add can_exec

refpolicy/policy/modules/system/clock.if

@@ -15,10 +15,7 @@
 define(`clock_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 hwclock_exec_t:file { getattr read execute };
+	domain_auto_trans($1,hwclock_exec_t,hwclock_t)
-	allow $1 hwclock_t:process transition;
-	type_transition $1 hwclock_exec_t:process hwclock_t;
-	dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
 
 	allow $1 hwclock_t:fd use;
 	allow hwclock_t $1:fd use;
@@ -81,7 +78,7 @@ define(`clock_transition_add_role_use_terminal_depend',`
 define(`clock_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,hwclock_exec_t)
 ')
 
 define(`clock_execute_depend',`
@@ -104,14 +101,14 @@ define(`clock_execute_depend',`
 define(`clock_modify_drift_records',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 adjtime_t:file { getattr read write ioctl lock append };
+	allow $1 adjtime_t:file rw_file_perms;
 	files_read_general_system_config_directory($1)
 ')
 
 define(`clock_modify_drift_records_depend',`
 	type adjtime_t;
 
-	class file { getattr read write ioctl lock append };
+	class file rw_file_perms;
 ')
 
 ## </module>

refpolicy/policy/support/support_macros

@@ -25,3 +25,4 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
 #
 define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
 
+define(`can_exec',`allow $1 $2:file { getattr read execute execute_no_trans };')