Tighten controls on append, to eliminate open. These interfaces are currently given...

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index c76708e69771991710f3969f791387aed8532e5f..8ba0f8609373d002449d802b98cc9d54d3a049a9 100644 (file)
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -320,8 +320,7 @@ interface(`rpm_append_log',`
                type rpm_log_t;
        ')
 
-       logging_search_logs($1)
-       append_files_pattern($1, rpm_log_t, rpm_log_t)
+       allow $1 rpm_log_t:file append_inherited_file_perms;
 ')
 
 ########################################
@@ -399,8 +398,7 @@ interface(`rpm_append_tmp_files',`
                type rpm_tmp_t;
        ')
 
-       files_search_tmp($1)
-       append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+       allow $1 rpm_tmp_t:file append_inherited_file_perms;
 ')
 
 ########################################

diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
index 94c01b54b9f0431e1a324eee32d5688611de2e4f..f64bd9302b29b8a0f8278d6c6dbe908fffc279b4 100644 (file)
--- a/policy/modules/admin/sosreport.if
+++ b/policy/modules/admin/sosreport.if
@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
                type sosreport_tmp_t;
        ')
 
-       append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+       allow $1 sosreport_tmp_t:file append_inherited_file_perms;
 ')
 
 ########################################