From 7d1f5642b0571e22cdb9ce74c1796e94fb078406 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Fri, 24 Sep 2010 09:28:34 +0200
Subject: [PATCH] Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
Use permission sets where possible.
---
 policy/modules/services/rhgb.te | 2 +-
 policy/modules/services/ricci.te | 2 +-
 policy/modules/services/rlogin.te | 2 +-
 policy/modules/services/rpc.te | 4 ++--
 policy/modules/services/snort.te | 6 +++---
 policy/modules/services/ssh.te | 4 ++--
 policy/modules/services/sssd.te | 2 +-
 policy/modules/services/stunnel.te | 2 +-
 policy/modules/services/telnet.te | 2 +-
 policy/modules/services/tftp.te | 2 +-
 policy/modules/services/tgtd.te | 2 +-
 policy/modules/services/uptime.te | 2 +-
 policy/modules/services/uucp.te | 2 +-
 policy/modules/services/vhostmd.te | 2 +-
 policy/modules/services/virt.te | 2 +-
 policy/modules/services/xserver.te | 8 ++++----
 policy/modules/services/zabbix.te | 4 ++--
 policy/modules/services/zebra.te | 2 +-
 policy/modules/services/zosremote.te | 2 +-
 19 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7d..4d108978 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rhgb_t, rhgb_devpts_t)
 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 9f38104d..29e73111 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -99,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-allow ricci_t ricci_var_log_t:dir setattr;
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 2744af25..0155ca70 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -34,7 +34,7 @@ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rlogind_t, rlogind_devpts_t)
 # for /usr/lib/telnetlogin
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 698b7635..68d36c54 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
@@ -196,7 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_file_perms;
+allow gssd_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index d7f4bd4e..012723c4 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
 # Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(snort_t, snort_log_t, snort_log_t)
 create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index f03a8ce0..c7efe5d3 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -258,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
 allow ssh_keysign_t self:capability { setgid setuid };
 allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow ssh_keysign_t sshd_key_t:file { getattr read };
+ allow ssh_keysign_t sshd_key_t:file read_file_perms;
 dev_read_urand(ssh_keysign_t)
@@ -383,7 +383,7 @@ ifdef(`TODO',`
 # ioctl is necessary for logout() processing for utmp entry and for w to
 # display the tty.
 # some versions of sshd on the new SE Linux require setattr
- allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
 ')
 ')
 dnl endif TODO
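Review bot: In the snort.te hunk, `create_netlink_socket_perms` on snort_t's netlink_route_socket is wider than the removed `{ bind create getattr nlmsg_read read write }`: it carries `nlmsg_write`, which lets the domain change routes and interfaces instead of only enumerating them, so this is a privilege widening rather than the spelling change the subject describes. The read-only set already used in this patch's rhgb.te and telnet.te context is `r_netlink_socket_perms`; unless snort needs to send routing messages the line should read `allow snort_t self:netlink_route_socket r_netlink_socket_perms;`. The tgtd.te hunk makes the same substitution (`{ create_socket_perms nlmsg_read }` is exactly the read-only set) and would likewise be `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;`. The netlink_firewall_socket line also grows from `{ bind create getattr }` to the full create_socket_perms (read/write among them) under a comment that still says "unverified", so that widening deserves a sentence in the commit message at minimum.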
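Review bot: In the first ssh.te hunk, `read_file_perms` is not a drop-in for `{ getattr read }` on sshd_key_t: it additionally grants `open`, `lock` and `ioctl` on the host private key, and where the open permission is enforced the old rule could not have opened the file at all, so this hunk changes behaviour as well as spelling. That is plausibly what ssh-keysign needs, but the commit message presents the series as a pure tidy-up and should call out the access changes. The second ssh.te hunk lies inside `ifdef(`TODO',` and is never built, so the `rw_inherited_chr_file_perms` rewrite there cannot be validated by compiling the policy. Both hunks sit inside enclosing blocks (tunable_policy, ifdef) whose opening and closing lines are outside the hunk.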
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index be42115f..71138028 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -31,7 +31,7 @@ files_pid_file(sssd_var_run_t)
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 9cc4d7de..296e5ba0 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -36,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index d9d8e18f..34c4c573 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -31,7 +31,7 @@ allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(telnetd_t, telnetd_devpts_t)
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index f4080d12..97ce79e3 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -40,7 +40,7 @@ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 678ab903..44dfdc87 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e2..037a1e8b 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 91886b2b..1e40c2a0 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -123,7 +123,7 @@ optional_policy(`
 #
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index f56f51f9..7baeb6ff 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
 allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
 allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 9930bcb1..62e349ad 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -473,7 +473,7 @@ optional_policy(`
 allow virt_domain self:capability { dac_read_search dac_override kill };
 allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
 allow virt_domain self:shm create_shm_perms;
 allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 739b23b6..c80794bc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -414,7 +414,7 @@ allow xdm_t self:key { search link write };
 allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -483,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -1115,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
 allow xserver_t xdm_var_lib_t:file read_file_perms;
-dontaudit xserver_t xdm_var_lib_t:dir search;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
@@ -1125,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 # Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index b8dd21a3..20d7cde2 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
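Review bot: In the xserver.te -1115 hunk, `dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;` silences more than the removed `search`: search_dir_perms also covers getattr (and open, where that permission is part of the set in this refpolicy vintage), while the comment two lines above stresses that xserver_t is deliberately given no directory access to xdm_var_lib_t. A dontaudit grants nothing, but it hides exactly the denials that comment suggests a reviewer would want to see if xserver_t ever started doing more than a lookup. Either keep the narrower `dontaudit xserver_t xdm_var_lib_t:dir search;` or extend the comment, e.g. `# search_dir_perms is dontaudited in full; only the lookup itself is expected`. The other three xserver.te hunks are permission-preserving apart from the lnk_file line, which gains getattr.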
@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
 #
 allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 # log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index a1035a4f..f0b1201e 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -51,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index f9a06d2c..3d407c69 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
 #
 allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 files_read_etc_files(zos_remote_t)