From 59c03405487678f6de02969b4ed3a5e225a36516 Mon Sep 17 00:00:00 2001
From: Dominick Grift <domg472@gmail.com>
Date: Wed, 15 Sep 2010 22:09:15 +0200
Subject: [PATCH] Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
---
 policy/modules/services/sendmail.if     |  4 ++--
 policy/modules/services/snmp.if         |  2 +-
 policy/modules/services/spamassassin.if |  2 +-
 policy/modules/services/squid.if        |  2 +-
 policy/modules/services/ssh.if          | 10 +++++-----
 policy/modules/services/virt.if         |  2 +-
 policy/modules/services/xserver.if      | 22 +++++++++++-----------
 7 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 1e9cb000..0c97e36a 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -166,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -185,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 699c2aba..64e9fb1d 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -84,7 +84,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	')
 	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
 	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 56950e6a..f906f43a 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -270,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 		type spamd_tmp_t;
 	')
 
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index fb9774ae..dc4f590c 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')
 
-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index d3b2b559..bb8c7d1f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -189,7 +189,7 @@ template(`ssh_server_template', `
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@@ -485,7 +485,7 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
 ## <summary>
@@ -502,7 +502,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -645,7 +645,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
 
-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 
@@ -722,7 +722,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
 ')
 
 ######################################
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 9a3d24fe..1840faaf 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -38,7 +38,7 @@ template(`virt_domain_template',`
 	dev_node($1_image_t)
 	dev_associate_sysfs($1_image_t)
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f6cb1add..54f5506e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -73,11 +73,11 @@ interface(`xserver_restricted_role',`
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
-	dontaudit $2 xdm_tmp_t:dir setattr;
+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
 
 	allow $2 xdm_t:dbus send_msg;
 	allow xdm_t  $2:dbus send_msg;
@@ -87,7 +87,7 @@ interface(`xserver_restricted_role',`
 	allow $2 xserver_tmpfs_t:file read_file_perms;
 
 	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
+	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
 	dev_rw_xserver_misc($2)
 	dev_rw_power_management($2)
@@ -489,9 +489,9 @@ template(`xserver_user_x_domain_template',`
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -675,7 +675,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 
 ########################################
@@ -748,7 +748,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fifo_file { getattr read write };
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -827,7 +827,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
 
-	allow $1 xdm_tmp_t:dir setattr;
+	allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -959,7 +959,7 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -1152,7 +1152,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
 
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################