read }; +allow swat_t nmbd_exec_t:file mmap_file_perms; rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) append_files_pattern(swat_t, samba_log_t, samba_log_t) -allow swat_t smbd_exec_t:file execute ; +allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -allow swat_t smbd_var_run_t:file read; +allow swat_t smbd_var_run_t:file read_file_perms; manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) @@ -591,7 +591,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) -allow swat_t winbind_exec_t:file execute; +allow swat_t winbind_exec_t:file mmap_file_perms; kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) @@ -654,7 +654,7 @@ optional_policy(` allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process signal_perms; -allow winbind_t self:fifo_file { read write }; +allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; allow winbind_t self:tcp_socket create_stream_socket_perms; @@ -761,7 +761,7 @@ allow winbind_helper_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) -allow winbind_helper_t samba_var_t:dir search; +allow winbind_helper_t samba_var_t:dir search_dir_perms; files_list_var_lib(winbind_helper_t) stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index df51a47f..bc0c13ae 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -34,7 +34,7 @@ files_pid_file(saslauthd_var_run_t) allow saslauthd_t self:capability setuid; dontaudit saslauthd_t self:capability sys_tty_config; allow saslauthd_t self:process signal_perms; -allow saslauthd_t self:fifo_file { read write }; +allow saslauthd_t self:fifo_file rw_fifo_file_perms; allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 715eba1b..f583eb2c 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -88,8 +88,7 @@ template(`spamassassin_per_role_template',` files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) # Allow connecting to a local spamd - allow $1_spamc_t spamd_t:unix_stream_socket connectto; - allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; + stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t) domtrans_pattern($2, spamc_exec_t, $1_spamc_t) diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index bf4e7a2b..e433bbb6 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -39,8 +39,8 @@ allow stunnel_t self:fifo_file rw_fifo_file_perms; allow stunnel_t self:tcp_socket create_stream_socket_perms; allow stunnel_t self:udp_socket create_socket_perms; -allow stunnel_t stunnel_etc_t:dir { getattr read search }; -allow stunnel_t stunnel_etc_t:file { read getattr }; +allow stunnel_t stunnel_etc_t:dir list_dir_perms; +allow stunnel_t stunnel_etc_t:file read_file_perms; allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 68ef3f91..0635932d 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -39,8 +39,8 @@ allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms; dontaudit tftpd_t self:capability sys_tty_config; -allow tftpd_t tftpdir_t:dir { getattr read search }; -allow tftpd_t tftpdir_t:file { read getattr }; +allow tftpd_t tftpdir_t:dir list_dir_perms; +allow tftpd_t tftpdir_t:file read_file_perms; allow tftpd_t tftpdir_t:lnk_file { getattr read }; manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index d9374804..51e05004 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -35,7 +35,7 @@ files_pid_file(tor_var_run_t) # allow tor_t self:capability { setgid setuid }; -allow tor_t self:fifo_file { read write }; +allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; allow tor_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te index 0077c4c9..8afcd4c3 100644 --- a/policy/modules/services/ucspitcp.te +++ b/policy/modules/services/ucspitcp.te @@ -52,7 +52,7 @@ optional_policy(` # allow ucspitcp_t self:capability { setgid setuid }; -allow ucspitcp_t self:fifo_file { read write }; +allow ucspitcp_t self:fifo_file rw_fifo_file_perms; allow ucspitcp_t self:tcp_socket create_stream_socket_perms; allow ucspitcp_t self:udp_socket create_socket_perms; diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te index 4840ab37..8932b665 100644 --- a/policy/modules/services/uptime.te +++ b/policy/modules/services/uptime.te @@ -26,9 +26,9 @@ files_pid_file(uptimed_var_run_t) dontaudit uptimed_t self:capability sys_tty_config; allow uptimed_t self:process signal_perms; -allow uptimed_t self:fifo_file { getattr write }; +allow uptimed_t self:fifo_file write_file_perms; -allow uptimed_t uptimed_etc_t:file { getattr read }; +allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) allow uptimed_t uptimed_spool_t:file manage_file_perms; diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index 0c0353a8..b7f8f7a2 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -107,7 +107,7 @@ optional_policy(` # allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file { getattr write }; +allow uux_t self:fifo_file write_file_perms; uucp_append_log(uux_t) uucp_manage_spool(uux_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index a46e866a..ce109e91 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -427,7 +427,7 @@ allow xdm_xserver_t xdm_t:shm rw_shm_perms; allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file { getattr read }; +allow xdm_xserver_t xdm_var_run_t:file read_file_perms; # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index 3fcae716..1000a574 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -41,7 +41,7 @@ files_pid_file(zebra_var_run_t) allow zebra_t self:capability { setgid setuid net_admin net_raw }; dontaudit zebra_t self:capability sys_tty_config; allow zebra_t self:process { signal_perms getcap setcap }; -allow zebra_t self:file { ioctl read write getattr lock append }; +allow zebra_t self:file rw_file_perms; allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 4b47e528..7b170e58 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -871,7 +871,7 @@ interface(`auth_manage_var_auth',` files_search_var($1) allow $1 var_auth_t:dir manage_dir_perms; allow $1 var_auth_t:file rw_file_perms; - allow $1 var_auth_t:lnk_file rw_file_perms; + allow $1 var_auth_t:lnk_file rw_lnk_file_perms; ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index b62d578e..7246fd84 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -263,7 +263,7 @@ optional_policy(` # System check password local policy # -allow system_chkpwd_t shadow_t:file { getattr read }; +allow system_chkpwd_t shadow_t:file read_file_perms; corecmd_search_bin(system_chkpwd_t) @@ -289,7 +289,7 @@ ifdef(`distro_ubuntu',` # allow updpwd_t self:process setfscreate; -allow updpwd_t self:fifo_file { read write }; +allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; allow updpwd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index f6d05df7..469f749b 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -24,7 +24,7 @@ role system_r types hwclock_t; allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:process signal_perms; -allow hwclock_t self:fifo_file { getattr read write }; +allow hwclock_t self:fifo_file rw_fifo_file_perms; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { rw_file_perms setattr }; diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index a7db5fe6..302cc9cd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -774,7 +774,7 @@ interface(`init_read_state',` allow $1 init_t:dir search_dir_perms; allow $1 init_t:file read_file_perms; - allow $1 init_t:lnk_file read_file_perms; + allow $1 init_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 1381dd58..b1c3e749 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -59,7 +59,7 @@ allow ipsec_t self:process signal; allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:key_socket { create write read setopt }; -allow ipsec_t self:fifo_file { read getattr }; +allow ipsec_t self:fifo_file read_file_perms; allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) @@ -186,7 +186,7 @@ read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t) allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; -allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl }; +allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index deccf565..c8492b7c 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -30,7 +30,7 @@ files_pid_file(iscsi_var_run_t) allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; allow iscsid_t self:process { setrlimit setsched signal }; -allow iscsid_t self:fifo_file { read write }; +allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 86b18510..4855a567 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -451,7 +451,7 @@ interface(`logging_send_syslog_msg',` ') allow $1 devlog_t:lnk_file read; - allow $1 devlog_t:sock_file rw_file_perms; + allow $1 devlog_t:sock_file rw_sock_file_perms; # the type of socket depends on the syslog daemon allow $1 syslogd_t:unix_dgram_socket sendto; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index d7c7dcf8..072759f9 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -127,7 +127,7 @@ logging_send_syslog_msg(auditctl_t) allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; allow auditd_t self:process { signal_perms setpgid setsched }; -allow auditd_t self:file { getattr read write }; +allow auditd_t self:file rw_file_perms; allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:fifo_file rw_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; @@ -227,7 +227,7 @@ allow audisp_t self:fifo_file rw_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -allow audisp_t auditd_t:unix_stream_socket rw_file_perms; +allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 16bf947d..aeb194b1 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -440,7 +440,7 @@ allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow semanage_t policy_config_t:file { read write }; +allow semanage_t policy_config_t:file rw_file_perms; allow semanage_t semanage_tmp_t:dir manage_dir_perms; allow semanage_t semanage_tmp_t:file manage_file_perms; diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 34d03d96..15ad57cb 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -56,7 +56,6 @@ allow dhcpc_t dhcp_etc_t:dir list_dir_perms; read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) -allow dhcpc_t dhcp_state_t:file { getattr read }; manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index f88cf176..9c832b61 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -45,7 +45,7 @@ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem ex allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -allow udev_t self:sock_file read_file_perms; +allow udev_t self:sock_file read_sock_file_perms; allow udev_t self:shm create_shm_perms; allow udev_t self:sem create_sem_perms; allow udev_t self:msgq create_msgq_perms; diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 6b6823d2..3b04a408 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -123,10 +123,7 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) # transition to store -domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t) -allow xenstored_t xend_t:fd use; -allow xenstored_t xend_t:process sigchld; -allow xenstored_t xend_t:fifo_file write; +domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) # transition to console domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) @@ -224,7 +221,7 @@ optional_policy(` allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; -allow xenconsoled_t self:fifo_file { read write }; +allow xenconsoled_t self:fifo_file rw_fifo_file_perms; allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; @@ -318,7 +315,7 @@ xen_append_log(xenstored_t) allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; # internal communication is often done using fifo and unix sockets. -allow xm_t self:fifo_file { read write }; +allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xm_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/policy_capabilities b/policy/policy_capabilities index ad2d5d60..054cfbc3 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -2,7 +2,7 @@ # This file contains the policy capabilites # that are enabled in this policy, not a # declaration of DAC capabilites such as -# CAP_DAC_OVERRIDE. +# dac_override. # # The affected object classes and their # permissions should also be listed in @@ -25,9 +25,8 @@ # Checks enabled: # dir: open # file: open -# lnk_file: open # fifo_file: open # chr_file: open # blk_file: open # -#policycap open_perms; +policycap open_perms; diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index d308697a..0960f339 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -59,22 +59,22 @@ define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please us # # Permissions for executing files. # -define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') +define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') # # Permissions for reading files and their attributes. # -define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') +define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') # # Permissions for reading and executing files. # -define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') +define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') # # Permissions for reading and appending to files. # -define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') +define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') # # Permissions for linking, unlinking and renaming files. @@ -89,17 +89,12 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } r # # Permissions for reading directories and their attributes. # -define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') - -# -# Permissions for reading and writing directories and their attributes. -# -define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }') +define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') # # Permissions for reading and adding names to directories. # -define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') +define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') # @@ -187,9 +182,10 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ define(`getattr_dir_perms',`{ getattr }') define(`setattr_dir_perms',`{ setattr }') define(`search_dir_perms',`{ getattr search }') -define(`list_dir_perms',`{ getattr search read lock ioctl }') -define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }') -define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }') +define(`list_dir_perms',`{ getattr search open read lock ioctl }') +define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') +define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') +define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') define(`create_dir_perms',`{ getattr create }') define(`rename_dir_perms',`{ getattr rename }') define(`delete_dir_perms',`{ getattr rmdir }') @@ -203,12 +199,12 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') -define(`read_file_perms',`{ getattr read lock ioctl }') -define(`mmap_file_perms',`{ getattr read execute ioctl }') -define(`exec_file_perms',`{ getattr read execute execute_no_trans }') -define(`append_file_perms',`{ getattr append lock ioctl }') -define(`write_file_perms',`{ getattr write append lock ioctl }') -define(`rw_file_perms',`{ getattr read write append ioctl lock }') +define(`read_file_perms',`{ getattr open read lock ioctl }') +define(`mmap_file_perms',`{ getattr open read execute ioctl }') +define(`exec_file_perms',`{ getattr open read execute execute_no_trans }') +define(`append_file_perms',`{ getattr open append lock ioctl }') +define(`write_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_file_perms',`{ getattr open read write append ioctl lock }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') @@ -239,10 +235,10 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_fifo_file_perms',`{ getattr }') define(`setattr_fifo_file_perms',`{ setattr }') -define(`read_fifo_file_perms',`{ getattr read lock ioctl }') -define(`append_fifo_file_perms',`{ getattr append lock ioctl }') -define(`write_fifo_file_perms',`{ getattr write append lock ioctl }') -define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') +define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') +define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') @@ -272,10 +268,10 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_blk_file_perms',`{ getattr }') define(`setattr_blk_file_perms',`{ setattr }') -define(`read_blk_file_perms',`{ getattr read lock ioctl }') -define(`append_blk_file_perms',`{ getattr append lock ioctl }') -define(`write_blk_file_perms',`{ getattr write append lock ioctl }') -define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }') +define(`read_blk_file_perms',`{ getattr open read lock ioctl }') +define(`append_blk_file_perms',`{ getattr open append lock ioctl }') +define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') @@ -289,10 +285,10 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_chr_file_perms',`{ getattr }') define(`setattr_chr_file_perms',`{ setattr }') -define(`read_chr_file_perms',`{ getattr read lock ioctl }') -define(`append_chr_file_perms',`{ getattr append lock ioctl }') -define(`write_chr_file_perms',`{ getattr write append lock ioctl }') -define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`read_chr_file_perms',`{ getattr open read lock ioctl }') +define(`append_chr_file_perms',`{ getattr open append lock ioctl }') +define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') @@ -309,7 +305,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr read write ioctl }') +define(`rw_term_perms', `{ getattr open read write ioctl }') # # Sockets -- 2.39.2