Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

policy/modules/services/rhgb.te

@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rhgb_t, rhgb_devpts_t)
 
 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)

policy/modules/services/ricci.te

@@ -99,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
 
-allow ricci_t ricci_var_log_t:dir setattr;
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })

policy/modules/services/rlogin.te

@@ -34,7 +34,7 @@ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rlogind_t, rlogind_devpts_t)
 
 # for /usr/lib/telnetlogin

policy/modules/services/rpc.te

@@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
 
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
@@ -196,7 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
 
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_file_perms;
+allow gssd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)

policy/modules/services/snort.te

@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
 # Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(snort_t, snort_log_t, snort_log_t)
 create_dirs_pattern(snort_t, snort_log_t, snort_log_t)

policy/modules/services/ssh.te

@@ -258,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-	allow ssh_keysign_t sshd_key_t:file { getattr read };
+	allow ssh_keysign_t sshd_key_t:file read_file_perms;
 
 	dev_read_urand(ssh_keysign_t)
 
@@ -383,7 +383,7 @@ ifdef(`TODO',`
 		# ioctl is necessary for logout() processing for utmp entry and for w to
 		# display the tty.
 		# some versions of sshd on the new SE Linux require setattr
-		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
 	')
 ') dnl endif TODO
 

policy/modules/services/sssd.te

@@ -31,7 +31,7 @@ files_pid_file(sssd_var_run_t)
 
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 

policy/modules/services/stunnel.te

@@ -36,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)

policy/modules/services/telnet.te

@@ -31,7 +31,7 @@ allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(telnetd_t, telnetd_devpts_t)
 
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)

policy/modules/services/tftp.te

@@ -40,7 +40,7 @@ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)

policy/modules/services/tgtd.te

@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;

policy/modules/services/uptime.te

@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
 
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
 
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)

policy/modules/services/uucp.te

@@ -123,7 +123,7 @@ optional_policy(`
 #
 
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
 
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)

policy/modules/services/vhostmd.te

@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
 
 allow vhostmd_t self:capability { dac_override ipc_lock	setuid setgid };
 allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)

policy/modules/services/virt.te

@@ -473,7 +473,7 @@ optional_policy(`
 
 allow virt_domain self:capability { dac_read_search dac_override kill };
 allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
 allow virt_domain self:shm create_shm_perms;
 allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };

policy/modules/services/xserver.te

@@ -414,7 +414,7 @@ allow xdm_t self:key { search link write };
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
@@ -483,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
 
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -1115,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
 allow xserver_t xdm_var_lib_t:file read_file_perms;
-dontaudit xserver_t xdm_var_lib_t:dir search;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
@@ -1125,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server

policy/modules/services/zabbix.te

@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
 #
 
 allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 
 # log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)
 

policy/modules/services/zebra.te

@@ -51,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })

policy/modules/services/zosremote.te

@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
 #
 
 allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(zos_remote_t)