trunk: Enable open permission checks policy capability.

This commit is contained in:
Chris PeBenito 2008-10-16 16:09:20 +00:00
parent aea3f28e40
commit 0b36a2146e
80 changed files with 170 additions and 185 deletions


@ -1,3 +1,4 @@
- Enable open permission checks policy capability.
- Remove hierarchy from portage module as it is not a good example of
hieararchy.
- Remove enableaudit target from modular build as semodule -DB supplants it.


@ -23,7 +23,7 @@ allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:fifo_file rw_fifo_file_perms;
allow acct_t self:process signal_perms;
manage_files_pattern(acct_t, acct_data_t, acct_data_t)


@ -76,10 +76,10 @@ allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
allow amanda_t amanda_amandates_t:file rw_file_perms;
# configuration files -> read only
allow amanda_t amanda_config_t:file { getattr read };
allow amanda_t amanda_config_t:file read_file_perms;
# access to amandas data structure
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
@ -87,7 +87,7 @@ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
@ -172,7 +172,7 @@ optional_policy(`
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;


@ -171,7 +171,7 @@ userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
optional_policy(`
apt_use_ptys(dpkg_t)


@ -27,13 +27,12 @@ files_config_file(firstboot_etc_t)
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:file { read write };
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:fifo_file rw_fifo_file_perms;
allow firstboot_t self:tcp_socket create_stream_socket_perms;
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file { getattr read };
allow firstboot_t firstboot_etc_t:file read_file_perms;
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
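Review bot: `allow firstboot_t self:file { read write };` two lines above the rewritten fifo rule keeps a literal set with no `open`, which is exactly the permission the open-permission-check capability enabled by this commit will start requiring; if the rule is still needed it should become `allow firstboot_t self:file rw_file_perms;` like the fifo line beneath it. The postgresql and rpm hunks in this same commit instead drop their `self:file` rules outright, which suggests a base domain rule already covers that access — if so, the line here can simply be removed rather than widened. Either way, leaving it as-is looks like an oversight relative to the rest of the change.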


@ -33,7 +33,7 @@ files_pid_file(mrtg_var_run_t)
allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file { getattr read write ioctl };
allow mrtg_t self:fifo_file rw_fifo_file_perms;
allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;


@ -73,7 +73,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
allow gcc_config_t portage_exec_t:file { execute getattr };
allow gcc_config_t portage_exec_t:file mmap_file_perms;
kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)


@ -68,8 +68,6 @@ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)


@ -18,7 +18,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
allow updfstab_t self:capability dac_override;
dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
allow updfstab_t self:process signal_perms;
allow updfstab_t self:fifo_file { getattr read write ioctl };
allow updfstab_t self:fifo_file rw_fifo_file_perms;
kernel_use_fds(updfstab_t)
kernel_read_kernel_sysctls(updfstab_t)


@ -71,7 +71,7 @@ optional_policy(`
# awstats cgi script policy
#
allow httpd_awstats_script_t awstats_var_lib_t:dir read;
allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
files_search_var_lib(httpd_awstats_script_t)


@ -24,7 +24,7 @@ logging_log_file(calamaris_log_t)
# for when squid has a different UID
allow calamaris_t self:capability dac_override;
allow calamaris_t self:process { fork signal_perms setsched };
allow calamaris_t self:fifo_file { getattr read write ioctl };
allow calamaris_t self:fifo_file rw_fifo_file_perms;
allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
allow calamaris_t self:tcp_socket create_stream_socket_perms;
allow calamaris_t self:udp_socket create_socket_perms;


@ -48,7 +48,7 @@ allow webalizer_t self:tcp_socket connected_stream_socket_perms;
allow webalizer_t self:udp_socket { connect connected_socket_perms };
allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
allow webalizer_t webalizer_etc_t:file read_file_perms;
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)


@ -42,7 +42,7 @@ manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
manage_files_pattern(yam_t, yam_content_t, yam_content_t)
manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
allow yam_t yam_etc_t:file { getattr read };
allow yam_t yam_etc_t:file read_file_perms;
files_search_etc(yam_t)
manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)


@ -628,7 +628,7 @@ interface(`domain_read_confined_domains_state',`
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file { getattr read };
dontaudit $1 unconfined_domain_type:file read_file_perms;
')
########################################
@ -743,12 +743,12 @@ interface(`domain_dontaudit_read_all_domains_state',`
')
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_file_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
dontaudit $1 domain:file read_file_perms;
# cjp: these should be removed:
dontaudit $1 domain:sock_file read_file_perms;
dontaudit $1 domain:fifo_file read_file_perms;
dontaudit $1 domain:sock_file read_sock_file_perms;
dontaudit $1 domain:fifo_file read_fifo_file_perms;
')
########################################


@ -33,8 +33,8 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
#
# use SELinuxfs
allow selinux_unconfined_type security_t:dir { getattr search read };
allow selinux_unconfined_type security_t:file { getattr read write };
allow selinux_unconfined_type security_t:dir list_dir_perms;
allow selinux_unconfined_type security_t:file rw_file_perms;
# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };


@ -70,7 +70,7 @@ can_exec(afs_bosserver_t,afs_bosserver_exec_t)
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)


@ -790,7 +790,7 @@ interface(`apache_exec_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
allow $1 httpd_modules_t:lnk_file read_file_perms;
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
can_exec($1,httpd_modules_t)
')


@ -258,7 +258,7 @@ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file { getattr read };
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
@ -509,9 +509,9 @@ optional_policy(`
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_config_t:file read_file_perms;
allow httpd_helper_t httpd_log_t:file append;
allow httpd_helper_t httpd_log_t:file append_file_perms;
libs_use_ld_so(httpd_helper_t)
libs_use_shared_libs(httpd_helper_t)
@ -677,7 +677,7 @@ allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -692,7 +692,7 @@ files_search_spool(httpd_sys_script_t)
apache_domtrans_rotatelogs(httpd_sys_script_t)
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
tunable_policy(`httpd_enable_homedirs',`


@ -21,7 +21,7 @@ files_pid_file(avahi_var_run_t)
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms setcap };
allow avahi_t self:fifo_file { read write };
allow avahi_t self:fifo_file rw_fifo_file_perms;
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow avahi_t self:unix_dgram_socket create_socket_perms;
allow avahi_t self:tcp_socket create_stream_socket_perms;


@ -70,7 +70,7 @@ allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
allow named_t self:udp_socket create_socket_perms;
allow named_t dnssec_t:file { getattr read };
allow named_t dnssec_t:file read_file_perms;
# read configuration
allow named_t named_conf_t:dir list_dir_perms;
@ -201,22 +201,20 @@ optional_policy(`
# cjp: why net_admin?!
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file { getattr read };
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file { getattr read };
allow ndc_t named_t:unix_stream_socket connectto;
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file { getattr read };
allow ndc_t named_conf_t:file read_file_perms;
allow ndc_t named_conf_t:lnk_file { getattr read };
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_zone_t:dir search;
allow ndc_t named_zone_t:dir search_dir_perms;
kernel_read_kernel_sysctls(ndc_t)
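Review bot: `allow ndc_t named_var_run_t:sock_file rw_file_perms;` in the second hunk is left applying the file permission set to a sock_file object, even though this same commit rewrites the equivalent mysql rule to `rw_sock_file_perms`; it should follow suit: `allow ndc_t named_var_run_t:sock_file rw_sock_file_perms;`. The `stream_connect_pattern` on the line above it presumably already grants the sock_file write and the `named_t:unix_stream_socket connectto` that the preceding line repeats, so both explicit lines may be redundant — worth confirming against the pattern definition before deleting them. The two `lnk_file { getattr read }` rules in this hunk are also left literal while domain.if and apache.if in this commit use `read_lnk_file_perms` for the same shape of rule.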


@ -38,7 +38,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file { read write };
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow ccs_t self:unix_dgram_socket create_socket_perms;
allow ccs_t self:netlink_route_socket r_netlink_socket_perms;


@ -123,7 +123,7 @@ files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file { read getattr };
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t : sock_file setattr;
@ -307,7 +307,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)


@ -24,7 +24,7 @@ files_pid_file(dante_var_run_t)
allow dante_t self:capability { setuid setgid };
dontaudit dante_t self:capability sys_tty_config;
allow dante_t self:process signal_perms;
allow dante_t self:fifo_file { read write };
allow dante_t self:fifo_file rw_fifo_file_perms;
allow dante_t self:tcp_socket create_stream_socket_perms;
allow dante_t self:udp_socket create_socket_perms;


@ -36,7 +36,7 @@ files_pid_file(system_dbusd_var_run_t)
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr signal_perms setcap };
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
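Review bot: The line directly below the rewritten fifo rule, `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };`, lists `connectto` twice. The duplicate is harmless to the compiler but reads like a merge artifact; since this file is being touched anyway it should be folded to `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };`.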


@ -27,7 +27,7 @@ files_pid_file(dhcpd_var_run_t)
allow dhcpd_t self:capability net_raw;
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;


@ -27,7 +27,7 @@ files_pid_file(distccd_var_run_t)
allow distccd_t self:capability { setgid setuid };
dontaudit distccd_t self:capability sys_tty_config;
allow distccd_t self:process { signal_perms setsched };
allow distccd_t self:fifo_file { read write getattr };
allow distccd_t self:fifo_file rw_fifo_file_perms;
allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
allow distccd_t self:tcp_socket create_stream_socket_perms;
allow distccd_t self:udp_socket create_socket_perms;


@ -24,7 +24,7 @@ files_pid_file(dnsmasq_var_run_t)
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { setcap signal_perms };
allow dnsmasq_t self:fifo_file { read write };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;


@ -148,7 +148,7 @@ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)


@ -28,7 +28,7 @@ files_pid_file(fingerd_var_run_t)
allow fingerd_t self:capability { setgid setuid };
dontaudit fingerd_t self:capability { sys_tty_config fsetid };
allow fingerd_t self:process signal_perms;
allow fingerd_t self:fifo_file { read write getattr };
allow fingerd_t self:fifo_file rw_fifo_file_perms;
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
allow fingerd_t self:udp_socket create_socket_perms;
allow fingerd_t self:unix_dgram_socket create_socket_perms;


@ -35,7 +35,7 @@ allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
allow gatekeeper_t self:udp_socket create_socket_perms;
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
files_search_etc(gatekeeper_t)
manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)


@ -30,7 +30,7 @@ files_pid_file(jabberd_var_run_t)
allow jabberd_t self:capability dac_override;
dontaudit jabberd_t self:capability sys_tty_config;
allow jabberd_t self:process signal_perms;
allow jabberd_t self:fifo_file { read write getattr };
allow jabberd_t self:fifo_file read_fifo_file_perms;
allow jabberd_t self:tcp_socket create_stream_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
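Review bot: `allow jabberd_t self:fifo_file read_fifo_file_perms;` drops the `write` permission that the `{ read write getattr }` form of this rule carried, so once this policy is loaded jabberd will be denied writing to its own pipes. Every other daemon converted in this commit maps that literal set to the read/write macro, and this line should do the same: `allow jabberd_t self:fifo_file rw_fifo_file_perms;`. The page does not mark which of the two printed lines is the new one, but the macro form is what this commit introduces, so the regression is on the new side.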


@ -44,7 +44,7 @@ files_pid_file(slapd_var_run_t)
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file { read write };
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:udp_socket create_socket_perms;
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
allow slapd_t self:tcp_socket create_stream_socket_perms;
@ -58,7 +58,7 @@ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
allow slapd_t slapd_etc_t:file { getattr read };
allow slapd_t slapd_etc_t:file read_file_perms;
allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t,slapd_lock_t,file)


@ -68,7 +68,7 @@ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
files_search_spool(checkpc_t)
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
@ -142,7 +142,7 @@ manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
files_search_spool(lpd_t)
# lpd must be able to execute the filter utilities in /usr/share/printconf.
allow lpd_t printconf_t:dir { getattr search read };
allow lpd_t printconf_t:dir list_dir_perms;
can_exec(lpd_t, printconf_t)
# Create and bind to /dev/printer.


@ -29,7 +29,7 @@ allow monopd_t self:process signal_perms;
allow monopd_t self:tcp_socket create_stream_socket_perms;
allow monopd_t self:udp_socket create_socket_perms;
allow monopd_t monopd_etc_t:file { getattr read };
allow monopd_t monopd_etc_t:file read_file_perms;
files_search_etc(monopd_t)
allow monopd_t monopd_share_t:dir list_dir_perms;


@ -157,7 +157,7 @@ interface(`mysql_rw_db_sockets',`
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:sock_file rw_file_perms;
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
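Review bot: `allow $1 mysqld_db_t:dir search;` on the line above the rewritten sock_file rule is left as a bare `search`, whereas the ndc_t hunk in this same commit turns an identically shaped rule into `search_dir_perms`; for consistency it should become `allow $1 mysqld_db_t:dir search_dir_perms;`. The interface `mysql_rw_db_sockets` opens before this hunk, so only its tail is visible here.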
########################################


@ -33,7 +33,7 @@ files_tmp_file(mysqld_tmp_t)
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
@ -43,7 +43,7 @@ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file })
allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:file read_file_perms;
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;


@ -177,7 +177,7 @@ dontaudit nrpe_t self:capability sys_tty_config;
allow nrpe_t self:process { setpgid signal_perms };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t nrpe_etc_t:file { getattr read };
allow nrpe_t nrpe_etc_t:file read_file_perms;
files_search_etc(nrpe_t)
kernel_read_system_state(nrpe_t)


@ -30,7 +30,7 @@ files_pid_file(nessusd_var_run_t)
allow nessusd_t self:capability net_raw;
dontaudit nessusd_t self:capability sys_tty_config;
allow nessusd_t self:process { setsched signal_perms };
allow nessusd_t self:fifo_file { getattr read write };
allow nessusd_t self:fifo_file rw_fifo_file_perms;
allow nessusd_t self:tcp_socket create_stream_socket_perms;
allow nessusd_t self:udp_socket create_socket_perms;
allow nessusd_t self:rawip_socket create_socket_perms;
@ -42,7 +42,7 @@ manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
files_list_var_lib(nessusd_t)
allow nessusd_t nessusd_etc_t:file { getattr read };
allow nessusd_t nessusd_etc_t:file read_file_perms;
files_search_etc(nessusd_t)
manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)


@ -224,7 +224,7 @@ allow ypserv_t self:udp_socket create_socket_perms;
manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
allow ypserv_t ypserv_conf_t:file { getattr read };
allow ypserv_t ypserv_conf_t:file read_file_perms;
manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
@ -304,7 +304,7 @@ manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
allow ypxfr_t ypserv_t:tcp_socket { read write };
allow ypxfr_t ypserv_t:udp_socket { read write };
allow ypxfr_t ypserv_conf_t:file { getattr read };
allow ypxfr_t ypserv_conf_t:file read_file_perms;
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)


@ -31,7 +31,7 @@ logging_log_file(nscd_log_t)
allow nscd_t self:capability { kill setgid setuid audit_write };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr setsched signal_perms };
allow nscd_t self:fifo_file { read write };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
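Review bot: `allow nscd_t self:fifo_file read_fifo_file_perms;` loses the `write` permission that the `{ read write }` form of this rule granted, which will surface as denials as soon as nscd writes to one of its own pipes. The sibling conversions in this commit use the read/write macro for this literal set, and so should this one: `allow nscd_t self:fifo_file rw_fifo_file_perms;`. The page does not say which printed line is new, but the macro is what the commit introduces, so the narrowing is on the new side.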


@ -124,7 +124,7 @@ allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
allow nsd_crond_t self:tcp_socket create_socket_perms;
allow nsd_crond_t self:udp_socket create_socket_perms;
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
allow nsd_crond_t nsd_conf_t:file read_file_perms;
allow nsd_crond_t nsd_db_t:file manage_file_perms;
filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)


@ -34,7 +34,7 @@ files_pid_file(ntop_var_run_t)
allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file { read write };
allow ntop_t self:fifo_file rw_fifo_file_perms;
allow ntop_t self:tcp_socket create_stream_socket_perms;
allow ntop_t self:udp_socket create_socket_perms;
allow ntop_t self:packet_socket create_socket_perms;


@ -41,7 +41,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;


@ -30,7 +30,7 @@ files_pid_file(nx_server_var_run_t)
# NX server local policy
#
allow nx_server_t self:fifo_file { getattr ioctl read write };
allow nx_server_t self:fifo_file rw_fifo_file_perms;
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;


@ -82,7 +82,7 @@ optional_policy(`
dontaudit scannerdaemon_t self:capability sys_tty_config;
allow scannerdaemon_t self:process signal_perms;
allow scannerdaemon_t self:fifo_file { read write };
allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
allow scannerdaemon_t self:udp_socket create_socket_perms;


@ -29,7 +29,7 @@ files_pid_file(oddjob_var_run_t)
allow oddjob_t self:capability setgid;
allow oddjob_t self:process { setexec signal };
allow oddjob_t self:fifo_file { read write };
allow oddjob_t self:fifo_file rw_fifo_file_perms;
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
@ -68,7 +68,7 @@ optional_policy(`
# oddjob_mkhomedir local policy
#
allow oddjob_mkhomedir_t self:fifo_file { read write };
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(oddjob_mkhomedir_t)


@ -22,7 +22,7 @@ files_pid_file(pcscd_var_run_t)
allow pcscd_t self:capability { dac_override dac_read_search };
allow pcscd_t self:process signal;
allow pcscd_t self:fifo_file { read write };
allow pcscd_t self:fifo_file rw_fifo_file_perms;
allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
allow pcscd_t self:unix_dgram_socket create_socket_perms;
allow pcscd_t self:tcp_socket create_stream_socket_perms;


@ -27,7 +27,7 @@ allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket create_stream_socket_perms;
allow perdition_t self:udp_socket create_socket_perms;
allow perdition_t perdition_etc_t:file { getattr read };
allow perdition_t perdition_etc_t:file read_file_perms;
files_search_etc(perdition_t)
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)


@ -474,8 +474,8 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
corecmd_exec_bin(postfix_qmgr_t)
@ -494,8 +494,8 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms;
postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
# to write the mailq output, it really should not need read access!


@ -103,8 +103,7 @@ role system_r types sepgsql_trusted_proc_t;
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:file { getattr read };
allow postgresql_t self:fifo_file rw_fifo_file_perms;
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
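Review bot: Beyond the fifo rewrite, this hunk drops `allow postgresql_t self:file { getattr read };` — the hunk counts (8 old lines, 7 new) show two lines out and one in — and neither the commit message nor the changelog entry mentions removing access. Presumably a base domain rule now grants a domain's self:file access (the rpm hunk in this commit removes the same kind of rule), but that is inference; a short comment here, e.g. `# self:file access comes from the base domain rules`, or a line in the changelog would let the next reader confirm it without re-deriving it.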


@ -223,23 +223,23 @@ optional_policy(`
allow pptp_t self:capability net_raw;
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:fifo_file rw_fifo_file_perms;
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;
allow pptp_t pppd_etc_t:dir { getattr read search };
allow pptp_t pppd_etc_t:file { read getattr };
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
allow pptp_t pppd_etc_t:lnk_file { getattr read };
allow pptp_t pppd_etc_rw_t:dir { getattr read search };
allow pptp_t pppd_etc_rw_t:file { read getattr };
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
can_exec(pptp_t, pppd_etc_rw_t)
# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;
allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)


@ -73,10 +73,10 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
# this component preprocesses mail from stdin and invokes qmail-queue
#
allow qmail_inject_t self:fifo_file write;
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms;
allow qmail_inject_t qmail_queue_exec_t:file read;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
corecmd_search_bin(qmail_inject_t)
@ -95,7 +95,7 @@ qmail_read_config(qmail_inject_t)
# this component delivers a mail message
#
allow qmail_local_t self:fifo_file write;
allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:process signal_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
@ -104,7 +104,7 @@ manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
can_exec(qmail_local_t, qmail_local_exec_t)
allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
allow qmail_local_t qmail_spool_t:file read_file_perms;
@ -132,12 +132,12 @@ qmail_domtrans_queue(qmail_local_t)
allow qmail_lspawn_t self:capability { setuid setgid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file { read write };
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
can_exec(qmail_lspawn_t, qmail_exec_t)
allow qmail_lspawn_t qmail_local_exec_t:file read;
allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
@ -154,10 +154,10 @@ files_search_tmp(qmail_lspawn_t)
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@ -206,9 +206,9 @@ sysnet_read_config(qmail_remote_t)
#
allow qmail_rspawn_t self:process signal_perms;
allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
allow qmail_rspawn_t qmail_remote_exec_t:file read;
allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
#
allow qmail_send_t self:process signal_perms;
allow qmail_send_t self:fifo_file write;
allow qmail_send_t self:fifo_file write_fifo_file_perms;
manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
@ -240,10 +240,10 @@ optional_policy(`
#
allow qmail_smtpd_t self:process signal_perms;
allow qmail_smtpd_t self:fifo_file write;
allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
allow qmail_smtpd_t qmail_queue_exec_t:file read;
allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
dev_read_rand(qmail_smtpd_t)
dev_read_urand(qmail_smtpd_t)
@ -280,7 +280,7 @@ miscfiles_read_localization(qmail_splogger_t)
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
allow qmail_start_t self:fifo_file { getattr read write };
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
@ -305,7 +305,7 @@ optional_policy(`
# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
corecmd_search_bin(qmail_tcp_env_t)
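Review bot: `allow qmail_local_t self:fifo_file write_file_perms;` applies the file-class macro to a fifo_file, while the sibling rules rewritten in this same file (qmail_inject_t, qmail_queue_t, qmail_send_t, qmail_smtpd_t) use `write_fifo_file_perms`. Under the new obj_perm_sets definitions the two sets expand to the same permissions, so there is no access difference today, but the class-specific macro is the one that will track future changes to fifo semantics; suggest `allow qmail_local_t self:fifo_file write_fifo_file_perms;`. The same mismatch appears in the uptimed and uux modules (`self:fifo_file write_file_perms`) and in ipsec (`self:fifo_file read_file_perms`).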


@ -25,7 +25,7 @@ allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
dontaudit resmgrd_t self:capability sys_tty_config;
allow resmgrd_t self:process signal_perms;
allow resmgrd_t resmgrd_etc_t:file { getattr read };
allow resmgrd_t resmgrd_etc_t:file read_file_perms;
files_search_etc(resmgrd_t)
allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;


@ -84,7 +84,7 @@ files_lock_file(ricci_modstorage_lock_t)
allow ricci_t self:capability { setuid sys_nice sys_boot };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file { read write };
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ricci_t self:tcp_socket create_stream_socket_perms;
@ -362,7 +362,7 @@ optional_policy(`
# ricci_modrpm local policy
#
allow ricci_modrpm_t self:fifo_file { getattr read };
allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modrpm_t)
@ -390,7 +390,7 @@ optional_policy(`
#
allow ricci_modservice_t self:capability { dac_override sys_nice };
allow ricci_modservice_t self:fifo_file { getattr read write };
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
allow ricci_modservice_t self:process setsched;
kernel_read_kernel_sysctls(ricci_modservice_t)


@ -95,7 +95,7 @@ optional_policy(`
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?


@ -220,7 +220,7 @@ allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
allow smbd_t self:sock_file read_file_perms;
allow smbd_t self:sock_file read_sock_file_perms;
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@ -405,7 +405,7 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
allow nmbd_t self:sock_file read_file_perms;
allow nmbd_t self:sock_file read_sock_file_perms;
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@ -572,17 +572,17 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
allow swat_t nmbd_exec_t:file { execute read };
allow swat_t nmbd_exec_t:file mmap_file_perms;
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
append_files_pattern(swat_t, samba_log_t, samba_log_t)
allow swat_t smbd_exec_t:file execute ;
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
allow swat_t smbd_var_run_t:file read;
allow swat_t smbd_var_run_t:file read_file_perms;
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@ -591,7 +591,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file execute;
allow swat_t winbind_exec_t:file mmap_file_perms;
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@ -654,7 +654,7 @@ optional_policy(`
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_t self:tcp_socket create_stream_socket_perms;
@ -761,7 +761,7 @@ allow winbind_helper_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
allow winbind_helper_t samba_var_t:dir search;
allow winbind_helper_t samba_var_t:dir search_dir_perms;
files_list_var_lib(winbind_helper_t)
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
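Review bot: The swat_t rewrites from `execute` to `mmap_file_perms` on smbd_exec_t and winbind_exec_t widen access beyond adding `open`: the new obj_perm_sets definition is `{ getattr open read execute ioctl }`, so swat_t now gains read and ioctl on both binaries, whereas nmbd_exec_t already carried read. This is plausibly the intended set, but since the commit's stated scope is the open permission check, the extra permissions deserve a sentence in the description so the widening is a recorded decision rather than a side effect. The stray space in `allow swat_t smbd_exec_t:file mmap_file_perms ;` should also be dropped to match the surrounding rules.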


@ -34,7 +34,7 @@ files_pid_file(saslauthd_var_run_t)
allow saslauthd_t self:capability setuid;
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process signal_perms;
allow saslauthd_t self:fifo_file { read write };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;


@ -88,8 +88,7 @@ template(`spamassassin_per_role_template',`
files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
# Allow connecting to a local spamd
allow $1_spamc_t spamd_t:unix_stream_socket connectto;
allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
domtrans_pattern($2, spamc_exec_t, $1_spamc_t)


@ -39,8 +39,8 @@ allow stunnel_t self:fifo_file rw_fifo_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
allow stunnel_t self:udp_socket create_socket_perms;
allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
allow stunnel_t stunnel_etc_t:dir list_dir_perms;
allow stunnel_t stunnel_etc_t:file read_file_perms;
allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)


@ -39,8 +39,8 @@ allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
allow tftpd_t tftpdir_t:file { read getattr };
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
allow tftpd_t tftpdir_t:lnk_file { getattr read };
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)


@ -35,7 +35,7 @@ files_pid_file(tor_var_run_t)
#
allow tor_t self:capability { setgid setuid };
allow tor_t self:fifo_file { read write };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;


@ -52,7 +52,7 @@ optional_policy(`
#
allow ucspitcp_t self:capability { setgid setuid };
allow ucspitcp_t self:fifo_file { read write };
allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
allow ucspitcp_t self:udp_socket create_socket_perms;


@ -26,9 +26,9 @@ files_pid_file(uptimed_var_run_t)
dontaudit uptimed_t self:capability sys_tty_config;
allow uptimed_t self:process signal_perms;
allow uptimed_t self:fifo_file { getattr write };
allow uptimed_t self:fifo_file write_file_perms;
allow uptimed_t uptimed_etc_t:file { getattr read };
allow uptimed_t uptimed_etc_t:file read_file_perms;
files_search_etc(uptimed_t)
allow uptimed_t uptimed_spool_t:file manage_file_perms;


@ -107,7 +107,7 @@ optional_policy(`
#
allow uux_t self:capability { setuid setgid };
allow uux_t self:fifo_file { getattr write };
allow uux_t self:fifo_file write_file_perms;
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)


@ -427,7 +427,7 @@ allow xdm_xserver_t xdm_t:shm rw_shm_perms;
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
allow xdm_xserver_t xdm_var_run_t:file read_file_perms;
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)


@ -41,7 +41,7 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:file { ioctl read write getattr lock append };
allow zebra_t self:file rw_file_perms;
allow zebra_t self:unix_dgram_socket create_socket_perms;
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;


@ -871,7 +871,7 @@ interface(`auth_manage_var_auth',`
files_search_var($1)
allow $1 var_auth_t:dir manage_dir_perms;
allow $1 var_auth_t:file rw_file_perms;
allow $1 var_auth_t:lnk_file rw_file_perms;
allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
')
########################################


@ -263,7 +263,7 @@ optional_policy(`
# System check password local policy
#
allow system_chkpwd_t shadow_t:file { getattr read };
allow system_chkpwd_t shadow_t:file read_file_perms;
corecmd_search_bin(system_chkpwd_t)
@ -289,7 +289,7 @@ ifdef(`distro_ubuntu',`
#
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file { read write };
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;


@ -24,7 +24,7 @@ role system_r types hwclock_t;
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };
allow hwclock_t self:fifo_file rw_fifo_file_perms;
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };


@ -774,7 +774,7 @@ interface(`init_read_state',`
allow $1 init_t:dir search_dir_perms;
allow $1 init_t:file read_file_perms;
allow $1 init_t:lnk_file read_file_perms;
allow $1 init_t:lnk_file read_lnk_file_perms;
')
########################################


@ -59,7 +59,7 @@ allow ipsec_t self:process signal;
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:key_socket { create write read setopt };
allow ipsec_t self:fifo_file { read getattr };
allow ipsec_t self:fifo_file read_file_perms;
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
@ -186,7 +186,7 @@ read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)


@ -30,7 +30,7 @@ files_pid_file(iscsi_var_run_t)
allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;


@ -451,7 +451,7 @@ interface(`logging_send_syslog_msg',`
')
allow $1 devlog_t:lnk_file read;
allow $1 devlog_t:sock_file rw_file_perms;
allow $1 devlog_t:sock_file rw_sock_file_perms;
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;


@ -127,7 +127,7 @@ logging_send_syslog_msg(auditctl_t)
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
allow auditd_t self:file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;
@ -227,7 +227,7 @@ allow audisp_t self:fifo_file rw_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)


@ -440,7 +440,7 @@ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow semanage_t policy_config_t:file { read write };
allow semanage_t policy_config_t:file rw_file_perms;
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;


@ -56,7 +56,6 @@ allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file { getattr read };
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)


@ -45,7 +45,7 @@ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem ex
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
allow udev_t self:sock_file read_file_perms;
allow udev_t self:sock_file read_sock_file_perms;
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;


@ -123,10 +123,7 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
# transition to store
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
allow xenstored_t xend_t:fd use;
allow xenstored_t xend_t:process sigchld;
allow xenstored_t xend_t:fifo_file write;
domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
# transition to console
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
@ -224,7 +221,7 @@ optional_policy(`
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file { read write };
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
@ -318,7 +315,7 @@ xen_append_log(xenstored_t)
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file { read write };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xm_t self:tcp_socket create_stream_socket_perms;


@ -2,7 +2,7 @@
# This file contains the policy capabilites
# that are enabled in this policy, not a
# declaration of DAC capabilites such as
# CAP_DAC_OVERRIDE.
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
@ -25,9 +25,8 @@
# Checks enabled:
# dir: open
# file: open
# lnk_file: open
# fifo_file: open
# chr_file: open
# blk_file: open
#
#policycap open_perms;
policycap open_perms;
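Review bot: Uncommenting `policycap open_perms;` turns every remaining hand-written permission set on dir, file, fifo_file, chr_file and blk_file that omits `open` into an effective denial for any domain that actually opens the object, and this commit still leaves such sets as untouched context lines (for example `allow xdm_xserver_t xdm_var_lib_t:file { getattr read };` in the xserver module). The `lnk_file { getattr read }` rules are unaffected, consistent with lnk_file being dropped from the "Checks enabled" list in this hunk. Either a sweep for `{ getattr read }` / `{ read write }` style sets on those five classes should land with or before this flip, or the description should state that the remaining ones are intentionally left to be caught by audit. Separately, the header comment misspells "capabilites" twice; `# This file contains the policy capabilities` fixes the first occurrence.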


@ -59,22 +59,22 @@ define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please us
#
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
#
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
#
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
#
# Permissions for linking, unlinking and renaming files.
@ -89,17 +89,12 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } r
#
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
#
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
#
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
#
@ -187,9 +182,10 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`search_dir_perms',`{ getattr search }')
define(`list_dir_perms',`{ getattr search read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
define(`create_dir_perms',`{ getattr create }')
define(`rename_dir_perms',`{ getattr rename }')
define(`delete_dir_perms',`{ getattr rmdir }')
@ -203,12 +199,12 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
define(`mmap_file_perms',`{ getattr read execute ioctl }')
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
define(`rw_file_perms',`{ getattr read write append ioctl lock }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
@ -239,10 +235,10 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
@ -272,10 +268,10 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr read lock ioctl }')
define(`append_blk_file_perms',`{ getattr append lock ioctl }')
define(`write_blk_file_perms',`{ getattr write append lock ioctl }')
define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
@ -289,10 +285,10 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr read lock ioctl }')
define(`append_chr_file_perms',`{ getattr append lock ioctl }')
define(`write_chr_file_perms',`{ getattr write append lock ioctl }')
define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
@ -309,7 +305,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
#
# Use (read and write) terminals
#
define(`rw_term_perms', `{ getattr read write ioctl }')
define(`rw_term_perms', `{ getattr open read write ioctl }')
#
# Sockets
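Review bot: `x_file_perms` now expands to `{ getattr open execute }` but its deprecation warning still tells authors to substitute `{ getattr execute }`, so anyone following the warning silently drops `open` and, with open_perms enabled, gets a denial the deprecated macro never produced. Suggest updating the message to `refpolicywarn(`$0 is deprecated please use { getattr open execute } instead.')`, or pointing it at a macro that already carries open. The other updated warnings in this hunk (`r_file_perms` → read_file_perms, `rx_file_perms` → mmap_file_perms, `ra_file_perms` → read_file_perms/append_file_perms) stay correct because each recommended target now includes `open`.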