Use permission sets where possible.

Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Signed-off-by: Dominick Grift <domg472@gmail.com> Use permission sets where possible. Signed-off-by: Dominick Grift <domg472@gmail.com> Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
2010-09-15 22:09:15 +02:00 · 2010-09-15 22:09:15 +02:00 · 59c0340548
commit 59c0340548
parent ba6db03dc0
7 changed files with 22 additions and 22 deletions
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@ -166,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')

-	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')

 ########################################
@ -185,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')

-	dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')

 ########################################
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@ -84,7 +84,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	')
 	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
 	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')

 ########################################
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@ -270,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 		type spamd_tmp_t;
 	')

-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')

 ########################################
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')

-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')

 ########################################
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -189,7 +189,7 @@ template(`ssh_server_template', `
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;

-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)

 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@ -485,7 +485,7 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')

-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
 ## <summary>
@ -502,7 +502,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')

-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')

 ########################################
@ -645,7 +645,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')

-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')

@ -722,7 +722,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')

-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
 ')

 ######################################
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@ -38,7 +38,7 @@ template(`virt_domain_template',`
 	dev_node($1_image_t)
 	dev_associate_sysfs($1_image_t)

-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 	term_create_pty($1_t, $1_devpts_t)

 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -73,11 +73,11 @@ interface(`xserver_restricted_role',`

 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
-	dontaudit $2 xdm_tmp_t:dir setattr;
+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;

 	allow $2 xdm_t:dbus send_msg;
 	allow xdm_t  $2:dbus send_msg;
@ -87,7 +87,7 @@ interface(`xserver_restricted_role',`
 	allow $2 xserver_tmpfs_t:file read_file_perms;

 	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
+	allow $2 xserver_tmp_t:file read_inherited_file_perms;

 	dev_rw_xserver_misc($2)
 	dev_rw_power_management($2)
@ -489,9 +489,9 @@ template(`xserver_user_x_domain_template',`

 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };

 	# Allow connections to X server.
@ -675,7 +675,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')

-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')

 ########################################
@ -748,7 +748,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')

-	allow $1 xdm_t:fifo_file { getattr read write };
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')

 ########################################
@ -827,7 +827,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')

-	allow $1 xdm_tmp_t:dir setattr;
+	allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')

 ########################################
@ -959,7 +959,7 @@ interface(`xserver_getattr_log',`
 	')

 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')

 ########################################
@ -1152,7 +1152,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')

-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')

 ########################################