Use relabel permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>
This commit is contained in:
Dominick Grift 2010-09-15 14:57:02 +02:00
parent 4ec4a49e8a
commit 83029ff3c5
10 changed files with 17 additions and 17 deletions

View File

@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
# for savelog
can_exec(logrotate_t, logrotate_exec_t)

View File

@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)

View File

@ -336,7 +336,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file { relabelfrom relabelto };
allow $1 console_device_t:chr_file relabel_chr_file_perms;
')
########################################
@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
allow $1 tty_device_t:chr_file relabel_chr_file_perms;
')
########################################
@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { relabelfrom relabelto };
allow $1 ttynode:chr_file relabel_chr_file_perms;
')
########################################

View File

@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
')
files_search_spool($1)
allow $1 print_spool_t:file { relabelto relabelfrom };
allow $1 print_spool_t:file relabel_file_perms;
')
########################################

View File

@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)

View File

@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
allow $1 var_lib_nfs_t:file relabel_file_perms;
')

View File

@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file { relabelfrom relabelto };
allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
allow virtd_t virt_image_type:file relabel_file_perms;
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)

View File

@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
')
files_search_etc($1)
allow $1 shadow_t:file { relabelfrom relabelto };
allow $1 shadow_t:file relabel_file_perms;
typeattribute $1 can_relabelto_shadow_passwords;
')

View File

@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
allow $1 logfile:dir { relabelfrom relabelto };
allow $1 logfile:file { relabelfrom relabelto };
allow $1 logfile:dir relabel_dir_perms;
allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)

View File

@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
type user_home_t;
')
allow $1 user_home_t:file { relabelto relabelfrom };
allow $1 user_home_t:file relabel_file_perms;
')
########################################