aliases

2005-06-09 15:32:23 +00:00 · 2005-06-09 15:32:23 +00:00 · 0a10b1fa12
commit 0a10b1fa12
parent fe040c9777
6 changed files with 109 additions and 115 deletions
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',`
 	#

 	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
-	allow $1_crond_t self:fifo_file { read getattr write append };
-	allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-	allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1_crond_t self:process signal_perms;
+	allow $1_crond_t self:fifo_file rw_file_perms;
+	allow $1_crond_t self:unix_stream_socket create_socket_perms;
+	allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms;

 	# The entrypoint interface is not used as this is not
 	# a regular entrypoint.  Since crontab files are
@ -96,7 +96,7 @@ define(`cron_per_userdomain_template',`
 	miscfiles_read_localization($1_crond_t)

 	tunable_policy(`fcron_crond', `
-		allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+		allow crond_t $1_cron_spool_t:file create_file_perms;
 	')

 	ifdef(`TODO',`
@ -111,7 +111,7 @@ define(`cron_per_userdomain_template',`

 	ifdef(`mta.te', `
 		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;

 		# $1_mail_t should only be reading from the cron fifo not needing to write
 		dontaudit $1_mail_t crond_t:fifo_file write;
@ -122,7 +122,7 @@ define(`cron_per_userdomain_template',`
 	can_ypbind($1_crond_t)
 	allow $1_crond_t var_spool_t:dir search;
 	allow $1_crond_t var_t:dir r_dir_perms;
-	allow $1_crond_t var_t:file { getattr read ioctl };
+	allow $1_crond_t var_t:file r_file_perms;

 	# quiet other ps operations
 	dontaudit $1_crond_t domain:dir { getattr search };
@ -137,21 +137,21 @@ define(`cron_per_userdomain_template',`
 	allow $1_t $1_crontab_t:process signal;

 	# Allow crond to read those crontabs in cron spool.
-	allow crond_t $1_cron_spool_t:file { getattr read };
+	allow crond_t $1_cron_spool_t:file r_file_perms;

 	# dac_override is to create the file in the directory under /tmp
 	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-	allow $1_crontab_t self:process { sigkill sigstop signull signal };
+	allow $1_crontab_t self:process signal_perms;

 	# create files in /var/spool/cron
-	allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
 	type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;

 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;

-	allow $1_crontab_t crond_log_t:file { getattr read append };
+	allow $1_crontab_t crond_log_t:file ra_file_perms;

 	fs_get_persistent_fs_attributes($1_crontab_t)

@ -201,9 +201,9 @@ define(`cron_per_userdomain_template',`
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;

 	# Access terminals.
-	allow $1_crontab_t devpts_t:dir { read search getattr };
-	allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
+	allow $1_crontab_t devpts_t:dir r_dir_perms;
+	allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
+	allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;

 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
@ -246,7 +246,7 @@ define(`cron_admin_template',`
 define(`cron_modify_log',`
 	requires_block_template(`$0'_depend)

-	allow $1 crond_log_t:file { getattr read write ioctl lock append };
+	allow $1 crond_log_t:file rw_file_perms;
 ')

 define(`cron_modify_log_depend',`
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -54,29 +54,29 @@ dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow crond_t self:process setexec;
 allow crond_t self:fd use;
-allow crond_t self:fifo_file { read getattr lock ioctl write append };
-allow crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
 allow crond_t self:unix_stream_socket connectto;
-allow crond_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow crond_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow crond_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };

-allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_log_t:file create_file_perms;

 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(crond_t,crond_var_run_t)

-allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crond_t crond_tmp_t:dir create_dir_perms;
+allow crond_t crond_tmp_t:file create_file_perms;
 files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })

-allow crond_t cron_spool_t:dir { getattr search read };
-allow crond_t cron_spool_t:file { getattr read };
-allow crond_t system_cron_spool_t:dir { getattr search read };
-allow crond_t system_cron_spool_t:file { getattr read };
+allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;

 kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
@ -121,7 +121,7 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)

 tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow crond_t system_cron_spool_t:file create_file_perms;
 ')

 ifdef(`targeted_policy', `
@ -184,8 +184,8 @@ allow system_crond_t rpm_log_t:file create_file_perms;
 #

 allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_crond_t self:process { sigkill sigstop signull signal setsched };
-allow system_crond_t self:fifo_file { read getattr write append };
+allow system_crond_t self:process signal_perms;
+allow system_crond_t self:fifo_file rw_file_perms;
 allow system_crond_t self:passwd rootok;

 # The entrypoint interface is not used as this is not
@ -197,7 +197,7 @@ allow system_crond_t self:passwd rootok;
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;

-allow system_crond_t system_cron_spool_t:file { getattr read };
+allow system_crond_t system_cron_spool_t:file r_file_perms;

 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond 
@ -211,23 +211,23 @@ allow system_crond_t crond_t:fifo_file rw_file_perms;
 allow system_crond_t crond_t:process sigchld;

 # Write /var/lock/makewhatis.lock.
-allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_lock_t:file create_file_perms;
 files_create_private_lock_file(system_crond_t,system_crond_lock_t)

 # write temporary files
-allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t system_crond_tmp_t:file createfile_perms;
 files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)

 # write temporary files in crond tmp dir:
-allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
+allow system_crond_t crond_tmp_t:dir rw_dir_perms;
 type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;

 # Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir { getattr search read };
-allow system_crond_t cron_spool_t:file { getattr read };
+allow system_crond_t cron_spool_t:dir r_dir_perms;
+allow system_crond_t cron_spool_t:file r_file_perms;

 # Access crond log files
-allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_crond_t crond_log_t:file create_file_perms;
 logging_create_private_log(system_crond_t,crond_log_t)

 kernel_read_kernel_sysctl(system_crond_t)
@ -323,7 +323,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 allow system_crond_t initctl_t:fifo_file write;

 allow system_crond_t var_t:dir r_dir_perms;
-allow system_crond_t var_t:file { getattr read ioctl };
+allow system_crond_t var_t:file r_file_perms;

 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
@ -345,7 +345,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t httpd_log_t:file r_file_perms;
 ')

 ifdef(`distro_redhat', `
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -23,21 +23,18 @@ define(`mta_per_userdomain_template',`
 	#

 	allow $1_mail_t self:capability { setuid setgid chown };
-	allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+	allow $1_mail_t self:process { signal_perms setrlimit };

 	# tcp networking
-	allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_mail_t self:tcp_socket create_socket_perms;

 	# re-exec itself
-	allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-	allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+	can_exec($1_mail_t, sendmail_exec_t)
+	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;

 	# Transition from the user domain to the derived domain.
-	allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-	allow $1_t sendmail_exec_t:lnk_file { getattr read };
-	allow $1_t $1_mail_t:process transition;
-	type_transition $1_t sendmail_exec_t:process $1_mail_t;
-	dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
+	can_exec($1_t, sendmail_exec_t)
+	domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)

 	allow $1_t $1_mail_t:fd use;
 	allow $1_mail_t $1_t:fd use;
@ -69,7 +66,7 @@ define(`mta_per_userdomain_template',`
 	sysnetwork_read_network_config($1_mail_t)

 	tunable_policy(`use_dns',`
-		allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		allow $1_mail_t self:udp_socket create_socket_perms;
 		corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
 		corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
 		corenetwork_bind_udp_on_all_nodes($1_mail_t)
@ -102,16 +99,16 @@ define(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')

-	allow mta_user_agent $1_tmp_t:file { read getattr };
+	allow mta_user_agent $1_tmp_t:file r_file_perms;

 	# Write to the user domain tty.
-	allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow mta_user_agent devpts_t:dir { read search getattr };
-	allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+	allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
+	allow mta_user_agent devpts_t:dir r_dir_perms;
+	allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;

-	allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_mail_t devpts_t:dir { read search getattr };
-	allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+	allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms;
+	allow $1_mail_t devpts_t:dir r_dir_perms;
+	allow $1_mail_t $1_devpts_t:chr_file rw_file_perms;

 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
@ -179,11 +176,8 @@ define(`mta_make_sendmail_mailserver_domain_depend',`
 define(`mta_send_mail',`
 	requires_block_template(`$0'_depend)

-	allow $1 sendmail_exec_t:lnk_file { getattr read };
-	allow $1 sendmail_exec_t:file { getattr read execute };
-	allow $1 system_mail_t:process transition;
-	type_transition $1 sendmail_exec_t:process system_mail_t;
-	dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+	allow $1 sendmail_exec_t:lnk_file r_file_perms;
+	domain_auto_trans($1, sendmail_exec_t, system_mail_t)

 	allow $1 system_mail_t:fd use;
 	allow system_mail_t $1:fd use;
@ -195,7 +189,7 @@ define(`mta_send_mail_depend',`
 	type system_mail_t, sendmail_exec_t;

 	class file { getattr read execute };
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -208,7 +202,7 @@ define(`mta_send_mail_depend',`
 define(`mta_execute',`
 	requires_block_template(`$0'_depend)

-	allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1, sendmail_exec_t)
 ')

 define(`mta_execute_depend',`
@ -231,13 +225,13 @@ define(`mta_execute_depend',`
 define(`mta_read_mail_aliases',`
 	requires_block_template(`$0'_depend)

-	allow $1 etc_aliases_t:file { getattr read };
+	allow $1 etc_aliases_t:file r_file_perms;
 ')

 define(`mta_read_mail_aliases_depend',`
 	type etc_aliases_t;

-	class file { getattr read };
+	class file r_file_perms;
 ')

 #######################################
@ -247,13 +241,13 @@ define(`mta_read_mail_aliases_depend',`
 define(`mta_modify_mail_aliases',`
 	requires_block_template(`$0'_depend)

-	allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+	allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
 ')

 define(`mta_modify_mail_aliases_depend',`
 	type etc_aliases_t;

-	class file { getattr read write append setattr };
+	class file { rw_file_perms setattr };
 ')

 #######################################
@ -285,15 +279,15 @@ define(`mta_modify_mail_spool',`
 	requires_block_template(`$0'_depend)

 	files_search_system_spool_directory($1)
-	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mail_spool_t:file { getattr read write append setattr };
+	allow $1 mail_spool_t:dir rw_dir_perms;
+	allow $1 mail_spool_t:file { rw_file_perms setattr };
 ')

 define(`mta_modify_mail_spool_depend',`
 	type mail_spool_t;

-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
+	class file { rw_file_perms setattr };
 ')

 #######################################
@ -304,15 +298,15 @@ define(`mta_manage_mail_spool',`
 	requires_block_template(`$0'_depend)

 	files_search_system_spool_directory($1)
-	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 mail_spool_t:dir rw_dir_perms;
+	allow $1 mail_spool_t:file create_file_perms;
 ')

 define(`mta_manage_mail_spool_depend',`
 	type mail_spool_t;

-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')

 #######################################
@ -322,15 +316,15 @@ define(`mta_manage_mail_spool_depend',`
 define(`mta_manage_mail_queue',`
 	requires_block_template(`$0'_depend)

-	allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 mqueue_spool_t:dir rw_dir_perms;
+	allow $1 mqueue_spool_t:file create_file_perms;
 ')

 define(`mta_manage_mail_queue_depend',`
 	type mqueue_spool_t;

-	class dir { read getattr lock search ioctl add_name remove_name write };
-	class file { create ioctl read getattr lock write setattr append link unlink rename }
+	class dir rw_dir_perms;
+	class file create_file_perms;
 ')

 ## </module>
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -41,13 +41,13 @@ init_make_system_domain(system_mail_t,sendmail_exec_t)
 #

 allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { sigkill sigstop signull signal setrlimit };
+allow system_mail_t self:process { signal_perms setrlinit };

-allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow system_mail_t self:tcp_socket create_socket_perms;

 # re-exec itself
-allow system_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
-allow system_mail_t sendmail_exec_t:lnk_file { getattr read };
+can_exec(system_mail_t, sendmail_exec_t)
+allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;

 kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
@ -83,7 +83,7 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)

 tunable_policy(`use_dns',`
-	allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	allow system_mail_t self:udp_socket create_socket_perms;
 	corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
 	corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
 	corenetwork_bind_udp_on_all_nodes(system_mail_t)
@ -130,8 +130,8 @@ allow privmail sendmail_exec_t:lnk_file { getattr read };

 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')

 ifdef(`qmail.te', `
@ -156,16 +156,16 @@ libraries_execute_library_scripts(system_mail_t)

 allow system_mail_t { var_t var_spool_t }:dir getattr;

-allow system_mail_t mqueue_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mqueue_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+allow system_mail_t mqueue_spool_t:file create_file_perms;
+allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;

-allow system_mail_t mail_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow system_mail_t mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow system_mail_t mail_spool_t:lnk_file { create read getattr setattr link unlink rename };
+allow system_mail_t mail_spool_t:dir create_dir_perms;
+allow system_mail_t mail_spool_t:file create_file_perms;
+allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;

 allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
+allow system_mail_t etc_mail_t:file r_file_perms;
 ', ` dnl if not targeted policy:
 optional_policy(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
@ -209,16 +209,16 @@ ra_dir_create_file(mta_delivery_agent, mail_spool_t)
 can_exec(mta_delivery_agent, shell_exec_t)
 allow mta_delivery_agent bin_t:dir search;
 allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;

 # Transition from a system domain to the derived domain.
 domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
+allow privmail sendmail_exec_t:lnk_file r_file_perms;

 ifdef(`crond.te', `
 # Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
+allow system_mail_t system_crond_tmp_t:file r_file_perms;
+allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')

 ') dnl end TODO
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@ -27,18 +27,18 @@ allow remote_login_t self:capability { dac_override chown fowner fsetid kill set
 allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
-allow remote_login_t self:fifo_file { read getattr lock ioctl write append };
-allow remote_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow remote_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
 allow remote_login_t self:unix_stream_socket connectto;
-allow remote_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow remote_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow remote_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
 allow remote_login_t self:msg { send receive };

-allow remote_login_t remote_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow remote_login_t remote_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
+allow remote_login_t remote_login_tmp_t:file create_file_perms;
 files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })

 kernel_read_system_state(remote_login_t)
@ -113,7 +113,7 @@ allow remote_login_t device_t:lnk_file r_file_perms;

 dontaudit remote_login_t sysfs_t:dir search;

-allow remote_login_t autofs_t:dir { search read getattr };
+allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;

 if (use_nfs_home_dirs) {
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@ -24,16 +24,16 @@ files_make_daemon_runtime_file(sendmail_var_run_t)
 #

 allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:fifo_file { getattr read write append ioctl lock  };
-allow sendmail_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow sendmail_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;

-allow sendmail_t sendmail_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow sendmail_t sendmail_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr };
+allow sendmail_t sendmail_log_t:file create_file_perms;
+allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
 logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })

-allow sendmail_t sendmail_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow sendmail_t sendmail_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+allow sendmail_t sendmail_tmp_t:file create_file_perms;
 files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })

 allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };