trunk: more open perm fixes.

This commit is contained in:
Chris PeBenito 2008-10-20 16:10:42 +00:00
parent 6e68e6bb5e
commit 82d2775c92
48 changed files with 119 additions and 121 deletions


@ -228,5 +228,5 @@ interface(`dpkg_lock_db',`
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
allow $1 dpkg_lock_t:file manage_file_perms;
')
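Review bot: `allow $1 dpkg_lock_t:file manage_file_perms;` grants more than the set it replaces: the old rule had no setattr, rename, link or ioctl, and manage_file_perms includes all of them, so every caller of dpkg_lock_db can now rename or hard-link the dpkg lock file. If the aim is only to add the new `open` permission, a narrower combination such as `{ create_file_perms rw_file_perms delete_file_perms }` (sets this commit already uses in other interfaces) keeps the interface close to its prior scope. Most read_file_perms/rw_file_perms substitutions in this commit also add lock and ioctl beyond the explicit sets they replace; that is a reasonable choice, but the commit message should say so rather than describe the change as open-only. The enclosing interface begins before the hunk.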


@ -111,7 +111,7 @@ interface(`portage_compile_domain',`
# write compile logs
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { append write setattr };
allow $1 portage_log_t:file { write_file_perms setattr };
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)


@ -85,7 +85,7 @@ interface(`prelink_read_cache',`
')
files_search_etc($1)
allow $1 prelink_cache_t:file { getattr read };
allow $1 prelink_cache_t:file read_file_perms;
')
########################################


@ -166,9 +166,7 @@ template(`evolution_per_role_template',`
userdom_search_user_home_dirs($1, $1_evolution_t)
# Allow the user domain to signal/ps.
allow $2 $1_evolution_t:dir { search getattr read };
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
allow $2 $1_evolution_t:process getattr;
ps_process_pattern($2, $1_evolution_t)
domain_dontaudit_read_all_domains_state($1_evolution_t)


@ -79,7 +79,7 @@ template(`uml_per_role_template',`
allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
# allow the UML thing to happen
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_uml_t,$1_uml_devpts_t)
manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)


@ -180,7 +180,7 @@ interface(`vmware_read_system_config',`
type vmware_sys_conf_t;
')
allow $1 vmware_sys_conf_t:file { getattr read };
allow $1 vmware_sys_conf_t:file read_file_perms;
')
########################################


@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { getattr read execute };
mmap_files_pattern($1, bin_t, bin_t)
')
########################################


@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',`
')
dev_list_all_dev_nodes($1)
allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
')
########################################
@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',`
')
dev_list_all_dev_nodes($1)
allow $1 ppp_device_t:chr_file rw_file_perms;
allow $1 ppp_device_t:chr_file rw_chr_file_perms;
')
########################################


@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',`
attribute mountpoint;
')
allow $1 mountpoint:dir { getattr search mounton };
allow $1 mountpoint:dir { search_dir_perms mounton };
allow $1 mountpoint:file { getattr mounton };
')
@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',`
type boot_t;
')
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:file { create_file_perms rw_file_perms };
manage_lnk_files_pattern($1, boot_t, boot_t)
')
@ -1682,7 +1682,7 @@ interface(`files_mounton_default',`
type default_t;
')
allow $1 default_t:dir { getattr search mounton };
allow $1 default_t:dir { search_dir_perms mounton };
')
########################################
@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',`
')
allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
allow $1 system_map_t:file { rw_file_perms create };
allow $1 system_map_t:file { create_file_perms rw_file_perms };
')
########################################
@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',`
allow $1 self:capability { chown fsetid sys_admin };
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',`
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr relabelto };
allow $1 polydir: dir { write add_name };
allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
allow $1 polydir: dir { write add_name open };
allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
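Review bot: The added line `allow $1 polydir: dir { write add_name open };` keeps the stray space before `dir` from the line it replaces, while the neighbouring rule writes `polyparent:dir`; write it as `allow $1 polydir:dir { write add_name open };`. The same interface hand-lists `open` in three places (this line, the polyparent rule below it, and the `{ create open getattr search ... }` rule in the earlier hunk) where the rest of this commit switches to perm sets; presumably that is because these rules mix directory-management permissions that no single set covers, and a one-line comment saying so would stop a later sweep from rewriting them. files_polyinstantiate_all continues past the hunk.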


@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',`
')
allow $1 rpc_pipefs_t:sock_file { read write };
')
########################################
@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:fifo_file { read write };
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
')
########################################
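Review bot: The fs_read_rpc_sockets hunk removes `allow $1 rpc_pipefs_t:sock_file { read write };` and adds nothing in its place (the hunk shrinks from 7 to 6 lines), and the visible context suggests this was the only rule after the gen_require block, so the interface may now be callable but grant no access at all. If the intent is to drop the stray write from a read interface, keep a read-only sock_file rule rather than deleting the line; if the interface is meant to go away, deprecate it so callers get a build-time warning instead of silently losing access to rpc_pipefs sockets. The rest of the interface is outside the hunk, so this is inferred from the line counts.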


@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
type unlabeled_t;
')
allow $1 unlabeled_t:dir { getattr search read relabelfrom };
allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
')
########################################


@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',`
')
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
dontaudit $1 security_t:file read_file_perms;
')
########################################
@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
allow $1 security_t:file read_file_perms;
')
########################################
@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
if(!secure_mode_policyload) {
@ -250,7 +250,7 @@ interface(`selinux_load_policy',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
if(!secure_mode_policyload) {
@ -292,7 +292,7 @@ interface(`selinux_set_boolean',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
@ -333,7 +333,7 @@ interface(`selinux_set_parameters',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
typeattribute $1 can_setsecparam;
@ -356,7 +356,7 @@ interface(`selinux_validate_context',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
')
@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',`
')
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file { getattr read write };
dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
')
@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
')
@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
')
@ -440,7 +440,7 @@ interface(`selinux_compute_member',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
')
@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
')
@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',`
')
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
')
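Review bot: `dontaudit $1 security_t:file read_file_perms;` in selinux_dontaudit_read_fs and `dontaudit $1 security_t:file rw_file_perms;` in selinux_dontaudit_validate_context now suppress denials for lock, ioctl and (for the rw case) append on security_t files, where the old sets only silenced getattr, read and write. A dontaudit grants nothing, but widening it hides more of a domain's probing of the security filesystem from the audit log; if only the new open denial is the noise being targeted, `dontaudit $1 security_t:file { getattr open read write };` keeps the suppression as narrow as before. The allow-side substitutions in this file (rw_file_perms for `{ getattr read write }`) widen in the same way and are presumably intended.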


@ -173,7 +173,7 @@ interface(`term_use_all_terms',`
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
')
########################################
@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr append };
allow $1 tty_device_t:chr_file append_chr_file_perms;
')
########################################
@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
allow $1 tty_device_t:chr_file write_chr_file_perms;
')
########################################
@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { rw_term_perms lock append };
allow $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr write append };
allow $1 ttynode:chr_file write_chr_file_perms;
')
########################################
@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { rw_term_perms lock append };
allow $1 ttynode:chr_file rw_chr_file_perms;
')
########################################
@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',`
attribute ttynode;
')
dontaudit $1 ttynode:chr_file { read write };
dontaudit $1 ttynode:chr_file rw_chr_file_perms;
')
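Review bot: `dontaudit $1 ttynode:chr_file rw_chr_file_perms;` in term_dontaudit_use_all_user_ttys replaces a `{ read write }` dontaudit with the full set, so denials for getattr, append, lock, ioctl and open on user ttys are silenced as well; term_dontaudit_use_unallocated_ttys in the earlier hunk changes the same way. Matching the allow-side interfaces (term_use_all_user_ttys, term_use_unallocated_ttys), which also moved to rw_chr_file_perms, is consistent, but it removes audit visibility that previously existed for those permissions and the commit message should say so. If that visibility matters, keep the dontaudit at `{ getattr open read write }`.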


@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',`
')
files_search_spool($1)
allow $1 amavis_spool_t:file { getattr read };
allow $1 amavis_spool_t:file read_file_perms;
')
########################################


@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr read };
allow $1 httpd_squirrelmail_t:file read_file_perms;
')
########################################
@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr append };
allow $1 httpd_squirrelmail_t:file append_file_perms;
')
########################################


@ -55,7 +55,7 @@ interface(`apcupsd_read_log',`
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file { read getattr lock };
allow $1 apcupsd_log_t:file read_file_perms;
')
########################################
@ -76,7 +76,7 @@ interface(`apcupsd_append_log',`
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file { getattr append };
allow $1 apcupsd_log_t:file append_file_perms;
')
########################################


@ -16,8 +16,8 @@ interface(`bitlbee_read_config',`
')
files_search_etc($1)
allow $1 bitlbee_conf_t:dir { getattr read search };
allow $1 bitlbee_conf_t:file { read getattr };
allow $1 bitlbee_conf_t:dir list_dir_perms;
allow $1 bitlbee_conf_t:file read_file_perms;
')
########################################


@ -285,7 +285,7 @@ template(`cron_admin_template',`
')
# Allow our crontab domain to unlink a user cron spool file.
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
logging_read_generic_logs($1_crond_t)


@ -207,7 +207,7 @@ interface(`cups_read_log',`
')
logging_search_logs($1)
allow $1 cupsd_log_t:file { getattr read };
allow $1 cupsd_log_t:file read_file_perms;
')
########################################
@ -226,7 +226,7 @@ interface(`cups_write_log',`
')
logging_search_logs($1)
allow $1 cupsd_log_t:file write;
allow $1 cupsd_log_t:file write_file_perms;
')
########################################


@ -36,7 +36,7 @@ interface(`fail2ban_read_log',`
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file { read getattr lock };
allow $1 fail2ban_log_t:file read_file_perms;
')
########################################


@ -67,7 +67,7 @@ interface(`ftp_read_config',`
')
files_search_etc($1)
allow $1 ftpd_etc_t:file { getattr read };
allow $1 ftpd_etc_t:file read_file_perms;
')
########################################


@ -93,9 +93,9 @@ interface(`inn_read_config',`
type innd_etc_t;
')
allow $1 innd_etc_t:dir { getattr read search };
allow $1 innd_etc_t:file { read getattr };
allow $1 innd_etc_t:lnk_file { getattr read };
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
')
########################################
@ -113,9 +113,9 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
allow $1 innd_var_lib_t:dir { getattr read search };
allow $1 innd_var_lib_t:file { read getattr };
allow $1 innd_var_lib_t:lnk_file { getattr read };
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
@ -133,9 +133,9 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
allow $1 news_spool_t:dir { getattr read search };
allow $1 news_spool_t:file { read getattr };
allow $1 news_spool_t:lnk_file { getattr read };
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
')
########################################


@ -73,7 +73,7 @@ interface(`kerberos_use',`
')
files_search_etc($1)
allow $1 krb5_conf_t:file { getattr read };
allow $1 krb5_conf_t:file read_file_perms;
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;


@ -36,7 +36,7 @@ interface(`ldap_read_config',`
')
files_search_etc($1)
allow $1 slapd_etc_t:file { getattr read };
allow $1 slapd_etc_t:file read_file_perms;
')
########################################


@ -114,7 +114,7 @@ template(`mta_base_mail_template',`
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
allow $1_mail_t etc_mail_t:dir search_dir_perms;
# Write to /var/spool/mail and /var/spool/mqueue.
manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)


@ -74,9 +74,9 @@ interface(`mysql_read_config',`
type mysqld_etc_t;
')
allow $1 mysqld_etc_t:dir { getattr read search };
allow $1 mysqld_etc_t:file { read getattr };
allow $1 mysqld_etc_t:lnk_file { getattr read };
allow $1 mysqld_etc_t:dir list_dir_perms;
allow $1 mysqld_etc_t:file read_file_perms;
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
')
########################################
@ -98,7 +98,7 @@ interface(`mysql_search_db',`
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:dir search_dir_perms;
')
########################################
@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',`
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:dir search_dir_perms;
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
@ -176,5 +176,5 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
allow $1 mysqld_log_t:file { write_file_perms setattr };
')


@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',`
')
files_search_etc($1)
allow $1 ypserv_conf_t:file { getattr read };
allow $1 ypserv_conf_t:file read_file_perms;
')
########################################


@ -49,7 +49,7 @@ interface(`portmap_run_helper',`
portmap_domtrans_helper($1)
role $2 types portmap_helper_t;
allow portmap_helper_t $3:chr_file { getattr read write ioctl };
allow portmap_helper_t $3:chr_file rw_term_perms;
')
########################################


@ -208,9 +208,9 @@ interface(`postfix_read_config',`
type postfix_etc_t;
')
allow $1 postfix_etc_t:dir { getattr read search };
allow $1 postfix_etc_t:file { read getattr };
allow $1 postfix_etc_t:lnk_file { getattr read };
allow $1 postfix_etc_t:dir list_dir_perms;
allow $1 postfix_etc_t:file read_file_perms;
allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
files_search_etc($1)
')


@ -272,9 +272,9 @@ interface(`postgresql_read_config',`
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir { getattr read search };
allow $1 postgresql_etc_t:file { read getattr };
allow $1 postgresql_etc_t:lnk_file { getattr read };
allow $1 postgresql_etc_t:dir list_dir_perms;
allow $1 postgresql_etc_t:file read_file_perms;
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')
########################################


@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',`
')
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file { getattr read };
allow $1 pppd_etc_rw_t:file read_file_perms;
files_search_etc($1)
')
@ -250,7 +250,7 @@ interface(`ppp_read_secrets',`
')
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file { getattr read };
allow $1 pppd_secret_t:file read_file_perms;
files_search_etc($1)
')


@ -72,9 +72,9 @@ template(`qmail_child_domain_template',`
allow $1_t $2:fifo_file rw_file_perms;
allow $1_t $2:process sigchld;
allow $1_t qmail_etc_t:dir { getattr read search };
allow $1_t qmail_etc_t:file { getattr read };
allow $1_t qmail_etc_t:lnk_file { getattr read };
allow $1_t qmail_etc_t:dir list_dir_perms;
allow $1_t qmail_etc_t:file read_file_perms;
allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
allow $1_t qmail_start_t:fd use;
@ -158,9 +158,9 @@ interface(`qmail_read_config',`
type qmail_etc_t;
')
allow $1 qmail_etc_t:dir { getattr read search };
allow $1 qmail_etc_t:file { getattr read };
allow $1 qmail_etc_t:lnk_file { getattr read };
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
files_search_var($1)
ifdef(`distro_debian',`


@ -56,7 +56,8 @@ template(`razor_common_domain_template',`
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
allow $1_t razor_exec_t:file read_file_perms;
allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)


@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
allow $1 rhgb_tmpfs_t:file { read write };
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')


@ -263,7 +263,7 @@ interface(`samba_read_secrets',`
')
files_search_etc($1)
allow $1 samba_secrets_t:file { read getattr lock };
allow $1 samba_secrets_t:file read_file_perms;
')
########################################


@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',`
type fsdaemon_tmp_t;
')
allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
allow $1 fsdaemon_tmp_t:file read_file_perms;
')
########################################


@ -391,7 +391,7 @@ template(`ssh_per_role_template',`
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
dev_read_urand($1_ssh_keysign_t)
@ -452,7 +452,7 @@ template(`ssh_server_template', `
can_exec($1_t, sshd_exec_t)
# Access key files
allow $1_t sshd_key_t:file { getattr read };
allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)


@ -320,7 +320,7 @@ template(`xserver_per_role_template',`
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
@ -539,7 +539,7 @@ template(`xserver_ro_session_template',`
allow $2 $1_xserver_t:process signal;
# Read /tmp/.X0-lock
allow $2 $1_xserver_tmp_t:file { getattr read };
allow $2 $1_xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $2 $1_xserver_t:fd use;
@ -615,8 +615,8 @@ template(`xserver_user_client_template',`
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
allow $2 $1_xauth_home_t:file { getattr read };
allow $2 $1_iceauth_home_t:file { getattr read };
allow $2 $1_xauth_home_t:file read_file_perms;
allow $2 $1_iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
allow $3 $1_xauth_home_t:file { getattr read };
allow $3 $1_iceauth_home_t:file { getattr read };
allow $3 $1_xauth_home_t:file read_file_perms;
allow $3 $1_iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $3 xdm_t:fd use;
allow $3 xdm_t:fifo_file { getattr read write ioctl };
allow $3 xdm_tmp_t:dir search;
allow $3 xdm_tmp_t:dir search_dir_perms;
allow $3 xdm_tmp_t:sock_file { read write };
dontaudit $3 xdm_t:tcp_socket { read write };
@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
')
files_search_etc($1)
allow $1 xdm_rw_etc_t:file { getattr read };
allow $1 xdm_rw_etc_t:file read_file_perms;
')
########################################
@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
type xdm_var_lib_t;
')
allow $1 xdm_var_lib_t:file { getattr read };
allow $1 xdm_var_lib_t:file read_file_perms;
')
########################################
@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
type xdm_xserver_tmp_t;
')
allow $1 xdm_xserver_tmp_t:file { getattr read };
allow $1 xdm_xserver_tmp_t:file read_file_perms;
')
########################################
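Review bot: In the xserver_user_x_domain_template hunk, `allow $3 xdm_t:fifo_file { getattr read write ioctl };` and `allow $3 xdm_tmp_t:sock_file { read write };` stay as explicit sets between lines the hunk converts to read_file_perms and search_dir_perms; they are unchanged context, so the commit is consistent, but nothing records why they are exempt. The `xdm_t:fd use` rule just above them suggests the fifo is inherited from xdm and the socket is connected rather than opened, in which case `# inherited/connected from xdm: no open needed` on those lines would keep later open-perm sweeps from widening them. The template continues past the hunk.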


@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
allow $1_chkpwd_t shadow_t:file read_file_perms;
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)


@ -47,7 +47,7 @@ interface(`clock_run',`
clock_domtrans($1)
role $2 types hwclock_t;
allow hwclock_t $3:chr_file { getattr read write ioctl };
allow hwclock_t $3:chr_file rw_term_perms;
')
########################################


@ -48,7 +48,7 @@ interface(`fstools_run',`
fstools_domtrans($1)
role $2 types fsadm_t;
allow fsadm_t $3:chr_file { getattr read write ioctl };
allow fsadm_t $3:chr_file rw_term_perms;
')
########################################


@ -54,7 +54,7 @@ interface(`getty_read_log',`
')
logging_search_logs($1)
allow $1 getty_log_t:file { getattr read };
allow $1 getty_log_t:file read_file_perms;
')
########################################
@ -74,7 +74,7 @@ interface(`getty_read_config',`
')
files_search_etc($1)
allow $1 getty_etc_t:file { getattr read };
allow $1 getty_etc_t:file read_file_perms;
')
########################################


@ -47,7 +47,7 @@ interface(`hostname_run',`
hostname_domtrans($1)
role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl };
allow hostname_t $3:chr_file rw_term_perms;
')
########################################


@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
')
files_list_pids($1)
allow $1 initrc_var_run_t:file { getattr write };
allow $1 initrc_var_run_t:file { getattr open write };
')
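Review bot: `allow $1 initrc_var_run_t:file { getattr open write };` hand-lists the new open permission while the other write interfaces in this commit (unconfined_write_tmp_files, userdom_write_unpriv_users_tmp_files) switch to write_file_perms; the visible difference is that the explicit set withholds append and lock. If that is deliberate for the utmp file, add a comment above the line such as `# deliberately narrower than write_file_perms: no append or lock on utmp`; otherwise use write_file_perms for consistency. The enclosing interface starts before the hunk.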
########################################


@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
sysnet_domtrans_dhcpc($1)
role $2 types dhcpc_t;
allow dhcpc_t $3:chr_file { getattr read write ioctl };
allow dhcpc_t $3:chr_file rw_term_perms;
')
########################################
@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
type dhcpc_state_t;
')
allow $1 dhcpc_state_t:file { getattr read };
allow $1 dhcpc_state_t:file read_file_perms;
')
#######################################
@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
')
files_list_pids($1)
allow $1 dhcpc_var_run_t:file { getattr read };
allow $1 dhcpc_var_run_t:file read_file_perms;
')
#######################################


@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
type unconfined_tmp_t;
')
allow $1 unconfined_tmp_t:file { getattr write append };
allow $1 unconfined_tmp_t:file write_file_perms;
')


@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
allow $1_t self:context contains;
dontaudit $1_t self:socket create;
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
attribute user_tmpfile;
')
allow $1 user_tmpfile:file { getattr write append };
allow $1 user_tmpfile:file write_file_perms;
')
########################################


@ -2,7 +2,7 @@
# Specified domain transition patterns
#
define(`domain_transition_pattern',`
allow $1 $2:file { getattr read execute };
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
')
define(`ps_process_pattern',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
allow $1 $2:dir list_dir_perms;
allow $1 $2:file read_file_perms;
allow $1 $2:lnk_file read_lnk_file_perms;
allow $1 $2:process getattr;
')
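Review bot: `allow $1 $2:file { getattr open read execute };` in domain_transition_pattern keeps an explicit set where the rest of this commit moves to perm sets (corecmd_mmap_bin_files now uses mmap_files_pattern), and nothing explains why ioctl and execute_no_trans are left out; presumably so that the entrypoint can only be run through the transition, in which case `# no execute_no_trans: $2 may only be run via the transition to $3` above the line would make that contract explicit. The ps_process_pattern change widens every caller at once, since list_dir_perms and read_file_perms add lock and ioctl on the target's state and lnk_file reading is now split out; that matches the evolution template hunk in this commit, which switches to calling this pattern, but it is a broader change than an open-only commit message suggests.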