From 82d2775c923b1474b010b58d0e180d0a60a4f37c Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Mon, 20 Oct 2008 16:10:42 +0000 Subject: [PATCH] trunk: more open perm fixes. --- policy/modules/admin/dpkg.if | 2 +- policy/modules/admin/portage.if | 2 +- policy/modules/admin/prelink.if | 2 +- policy/modules/apps/evolution.if | 4 +--- policy/modules/apps/uml.if | 2 +- policy/modules/apps/vmware.if | 2 +- policy/modules/kernel/corecommands.if | 3 +-- policy/modules/kernel/corenetwork.if.in | 4 ++-- policy/modules/kernel/files.if | 14 ++++++------- policy/modules/kernel/filesystem.if | 3 +-- policy/modules/kernel/kernel.if | 2 +- policy/modules/kernel/selinux.if | 26 ++++++++++++------------- policy/modules/kernel/terminal.if | 16 +++++++-------- policy/modules/services/amavis.if | 2 +- policy/modules/services/apache.if | 4 ++-- policy/modules/services/apcupsd.if | 4 ++-- policy/modules/services/bitlbee.if | 4 ++-- policy/modules/services/cron.if | 2 +- policy/modules/services/cups.if | 4 ++-- policy/modules/services/fail2ban.if | 2 +- policy/modules/services/ftp.if | 2 +- policy/modules/services/inn.if | 18 ++++++++--------- policy/modules/services/kerberos.if | 2 +- policy/modules/services/ldap.if | 2 +- policy/modules/services/mta.if | 2 +- policy/modules/services/mysql.if | 12 ++++++------ policy/modules/services/nis.if | 2 +- policy/modules/services/portmap.if | 2 +- policy/modules/services/postfix.if | 6 +++--- policy/modules/services/postgresql.if | 6 +++--- policy/modules/services/ppp.if | 4 ++-- policy/modules/services/qmail.if | 12 ++++++------ policy/modules/services/razor.if | 3 ++- policy/modules/services/rhgb.if | 2 +- policy/modules/services/samba.if | 2 +- policy/modules/services/smartmon.if | 2 +- policy/modules/services/ssh.if | 4 ++-- policy/modules/services/xserver.if | 20 +++++++++---------- policy/modules/system/authlogin.if | 2 +- policy/modules/system/clock.if | 2 +- policy/modules/system/fstools.if | 2 +- policy/modules/system/getty.if | 4 ++-- policy/modules/system/hostname.if | 2 +- 
policy/modules/system/init.if | 2 +- policy/modules/system/sysnetwork.if | 6 +++--- policy/modules/system/unconfined.if | 2 +- policy/modules/system/userdomain.if | 4 ++-- policy/support/misc_patterns.spt | 7 ++++--- 48 files changed, 119 insertions(+), 121 deletions(-) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if index 67b78aa0..1822169a 100644 --- a/policy/modules/admin/dpkg.if +++ b/policy/modules/admin/dpkg.if @@ -228,5 +228,5 @@ interface(`dpkg_lock_db',` files_search_var_lib($1) allow $1 dpkg_var_lib_t:dir list_dir_perms; - allow $1 dpkg_lock_t:file { getattr create read write append unlink lock }; + allow $1 dpkg_lock_t:file manage_file_perms; ') diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 4f69198c..da338abe 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -111,7 +111,7 @@ interface(`portage_compile_domain',` # write compile logs allow $1 portage_log_t:dir setattr; - allow $1 portage_log_t:file { append write setattr }; + allow $1 portage_log_t:file { write_file_perms setattr }; # run scripts out of the build directory can_exec(portage_sandbox_t, portage_tmp_t) diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 94bd0f39..9e09e88e 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if @@ -85,7 +85,7 @@ interface(`prelink_read_cache',` ') files_search_etc($1) - allow $1 prelink_cache_t:file { getattr read }; + allow $1 prelink_cache_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index 66f46592..d50b4b79 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if 
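Review bot: `manage_file_perms` on `dpkg_lock_t` in dpkg_lock_db grants more than the `open` this commit is adding: the removed line listed `{ getattr create read write append unlink lock }`, and the manage set — assuming the usual refpolicy definition in obj_perm_sets.spt, which is not part of this patch — also carries `setattr`, `rename`, `link` and `ioctl`, none of which a lock-file interface needs. A caller of dpkg_lock_db could then rename or hard-link the dpkg lock, which is wider than "lock the database". The same rule with only `open` and `ioctl` added would be `allow $1 dpkg_lock_t:file { create_file_perms rw_file_perms delete_file_perms };`. If the broader set is intended, the interface summary above the hunk should say so.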
@@ -166,9 +166,7 @@ template(`evolution_per_role_template',` userdom_search_user_home_dirs($1, $1_evolution_t) # Allow the user domain to signal/ps. - allow $2 $1_evolution_t:dir { search getattr read }; - allow $2 $1_evolution_t:{ file lnk_file } { read getattr }; - allow $2 $1_evolution_t:process getattr; + ps_process_pattern($2, $1_evolution_t) domain_dontaudit_read_all_domains_state($1_evolution_t) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index 810ee044..a8336447 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -79,7 +79,7 @@ template(`uml_per_role_template',` allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append }; # allow the UML thing to happen - allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr }; + allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty($1_uml_t,$1_uml_devpts_t) manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if index 806bb805..d4d83f6a 100644 --- a/policy/modules/apps/vmware.if +++ b/policy/modules/apps/vmware.if @@ -180,7 +180,7 @@ interface(`vmware_read_system_config',` type vmware_sys_conf_t; ') - allow $1 vmware_sys_conf_t:file { getattr read }; + allow $1 vmware_sys_conf_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 777dc492..7df3bdef 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') - allow $1 bin_t:dir search_dir_perms; - allow $1 bin_t:file { getattr read execute }; + mmap_files_pattern($1, bin_t, bin_t) ') ######################################## diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 2b473b30..e89e304e 100644 
--- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',` ') dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append }; + allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') ######################################## @@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',` ') dev_list_all_dev_nodes($1) - allow $1 ppp_device_t:chr_file rw_file_perms; + allow $1 ppp_device_t:chr_file rw_chr_file_perms; ') ######################################## diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9e4865b4..acede285 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',` attribute mountpoint; ') - allow $1 mountpoint:dir { getattr search mounton }; + allow $1 mountpoint:dir { search_dir_perms mounton }; allow $1 mountpoint:file { getattr mounton }; ') @@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',` type boot_t; ') - allow $1 boot_t:file { getattr read write create }; + allow $1 boot_t:file { create_file_perms rw_file_perms }; manage_lnk_files_pattern($1, boot_t, boot_t) ') @@ -1682,7 +1682,7 @@ interface(`files_mounton_default',` type default_t; ') - allow $1 default_t:dir { getattr search mounton }; + allow $1 default_t:dir { search_dir_perms mounton }; ') ######################################## @@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',` ') allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; - allow $1 system_map_t:file { rw_file_perms create }; + allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## 
@@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:capability { chown fsetid sys_admin }; # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir }; + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir search_dir_perms; @@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',` # Need to give permission to create directories where applicable allow $1 self:process setfscreate; allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name }; - allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto }; + allow $1 polydir: dir { write add_name open }; + allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 60877b01..08535cf1 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',` ') allow $1 rpc_pipefs_t:sock_file { read write }; - ') ######################################## @@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',` type rpc_pipefs_t; ') - allow $1 rpc_pipefs_t:fifo_file { read write }; + allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ') ######################################## diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index c16bf9a5..111596b0 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
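Review bot: files_polyinstantiate_all fixes the polydir open denial by hand-inserting `open` into `{ create open getattr search write add_name setattr mounton rmdir }`, while every other hunk in this commit moves to the named perm sets. If `search_dir_perms` expands to `{ getattr search open }` as the `files_mounton_*` hunks earlier in this patch assume, the line can read `allow $1 polydir:dir { search_dir_perms create write add_name setattr mounton rmdir };` and track future changes to the set automatically. The second hunk's `polydir: dir { write add_name open }` would then only need `open` if the first rule does not already cover the same domains; worth a quick check since both rules target the same `$1`/`polydir` pair. The interface body continues outside the hunk.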
@@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` type unlabeled_t; ') - allow $1 unlabeled_t:dir { getattr search read relabelfrom }; + allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; ') ######################################## diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index c931e1eb..946f8fc1 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',` ') dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file { getattr read }; + dontaudit $1 security_t:file read_file_perms; ') ######################################## @@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read }; + allow $1 security_t:file read_file_perms; ') ######################################## @@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; if(!secure_mode_policyload) { @@ -250,7 +250,7 @@ interface(`selinux_load_policy',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; typeattribute $1 can_load_policy; if(!secure_mode_policyload) { @@ -292,7 +292,7 @@ interface(`selinux_set_boolean',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; if(!secure_mode_policyload) { allow $1 security_t:security setbool; 
@@ -333,7 +333,7 @@ interface(`selinux_set_parameters',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; typeattribute $1 can_setsecparam; @@ -356,7 +356,7 @@ interface(`selinux_validate_context',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; ') @@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',` ') dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file { getattr read write }; + dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; ') @@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; ') @@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; ') @@ -440,7 +440,7 @@ interface(`selinux_compute_member',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; ') @@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; ') 
@@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',` ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; ') diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 54865536..38b493a7 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -173,7 +173,7 @@ interface(`term_use_all_terms',` dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; - allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; + allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ') ######################################## @@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { getattr append }; + allow $1 tty_device_t:chr_file append_chr_file_perms; ') ######################################## @@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { getattr write }; + allow $1 tty_device_t:chr_file write_chr_file_perms; ') ######################################## @@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { rw_term_perms lock append }; + allow $1 tty_device_t:chr_file rw_chr_file_perms; ') ######################################## @@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') - dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append }; + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') ######################################## 
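Review bot: term_write_unallocated_ttys goes from `{ getattr write }` to `write_chr_file_perms`, and if that set is defined like its rw_/read_ siblings it brings `ioctl` and `lock` along with `open`. On a tty, `ioctl` is the permission that gates TIOCSTI, so a domain that was only meant to write a message to an unallocated terminal could now inject keystrokes into it; the `{ getattr append }` → `append_chr_file_perms` change in the hunk just above has the same effect. If the goal is only to stop the `open` denials, `allow $1 tty_device_t:chr_file { getattr open write };` keeps the old boundary; if ioctl is deliberate, a one-line comment saying so would help the next reader. The definition of write_chr_file_perms is not in this patch, so please confirm what it actually expands to.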
@@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file { getattr write append }; + allow $1 ttynode:chr_file write_chr_file_perms; ') ######################################## @@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file { rw_term_perms lock append }; + allow $1 ttynode:chr_file rw_chr_file_perms; ') ######################################## @@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',` attribute ttynode; ') - dontaudit $1 ttynode:chr_file { read write }; + dontaudit $1 ttynode:chr_file rw_chr_file_perms; ') diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index 3e5f6dbe..db18f31c 100644 --- a/policy/modules/services/amavis.if +++ b/policy/modules/services/amavis.if @@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',` ') files_search_spool($1) - allow $1 amavis_spool_t:file { getattr read }; + allow $1 amavis_spool_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index f038c0d4..7946f403 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file { getattr read }; + allow $1 httpd_squirrelmail_t:file read_file_perms; ') ######################################## @@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',` type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file { getattr append }; + allow $1 httpd_squirrelmail_t:file append_file_perms; ') ######################################## diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if index 4da96a50..d8a10d00 100644 --- a/policy/modules/services/apcupsd.if +++ b/policy/modules/services/apcupsd.if 
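Review bot: term_write_all_user_ttys now grants `write_chr_file_perms` on every `ttynode`, where the removed line granted only `{ getattr write append }`. If that macro includes `ioctl`, as the other chr_file sets used in this commit appear to, callers of this "write to all user ttys" interface (the wall/shutdown-style use) gain ioctl on other users' terminals, and on Linux that includes TIOCSTI input injection — a different capability from writing output to them. Consider `allow $1 ttynode:chr_file { getattr open write append };` here unless the ioctl grant is intentional, and document it in the interface summary if it is.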
@@ -55,7 +55,7 @@ interface(`apcupsd_read_log',` logging_search_logs($1) allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file { read getattr lock }; + allow $1 apcupsd_log_t:file read_file_perms; ') ######################################## @@ -76,7 +76,7 @@ interface(`apcupsd_append_log',` logging_search_logs($1) allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file { getattr append }; + allow $1 apcupsd_log_t:file append_file_perms; ') ######################################## diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if index 9e12e951..293f0fd1 100644 --- a/policy/modules/services/bitlbee.if +++ b/policy/modules/services/bitlbee.if @@ -16,8 +16,8 @@ interface(`bitlbee_read_config',` ') files_search_etc($1) - allow $1 bitlbee_conf_t:dir { getattr read search }; - allow $1 bitlbee_conf_t:file { read getattr }; + allow $1 bitlbee_conf_t:dir list_dir_perms; + allow $1 bitlbee_conf_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 00186a15..0822ff97 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -285,7 +285,7 @@ template(`cron_admin_template',` ') # Allow our crontab domain to unlink a user cron spool file. - allow $1_crontab_t cron_spool_type:file { getattr read unlink }; + allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms }; logging_read_generic_logs($1_crond_t) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if index 8d6b4af6..5ee59302 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -207,7 +207,7 @@ interface(`cups_read_log',` ') logging_search_logs($1) - allow $1 cupsd_log_t:file { getattr read }; + allow $1 cupsd_log_t:file read_file_perms; ') ######################################## 
@@ -226,7 +226,7 @@ interface(`cups_write_log',` ') logging_search_logs($1) - allow $1 cupsd_log_t:file write; + allow $1 cupsd_log_t:file write_file_perms; ') ######################################## diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if index fced3105..d9fc7e1c 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -36,7 +36,7 @@ interface(`fail2ban_read_log',` logging_search_logs($1) allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file { read getattr lock }; + allow $1 fail2ban_log_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 63c9801f..f07f6d44 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -67,7 +67,7 @@ interface(`ftp_read_config',` ') files_search_etc($1) - allow $1 ftpd_etc_t:file { getattr read }; + allow $1 ftpd_etc_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index f3291e92..12403378 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -93,9 +93,9 @@ interface(`inn_read_config',` type innd_etc_t; ') - allow $1 innd_etc_t:dir { getattr read search }; - allow $1 innd_etc_t:file { read getattr }; - allow $1 innd_etc_t:lnk_file { getattr read }; + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; ') ######################################## 
@@ -113,9 +113,9 @@ interface(`inn_read_news_lib',` type innd_var_lib_t; ') - allow $1 innd_var_lib_t:dir { getattr read search }; - allow $1 innd_var_lib_t:file { read getattr }; - allow $1 innd_var_lib_t:lnk_file { getattr read }; + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; + allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -133,9 +133,9 @@ interface(`inn_read_news_spool',` type news_spool_t; ') - allow $1 news_spool_t:dir { getattr read search }; - allow $1 news_spool_t:file { read getattr }; - allow $1 news_spool_t:lnk_file { getattr read }; + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 366f3954..12c1cfc4 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -73,7 +73,7 @@ interface(`kerberos_use',` ') files_search_etc($1) - allow $1 krb5_conf_t:file { getattr read }; + allow $1 krb5_conf_t:file read_file_perms; dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 2d767ff0..3aa8fa77 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -36,7 +36,7 @@ interface(`ldap_read_config',` ') files_search_etc($1) - allow $1 slapd_etc_t:file { getattr read }; + allow $1 slapd_etc_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 23ba2b26..5bfa326c 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if 
@@ -114,7 +114,7 @@ template(`mta_base_mail_template',` manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - allow $1_mail_t etc_mail_t:dir { getattr search }; + allow $1_mail_t etc_mail_t:dir search_dir_perms; # Write to /var/spool/mail and /var/spool/mqueue. manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index 0115dbf1..308a383b 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -74,9 +74,9 @@ interface(`mysql_read_config',` type mysqld_etc_t; ') - allow $1 mysqld_etc_t:dir { getattr read search }; - allow $1 mysqld_etc_t:file { read getattr }; - allow $1 mysqld_etc_t:lnk_file { getattr read }; + allow $1 mysqld_etc_t:dir list_dir_perms; + allow $1 mysqld_etc_t:file read_file_perms; + allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -98,7 +98,7 @@ interface(`mysql_search_db',` ') files_search_var_lib($1) - allow $1 mysqld_db_t:dir search; + allow $1 mysqld_db_t:dir search_dir_perms; ') ######################################## @@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',` ') files_search_var_lib($1) - allow $1 mysqld_db_t:dir search; + allow $1 mysqld_db_t:dir search_dir_perms; allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') @@ -176,5 +176,5 @@ interface(`mysql_write_log',` ') logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; + allow $1 mysqld_log_t:file { write_file_perms setattr }; ') diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if index f1196e1f..2e23018d 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if 
@@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',` ') files_search_etc($1) - allow $1 ypserv_conf_t:file { getattr read }; + allow $1 ypserv_conf_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if index 4fa21233..039c6de8 100644 --- a/policy/modules/services/portmap.if +++ b/policy/modules/services/portmap.if @@ -49,7 +49,7 @@ interface(`portmap_run_helper',` portmap_domtrans_helper($1) role $2 types portmap_helper_t; - allow portmap_helper_t $3:chr_file { getattr read write ioctl }; + allow portmap_helper_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index a9d7b716..0eeb4e70 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -208,9 +208,9 @@ interface(`postfix_read_config',` type postfix_etc_t; ') - allow $1 postfix_etc_t:dir { getattr read search }; - allow $1 postfix_etc_t:file { read getattr }; - allow $1 postfix_etc_t:lnk_file { getattr read }; + allow $1 postfix_etc_t:dir list_dir_perms; + allow $1 postfix_etc_t:file read_file_perms; + allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; files_search_etc($1) ') diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index bae1e10f..4351a8c1 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -272,9 +272,9 @@ interface(`postgresql_read_config',` ') files_search_etc($1) - allow $1 postgresql_etc_t:dir { getattr read search }; - allow $1 postgresql_etc_t:file { read getattr }; - allow $1 postgresql_etc_t:lnk_file { getattr read }; + allow $1 postgresql_etc_t:dir list_dir_perms; + allow $1 postgresql_etc_t:file read_file_perms; + allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms; ') ######################################## 
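Review bot: portmap_run_helper replaces `{ getattr read write ioctl }` on the caller's terminal `$3` with `rw_term_perms`, but whether that actually adds `open` depends on the definition in policy/support/obj_perm_sets.spt, which this patch does not touch (the diffstat lists only misc_patterns.spt under support/). If rw_term_perms still expands to the old four permissions, this change and the identical ones in clock_run, fstools_run and hostname_run later in the patch are no-ops for the open-perm problem the commit title describes. Worth confirming the macro in the same tree, or naming the obj_perm_sets.spt commit this depends on in the description.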
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index 5d987978..e100e9af 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',` ') allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file { getattr read }; + allow $1 pppd_etc_rw_t:file read_file_perms; files_search_etc($1) ') @@ -250,7 +250,7 @@ interface(`ppp_read_secrets',` ') allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file { getattr read }; + allow $1 pppd_secret_t:file read_file_perms; files_search_etc($1) ') diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if index ed761865..a40b0a23 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -72,9 +72,9 @@ template(`qmail_child_domain_template',` allow $1_t $2:fifo_file rw_file_perms; allow $1_t $2:process sigchld; - allow $1_t qmail_etc_t:dir { getattr read search }; - allow $1_t qmail_etc_t:file { getattr read }; - allow $1_t qmail_etc_t:lnk_file { getattr read }; + allow $1_t qmail_etc_t:dir list_dir_perms; + allow $1_t qmail_etc_t:file read_file_perms; + allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; allow $1_t qmail_start_t:fd use; @@ -158,9 +158,9 @@ interface(`qmail_read_config',` type qmail_etc_t; ') - allow $1 qmail_etc_t:dir { getattr read search }; - allow $1 qmail_etc_t:file { getattr read }; - allow $1 qmail_etc_t:lnk_file { getattr read }; + allow $1 qmail_etc_t:dir list_dir_perms; + allow $1 qmail_etc_t:file read_file_perms; + allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; files_search_var($1) ifdef(`distro_debian',` diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index f3480f0f..37fc1704 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if 
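Review bot: the context line two above the change in qmail_child_domain_template still reads `allow $1_t $2:fifo_file rw_file_perms;`, a file-class set applied to a fifo_file — the same class mismatch this commit fixes in uml.if and corenetwork.if.in (rw_file_perms → rw_chr_file_perms). It should become `allow $1_t $2:fifo_file rw_fifo_file_perms;` so the qmail child gets the fifo-specific set, including `open`, consistently with the rest of the patch. The template body continues outside the hunk.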
@@ -56,7 +56,8 @@ template(`razor_common_domain_template',` files_search_var_lib($1_t) # Razor is one executable and several symlinks - allow $1_t razor_exec_t:{ file lnk_file } { getattr read }; + allow $1_t razor_exec_t:file read_file_perms; + allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; kernel_read_system_state($1_t) kernel_read_network_state($1_t) diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if index c9711c6c..d7d282aa 100644 --- a/policy/modules/services/rhgb.if +++ b/policy/modules/services/rhgb.if @@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',` type rhgb_tmpfs_t; ') - allow $1 rhgb_tmpfs_t:file { read write }; + allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index dddbcd9d..23da5527 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -263,7 +263,7 @@ interface(`samba_read_secrets',` ') files_search_etc($1) - allow $1 samba_secrets_t:file { read getattr lock }; + allow $1 samba_secrets_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index 85663947..f3d84598 100644 --- a/policy/modules/services/smartmon.if +++ b/policy/modules/services/smartmon.if @@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',` type fsdaemon_tmp_t; ') - allow $1 fsdaemon_tmp_t:file { getattr ioctl read }; + allow $1 fsdaemon_tmp_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index d5674791..58b25e64 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if 
@@ -391,7 +391,7 @@ template(`ssh_per_role_template',` allow $1_ssh_keysign_t self:capability { setgid setuid }; allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; - allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; + allow $1_ssh_keysign_t sshd_key_t:file read_file_perms; dev_read_urand($1_ssh_keysign_t) @@ -452,7 +452,7 @@ template(`ssh_server_template', ` can_exec($1_t, sshd_exec_t) # Access key files - allow $1_t sshd_key_t:file { getattr read }; + allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 5b7e8f4a..ffa2bd78 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -320,7 +320,7 @@ template(`xserver_per_role_template',` domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) - allow $1_xserver_t $1_xauth_home_t:file { getattr read }; + allow $1_xserver_t $1_xauth_home_t:file read_file_perms; domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; @@ -539,7 +539,7 @@ template(`xserver_ro_session_template',` allow $2 $1_xserver_t:process signal; # Read /tmp/.X0-lock - allow $2 $1_xserver_tmp_t:file { getattr read }; + allow $2 $1_xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $2 $1_xserver_t:fd use; @@ -615,8 +615,8 @@ template(`xserver_user_client_template',` allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $2 $1_xauth_home_t:file { getattr read }; - allow $2 $1_iceauth_home_t:file { getattr read }; + allow $2 $1_xauth_home_t:file read_file_perms; + allow $2 $1_iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; 
@@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
 allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
 # Read .Xauthority file
- allow $3 $1_xauth_home_t:file { getattr read };
- allow $3 $1_iceauth_home_t:file { getattr read };
+ allow $3 $1_xauth_home_t:file read_file_perms;
+ allow $3 $1_iceauth_home_t:file read_file_perms;
 # for when /tmp/.X11-unix is created by the system
 allow $3 xdm_t:fd use;
 allow $3 xdm_t:fifo_file { getattr read write ioctl };
- allow $3 xdm_tmp_t:dir search;
+ allow $3 xdm_tmp_t:dir search_dir_perms;
 allow $3 xdm_tmp_t:sock_file { read write };
 dontaudit $3 xdm_t:tcp_socket { read write };
@@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
 ')
 files_search_etc($1)
- allow $1 xdm_rw_etc_t:file { getattr read };
+ allow $1 xdm_rw_etc_t:file read_file_perms;
 ')
 ########################################
@@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
 type xdm_var_lib_t;
 ')
- allow $1 xdm_var_lib_t:file { getattr read };
+ allow $1 xdm_var_lib_t:file read_file_perms;
 ')
 ########################################
@@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
 type xdm_xserver_tmp_t;
 ')
- allow $1 xdm_xserver_tmp_t:file { getattr read };
+ allow $1 xdm_xserver_tmp_t:file read_file_perms;
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index deb5755c..0a125870 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
 allow $1_chkpwd_t self:process getattr;
 files_list_etc($1_chkpwd_t)
- allow $1_chkpwd_t shadow_t:file { getattr read };
+ allow $1_chkpwd_t shadow_t:file read_file_perms;
 # is_selinux_enabled
 kernel_read_system_state($1_chkpwd_t)
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 2665facf..29397afa 100644
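Review bot: The unchanged `allow $3 xdm_t:fifo_file { getattr read write ioctl };` two lines above the `search_dir_perms` change still carries no `open`, which is the very permission this commit is adding to its neighbours, so the hunk leaves the template half-converted. If that fifo only ever reaches the client through the `allow $3 xdm_t:fd use;` rule right above it, the set is sufficient and a comment such as `# fifo is inherited from xdm, never opened by path` would stop the next open-perm sweep from touching it; if it can be opened by path, the rule should become `allow $3 xdm_t:fifo_file rw_fifo_file_perms;`. I cannot tell from the hunk which of the two holds. The enclosing template starts and ends outside the hunk.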
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -47,7 +47,7 @@ interface(`clock_run',`
 clock_domtrans($1)
 role $2 types hwclock_t;
- allow hwclock_t $3:chr_file { getattr read write ioctl };
+ allow hwclock_t $3:chr_file rw_term_perms;
 ')
 ########################################
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 2b1dddab..e529bd6f 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -48,7 +48,7 @@ interface(`fstools_run',`
 fstools_domtrans($1)
 role $2 types fsadm_t;
- allow fsadm_t $3:chr_file { getattr read write ioctl };
+ allow fsadm_t $3:chr_file rw_term_perms;
 ')
 ########################################
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index bd8ead46..9ae3682e 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -54,7 +54,7 @@ interface(`getty_read_log',`
 ')
 logging_search_logs($1)
- allow $1 getty_log_t:file { getattr read };
+ allow $1 getty_log_t:file read_file_perms;
 ')
 ########################################
@@ -74,7 +74,7 @@ interface(`getty_read_config',`
 ')
 files_search_etc($1)
- allow $1 getty_etc_t:file { getattr read };
+ allow $1 getty_etc_t:file read_file_perms;
 ')
 ########################################
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index f325978f..79100370 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -47,7 +47,7 @@ interface(`hostname_run',`
 hostname_domtrans($1)
 role $2 types hostname_t;
- allow hostname_t $3:chr_file { getattr read write ioctl };
+ allow hostname_t $3:chr_file rw_term_perms;
 ')
 ########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e6a1c833..d6f0c522 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
 ')
 files_list_pids($1)
- allow $1 initrc_var_run_t:file { getattr write };
+ allow $1 initrc_var_run_t:file { getattr open write };
 ')
 ########################################
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index e8bd0c7e..57a33a74 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
 sysnet_domtrans_dhcpc($1)
 role $2 types dhcpc_t;
- allow dhcpc_t $3:chr_file { getattr read write ioctl };
+ allow dhcpc_t $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
 type dhcpc_state_t;
 ')
- allow $1 dhcpc_state_t:file { getattr read };
+ allow $1 dhcpc_state_t:file read_file_perms;
 ')
 #######################################
@@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
 ')
 files_list_pids($1)
- allow $1 dhcpc_var_run_t:file { getattr read };
+ allow $1 dhcpc_var_run_t:file read_file_perms;
 ')
 #######################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 21df8801..cb43eb10 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
 type unconfined_tmp_t;
 ')
- allow $1 unconfined_tmp_t:file { getattr write append };
+ allow $1 unconfined_tmp_t:file write_file_perms;
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ff37b359..d546c89e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
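Review bot: `allow $1 initrc_var_run_t:file { getattr open write };` in init_write_utmp is the one hunk in this series that spells out a permission set instead of switching to a perm macro, so it reads as a deliberate refusal of write_file_perms (no append, lock or ioctl), but nothing on the line says so and the next open-perm sweep will be tempted to "fix" it; a comment such as `# intentionally narrower than write_file_perms (no append/lock/ioctl)` would record the decision. Separately, if any caller updates utmp through glibc's pututline()-style helpers, that path appears to take an fcntl record lock on the file before writing, which would require `lock` here as well — worth confirming with an actual caller before relying on the narrower set, and adding `lock` if the denial shows up. The interface's gen_require block starts outside the hunk.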
@@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
 allow $1_t self:context contains;
 dontaudit $1_t self:socket create;
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
 term_create_pty($1_t,$1_devpts_t)
 allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 attribute user_tmpfile;
 ')
- allow $1 user_tmpfile:file { getattr write append };
+ allow $1 user_tmpfile:file write_file_perms;
 ')
 ########################################
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index ca7aa438..56d4c5d9 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -2,7 +2,7 @@
 # Specified domain transition patterns
 #
 define(`domain_transition_pattern',`
- allow $1 $2:file { getattr read execute };
+ allow $1 $2:file { getattr open read execute };
 allow $1 $3:process transition;
 dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
@@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
 ')
 define(`ps_process_pattern',`
- allow $1 $2:dir { search getattr read };
- allow $1 $2:{ file lnk_file } { read getattr };
+ allow $1 $2:dir list_dir_perms;
+ allow $1 $2:file read_file_perms;
+ allow $1 $2:lnk_file read_lnk_file_perms;
 allow $1 $2:process getattr;
 ')