Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

policy/modules/services/postgresql.if

@@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
 		type postgresql_db_t;
 	')
 
-	allow $1 postgresql_db_t:dir search;
+	allow $1 postgresql_db_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -214,7 +214,7 @@ interface(`postgresql_manage_db',`
 
 	allow $1 postgresql_db_t:dir rw_dir_perms;
 	allow $1 postgresql_db_t:file rw_file_perms;
-	allow $1 postgresql_db_t:lnk_file { getattr read };
+	allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################

policy/modules/services/razor.if

@@ -47,7 +47,7 @@ template(`razor_common_domain_template',`
 	# Read system config file
 	allow $1_t razor_etc_t:dir list_dir_perms;
 	allow $1_t razor_etc_t:file read_file_perms;
-	allow $1_t razor_etc_t:lnk_file { getattr read };
+	allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
 
 	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
 	manage_files_pattern($1_t, razor_log_t, razor_log_t)

policy/modules/services/rgmanager.if

@@ -91,7 +91,7 @@ interface(`rgmanager_rw_semaphores',`
 		type rgmanager_t;
 	')
 
-	allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+	allow $1 rgmanager_t:sem rw_sem_perms;
 ')
 
 ######################################

policy/modules/services/ricci.if

@@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
 		type ricci_modcluster_t;
 	')
 
-	dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+	dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################

policy/modules/services/rpc.if

@@ -156,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
 		type exports_t;
 	')
 
-	dontaudit $1 exports_t:file getattr;
+	dontaudit $1 exports_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -192,7 +192,7 @@ interface(`rpc_write_exports',`
 		type exports_t;
 	')
 
-	allow $1 exports_t:file write;
+	allow $1 exports_t:file write_file_perms;
 ')
 
 ########################################
@@ -306,7 +306,7 @@ interface(`rpc_read_nfs_content',`
 
 	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
 	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -399,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 var_lib_nfs_t:dir search;
+	allow $1 var_lib_nfs_t:dir search_dir_perms;
 ')
 
 ########################################

policy/modules/services/xserver.if

@@ -47,7 +47,7 @@ interface(`xserver_restricted_role',`
 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 
 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-	allow $2 xserver_tmp_t:sock_file unlink;
+	allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
@@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',`
 
 	allow $1 self:x_gc { create setattr };
 
-	allow $1 xdm_var_run_t:dir search;
+	allow $1 xdm_var_run_t:dir search_dir_perms;
 	allow $1 xserver_t:unix_stream_socket connectto;
 
 	allow $1 xextension_t:x_extension { query use };
@@ -313,7 +313,7 @@ interface(`xserver_user_client',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $1 xdm_t:fd use;
 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $1 xdm_tmp_t:dir search;
+	allow $1 xdm_tmp_t:dir search_dir_perms;
 	allow $1 xdm_tmp_t:sock_file { read write };
 	dontaudit $1 xdm_t:tcp_socket { read write };