Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

policy/modules/services/ajaxterm.te

@@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
 allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
 allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
 
-allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
 
 manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)

policy/modules/services/amavis.te

@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
 
 # tmp files
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-allow amavis_t amavis_tmp_t:dir setattr;
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
 files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
 
 # var/lib files for amavis
@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 files_search_var_lib(amavis_t)
 
 # log files
-allow amavis_t amavis_var_log_t:dir setattr;
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

policy/modules/services/avahi.te

@@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
 manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-allow avahi_t avahi_var_run_t:dir setattr;
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
 files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
 
 kernel_read_system_state(avahi_t)

policy/modules/services/bind.te

@@ -202,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
 
 stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
 
 allow ndc_t named_conf_t:file read_file_perms;
-allow ndc_t named_conf_t:lnk_file { getattr read };
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
@@ -245,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
 
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
-	allow ndc_t named_conf_t:dir search;
+	allow ndc_t named_conf_t:dir search_dir_perms;
 ')
 
 optional_policy(`

policy/modules/services/boinc.te

@@ -136,7 +136,7 @@ files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)

policy/modules/services/gatekeeper.te

@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
 allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
 allow gatekeeper_t self:udp_socket create_socket_perms;
 
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
 allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
 files_search_etc(gatekeeper_t)