diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index c1825dec..737415e9 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -39,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
 allow nx_server_t self:tcp_socket create_socket_perms;
 allow nx_server_t self:udp_socket create_socket_perms;
-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(nx_server_t, nx_server_devpts_t)
 manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
@@ -90,9 +90,9 @@ sysnet_read_config(nx_server_t)
 ifdef(`TODO',`
 # clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
+allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
 # for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
+allow nx_server_t user_tmpfile:file getattr_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 90976565..b1effe64 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
 #
 allow oidentd_t self:capability { setuid setgid };
-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow oidentd_t self:tcp_socket create_stream_socket_perms;
+allow oidentd_t self:udp_socket create_socket_perms;
 allow oidentd_t self:unix_dgram_socket { create connect };
 allow oidentd_t oidentd_config_t:file read_file_perms;
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
index ea5755e4..5e25230f 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -24,10 +24,10 @@ files_pid_file(pads_var_run_t)
 #
 allow pads_t self:capability { dac_override net_raw };
-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
-allow pads_t self:udp_socket { create ioctl };
-allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
+allow pads_t self:packet_socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
 allow pads_t pads_config_t:file manage_file_perms;
 files_etc_filetrans(pads_t, pads_config_t, file)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index e2e2f67a..53224125 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
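Review bot: The macro rewrites for oidentd_t grant more than the explicit sets they replace: the tcp_socket line previously had no `connect` (the daemon only binds, listens and accepts), and the netlink_tcpdiag_socket line previously had no `nlmsg_write`, which `create_netlink_socket_perms` includes and which on current kernels is the permission checked for socket-destroy requests on that socket. The pads.te hunk on this line has the same widening in a more visible form, since `create_socket_perms` presumably brings `write` and `connect` to the packet_socket and udp_socket of a passive sniffer, and pingd.te, postfixpolicyd.te and prelude.te follow the same pattern. If the commit is meant to be a pure macro cleanup, either keep the narrower explicit lists where the socket's direction is known, e.g. `allow oidentd_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };`, or state in the commit message that the broader sets are intended so the widening is auditable.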
@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56,7 +56,7 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
 manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index e9cf8a49..4a9d196a 100644
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
 allow pingd_t self:capability net_raw;
 allow pingd_t self:tcp_socket create_stream_socket_perms;
-allow pingd_t self:rawip_socket { write read create bind };
+allow pingd_t self:rawip_socket create_socket_perms;
 read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 17ee8e2f..ff20bb03 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -123,9 +123,9 @@ allow postfix_master_t postfix_data_t:file manage_file_perms;
 allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -145,7 +145,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
@@ -240,7 +240,7 @@ allow postfix_bounce_t self:capability dac_read_search;
 allow postfix_bounce_t self:tcp_socket create_socket_perms;
 allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t postfix_public_t:dir search;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -559,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
 corecmd_exec_bin(postfix_qmgr_t)
@@ -579,7 +579,7 @@ postfix_list_spool(postfix_showq_t)
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 # to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index fbd27288..7d736567 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -26,11 +26,11 @@ files_pid_file(postfix_policyd_var_run_t)
 allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
 allow postfix_policyd_t self:process setrlimit;
 allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4a85c123..fac7b138 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
 can_exec(postgresql_t, postgresql_exec_t )
 allow postgresql_t postgresql_lock_t:file manage_file_perms;
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 74f07f8a..916f73f7 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
 domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
 allow pppd_t pppd_etc_t:file read_file_perms;
-allow pppd_t pppd_etc_t:lnk_file { getattr read };
+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
 # Automatically label newly created files under /etc/ppp with this type
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 3c06f6c5..7a7310de 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -209,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
 #
 allow prelude_lml_t self:capability dac_override;
-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
-allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
 allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 allow prelude_lml_t self:unix_stream_socket connectto;
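Review bot: `{ setopt create_socket_perms }` on the prelude_lml_t tcp_socket line names `setopt` separately although the refpolicy `create_socket_perms` set already includes it (worth confirming against the tree's permission-set definitions); if so the line reduces to `allow prelude_lml_t self:tcp_socket create_socket_perms;`. Note that both rewritten lines also add permissions the old explicit lists lacked, such as `bind`, so this is not a pure no-op and should be called out as intentional if it is.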
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index b5588113..2a70dd19 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -35,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
 can_exec(procmail_t, procmail_exec_t)
 # Write log to /var/log/procmail.log or /var/log/procmail/.*
-allow procmail_t procmail_log_t:dir setattr;
+allow procmail_t procmail_log_t:dir setattr_dir_perms;
 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 95872242..4a3866b2 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -176,8 +176,8 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 allow puppetmaster_t puppet_log_t:file relabel_file_perms;